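Summary (system call name and the number of times it was recorded; four columns, each read top to bottom in ascending order of count):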

NtCallbackReturn(>) 1 NtGdiCreateSolidBrush(>) 2 NtCreateFile(>) 5 NtContinue(>) 84
NtFlushInstructionCache(>) 1 NtNotifyChangeKey(>) 2 NtGdiGetStockObject(>) 5 NtOpenKey(>) 92
NtFsControlFile(>) 1 NtOpenDirectoryObject(>) 2 NtQueryInformationToken(>) 5 NtCreateEvent(>) 122
NtGdiCreateBitmap(>) 1 NtOpenProcessToken(>) 2 NtSetInformationFile(>) 5 NtCreateThread(>) 125
NtGdiInit(>) 1 NtOpenProcessTokenEx(>) 2 NtQueryInformationFile(>) 7 NtResumeThread(>) 126
NtGdiQueryFontAssocInfo(>) 1 NtOpenThreadTokenEx(>) 2 NtQuerySection(>) 7 NtClose(>) 129
NtGdiSelectBitmap(>) 1 NtQueryDefaultLocale(>) 2 NtUserFindExistingCursorIcon(>) 9 NtProtectVirtualMemory(>) 129
NtOpenKeyedEvent(>) 1 NtQuerySystemTime(>) 2 NtConnectPort(>) 10 NtQueryInformationThread(>) 131
NtOpenMutant(>) 1 NtQueryVirtualMemory(>) 2 NtOpenFile(>) 13 NtRegisterThreadTerminatePort(>) 157
NtOpenSymbolicLinkObject(>) 1 NtSetInformationObject(>) 2 NtCreateSection(>) 15 NtTestAlert(>) 157
NtQueryObject(>) 1 NtSetValueKey(>) 2 NtUserRegisterClassExWOW(>) 15 NtRequestWaitReplyPort(>) 166
NtQuerySymbolicLinkObject(>) 1 NtWriteFile(>) 2 NtDeviceIoControlFile(>) 16 NtDuplicateObject(>) 178
NtSecureConnectPort(>) 1 NtFreeVirtualMemory(>) 3 NtCreateKey(>) 17 NtQueryValueKey(>) 196
NtSetInformationThread(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenSection(>) 19 NtAllocateVirtualMemory(>) 388
NtUserCallNoParam(>) 1 NtQueryInformationProcess(>) 4 NtQuerySystemInformation(>) 21 NtSetEventBoostPriority(>) 1156
NtUserGetThreadDesktop(>) 1 NtQueryVolumeInformationFile(>) 4 NtMapViewOfSection(>) 24 NtWaitForSingleObject(>) 1377
NtCreateMutant(>) 2 NtUnmapViewOfSection(>) 4 NtQueryAttributesFile(>) 34

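Trace (each entry: sequence number, what appears to be the calling thread's ID, the system call with its input arguments, `...`, its output arguments, then `==` and the returned status or value). In this rendering some argument lists are printed more than once, and an entry left open without `==` is completed by a later entry carrying the same sequence number: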

00001 488 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 488 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 488 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 488 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 488 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 488 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 488 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 488 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 488 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 488 NtClose (12, ... 
) == 0x0 00014 488 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 488 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 488 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 488 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 488 NtClose (16, ... ) == 0x0 00021 488 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 488 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 488 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 488 NtClose (16, ... ) == 0x0 00026 488 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 488 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 488 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 488 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 488 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 484, 488, 1534, 0} "\20\357\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 484, 488, 1534, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 484, 488, 1534, 0} "\20\357\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 488 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 488 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 488 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 488 NtClose (16, ... ) == 0x0 00036 488 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 488 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 488 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 488 NtClose (28, ... ) == 0x0 00041 488 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 488 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 488 NtClose (28, ... ) == 0x0 00045 488 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 488 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 488 NtClose (28, ... ) == 0x0 00049 488 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 488 NtClose (28, ... ) == 0x0 00052 488 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 488 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 488 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 484, 488, 1556, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 484, 488, 1556, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 484, 488, 1556, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 488 NtProtectVirtualMemory (-1, (0x409000), 122896, 4, ... (0x409000), 126976, 128, ) == 0x0 00057 488 NtProtectVirtualMemory (-1, (0x409000), 126976, 128, ... (0x409000), 126976, 4, ) == 0x0 00058 488 NtFlushInstructionCache (-1, 4231168, 122896, ... ) == 0x0 00059 488 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 488 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 488 NtClose (28, ... ) == 0x0 00062 488 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 488 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 488 NtClose (28, ... ) == 0x0 00065 488 NtTestAlert (... ) == 0x0 00066 488 NtContinue (1244464, 1, ... 00067 488 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0 00068 488 NtContinue (1244316, 0, ... 00069 488 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00070 488 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00071 488 NtClose (28, ... ) == 0x0 00072 488 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00073 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 488 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, ".dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00076 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00077 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00078 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00079 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1243040, ... ) }, 1243040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 488 NtContinue (1244400, 0, ... 00083 488 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00084 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00085 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00086 488 NtClose (28, ... ) == 0x0 00087 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00088 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00089 488 NtClose (28, ... ) == 0x0 00090 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00091 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00092 488 NtClose (28, ... ) == 0x0 00093 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00094 488 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00095 488 NtClose (28, ... ) == 0x0 00096 488 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00097 488 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00098 488 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00099 488 NtClose (28, ... ) == 0x0 00100 488 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00101 488 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 488 NtClose (28, ... ) == 0x0 00103 488 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00104 488 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... 
) == 0x0 00105 488 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00107 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 484, 488, 1573, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 484, 488, 1573, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 484, 488, 1573, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00108 488 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 488 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0 00110 488 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00111 488 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00112 488 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482040, ) == 0x0 00113 488 NtQueryInformationToken (-2147482040, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00114 488 NtQueryInformationToken (-2147482040, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00115 488 NtClose (-2147482040, ... ) == 0x0 00116 488 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 
5505024, 4096, ) == 0x0 00117 488 NtFreeVirtualMemory (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0 00118 488 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00119 488 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0 00120 488 NtQueryValueKey (-2147482040, (-2147482040, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 488 NtClose (-2147482040, ... ) == 0x0 00122 488 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0 00123 488 NtQueryValueKey (-2147482040, (-2147482040, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 488 NtClose (-2147482040, ... ) == 0x0 00125 488 NtQueryDefaultLocale (0, -136279540, ... ) == 0x0 00126 488 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00127 488 NtUserCallNoParam (24, ... ) == 0x0 00128 488 NtGdiCreateCompatibleDC (0, ... 00129 488 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0 00128 488 NtGdiCreateCompatibleDC ... ) == 0xf010451 00130 488 NtGdiGetStockObject (0, ... ) == 0x1900010 00131 488 NtGdiGetStockObject (4, ... ) == 0x1900011 00132 488 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb050458 00133 488 NtGdiCreateSolidBrush (0, 0, ... 00134 488 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0 00133 488 NtGdiCreateSolidBrush ... ) == 0x810045b 00135 488 NtGdiGetStockObject (13, ... ) == 0x18a0021 00136 488 NtGdiCreateCompatibleDC (0, ... ) == 0x601045c 00137 488 NtGdiSelectBitmap (100729948, 184878168, ... ) == 0x185000f 00138 488 NtUserGetThreadDesktop (488, 0, ... 
) == 0x2c 00139 488 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00140 488 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00141 488 NtClose (52, ... ) == 0x0 00142 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00143 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 673, 128, 0, ... ) == 0x810cc017 00144 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00145 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 674, 128, 0, ... ) == 0x810cc01c 00146 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00147 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 675, 128, 0, ... ) == 0x810cc01e 00148 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00149 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 676, 128, 0, ... ) == 0x810c8002 00150 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10013 00151 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 677, 128, 0, ... ) == 0x810cc018 00152 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00153 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 678, 128, 0, ... ) == 0x810cc01a 00154 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00155 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 679, 128, 0, ... ) == 0x810cc01d 00156 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00157 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 681, 128, 0, ... 
) == 0x810cc026 00158 488 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00159 488 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 680, 128, 0, ... ) == 0x810cc019 00160 488 NtUserRegisterClassExWOW (1241284, 1241364, 1241348, 1241380, 0, 128, 0, ... ) == 0x810cc020 00161 488 NtUserRegisterClassExWOW (1241284, 1241360, 1241376, 1241348, 0, 130, 0, ... ) == 0x810cc022 00162 488 NtUserRegisterClassExWOW (1241284, 1241364, 1241348, 1241380, 0, 128, 0, ... ) == 0x810cc023 00163 488 NtUserRegisterClassExWOW (1241284, 1241360, 1241376, 1241348, 0, 130, 0, ... ) == 0x810cc024 00164 488 NtUserRegisterClassExWOW (1241284, 1241364, 1241348, 1241380, 0, 128, 0, ... 00165 488 NtAllocateVirtualMemory (-1, 5681152, 0, 4096, 4096, 32, ... 5681152, 4096, ) == 0x0 00164 488 NtUserRegisterClassExWOW ... ) == 0x810cc025 00166 488 NtCallbackReturn (0, 0, 0, ... 00167 488 NtGdiInit (... ) == 0x1 00168 488 NtGdiGetStockObject (18, ... ) == 0x290001c 00169 488 NtGdiGetStockObject (19, ... ) == 0x1b00019 00170 488 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0 00171 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 488 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242976, ... ) }, 1242976, ... ) == 0x0 00175 488 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00176 488 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0 00177 488 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00178 488 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00179 488 NtQueryInformationToken (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00180 488 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 488 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0 00182 488 NtQueryValueKey (64, (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00183 488 NtClose (64, ... ) == 0x0 00184 488 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00185 488 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00186 488 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00187 488 NtClose (64, ... ) == 0x0 00188 488 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 488 NtClose (60, ... ) == 0x0 00190 488 NtClose (52, ... ) == 0x0 00191 488 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00192 488 NtClose (56, ... ) == 0x0 00193 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 56, ) }, ... 56, ) == 0x0 00194 488 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77c10000), 0x0, 339968, ) == 0x0 00195 488 NtClose (56, ... ) == 0x0 00196 488 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242172, ... ) }, 1242172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 488 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242172, ... ) }, 1242172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00199 488 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242172, ... ) }, 1242172, ... ) == 0x0 00200 488 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00201 488 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00202 488 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00203 488 NtClose (56, ... ) == 0x0 00204 488 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00205 488 NtClose (52, ... ) == 0x0 00206 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00207 488 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0 00208 488 NtAllocateVirtualMemory (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0 00209 488 NtAllocateVirtualMemory (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0 00210 488 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 
52, ) == 0x0 00211 488 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0 00212 488 NtClose (52, ... ) == 0x0 00213 488 NtAllocateVirtualMemory (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0 00214 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00215 488 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00216 488 NtFreeVirtualMemory (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0 00217 488 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00218 488 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00219 488 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00220 488 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00221 488 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00222 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0 00223 488 NtAllocateVirtualMemory (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0 00224 488 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00225 488 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "Jobaka3"}, 0, ... 56, ) }, 0, ... 
56, ) == 0x0 00226 488 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 60, ) }, ... 60, ) == 0x0 00227 488 NtQueryValueKey (60, (60, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00228 488 NtQueryValueKey (60, (60, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00229 488 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00230 488 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00231 488 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Protocol_Catalog9"}, ... 68, ) }, ... 68, ) == 0x0 00232 488 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00233 488 NtNotifyChangeKey (68, 64, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00234 488 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00235 488 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00236 488 NtQueryValueKey (68, (68, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (68, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00237 488 NtQueryValueKey (68, (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00238 488 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0 00239 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0 00240 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00241 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00242 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\363\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\363\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\364\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\363\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\363\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\364\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\363\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\363\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\364\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00243 488 NtClose (76, ... ) == 0x0 00244 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0 00245 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00246 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00247 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\370\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\371\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\370\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\371\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\370\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\371\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\0\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00248 488 NtClose (76, ... ) == 0x0 00249 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0 00250 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00251 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00252 488 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00253 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\376\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\376\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\377\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\376\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\376\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\377\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\376\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\376\0\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\377\0\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00254 488 NtClose (76, ... ) == 0x0 00255 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0 00256 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00257 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00258 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\3\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\3\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\4\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\3\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\3\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\4\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\3\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\3\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\4\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00259 488 NtClose (76, ... ) == 0x0 00260 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000005"}, ... 76, ) }, ... 76, ) == 0x0 00261 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00262 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00263 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\10\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\10\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\11\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\10\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\10\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\11\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\10\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\10\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\11\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00264 488 NtClose (76, ... ) == 0x0 00265 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000006"}, ... 76, ) }, ... 76, ) == 0x0 00266 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00267 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00268 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\15\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\15\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\16\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\15\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\15\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\16\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\15\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\15\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\16\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00269 488 NtClose (76, ... ) == 0x0 00270 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000007"}, ... 76, ) }, ... 76, ) == 0x0 00271 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00272 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00273 488 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00274 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\23\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\23\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\24\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\23\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\23\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\24\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\23\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\23\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\24\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00275 488 NtClose (76, ... ) == 0x0 00276 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000008"}, ... 76, ) }, ... 76, ) == 0x0 00277 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00278 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00279 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\30\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\30\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\31\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\30\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\30\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\31\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\30\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\30\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\31\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00280 488 NtClose (76, ... ) == 0x0 00281 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000009"}, ... 76, ) }, ... 76, ) == 0x0 00282 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00283 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00284 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\35\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\36\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\35\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\36\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 
\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\35\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\36\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00285 488 NtClose (76, ... 
) == 0x0 00286 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000010"}, ... 76, ) }, ... 76, ) == 0x0 00287 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00288 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00289 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0 (76, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0"\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0H\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0#\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\1\0\0\344\1\0\0\350\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0L\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00290 488 NtClose (76, ... ) == 0x0 00291 488 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000011"}, ... 76, ) }, ... 76, ) == 0x0 00292 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00293 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00294 488 NtQueryValueKey (76, (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0'\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0(\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\1\0\0\344\1\0\0\350\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0)\1\0\0\344\1\0\0\350\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0*\1\0\0\344\1\0\0\350\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0*\1\0\0\344\1\0\0\350\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0+\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\214\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 @\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (76, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0'\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0(\1\0\0\344\1\0\0\350\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\1\0\0\344\1\0\0\350\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0)\1\0\0\344\1\0\0\350\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0*\1\0\0\344\1\0\0\350\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0*\1\0\0\344\1\0\0\350\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0+\1\0\0\344\1\0\0\350\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\214\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 @\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 00295 488 NtClose (76, ... ) == 0x0 00296 488 NtClose (72, ... ) == 0x0 00297 488 NtWaitForSingleObject (64, 0, {0, 0}, ... 
) == 0x102 00298 488 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0 00299 488 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 76, ) }, ... 76, ) == 0x0 00300 488 NtQueryValueKey (76, (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00301 488 NtNotifyChangeKey (76, 72, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00302 488 NtQueryValueKey (76, (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00303 488 NtOpenKey (0x2000000, {24, 76, 0x40, 0, 0, (0x2000000, {24, 76, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 488 NtQueryValueKey (76, (76, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00305 488 NtOpenKey (0x2000000, {24, 76, 0x40, 0, 0, (0x2000000, {24, 76, 0x40, 0, 0, "Catalog_Entries"}, ... 80, ) }, ... 80, ) == 0x0 00306 488 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00307 488 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000001"}, ... 84, ) }, ... 84, ) == 0x0 00308 488 NtQueryValueKey (84, (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00309 488 NtQueryValueKey (84, (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00310 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00311 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00312 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00313 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00314 488 NtQueryValueKey (84, (84, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (84, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00315 488 NtQueryValueKey (84, (84, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 488 NtQueryValueKey (84, (84, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00317 488 NtQueryValueKey (84, (84, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00318 488 NtQueryValueKey (84, (84, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00319 488 NtQueryValueKey (84, (84, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00320 488 NtClose (84, ... ) == 0x0 00321 488 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000002"}, ... 84, ) }, ... 84, ) == 0x0 00322 488 NtQueryValueKey (84, (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00323 488 NtQueryValueKey (84, (84, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00324 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00325 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00326 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00327 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00328 488 NtQueryValueKey (84, (84, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (84, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00329 488 NtQueryValueKey (84, (84, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00330 488 NtQueryValueKey (84, (84, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00331 488 NtQueryValueKey (84, (84, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00332 488 NtQueryValueKey (84, (84, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00333 488 NtQueryValueKey (84, (84, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00334 488 NtClose (84, ... ) == 0x0 00335 488 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000003"}, ... 84, ) }, ... 84, ) == 0x0 00336 488 NtQueryValueKey (84, (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00337 488 NtQueryValueKey (84, (84, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00338 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00339 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00340 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00341 488 NtQueryValueKey (84, (84, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00342 488 NtQueryValueKey (84, (84, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (84, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00343 488 NtQueryValueKey (84, (84, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00344 488 NtQueryValueKey (84, (84, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00345 488 NtQueryValueKey (84, (84, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00346 488 NtQueryValueKey (84, (84, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00347 488 NtQueryValueKey (84, (84, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00348 488 NtClose (84, ... ) == 0x0 00349 488 NtClose (80, ... ) == 0x0 00350 488 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 00351 488 NtClose (60, ... ) == 0x0 00352 488 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00353 488 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00354 488 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 60, ) }, ... 60, ) == 0x0 00355 488 NtQueryValueKey (60, (60, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00356 488 NtClose (60, ... ) == 0x0 00357 488 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0 00358 488 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00359 488 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241680, (0x80100080, {24, 0, 0x40, 0, 1241680, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0 00360 488 NtQueryInformationFile (80, 1242616, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00361 488 NtQueryInformationFile (80, 1242588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00362 488 NtQueryInformationFile (80, 1242540, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00363 488 NtQueryInformationFile (80, 1341992, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00364 488 NtQueryInformationFile (80, 1241084, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00365 488 NtQueryInformationFile (80, 1240928, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00366 488 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240936, (0x40110080, {24, 0, 0x40, 0, 1240936, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00367 488 NtClose (-2147482040, ... ) == 0x0 00366 488 NtCreateFile ... 
84, {status=0x0, info=2}, ) == 0x0 00368 488 NtQueryVolumeInformationFile (84, 1240308, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 00369 488 NtQueryInformationFile (84, 1240268, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00370 488 NtQueryVolumeInformationFile (80, 1240308, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00371 488 NtQueryVolumeInformationFile (80, 1239992, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00372 488 NtSetInformationFile (84, 1240096, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00373 488 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0 00374 488 NtMapViewOfSection (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 118784, ) == 0x0 00375 488 NtClose (88, ... ) == 0x0 00376 488 NtWriteFile (84, 0, 0, 0, (84, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 00377 488 NtWriteFile (84, 0, 0, 0, (84, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 56848, 0x0, 0, ... {status=0x0, info=56848}, ) , 56848, 0x0, 0, ... {status=0x0, info=56848}, ) == 0x0 00378 488 NtUnmapViewOfSection (-1, 0x990000, ... ) == 0x0 00379 488 NtSetInformationFile (84, 1242540, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00380 488 NtClose (80, ... ) == 0x0 00381 488 NtClose (84, ... 
) == 0x0 00382 488 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 84, ) }, ... 84, ) == 0x0 00383 488 NtSetValueKey (84, (84, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (84, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00384 488 NtSetInformationFile (-2147482828, -136280268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00385 488 NtSetInformationFile (-2147482828, -136280360, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00386 488 NtSetInformationFile (-2147482828, -136280668, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00383 488 NtSetValueKey ... ) == 0x0 00387 488 NtClose (84, ... ) == 0x0 00388 488 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 84, ) }, 0, ... 84, ) == 0x0 00389 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 00390 488 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 00391 488 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 00392 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 80, {484, 876}, ) == 0x0 00393 488 NtQueryInformationThread (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=484,Tid=876,}, 0x0, ) == 0x0 00394 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} "\0\0\0\0\1\0\1\0C:\WINDOP\0\0\0\344\1\0\0l\3\0\0" ... {28, 56, reply, 0, 484, 488, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\0\0\0\344\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1574, 0} (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} "\0\0\0\0\1\0\1\0C:\WINDOP\0\0\0\344\1\0\0l\3\0\0" ... 
{28, 56, reply, 0, 484, 488, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\0\0\0\344\1\0\0l\3\0\0" ) ) == 0x0 00395 488 NtResumeThread (80, ... 1, ) == 0x0 00396 876 NtTestAlert (... ) == 0x0 00397 876 NtContinue (11074864, 1, ... 00398 876 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00399 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0 00400 876 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 00401 876 NtAllocateVirtualMemory (-1, 11063296, 0, 4096, 4096, 260, ... 00402 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0 00403 488 NtAllocateVirtualMemory (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0 00404 488 NtProtectVirtualMemory (-1, (0xb8e000), 4096, 260, ... (0xb8e000), 4096, 4, ) == 0x0 00405 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 92, {484, 880}, ) == 0x0 00406 488 NtQueryInformationThread (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=484,Tid=880,}, 0x0, ) == 0x0 00407 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1574, 0} (24, {28, 56, new_msg, 0, 484, 488, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\0\0\0\344\1\0\0p\3\0\0" ... ... 00401 876 NtAllocateVirtualMemory ... 11063296, 4096, ) == 0x0 00408 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072060, ... ) }, 11072060, ... ) == 0x0 00409 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00410 876 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 96, ... 00407 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1575, 0} ... {28, 56, reply, 0, 484, 488, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\0\0\0\344\1\0\0p\3\0\0" ) ) == 0x0 00411 488 NtResumeThread (92, ... 1, ) == 0x0 00412 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
12124160, 1048576, ) == 0x0 00413 488 NtAllocateVirtualMemory (-1, 13164544, 0, 8192, 4096, 4, ... 13164544, 8192, ) == 0x0 00414 488 NtProtectVirtualMemory (-1, (0xc8e000), 4096, 260, ... (0xc8e000), 4096, 4, ) == 0x0 00415 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 100, {484, 884}, ) == 0x0 00416 488 NtQueryInformationThread (100, Basic, 28, ... 00410 876 NtCreateSection ... 104, ) == 0x0 00417 880 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00418 876 NtClose (96, ... 00417 880 NtCreateEvent ... 108, ) == 0x0 00418 876 NtClose ... ) == 0x0 00419 880 NtWaitForSingleObject (108, 0, 0x0, ... 00420 876 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc90000), 0x0, 229376, ) == 0x0 00421 876 NtClose (104, ... ) == 0x0 00422 876 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 00423 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072376, ... ) }, 11072376, ... ) == 0x0 00424 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 00416 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=484,Tid=884,}, 0x0, ) == 0x0 00425 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1575, 0} (24, {28, 56, new_msg, 0, 484, 488, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\0\0\0\344\1\0\0t\3\0\0" ... {28, 56, reply, 0, 484, 488, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\0\0\0\344\1\0\0t\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1576, 0} (24, {28, 56, new_msg, 0, 484, 488, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\0\0\0\344\1\0\0t\3\0\0" ... {28, 56, reply, 0, 484, 488, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\0\0\0\344\1\0\0t\3\0\0" ) ) == 0x0 00426 488 NtResumeThread (100, ... 1, ) == 0x0 00427 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13172736, 1048576, ) == 0x0 00428 488 NtAllocateVirtualMemory (-1, 14213120, 0, 8192, 4096, 4, ... 
14213120, 8192, ) == 0x0 00429 488 NtProtectVirtualMemory (-1, (0xd8e000), 4096, 260, ... (0xd8e000), 4096, 4, ) == 0x0 00424 876 NtOpenFile ... 104, {status=0x0, info=1}, ) == 0x0 00430 884 NtWaitForSingleObject (108, 0, 0x0, ... 00431 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 96, ) == 0x0 00432 876 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00433 876 NtClose (104, ... ) == 0x0 00434 876 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 00435 876 NtClose (96, ... ) == 0x0 00436 876 NtQuerySystemInformation (Basic, 44, ... 00437 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 96, {484, 888}, ) == 0x0 00438 488 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=484,Tid=888,}, 0x0, ) == 0x0 00439 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1576, 0} (24, {28, 56, new_msg, 0, 484, 488, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\0\0\0\344\1\0\0x\3\0\0" ... {28, 56, reply, 0, 484, 488, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\0\0\0\344\1\0\0x\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1577, 0} (24, {28, 56, new_msg, 0, 484, 488, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\0\0\0\344\1\0\0x\3\0\0" ... {28, 56, reply, 0, 484, 488, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\0\0\0\344\1\0\0x\3\0\0" ) ) == 0x0 00440 488 NtResumeThread (96, ... 1, ) == 0x0 00441 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14221312, 1048576, ) == 0x0 00442 488 NtAllocateVirtualMemory (-1, 15261696, 0, 8192, 4096, 4, ... 00436 876 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00443 888 NtWaitForSingleObject (108, 0, 0x0, ... 
00444 876 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00445 876 NtSetEventBoostPriority (108, ... 00419 880 NtWaitForSingleObject ... ) == 0x0 00446 880 NtSetEventBoostPriority (108, ... 00430 884 NtWaitForSingleObject ... ) == 0x0 00447 884 NtSetEventBoostPriority (108, ... 00443 888 NtWaitForSingleObject ... ) == 0x0 00448 888 NtTestAlert (... ) == 0x0 00447 884 NtSetEventBoostPriority ... ) == 0x0 00446 880 NtSetEventBoostPriority ... ) == 0x0 00445 876 NtSetEventBoostPriority ... ) == 0x0 00442 488 NtAllocateVirtualMemory ... 15261696, 8192, ) == 0x0 00449 888 NtContinue (14220592, 1, ... 00450 884 NtTestAlert (... 00451 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00452 488 NtProtectVirtualMemory (-1, (0xe8e000), 4096, 260, ... 00453 888 NtRegisterThreadTerminatePort (24, ... 00450 884 NtTestAlert ... ) == 0x0 00454 880 NtTestAlert (... 00452 488 NtProtectVirtualMemory ... (0xe8e000), 4096, 4, ) == 0x0 00453 888 NtRegisterThreadTerminatePort ... ) == 0x0 00455 884 NtContinue (13172016, 1, ... 00454 880 NtTestAlert ... ) == 0x0 00456 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 00457 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00458 884 NtRegisterThreadTerminatePort (24, ... 00459 880 NtContinue (12123440, 1, ... 00456 488 NtCreateThread ... 104, {484, 892}, ) == 0x0 00457 888 NtDuplicateObject ... 112, ) == 0x0 00458 884 NtRegisterThreadTerminatePort ... ) == 0x0 00460 880 NtRegisterThreadTerminatePort (24, ... 00461 488 NtQueryInformationThread (104, Basic, 28, ... 00462 888 NtWaitForSingleObject (72, 0, {0, 0}, ... 00463 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00460 880 NtRegisterThreadTerminatePort ... ) == 0x0 00451 876 NtCreateEvent ... 116, ) == 0x0 00461 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=484,Tid=892,}, 0x0, ) == 0x0 00462 888 NtWaitForSingleObject ... ) == 0x102 00464 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
00465 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071704, ... }, 11071704, ... 00466 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1577, 0} (24, {28, 56, new_msg, 0, 484, 488, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\0\0\0\344\1\0\0|\3\0\0" ... ... 00467 888 NtAllocateVirtualMemory (-1, 14209024, 0, 4096, 4096, 260, ... 00463 884 NtDuplicateObject ... 120, ) == 0x0 00465 876 NtQueryAttributesFile ... ) == 0x0 00466 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1578, 0} ... {28, 56, reply, 0, 484, 488, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\0\0\0\344\1\0\0|\3\0\0" ) ) == 0x0 00467 888 NtAllocateVirtualMemory ... 14209024, 4096, ) == 0x0 00468 884 NtWaitForSingleObject (72, 0, {0, 0}, ... 00469 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 00470 488 NtResumeThread (104, ... 00471 888 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 14216236, ... }, 14216236, ... 00468 884 NtWaitForSingleObject ... ) == 0x102 00469 876 NtOpenKey ... 124, ) == 0x0 00470 488 NtResumeThread ... 1, ) == 0x0 00471 888 NtQueryAttributesFile ... ) == 0x0 00472 884 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00473 876 NtQueryValueKey (124, (124, "Transports", Partial, 144, ... , Partial, 144, ... 00464 880 NtDuplicateObject ... 128, ) == 0x0 00474 892 NtWaitForSingleObject (108, 0, 0x0, ... 00475 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00472 884 NtCreateEvent ... 132, ) == 0x0 00476 888 NtSetEventBoostPriority (108, ... 00477 880 NtWaitForSingleObject (72, 0, {0, 0}, ... 00475 488 NtAllocateVirtualMemory ... 15269888, 1048576, ) == 0x0 00473 876 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 00474 892 NtWaitForSingleObject ... 
) == 0x0 00476 888 NtSetEventBoostPriority ... ) == 0x0 00477 880 NtWaitForSingleObject ... ) == 0x102 00478 488 NtAllocateVirtualMemory (-1, 16310272, 0, 8192, 4096, 4, ... 00479 892 NtTestAlert (... 00480 876 NtQueryValueKey (124, (124, "Transports", Partial, 144, ... , Partial, 144, ... 00481 888 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00482 880 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00479 892 NtTestAlert ... ) == 0x0 00478 488 NtAllocateVirtualMemory ... 16310272, 8192, ) == 0x0 00480 876 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 00481 888 NtCreateEvent ... 136, ) == 0x0 00482 880 NtCreateEvent ... 140, ) == 0x0 00483 884 NtWaitForSingleObject (132, 0, 0x0, ... 00484 488 NtProtectVirtualMemory (-1, (0xf8e000), 4096, 260, ... 00485 876 NtClose (124, ... 00486 888 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00487 892 NtContinue (15269168, 1, ... 00484 488 NtProtectVirtualMemory ... (0xf8e000), 4096, 4, ) == 0x0 00485 876 NtClose ... ) == 0x0 00486 888 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00488 892 NtRegisterThreadTerminatePort (24, ... 00489 880 NtClose (140, ... 00490 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 00491 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 00488 892 NtRegisterThreadTerminatePort ... ) == 0x0 00489 880 NtClose ... ) == 0x0 00492 888 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 14216352, ... }, 14216352, ... 00491 488 NtCreateThread ... 140, {484, 896}, ) == 0x0 00493 892 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00494 880 NtWaitForSingleObject (132, 0, 0x0, ... 00495 488 NtQueryInformationThread (140, Basic, 28, ... 00493 892 NtDuplicateObject ... 124, ) == 0x0 00495 488 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=484,Tid=896,}, 0x0, ) == 0x0 00496 892 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 00497 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1578, 0} (24, {28, 56, new_msg, 0, 484, 488, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\344\1\0\0\200\3\0\0" ... ... 00490 876 NtOpenKey ... 144, ) == 0x0 00498 876 NtQueryValueKey (144, (144, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00499 876 NtCreateEvent (0x100003, 0x0, 1, 0, ... 148, ) == 0x0 00500 876 NtWaitForSingleObject (148, 0, 0x0, ... 00496 892 NtAllocateVirtualMemory ... 1347584, 4096, ) == 0x0 00501 892 NtSetEventBoostPriority (148, ... 00500 876 NtWaitForSingleObject ... ) == 0x0 00502 876 NtQueryValueKey (144, (144, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00503 876 NtQueryValueKey (144, (144, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (144, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 00504 876 NtClose (144, ... ) == 0x0 00505 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 144, ) }, ... 144, ) == 0x0 00506 876 NtQueryValueKey (144, (144, "MinSockaddrLength", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00501 892 NtSetEventBoostPriority ... ) == 0x0 00497 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1579, 0} ... {28, 56, reply, 0, 484, 488, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\344\1\0\0\200\3\0\0" ) ) == 0x0 00507 892 NtWaitForSingleObject (72, 0, {0, 0}, ... 00508 488 NtResumeThread (140, ... 00507 892 NtWaitForSingleObject ... ) == 0x102 00508 488 NtResumeThread ... 1, ) == 0x0 00509 876 NtQueryValueKey (144, (144, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 00510 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00509 876 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00510 488 NtAllocateVirtualMemory ... 16318464, 1048576, ) == 0x0 00511 876 NtQueryValueKey (144, (144, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 00512 488 NtAllocateVirtualMemory (-1, 17358848, 0, 8192, 4096, 4, ... 00511 876 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00513 892 NtWaitForSingleObject (132, 0, 0x0, ... 00514 896 NtWaitForSingleObject (108, 0, 0x0, ... 00515 876 NtQueryValueKey (144, (144, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (144, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00516 876 NtWaitForSingleObject (108, 0, 0x0, ... 00512 488 NtAllocateVirtualMemory ... 17358848, 8192, ) == 0x0 00517 488 NtProtectVirtualMemory (-1, (0x108e000), 4096, 260, ... 
(0x108e000), 4096, 4, ) == 0x0 00518 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 152, {484, 308}, ) == 0x0 00519 488 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=484,Tid=308,}, 0x0, ) == 0x0 00520 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1579, 0} (24, {28, 56, new_msg, 0, 484, 488, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\344\1\0\04\1\0\0" ... {28, 56, reply, 0, 484, 488, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\344\1\0\04\1\0\0" ) ... {28, 56, reply, 0, 484, 488, 1580, 0} (24, {28, 56, new_msg, 0, 484, 488, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\344\1\0\04\1\0\0" ... {28, 56, reply, 0, 484, 488, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\344\1\0\04\1\0\0" ) ) == 0x0 00521 488 NtResumeThread (152, ... 1, ) == 0x0 00522 308 NtWaitForSingleObject (108, 0, 0x0, ... 00523 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17367040, 1048576, ) == 0x0 00524 488 NtAllocateVirtualMemory (-1, 18407424, 0, 8192, 4096, 4, ... 18407424, 8192, ) == 0x0 00525 488 NtProtectVirtualMemory (-1, (0x118e000), 4096, 260, ... (0x118e000), 4096, 4, ) == 0x0 00526 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 156, {484, 912}, ) == 0x0 00527 488 NtQueryInformationThread (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=484,Tid=912,}, 0x0, ) == 0x0 00528 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1580, 0} (24, {28, 56, new_msg, 0, 484, 488, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\344\1\0\0\220\3\0\0" ... {28, 56, reply, 0, 484, 488, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\344\1\0\0\220\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1581, 0} (24, {28, 56, new_msg, 0, 484, 488, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\344\1\0\0\220\3\0\0" ... {28, 56, reply, 0, 484, 488, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\344\1\0\0\220\3\0\0" ) ) == 0x0 00529 488 NtResumeThread (156, ... 
1, ) == 0x0 00530 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18415616, 1048576, ) == 0x0 00531 488 NtAllocateVirtualMemory (-1, 19456000, 0, 8192, 4096, 4, ... 00532 912 NtWaitForSingleObject (108, 0, 0x0, ... 00531 488 NtAllocateVirtualMemory ... 19456000, 8192, ) == 0x0 00533 488 NtProtectVirtualMemory (-1, (0x128e000), 4096, 260, ... (0x128e000), 4096, 4, ) == 0x0 00534 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 160, {484, 904}, ) == 0x0 00535 488 NtQueryInformationThread (160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=484,Tid=904,}, 0x0, ) == 0x0 00536 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1581, 0} (24, {28, 56, new_msg, 0, 484, 488, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\344\1\0\0\210\3\0\0" ... {28, 56, reply, 0, 484, 488, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\344\1\0\0\210\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1582, 0} (24, {28, 56, new_msg, 0, 484, 488, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\344\1\0\0\210\3\0\0" ... {28, 56, reply, 0, 484, 488, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\344\1\0\0\210\3\0\0" ) ) == 0x0 00537 488 NtResumeThread (160, ... 1, ) == 0x0 00538 904 NtWaitForSingleObject (108, 0, 0x0, ... 00539 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19464192, 1048576, ) == 0x0 00540 488 NtAllocateVirtualMemory (-1, 20504576, 0, 8192, 4096, 4, ... 20504576, 8192, ) == 0x0 00541 488 NtProtectVirtualMemory (-1, (0x138e000), 4096, 260, ... (0x138e000), 4096, 4, ) == 0x0 00542 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 164, {484, 920}, ) == 0x0 00543 488 NtQueryInformationThread (164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=484,Tid=920,}, 0x0, ) == 0x0 00544 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1582, 0} (24, {28, 56, new_msg, 0, 484, 488, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\344\1\0\0\230\3\0\0" ... 
{28, 56, reply, 0, 484, 488, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\344\1\0\0\230\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1583, 0} (24, {28, 56, new_msg, 0, 484, 488, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\344\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 484, 488, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\344\1\0\0\230\3\0\0" ) ) == 0x0 00545 488 NtResumeThread (164, ... 1, ) == 0x0 00546 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20512768, 1048576, ) == 0x0 00547 488 NtAllocateVirtualMemory (-1, 21553152, 0, 8192, 4096, 4, ... 00548 920 NtWaitForSingleObject (108, 0, 0x0, ... 00547 488 NtAllocateVirtualMemory ... 21553152, 8192, ) == 0x0 00549 488 NtProtectVirtualMemory (-1, (0x148e000), 4096, 260, ... (0x148e000), 4096, 4, ) == 0x0 00550 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 168, {484, 924}, ) == 0x0 00551 488 NtQueryInformationThread (168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=484,Tid=924,}, 0x0, ) == 0x0 00552 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1583, 0} (24, {28, 56, new_msg, 0, 484, 488, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\344\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 484, 488, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\344\1\0\0\234\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1584, 0} (24, {28, 56, new_msg, 0, 484, 488, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\344\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 484, 488, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\344\1\0\0\234\3\0\0" ) ) == 0x0 00553 488 NtResumeThread (168, ... 1, ) == 0x0 00492 888 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00554 924 NtWaitForSingleObject (108, 0, 0x0, ... 00555 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21561344, 1048576, ) == 0x0 00556 488 NtAllocateVirtualMemory (-1, 22601728, 0, 8192, 4096, 4, ... 22601728, 8192, ) == 0x0 00557 488 NtProtectVirtualMemory (-1, (0x158e000), 4096, 260, ... 
(0x158e000), 4096, 4, ) == 0x0 00558 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 172, {484, 928}, ) == 0x0 00559 488 NtQueryInformationThread (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=484,Tid=928,}, 0x0, ) == 0x0 00560 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1584, 0} (24, {28, 56, new_msg, 0, 484, 488, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\344\1\0\0\240\3\0\0" ... ... 00561 888 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 14216352, ... }, 14216352, ... 00560 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1585, 0} ... {28, 56, reply, 0, 484, 488, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\344\1\0\0\240\3\0\0" ) ) == 0x0 00562 488 NtResumeThread (172, ... 1, ) == 0x0 00563 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22609920, 1048576, ) == 0x0 00564 488 NtAllocateVirtualMemory (-1, 23650304, 0, 8192, 4096, 4, ... 00565 928 NtWaitForSingleObject (108, 0, 0x0, ... 00564 488 NtAllocateVirtualMemory ... 23650304, 8192, ) == 0x0 00566 488 NtProtectVirtualMemory (-1, (0x168e000), 4096, 260, ... (0x168e000), 4096, 4, ) == 0x0 00567 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 176, {484, 932}, ) == 0x0 00568 488 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=484,Tid=932,}, 0x0, ) == 0x0 00569 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1585, 0} (24, {28, 56, new_msg, 0, 484, 488, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\344\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 484, 488, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\344\1\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1586, 0} (24, {28, 56, new_msg, 0, 484, 488, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\344\1\0\0\244\3\0\0" ... 
{28, 56, reply, 0, 484, 488, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\344\1\0\0\244\3\0\0" ) ) == 0x0 00570 488 NtResumeThread (176, ... 1, ) == 0x0 00571 932 NtWaitForSingleObject (108, 0, 0x0, ... 00572 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23658496, 1048576, ) == 0x0 00573 488 NtAllocateVirtualMemory (-1, 24698880, 0, 8192, 4096, 4, ... 24698880, 8192, ) == 0x0 00574 488 NtProtectVirtualMemory (-1, (0x178e000), 4096, 260, ... (0x178e000), 4096, 4, ) == 0x0 00575 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 180, {484, 936}, ) == 0x0 00576 488 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=484,Tid=936,}, 0x0, ) == 0x0 00577 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1586, 0} (24, {28, 56, new_msg, 0, 484, 488, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\344\1\0\0\250\3\0\0" ... {28, 56, reply, 0, 484, 488, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\344\1\0\0\250\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1587, 0} (24, {28, 56, new_msg, 0, 484, 488, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\344\1\0\0\250\3\0\0" ... {28, 56, reply, 0, 484, 488, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\344\1\0\0\250\3\0\0" ) ) == 0x0 00578 488 NtResumeThread (180, ... 1, ) == 0x0 00579 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24707072, 1048576, ) == 0x0 00580 488 NtAllocateVirtualMemory (-1, 25747456, 0, 8192, 4096, 4, ... 00581 936 NtWaitForSingleObject (108, 0, 0x0, ... 00580 488 NtAllocateVirtualMemory ... 25747456, 8192, ) == 0x0 00582 488 NtProtectVirtualMemory (-1, (0x188e000), 4096, 260, ... (0x188e000), 4096, 4, ) == 0x0 00583 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 184, {484, 940}, ) == 0x0 00584 488 NtQueryInformationThread (184, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=484,Tid=940,}, 0x0, ) == 0x0 00585 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1587, 0} (24, {28, 56, new_msg, 0, 484, 488, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\344\1\0\0\254\3\0\0" ... {28, 56, reply, 0, 484, 488, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\344\1\0\0\254\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1588, 0} (24, {28, 56, new_msg, 0, 484, 488, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\344\1\0\0\254\3\0\0" ... {28, 56, reply, 0, 484, 488, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\344\1\0\0\254\3\0\0" ) ) == 0x0 00586 488 NtResumeThread (184, ... 1, ) == 0x0 00587 940 NtWaitForSingleObject (108, 0, 0x0, ... 00588 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25755648, 1048576, ) == 0x0 00589 488 NtAllocateVirtualMemory (-1, 26796032, 0, 8192, 4096, 4, ... 26796032, 8192, ) == 0x0 00590 488 NtProtectVirtualMemory (-1, (0x198e000), 4096, 260, ... (0x198e000), 4096, 4, ) == 0x0 00591 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 188, {484, 944}, ) == 0x0 00592 488 NtQueryInformationThread (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=484,Tid=944,}, 0x0, ) == 0x0 00593 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1588, 0} (24, {28, 56, new_msg, 0, 484, 488, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\344\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 484, 488, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\344\1\0\0\260\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1589, 0} (24, {28, 56, new_msg, 0, 484, 488, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\344\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 484, 488, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\344\1\0\0\260\3\0\0" ) ) == 0x0 00594 488 NtResumeThread (188, ... 1, ) == 0x0 00595 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
26804224, 1048576, ) == 0x0 00596 488 NtAllocateVirtualMemory (-1, 27844608, 0, 8192, 4096, 4, ... 00597 944 NtWaitForSingleObject (108, 0, 0x0, ... 00596 488 NtAllocateVirtualMemory ... 27844608, 8192, ) == 0x0 00598 488 NtProtectVirtualMemory (-1, (0x1a8e000), 4096, 260, ... (0x1a8e000), 4096, 4, ) == 0x0 00599 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 192, {484, 948}, ) == 0x0 00600 488 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=484,Tid=948,}, 0x0, ) == 0x0 00601 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1589, 0} (24, {28, 56, new_msg, 0, 484, 488, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\344\1\0\0\264\3\0\0" ... {28, 56, reply, 0, 484, 488, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\344\1\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1590, 0} (24, {28, 56, new_msg, 0, 484, 488, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\344\1\0\0\264\3\0\0" ... {28, 56, reply, 0, 484, 488, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\344\1\0\0\264\3\0\0" ) ) == 0x0 00602 488 NtResumeThread (192, ... 1, ) == 0x0 00603 948 NtWaitForSingleObject (108, 0, 0x0, ... 00604 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0 00605 488 NtAllocateVirtualMemory (-1, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0 00606 488 NtProtectVirtualMemory (-1, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0 00607 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 196, {484, 952}, ) == 0x0 00608 488 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=484,Tid=952,}, 0x0, ) == 0x0 00609 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1590, 0} (24, {28, 56, new_msg, 0, 484, 488, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\344\1\0\0\270\3\0\0" ... {28, 56, reply, 0, 484, 488, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\344\1\0\0\270\3\0\0" ) ... 
{28, 56, reply, 0, 484, 488, 1591, 0} (24, {28, 56, new_msg, 0, 484, 488, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\344\1\0\0\270\3\0\0" ... {28, 56, reply, 0, 484, 488, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\344\1\0\0\270\3\0\0" ) ) == 0x0 00610 488 NtResumeThread (196, ... 1, ) == 0x0 00611 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28901376, 1048576, ) == 0x0 00612 488 NtAllocateVirtualMemory (-1, 29941760, 0, 8192, 4096, 4, ... 00561 888 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00613 952 NtWaitForSingleObject (108, 0, 0x0, ... 00614 888 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 14216352, ... ) }, 14216352, ... ) == 0x0 00615 888 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 00616 888 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 00617 888 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00618 888 NtClose (200, ... 00612 488 NtAllocateVirtualMemory ... 29941760, 8192, ) == 0x0 00619 488 NtProtectVirtualMemory (-1, (0x1c8e000), 4096, 260, ... (0x1c8e000), 4096, 4, ) == 0x0 00620 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 208, {484, 956}, ) == 0x0 00621 488 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=484,Tid=956,}, 0x0, ) == 0x0 00622 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1591, 0} (24, {28, 56, new_msg, 0, 484, 488, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\344\1\0\0\274\3\0\0" ... {28, 56, reply, 0, 484, 488, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\344\1\0\0\274\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1592, 0} (24, {28, 56, new_msg, 0, 484, 488, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\344\1\0\0\274\3\0\0" ... 
{28, 56, reply, 0, 484, 488, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\344\1\0\0\274\3\0\0" ) ) == 0x0 00623 488 NtResumeThread (208, ... 1, ) == 0x0 00618 888 NtClose ... ) == 0x0 00624 956 NtWaitForSingleObject (108, 0, 0x0, ... 00625 888 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 00626 888 NtClose (204, ... ) == 0x0 00627 888 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 204, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 204, 2, ) , 0, ... 204, 2, ) == 0x0 00628 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 200, ) }, ... 200, ) == 0x0 00629 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00630 888 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... }, ... 00631 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29949952, 1048576, ) == 0x0 00632 488 NtAllocateVirtualMemory (-1, 30990336, 0, 8192, 4096, 4, ... 30990336, 8192, ) == 0x0 00633 488 NtProtectVirtualMemory (-1, (0x1d8e000), 4096, 260, ... (0x1d8e000), 4096, 4, ) == 0x0 00634 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 212, {484, 960}, ) == 0x0 00635 488 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=484,Tid=960,}, 0x0, ) == 0x0 00636 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1592, 0} (24, {28, 56, new_msg, 0, 484, 488, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\344\1\0\0\300\3\0\0" ... ... 00630 888 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00637 888 NtQueryValueKey (200, (200, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00638 888 NtQueryValueKey (204, (204, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00639 888 NtQueryValueKey (200, (200, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ... 00636 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1593, 0} ... {28, 56, reply, 0, 484, 488, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\344\1\0\0\300\3\0\0" ) ) == 0x0 00640 488 NtResumeThread (212, ... 1, ) == 0x0 00641 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30998528, 1048576, ) == 0x0 00642 488 NtAllocateVirtualMemory (-1, 32038912, 0, 8192, 4096, 4, ... 32038912, 8192, ) == 0x0 00643 488 NtProtectVirtualMemory (-1, (0x1e8e000), 4096, 260, ... (0x1e8e000), 4096, 4, ) == 0x0 00644 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 216, {484, 964}, ) == 0x0 00645 488 NtQueryInformationThread (216, Basic, 28, ... 00639 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00646 960 NtWaitForSingleObject (108, 0, 0x0, ... 00647 888 NtQueryValueKey (204, (204, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00648 888 NtQueryValueKey (200, (200, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00649 888 NtQueryValueKey (204, (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00650 888 NtQueryValueKey (200, (200, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00651 888 NtQueryValueKey (204, (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00652 888 NtQueryValueKey (200, (200, "AppendToMultiLabelName", Partial, 144, ... , Partial, 144, ... 00645 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=484,Tid=964,}, 0x0, ) == 0x0 00653 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1593, 0} (24, {28, 56, new_msg, 0, 484, 488, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\344\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 484, 488, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\344\1\0\0\304\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1594, 0} (24, {28, 56, new_msg, 0, 484, 488, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\344\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 484, 488, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\344\1\0\0\304\3\0\0" ) ) == 0x0 00654 488 NtResumeThread (216, ... 1, ) == 0x0 00655 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32047104, 1048576, ) == 0x0 00656 488 NtAllocateVirtualMemory (-1, 33087488, 0, 8192, 4096, 4, ... 33087488, 8192, ) == 0x0 00657 488 NtProtectVirtualMemory (-1, (0x1f8e000), 4096, 260, ... (0x1f8e000), 4096, 4, ) == 0x0 00652 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00658 964 NtWaitForSingleObject (108, 0, 0x0, ... 00659 888 NtQueryValueKey (200, (200, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00660 888 NtQueryValueKey (200, (200, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00661 888 NtQueryValueKey (200, (200, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00662 888 NtQueryValueKey (200, (200, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00663 888 NtQueryValueKey (200, (200, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00664 888 NtQueryValueKey (200, (200, "RegistrationEnabled", Partial, 144, ... 
, Partial, 144, ... 00665 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 220, {484, 968}, ) == 0x0 00666 488 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=484,Tid=968,}, 0x0, ) == 0x0 00667 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1594, 0} (24, {28, 56, new_msg, 0, 484, 488, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\344\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 484, 488, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\344\1\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1595, 0} (24, {28, 56, new_msg, 0, 484, 488, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\344\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 484, 488, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\344\1\0\0\310\3\0\0" ) ) == 0x0 00668 488 NtResumeThread (220, ... 1, ) == 0x0 00669 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33095680, 1048576, ) == 0x0 00670 488 NtAllocateVirtualMemory (-1, 34136064, 0, 8192, 4096, 4, ... 00664 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00671 968 NtWaitForSingleObject (108, 0, 0x0, ... 00672 888 NtQueryValueKey (204, (204, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00673 888 NtQueryValueKey (200, (200, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00674 888 NtQueryValueKey (200, (200, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00675 888 NtQueryValueKey (204, (204, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 888 NtQueryValueKey (200, (200, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 888 NtQueryValueKey (204, (204, "DisableReverseAddressRegistrations", Partial, 144, ... , Partial, 144, ... 00670 488 NtAllocateVirtualMemory ... 
34136064, 8192, ) == 0x0 00678 488 NtProtectVirtualMemory (-1, (0x208e000), 4096, 260, ... (0x208e000), 4096, 4, ) == 0x0 00679 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 224, {484, 972}, ) == 0x0 00680 488 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=484,Tid=972,}, 0x0, ) == 0x0 00681 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1595, 0} (24, {28, 56, new_msg, 0, 484, 488, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\344\1\0\0\314\3\0\0" ... {28, 56, reply, 0, 484, 488, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\344\1\0\0\314\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1596, 0} (24, {28, 56, new_msg, 0, 484, 488, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\344\1\0\0\314\3\0\0" ... {28, 56, reply, 0, 484, 488, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\344\1\0\0\314\3\0\0" ) ) == 0x0 00682 488 NtResumeThread (224, ... 1, ) == 0x0 00677 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00683 972 NtWaitForSingleObject (108, 0, 0x0, ... 00684 888 NtQueryValueKey (200, (200, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00685 888 NtQueryValueKey (204, (204, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00686 888 NtQueryValueKey (200, (200, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00687 888 NtQueryValueKey (204, (204, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00688 888 NtQueryValueKey (200, (200, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00689 888 NtQueryValueKey (204, (204, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ... 00690 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
34144256, 1048576, ) == 0x0 00691 488 NtAllocateVirtualMemory (-1, 35184640, 0, 8192, 4096, 4, ... 35184640, 8192, ) == 0x0 00692 488 NtProtectVirtualMemory (-1, (0x218e000), 4096, 260, ... (0x218e000), 4096, 4, ) == 0x0 00693 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 228, {484, 996}, ) == 0x0 00694 488 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=484,Tid=996,}, 0x0, ) == 0x0 00695 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1596, 0} (24, {28, 56, new_msg, 0, 484, 488, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\344\1\0\0\344\3\0\0" ... ... 00689 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00696 888 NtQueryValueKey (200, (200, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 888 NtQueryValueKey (204, (204, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00698 888 NtQueryValueKey (200, (200, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ... 00695 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1597, 0} ... {28, 56, reply, 0, 484, 488, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\344\1\0\0\344\3\0\0" ) ) == 0x0 00699 488 NtResumeThread (228, ... 1, ) == 0x0 00700 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35192832, 1048576, ) == 0x0 00701 488 NtAllocateVirtualMemory (-1, 36233216, 0, 8192, 4096, 4, ... 36233216, 8192, ) == 0x0 00702 488 NtProtectVirtualMemory (-1, (0x228e000), 4096, 260, ... (0x228e000), 4096, 4, ) == 0x0 00703 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 232, {484, 1000}, ) == 0x0 00704 488 NtQueryInformationThread (232, Basic, 28, ... 00698 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00705 996 NtWaitForSingleObject (108, 0, 0x0, ... 00706 888 NtQueryValueKey (204, (204, "MaxNumberOfAddressesToRegister", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00707 888 NtQueryValueKey (200, (200, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00708 888 NtQueryValueKey (204, (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00709 888 NtQueryValueKey (200, (200, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00710 888 NtQueryValueKey (200, (200, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00711 888 NtQueryValueKey (200, (200, "DnsTest", Partial, 144, ... , Partial, 144, ... 00704 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=484,Tid=1000,}, 0x0, ) == 0x0 00712 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1597, 0} (24, {28, 56, new_msg, 0, 484, 488, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\344\1\0\0\350\3\0\0" ... {28, 56, reply, 0, 484, 488, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\344\1\0\0\350\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1598, 0} (24, {28, 56, new_msg, 0, 484, 488, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\344\1\0\0\350\3\0\0" ... {28, 56, reply, 0, 484, 488, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\344\1\0\0\350\3\0\0" ) ) == 0x0 00713 488 NtResumeThread (232, ... 1, ) == 0x0 00714 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36241408, 1048576, ) == 0x0 00715 488 NtAllocateVirtualMemory (-1, 37281792, 0, 8192, 4096, 4, ... 37281792, 8192, ) == 0x0 00716 488 NtProtectVirtualMemory (-1, (0x238e000), 4096, 260, ... (0x238e000), 4096, 4, ) == 0x0 00711 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00717 1000 NtWaitForSingleObject (108, 0, 0x0, ... 00718 888 NtQueryValueKey (200, (200, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00719 888 NtQueryValueKey (200, (200, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00720 888 NtQueryValueKey (200, (200, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00721 888 NtQueryValueKey (200, (200, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 888 NtQueryValueKey (200, (200, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 888 NtQueryValueKey (200, (200, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ... 00724 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 236, {484, 1020}, ) == 0x0 00725 488 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=484,Tid=1020,}, 0x0, ) == 0x0 00726 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1598, 0} (24, {28, 56, new_msg, 0, 484, 488, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\344\1\0\0\374\3\0\0" ... {28, 56, reply, 0, 484, 488, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\344\1\0\0\374\3\0\0" ) ... {28, 56, reply, 0, 484, 488, 1599, 0} (24, {28, 56, new_msg, 0, 484, 488, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\344\1\0\0\374\3\0\0" ... {28, 56, reply, 0, 484, 488, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\344\1\0\0\374\3\0\0" ) ) == 0x0 00727 488 NtResumeThread (236, ... 1, ) == 0x0 00728 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37289984, 1048576, ) == 0x0 00729 488 NtAllocateVirtualMemory (-1, 38330368, 0, 8192, 4096, 4, ... 00723 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 1020 NtWaitForSingleObject (108, 0, 0x0, ... 00731 888 NtQueryValueKey (200, (200, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00732 888 NtQueryValueKey (200, (200, "MulticastOnNameError", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00733 888 NtQueryValueKey (200, (200, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00734 888 NtQueryValueKey (200, (200, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00735 888 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 240, ) }, ... 240, ) == 0x0 00736 888 NtQueryValueKey (240, (240, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ... 00729 488 NtAllocateVirtualMemory ... 38330368, 8192, ) == 0x0 00737 488 NtProtectVirtualMemory (-1, (0x248e000), 4096, 260, ... (0x248e000), 4096, 4, ) == 0x0 00738 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 244, {484, 1024}, ) == 0x0 00739 488 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=484,Tid=1024,}, 0x0, ) == 0x0 00740 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1599, 0} (24, {28, 56, new_msg, 0, 484, 488, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\344\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 484, 488, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\344\1\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 484, 488, 1600, 0} (24, {28, 56, new_msg, 0, 484, 488, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\344\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 484, 488, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\344\1\0\0\0\4\0\0" ) ) == 0x0 00741 488 NtResumeThread (244, ... 1, ) == 0x0 00736 888 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00742 1024 NtWaitForSingleObject (108, 0, 0x0, ... 00743 888 NtClose (240, ... ) == 0x0 00744 888 NtClose (204, ... ) == 0x0 00745 888 NtClose (200, ... ) == 0x0 00746 888 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 200, ) }, ... 
200, ) == 0x0 00747 888 NtQueryValueKey (200, (200, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00748 888 NtQueryValueKey (200, (200, "DnsQuickQueryTimeouts", Partial, 144, ... , Partial, 144, ... 00749 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38338560, 1048576, ) == 0x0 00750 488 NtAllocateVirtualMemory (-1, 39378944, 0, 8192, 4096, 4, ... 39378944, 8192, ) == 0x0 00751 488 NtProtectVirtualMemory (-1, (0x258e000), 4096, 260, ... (0x258e000), 4096, 4, ) == 0x0 00752 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 204, {484, 1028}, ) == 0x0 00753 488 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=484,Tid=1028,}, 0x0, ) == 0x0 00754 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1600, 0} (24, {28, 56, new_msg, 0, 484, 488, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\344\1\0\0\4\4\0\0" ... ... 00748 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00755 888 NtQueryValueKey (200, (200, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00756 888 NtClose (200, ... ) == 0x0 00757 888 NtSetEventBoostPriority (108, ... 00754 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1601, 0} ... {28, 56, reply, 0, 484, 488, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\344\1\0\0\4\4\0\0" ) ) == 0x0 00758 488 NtResumeThread (204, ... 1, ) == 0x0 00759 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 39387136, 1048576, ) == 0x0 00760 488 NtAllocateVirtualMemory (-1, 40427520, 0, 8192, 4096, 4, ... 40427520, 8192, ) == 0x0 00761 488 NtProtectVirtualMemory (-1, (0x268e000), 4096, 260, ... (0x268e000), 4096, 4, ) == 0x0 00762 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 200, {484, 1008}, ) == 0x0 00763 488 NtQueryInformationThread (200, Basic, 28, ... 00514 896 NtWaitForSingleObject ... ) == 0x0 00757 888 NtSetEventBoostPriority ... 
) == 0x0 00764 1028 NtWaitForSingleObject (108, 0, 0x0, ... 00765 896 NtSetEventBoostPriority (108, ... 00766 888 NtWaitForSingleObject (108, 0, 0x0, ... 00516 876 NtWaitForSingleObject ... ) == 0x0 00765 896 NtSetEventBoostPriority ... ) == 0x0 00767 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072624, ... }, 11072624, ... 00763 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=484,Tid=1008,}, 0x0, ) == 0x0 00767 876 NtQueryAttributesFile ... ) == 0x0 00768 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 00769 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1601, 0} (24, {28, 56, new_msg, 0, 484, 488, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\344\1\0\0\360\3\0\0" ... ... 00770 896 NtTestAlert (... 00769 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1602, 0} ... {28, 56, reply, 0, 484, 488, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\344\1\0\0\360\3\0\0" ) ) == 0x0 00770 896 NtTestAlert ... ) == 0x0 00771 488 NtResumeThread (200, ... 00772 896 NtContinue (16317744, 1, ... 00771 488 NtResumeThread ... 1, ) == 0x0 00773 896 NtRegisterThreadTerminatePort (24, ... 00768 876 NtOpenFile ... 240, {status=0x0, info=1}, ) == 0x0 00774 1008 NtWaitForSingleObject (108, 0, 0x0, ... 00773 896 NtRegisterThreadTerminatePort ... ) == 0x0 00775 876 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 240, ... 00776 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00775 876 NtCreateSection ... 248, ) == 0x0 00777 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00778 876 NtClose (240, ... 00777 488 NtAllocateVirtualMemory ... 40435712, 1048576, ) == 0x0 00778 876 NtClose ... ) == 0x0 00779 488 NtAllocateVirtualMemory (-1, 41476096, 0, 8192, 4096, 4, ... 00780 876 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
00779 488 NtAllocateVirtualMemory ... 41476096, 8192, ) == 0x0 00776 896 NtDuplicateObject ... 240, ) == 0x0 00781 488 NtProtectVirtualMemory (-1, (0x278e000), 4096, 260, ... 00782 896 NtWaitForSingleObject (72, 0, {0, 0}, ... 00781 488 NtProtectVirtualMemory ... (0x278e000), 4096, 4, ) == 0x0 00782 896 NtWaitForSingleObject ... ) == 0x102 00780 876 NtMapViewOfSection ... (0x860000), 0x0, 20480, ) == 0x0 00783 896 NtWaitForSingleObject (132, 0, 0x0, ... 00784 876 NtClose (248, ... ) == 0x0 00785 876 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00786 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072940, ... ) }, 11072940, ... ) == 0x0 00787 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0 00788 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 248, ... 00789 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 252, {484, 1036}, ) == 0x0 00790 488 NtQueryInformationThread (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=484,Tid=1036,}, 0x0, ) == 0x0 00791 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1602, 0} (24, {28, 56, new_msg, 0, 484, 488, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\344\1\0\0\14\4\0\0" ... {28, 56, reply, 0, 484, 488, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\344\1\0\0\14\4\0\0" ) ... {28, 56, reply, 0, 484, 488, 1603, 0} (24, {28, 56, new_msg, 0, 484, 488, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\344\1\0\0\14\4\0\0" ... {28, 56, reply, 0, 484, 488, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\344\1\0\0\14\4\0\0" ) ) == 0x0 00792 488 NtResumeThread (252, ... 1, ) == 0x0 00793 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 41484288, 1048576, ) == 0x0 00794 488 NtAllocateVirtualMemory (-1, 42524672, 0, 8192, 4096, 4, ... 
00788 876 NtCreateSection ... 256, ) == 0x0 00795 1036 NtWaitForSingleObject (108, 0, 0x0, ... 00796 876 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00797 876 NtClose (248, ... ) == 0x0 00798 876 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 00799 876 NtClose (256, ... ) == 0x0 00800 876 NtSetEventBoostPriority (108, ... 00522 308 NtWaitForSingleObject ... ) == 0x0 00801 308 NtSetEventBoostPriority (108, ... 00532 912 NtWaitForSingleObject ... ) == 0x0 00802 912 NtSetEventBoostPriority (108, ... 00538 904 NtWaitForSingleObject ... ) == 0x0 00803 904 NtSetEventBoostPriority (108, ... 00548 920 NtWaitForSingleObject ... ) == 0x0 00804 920 NtSetEventBoostPriority (108, ... 00554 924 NtWaitForSingleObject ... ) == 0x0 00805 924 NtSetEventBoostPriority (108, ... 00565 928 NtWaitForSingleObject ... ) == 0x0 00806 928 NtSetEventBoostPriority (108, ... 00571 932 NtWaitForSingleObject ... ) == 0x0 00807 932 NtSetEventBoostPriority (108, ... 00581 936 NtWaitForSingleObject ... ) == 0x0 00808 936 NtSetEventBoostPriority (108, ... 00587 940 NtWaitForSingleObject ... ) == 0x0 00809 940 NtSetEventBoostPriority (108, ... 00597 944 NtWaitForSingleObject ... ) == 0x0 00810 944 NtAllocateVirtualMemory (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0 00809 940 NtSetEventBoostPriority ... ) == 0x0 00808 936 NtSetEventBoostPriority ... ) == 0x0 00807 932 NtSetEventBoostPriority ... ) == 0x0 00806 928 NtSetEventBoostPriority ... ) == 0x0 00805 924 NtSetEventBoostPriority ... ) == 0x0 00804 920 NtSetEventBoostPriority ... ) == 0x0 00803 904 NtSetEventBoostPriority ... ) == 0x0 00802 912 NtSetEventBoostPriority ... ) == 0x0 00801 308 NtSetEventBoostPriority ... ) == 0x0 00800 876 NtSetEventBoostPriority ... ) == 0x0 00794 488 NtAllocateVirtualMemory ... 42524672, 8192, ) == 0x0 00811 944 NtSetEventBoostPriority (108, ... 00812 940 NtTestAlert (... 00813 936 NtTestAlert (... 
00814 932 NtTestAlert (... 00815 928 NtTestAlert (... 00816 924 NtTestAlert (... 00817 920 NtTestAlert (... 00818 904 NtTestAlert (... 00819 912 NtTestAlert (... 00820 876 NtClose (144, ... 00821 488 NtProtectVirtualMemory (-1, (0x288e000), 4096, 260, ... 00603 948 NtWaitForSingleObject ... ) == 0x0 00811 944 NtSetEventBoostPriority ... ) == 0x0 00812 940 NtTestAlert ... ) == 0x0 00813 936 NtTestAlert ... ) == 0x0 00814 932 NtTestAlert ... ) == 0x0 00815 928 NtTestAlert ... ) == 0x0 00816 924 NtTestAlert ... ) == 0x0 00817 920 NtTestAlert ... ) == 0x0 00818 904 NtTestAlert ... ) == 0x0 00819 912 NtTestAlert ... ) == 0x0 00822 308 NtTestAlert (... 00823 948 NtSetEventBoostPriority (108, ... 00821 488 NtProtectVirtualMemory ... (0x288e000), 4096, 4, ) == 0x0 00824 944 NtTestAlert (... 00825 940 NtContinue (25754928, 1, ... 00826 936 NtContinue (24706352, 1, ... 00827 932 NtContinue (23657776, 1, ... 00828 928 NtContinue (22609200, 1, ... 00829 924 NtContinue (21560624, 1, ... 00830 920 NtContinue (20512048, 1, ... 00831 904 NtContinue (19463472, 1, ... 00832 912 NtContinue (18414896, 1, ... 00613 952 NtWaitForSingleObject ... ) == 0x0 00823 948 NtSetEventBoostPriority ... ) == 0x0 00822 308 NtTestAlert ... ) == 0x0 00833 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 00824 944 NtTestAlert ... ) == 0x0 00834 940 NtRegisterThreadTerminatePort (24, ... 00835 936 NtRegisterThreadTerminatePort (24, ... 00836 932 NtRegisterThreadTerminatePort (24, ... 00837 928 NtRegisterThreadTerminatePort (24, ... 00838 924 NtRegisterThreadTerminatePort (24, ... 00839 920 NtRegisterThreadTerminatePort (24, ... 00840 904 NtRegisterThreadTerminatePort (24, ... 00841 952 NtSetEventBoostPriority (108, ... 00842 912 NtRegisterThreadTerminatePort (24, ... 00820 876 NtClose ... ) == 0x0 00843 308 NtContinue (17366320, 1, ... 00833 488 NtCreateThread ... 144, {484, 1048}, ) == 0x0 00844 944 NtContinue (26803504, 1, ... 00834 940 NtRegisterThreadTerminatePort ... 
) == 0x0 00835 936 NtRegisterThreadTerminatePort ... ) == 0x0 00836 932 NtRegisterThreadTerminatePort ... ) == 0x0 00837 928 NtRegisterThreadTerminatePort ... ) == 0x0 00838 924 NtRegisterThreadTerminatePort ... ) == 0x0 00839 920 NtRegisterThreadTerminatePort ... ) == 0x0 00624 956 NtWaitForSingleObject ... ) == 0x0 00841 952 NtSetEventBoostPriority ... ) == 0x0 00840 904 NtRegisterThreadTerminatePort ... ) == 0x0 00842 912 NtRegisterThreadTerminatePort ... ) == 0x0 00845 876 NtWaitForSingleObject (108, 0, 0x0, ... 00846 308 NtRegisterThreadTerminatePort (24, ... 00847 488 NtQueryInformationThread (144, Basic, 28, ... 00848 944 NtRegisterThreadTerminatePort (24, ... 00849 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00850 936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00851 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00852 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00853 924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00854 956 NtSetEventBoostPriority (108, ... 00855 920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00856 948 NtTestAlert (... 00857 904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00858 912 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00846 308 NtRegisterThreadTerminatePort ... ) == 0x0 00859 952 NtTestAlert (... 00847 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=484,Tid=1048,}, 0x0, ) == 0x0 00848 944 NtRegisterThreadTerminatePort ... ) == 0x0 00849 940 NtDuplicateObject ... 256, ) == 0x0 00850 936 NtDuplicateObject ... 248, ) == 0x0 00851 932 NtDuplicateObject ... 260, ) == 0x0 00852 928 NtDuplicateObject ... 264, ) == 0x0 00646 960 NtWaitForSingleObject ... ) == 0x0 00854 956 NtSetEventBoostPriority ... ) == 0x0 00853 924 NtDuplicateObject ... 268, ) == 0x0 00856 948 NtTestAlert ... ) == 0x0 00855 920 NtDuplicateObject ... 272, ) == 0x0 00857 904 NtDuplicateObject ... 276, ) == 0x0 00860 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00859 952 NtTestAlert ... 
) == 0x0 00861 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1603, 0} (24, {28, 56, new_msg, 0, 484, 488, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\0\0\0\344\1\0\0\30\4\0\0" ... ... 00862 944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00863 940 NtWaitForSingleObject (72, 0, {0, 0}, ... 00864 936 NtWaitForSingleObject (72, 0, {0, 0}, ... 00865 932 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 00866 960 NtSetEventBoostPriority (108, ... 00867 928 NtWaitForSingleObject (148, 0, 0x0, ... 00858 912 NtDuplicateObject ... 280, ) == 0x0 00868 924 NtWaitForSingleObject (148, 0, 0x0, ... 00869 948 NtContinue (27852080, 1, ... 00870 920 NtWaitForSingleObject (148, 0, 0x0, ... 00871 904 NtWaitForSingleObject (148, 0, 0x0, ... 00872 956 NtTestAlert (... 00873 952 NtContinue (28900656, 1, ... 00861 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1604, 0} ... {28, 56, reply, 0, 484, 488, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\0\0\0\344\1\0\0\30\4\0\0" ) ) == 0x0 00862 944 NtDuplicateObject ... 284, ) == 0x0 00863 940 NtWaitForSingleObject ... ) == 0x102 00864 936 NtWaitForSingleObject ... ) == 0x102 00658 964 NtWaitForSingleObject ... ) == 0x0 00866 960 NtSetEventBoostPriority ... ) == 0x0 00865 932 NtAllocateVirtualMemory ... 1351680, 4096, ) == 0x0 00874 912 NtWaitForSingleObject (148, 0, 0x0, ... 00875 948 NtRegisterThreadTerminatePort (24, ... 00872 956 NtTestAlert ... ) == 0x0 00876 952 NtRegisterThreadTerminatePort (24, ... 00877 488 NtResumeThread (144, ... 00878 944 NtWaitForSingleObject (148, 0, 0x0, ... 00879 940 NtWaitForSingleObject (148, 0, 0x0, ... 00880 964 NtSetEventBoostPriority (108, ... 00881 936 NtWaitForSingleObject (148, 0, 0x0, ... 00860 308 NtDuplicateObject ... 288, ) == 0x0 00882 932 NtSetEventBoostPriority (148, ... 00875 948 NtRegisterThreadTerminatePort ... ) == 0x0 00883 956 NtContinue (29949232, 1, ... 00876 952 NtRegisterThreadTerminatePort ... ) == 0x0 00877 488 NtResumeThread ... 
1, ) == 0x0 00671 968 NtWaitForSingleObject ... ) == 0x0 00880 964 NtSetEventBoostPriority ... ) == 0x0 00884 308 NtWaitForSingleObject (148, 0, 0x0, ... 00867 928 NtWaitForSingleObject ... ) == 0x0 00882 932 NtSetEventBoostPriority ... ) == 0x0 00885 948 NtWaitForSingleObject (148, 0, 0x0, ... 00886 956 NtRegisterThreadTerminatePort (24, ... 00887 952 NtWaitForSingleObject (148, 0, 0x0, ... 00888 960 NtTestAlert (... 00889 1048 NtWaitForSingleObject (108, 0, 0x0, ... 00890 968 NtSetEventBoostPriority (108, ... 00891 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00892 928 NtSetEventBoostPriority (148, ... 00893 932 NtWaitForSingleObject (148, 0, 0x0, ... 00894 964 NtTestAlert (... 00886 956 NtRegisterThreadTerminatePort ... ) == 0x0 00888 960 NtTestAlert ... ) == 0x0 00683 972 NtWaitForSingleObject ... ) == 0x0 00890 968 NtSetEventBoostPriority ... ) == 0x0 00868 924 NtWaitForSingleObject ... ) == 0x0 00892 928 NtSetEventBoostPriority ... ) == 0x0 00891 488 NtAllocateVirtualMemory ... 42532864, 1048576, ) == 0x0 00894 964 NtTestAlert ... ) == 0x0 00895 956 NtWaitForSingleObject (148, 0, 0x0, ... 00896 972 NtSetEventBoostPriority (108, ... 00897 960 NtContinue (30997808, 1, ... 00898 924 NtSetEventBoostPriority (148, ... 00899 968 NtTestAlert (... 00900 488 NtAllocateVirtualMemory (-1, 43573248, 0, 8192, 4096, 4, ... 00901 964 NtContinue (32046384, 1, ... 00902 928 NtWaitForSingleObject (148, 0, 0x0, ... 00705 996 NtWaitForSingleObject ... ) == 0x0 00896 972 NtSetEventBoostPriority ... ) == 0x0 00870 920 NtWaitForSingleObject ... ) == 0x0 00898 924 NtSetEventBoostPriority ... ) == 0x0 00903 960 NtRegisterThreadTerminatePort (24, ... 00899 968 NtTestAlert ... ) == 0x0 00900 488 NtAllocateVirtualMemory ... 43573248, 8192, ) == 0x0 00904 964 NtRegisterThreadTerminatePort (24, ... 00905 996 NtSetEventBoostPriority (108, ... 00906 920 NtSetEventBoostPriority (148, ... 00907 972 NtTestAlert (... 00903 960 NtRegisterThreadTerminatePort ... 
) == 0x0 00908 968 NtContinue (33094960, 1, ... 00909 488 NtProtectVirtualMemory (-1, (0x298e000), 4096, 260, ... 00717 1000 NtWaitForSingleObject ... ) == 0x0 00871 904 NtWaitForSingleObject ... ) == 0x0 00906 920 NtSetEventBoostPriority ... ) == 0x0 00905 996 NtSetEventBoostPriority ... ) == 0x0 00904 964 NtRegisterThreadTerminatePort ... ) == 0x0 00907 972 NtTestAlert ... ) == 0x0 00910 960 NtWaitForSingleObject (148, 0, 0x0, ... 00911 968 NtRegisterThreadTerminatePort (24, ... 00912 1000 NtSetEventBoostPriority (108, ... 00913 904 NtSetEventBoostPriority (148, ... 00909 488 NtProtectVirtualMemory ... (0x298e000), 4096, 4, ) == 0x0 00914 924 NtWaitForSingleObject (148, 0, 0x0, ... 00915 920 NtWaitForSingleObject (148, 0, 0x0, ... 00916 964 NtWaitForSingleObject (148, 0, 0x0, ... 00917 972 NtContinue (34143536, 1, ... 00918 996 NtTestAlert (... 00730 1020 NtWaitForSingleObject ... ) == 0x0 00874 912 NtWaitForSingleObject ... ) == 0x0 00913 904 NtSetEventBoostPriority ... ) == 0x0 00912 1000 NtSetEventBoostPriority ... ) == 0x0 00911 968 NtRegisterThreadTerminatePort ... ) == 0x0 00919 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 00920 972 NtRegisterThreadTerminatePort (24, ... 00921 1020 NtSetEventBoostPriority (108, ... 00922 912 NtSetEventBoostPriority (148, ... 00918 996 NtTestAlert ... ) == 0x0 00923 904 NtWaitForSingleObject (148, 0, 0x0, ... 00924 968 NtWaitForSingleObject (148, 0, 0x0, ... 00919 488 NtCreateThread ... 292, {484, 1056}, ) == 0x0 00742 1024 NtWaitForSingleObject ... ) == 0x0 00878 944 NtWaitForSingleObject ... ) == 0x0 00922 912 NtSetEventBoostPriority ... ) == 0x0 00921 1020 NtSetEventBoostPriority ... ) == 0x0 00920 972 NtRegisterThreadTerminatePort ... ) == 0x0 00925 996 NtContinue (35192112, 1, ... 00926 1000 NtTestAlert (... 00927 1024 NtSetEventBoostPriority (108, ... 00928 944 NtSetEventBoostPriority (148, ... 00929 488 NtQueryInformationThread (292, Basic, 28, ... 00930 912 NtWaitForSingleObject (148, 0, 0x0, ... 
00931 972 NtWaitForSingleObject (148, 0, 0x0, ... 00932 996 NtRegisterThreadTerminatePort (24, ... 00764 1028 NtWaitForSingleObject ... ) == 0x0 00879 940 NtWaitForSingleObject ... ) == 0x0 00928 944 NtSetEventBoostPriority ... ) == 0x0 00927 1024 NtSetEventBoostPriority ... ) == 0x0 00926 1000 NtTestAlert ... ) == 0x0 00929 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=484,Tid=1056,}, 0x0, ) == 0x0 00933 1020 NtTestAlert (... 00934 1028 NtSetEventBoostPriority (108, ... 00935 940 NtSetEventBoostPriority (148, ... 00932 996 NtRegisterThreadTerminatePort ... ) == 0x0 00936 944 NtWaitForSingleObject (148, 0, 0x0, ... 00937 1000 NtContinue (36240688, 1, ... 00938 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1604, 0} (24, {28, 56, new_msg, 0, 484, 488, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\344\1\0\0 \4\0\0" ... ... 00766 888 NtWaitForSingleObject ... ) == 0x0 00881 936 NtWaitForSingleObject ... ) == 0x0 00935 940 NtSetEventBoostPriority ... ) == 0x0 00934 1028 NtSetEventBoostPriority ... ) == 0x0 00933 1020 NtTestAlert ... ) == 0x0 00939 996 NtWaitForSingleObject (148, 0, 0x0, ... 00940 1000 NtRegisterThreadTerminatePort (24, ... 00941 888 NtSetEventBoostPriority (108, ... 00942 936 NtSetEventBoostPriority (148, ... 00938 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1605, 0} ... {28, 56, reply, 0, 484, 488, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\344\1\0\0 \4\0\0" ) ) == 0x0 00943 1024 NtTestAlert (... 00944 940 NtWaitForSingleObject (132, 0, 0x0, ... 00945 1020 NtContinue (37289264, 1, ... 00946 1028 NtTestAlert (... 00774 1008 NtWaitForSingleObject ... ) == 0x0 00884 308 NtWaitForSingleObject ... ) == 0x0 00942 936 NtSetEventBoostPriority ... ) == 0x0 00941 888 NtSetEventBoostPriority ... ) == 0x0 00940 1000 NtRegisterThreadTerminatePort ... ) == 0x0 00947 488 NtResumeThread (292, ... 00943 1024 NtTestAlert ... ) == 0x0 00948 1020 NtRegisterThreadTerminatePort (24, ... 
00949 1008 NtSetEventBoostPriority (108, ... 00950 308 NtSetEventBoostPriority (148, ... 00946 1028 NtTestAlert ... ) == 0x0 00951 936 NtWaitForSingleObject (132, 0, 0x0, ... 00952 1000 NtWaitForSingleObject (148, 0, 0x0, ... 00947 488 NtResumeThread ... 1, ) == 0x0 00953 1024 NtContinue (38337840, 1, ... 00795 1036 NtWaitForSingleObject ... ) == 0x0 00885 948 NtWaitForSingleObject ... ) == 0x0 00950 308 NtSetEventBoostPriority ... ) == 0x0 00949 1008 NtSetEventBoostPriority ... ) == 0x0 00948 1020 NtRegisterThreadTerminatePort ... ) == 0x0 00954 1028 NtContinue (39386416, 1, ... 00955 888 NtWaitForSingleObject (148, 0, 0x0, ... 00956 1056 NtWaitForSingleObject (108, 0, 0x0, ... 00957 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00958 1036 NtSetEventBoostPriority (108, ... 00959 948 NtSetEventBoostPriority (148, ... 00960 1024 NtRegisterThreadTerminatePort (24, ... 00961 308 NtWaitForSingleObject (148, 0, 0x0, ... 00962 1020 NtWaitForSingleObject (148, 0, 0x0, ... 00963 1028 NtRegisterThreadTerminatePort (24, ... 00845 876 NtWaitForSingleObject ... ) == 0x0 00887 952 NtWaitForSingleObject ... ) == 0x0 00958 1036 NtSetEventBoostPriority ... ) == 0x0 00957 488 NtAllocateVirtualMemory ... 43581440, 1048576, ) == 0x0 00960 1024 NtRegisterThreadTerminatePort ... ) == 0x0 00959 948 NtSetEventBoostPriority ... ) == 0x0 00964 1008 NtTestAlert (... 00965 876 NtSetEventBoostPriority (108, ... 00963 1028 NtRegisterThreadTerminatePort ... ) == 0x0 00966 952 NtSetEventBoostPriority (148, ... 00967 488 NtAllocateVirtualMemory (-1, 44621824, 0, 8192, 4096, 4, ... 00968 1024 NtWaitForSingleObject (148, 0, 0x0, ... 00969 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00889 1048 NtWaitForSingleObject ... ) == 0x0 00965 876 NtSetEventBoostPriority ... ) == 0x0 00964 1008 NtTestAlert ... ) == 0x0 00970 1028 NtWaitForSingleObject (148, 0, 0x0, ... 00893 932 NtWaitForSingleObject ... ) == 0x0 00966 952 NtSetEventBoostPriority ... ) == 0x0 00971 1036 NtTestAlert (... 
00967 488 NtAllocateVirtualMemory ... 44621824, 8192, ) == 0x0 00972 1048 NtSetEventBoostPriority (108, ... 00969 948 NtDuplicateObject ... 296, ) == 0x0 00973 1008 NtContinue (40434992, 1, ... 00974 876 NtWaitForSingleObject (108, 0, 0x0, ... 00975 932 NtSetEventBoostPriority (148, ... 00976 952 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00971 1036 NtTestAlert ... ) == 0x0 00956 1056 NtWaitForSingleObject ... ) == 0x0 00972 1048 NtSetEventBoostPriority ... ) == 0x0 00977 488 NtProtectVirtualMemory (-1, (0x2a8e000), 4096, 260, ... 00978 1008 NtRegisterThreadTerminatePort (24, ... 00902 928 NtWaitForSingleObject ... ) == 0x0 00976 952 NtDuplicateObject ... 300, ) == 0x0 00979 1056 NtSetEventBoostPriority (108, ... 00980 1036 NtContinue (41483568, 1, ... 00975 932 NtSetEventBoostPriority ... ) == 0x0 00981 948 NtWaitForSingleObject (148, 0, 0x0, ... 00977 488 NtProtectVirtualMemory ... (0x2a8e000), 4096, 4, ) == 0x0 00978 1008 NtRegisterThreadTerminatePort ... ) == 0x0 00982 928 NtSetEventBoostPriority (148, ... 00983 1048 NtTestAlert (... 00974 876 NtWaitForSingleObject ... ) == 0x0 00979 1056 NtSetEventBoostPriority ... ) == 0x0 00984 1036 NtRegisterThreadTerminatePort (24, ... 00985 932 NtWaitForSingleObject (148, 0, 0x0, ... 00986 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 00987 1008 NtWaitForSingleObject (148, 0, 0x0, ... 00895 956 NtWaitForSingleObject ... ) == 0x0 00982 928 NtSetEventBoostPriority ... ) == 0x0 00988 876 NtWaitForSingleObject (148, 0, 0x0, ... 00983 1048 NtTestAlert ... ) == 0x0 00989 952 NtWaitForSingleObject (148, 0, 0x0, ... 00984 1036 NtRegisterThreadTerminatePort ... ) == 0x0 00986 488 NtCreateThread ... 304, {484, 1072}, ) == 0x0 00990 1056 NtTestAlert (... 00991 956 NtSetEventBoostPriority (148, ... 00992 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00993 1048 NtContinue (42532144, 1, ... 00994 1036 NtWaitForSingleObject (148, 0, 0x0, ... 00995 488 NtQueryInformationThread (304, Basic, 28, ... 
00910 960 NtWaitForSingleObject ... ) == 0x0 00990 1056 NtTestAlert ... ) == 0x0 00991 956 NtSetEventBoostPriority ... ) == 0x0 00996 1048 NtRegisterThreadTerminatePort (24, ... 00992 928 NtCreateEvent ... 308, ) == 0x0 00997 960 NtSetEventBoostPriority (148, ... 00998 1056 NtContinue (43580720, 1, ... 00999 956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00996 1048 NtRegisterThreadTerminatePort ... ) == 0x0 01000 928 NtWaitForSingleObject (308, 0, 0x0, ... 00914 924 NtWaitForSingleObject ... ) == 0x0 01001 1056 NtRegisterThreadTerminatePort (24, ... 00999 956 NtDuplicateObject ... 312, ) == 0x0 01002 1048 NtWaitForSingleObject (148, 0, 0x0, ... 01003 924 NtSetEventBoostPriority (148, ... 01001 1056 NtRegisterThreadTerminatePort ... ) == 0x0 00997 960 NtSetEventBoostPriority ... ) == 0x0 00995 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=484,Tid=1072,}, 0x0, ) == 0x0 01004 956 NtWaitForSingleObject (148, 0, 0x0, ... 00915 920 NtWaitForSingleObject ... ) == 0x0 01003 924 NtSetEventBoostPriority ... ) == 0x0 01005 1056 NtWaitForSingleObject (148, 0, 0x0, ... 01006 960 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01007 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1605, 0} (24, {28, 56, new_msg, 0, 484, 488, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\344\1\0\00\4\0\0" ... ... 01008 920 NtSetEventBoostPriority (148, ... 01009 924 NtWaitForSingleObject (308, 0, 0x0, ... 01006 960 NtDuplicateObject ... 316, ) == 0x0 00916 964 NtWaitForSingleObject ... ) == 0x0 01008 920 NtSetEventBoostPriority ... ) == 0x0 01007 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1606, 0} ... {28, 56, reply, 0, 484, 488, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\344\1\0\00\4\0\0" ) ) == 0x0 01010 964 NtSetEventBoostPriority (148, ... 01011 920 NtWaitForSingleObject (308, 0, 0x0, ... 00923 904 NtWaitForSingleObject ... ) == 0x0 01012 488 NtResumeThread (304, ... 01010 964 NtSetEventBoostPriority ... 
) == 0x0 01013 960 NtWaitForSingleObject (148, 0, 0x0, ... 01014 904 NtSetEventBoostPriority (148, ... 01012 488 NtResumeThread ... 1, ) == 0x0 01015 964 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00924 968 NtWaitForSingleObject ... ) == 0x0 01014 904 NtSetEventBoostPriority ... ) == 0x0 01016 1072 NtTestAlert (... 01017 968 NtSetEventBoostPriority (148, ... 01015 964 NtDuplicateObject ... 320, ) == 0x0 01018 904 NtWaitForSingleObject (308, 0, 0x0, ... 00930 912 NtWaitForSingleObject ... ) == 0x0 01016 1072 NtTestAlert ... ) == 0x0 01017 968 NtSetEventBoostPriority ... ) == 0x0 01019 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01020 964 NtWaitForSingleObject (148, 0, 0x0, ... 01021 912 NtSetEventBoostPriority (148, ... 01022 1072 NtContinue (44629296, 1, ... 01023 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01019 488 NtAllocateVirtualMemory ... 44630016, 1048576, ) == 0x0 00931 972 NtWaitForSingleObject ... ) == 0x0 01021 912 NtSetEventBoostPriority ... ) == 0x0 01024 1072 NtRegisterThreadTerminatePort (24, ... 01023 968 NtDuplicateObject ... 324, ) == 0x0 01025 972 NtSetEventBoostPriority (148, ... 01026 488 NtAllocateVirtualMemory (-1, 45670400, 0, 8192, 4096, 4, ... 01027 912 NtWaitForSingleObject (308, 0, 0x0, ... 01024 1072 NtRegisterThreadTerminatePort ... ) == 0x0 00936 944 NtWaitForSingleObject ... ) == 0x0 01026 488 NtAllocateVirtualMemory ... 45670400, 8192, ) == 0x0 01025 972 NtSetEventBoostPriority ... ) == 0x0 01028 968 NtWaitForSingleObject (148, 0, 0x0, ... 01029 944 NtSetEventBoostPriority (148, ... 01030 488 NtProtectVirtualMemory (-1, (0x2b8e000), 4096, 260, ... 01031 972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00939 996 NtWaitForSingleObject ... ) == 0x0 01029 944 NtSetEventBoostPriority ... ) == 0x0 01030 488 NtProtectVirtualMemory ... (0x2b8e000), 4096, 4, ) == 0x0 01032 996 NtSetEventBoostPriority (148, ... 01031 972 NtDuplicateObject ... 328, ) == 0x0 01033 944 NtWaitForSingleObject (308, 0, 0x0, ... 
01034 1072 NtWaitForSingleObject (148, 0, 0x0, ... 00952 1000 NtWaitForSingleObject ... ) == 0x0 01032 996 NtSetEventBoostPriority ... ) == 0x0 01035 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01036 972 NtWaitForSingleObject (148, 0, 0x0, ... 01037 1000 NtSetEventBoostPriority (148, ... 01038 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01035 488 NtCreateThread ... 332, {484, 1076}, ) == 0x0 00955 888 NtWaitForSingleObject ... ) == 0x0 01038 996 NtDuplicateObject ... 336, ) == 0x0 01039 488 NtQueryInformationThread (332, Basic, 28, ... 01040 888 NtSetEventBoostPriority (148, ... 01037 1000 NtSetEventBoostPriority ... ) == 0x0 01039 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=484,Tid=1076,}, 0x0, ) == 0x0 00961 308 NtWaitForSingleObject ... ) == 0x0 01040 888 NtSetEventBoostPriority ... ) == 0x0 01041 1000 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01042 308 NtSetEventBoostPriority (148, ... 01043 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1606, 0} (24, {28, 56, new_msg, 0, 484, 488, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\1\0\0\344\1\0\04\4\0\0" ... ... 01044 888 NtWaitForSingleObject (148, 0, 0x0, ... 00962 1020 NtWaitForSingleObject ... ) == 0x0 01042 308 NtSetEventBoostPriority ... ) == 0x0 01041 1000 NtDuplicateObject ... 340, ) == 0x0 01043 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1607, 0} ... {28, 56, reply, 0, 484, 488, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\1\0\0\344\1\0\04\4\0\0" ) ) == 0x0 01045 996 NtWaitForSingleObject (148, 0, 0x0, ... 01046 1020 NtSetEventBoostPriority (148, ... 01047 308 NtWaitForSingleObject (308, 0, 0x0, ... 01048 488 NtResumeThread (332, ... 00968 1024 NtWaitForSingleObject ... ) == 0x0 01046 1020 NtSetEventBoostPriority ... ) == 0x0 01049 1000 NtWaitForSingleObject (148, 0, 0x0, ... 01048 488 NtResumeThread ... 1, ) == 0x0 01050 1024 NtSetEventBoostPriority (148, ... 01051 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01052 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00970 1028 NtWaitForSingleObject ... ) == 0x0 01051 1020 NtDuplicateObject ... 344, ) == 0x0 01052 488 NtAllocateVirtualMemory ... 45678592, 1048576, ) == 0x0 01053 1028 NtSetEventBoostPriority (148, ... 01050 1024 NtSetEventBoostPriority ... ) == 0x0 01054 1076 NtTestAlert (... 01055 488 NtAllocateVirtualMemory (-1, 46718976, 0, 8192, 4096, 4, ... 00981 948 NtWaitForSingleObject ... ) == 0x0 01056 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01054 1076 NtTestAlert ... ) == 0x0 01053 1028 NtSetEventBoostPriority ... ) == 0x0 01057 1020 NtWaitForSingleObject (148, 0, 0x0, ... 01058 948 NtSetEventBoostPriority (148, ... 01056 1024 NtDuplicateObject ... 348, ) == 0x0 01059 1076 NtContinue (45677872, 1, ... 01060 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00985 932 NtWaitForSingleObject ... ) == 0x0 01058 948 NtSetEventBoostPriority ... ) == 0x0 01055 488 NtAllocateVirtualMemory ... 46718976, 8192, ) == 0x0 01061 1076 NtRegisterThreadTerminatePort (24, ... 01062 932 NtSetEventBoostPriority (148, ... 01060 1028 NtDuplicateObject ... 352, ) == 0x0 01063 948 NtWaitForSingleObject (148, 0, 0x0, ... 01064 488 NtProtectVirtualMemory (-1, (0x2c8e000), 4096, 260, ... 00988 876 NtWaitForSingleObject ... ) == 0x0 01062 932 NtSetEventBoostPriority ... ) == 0x0 01061 1076 NtRegisterThreadTerminatePort ... ) == 0x0 01065 1024 NtWaitForSingleObject (148, 0, 0x0, ... 01066 1028 NtWaitForSingleObject (148, 0, 0x0, ... 01067 876 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 01064 488 NtProtectVirtualMemory ... (0x2c8e000), 4096, 4, ) == 0x0 01068 932 NtSetEventBoostPriority (308, ... 01067 876 NtAllocateVirtualMemory ... 1355776, 4096, ) == 0x0 01069 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01000 928 NtWaitForSingleObject ... ) == 0x0 01068 932 NtSetEventBoostPriority ... ) == 0x0 01070 1076 NtWaitForSingleObject (148, 0, 0x0, ... 
01071 928 NtSetEventBoostPriority (308, ... 01069 488 NtCreateThread ... 356, {484, 1084}, ) == 0x0 01072 932 NtWaitForSingleObject (72, 0, {0, 0}, ... 01009 924 NtWaitForSingleObject ... ) == 0x0 01071 928 NtSetEventBoostPriority ... ) == 0x0 01073 488 NtQueryInformationThread (356, Basic, 28, ... 01074 924 NtWaitForSingleObject (148, 0, 0x0, ... 01072 932 NtWaitForSingleObject ... ) == 0x102 01075 876 NtSetEventBoostPriority (148, ... 01076 928 NtWaitForSingleObject (72, 0, {0, 0}, ... 01077 932 NtWaitForSingleObject (148, 0, 0x0, ... 00989 952 NtWaitForSingleObject ... ) == 0x0 01075 876 NtSetEventBoostPriority ... ) == 0x0 01076 928 NtWaitForSingleObject ... ) == 0x102 01073 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=484,Tid=1084,}, 0x0, ) == 0x0 01078 952 NtSetEventBoostPriority (148, ... 01079 876 NtWaitForSingleObject (308, 0, 0x0, ... 01080 928 NtWaitForSingleObject (148, 0, 0x0, ... 00987 1008 NtWaitForSingleObject ... ) == 0x0 01078 952 NtSetEventBoostPriority ... ) == 0x0 01081 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1607, 0} (24, {28, 56, new_msg, 0, 484, 488, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\344\1\0\0<\4\0\0" ... ... 01082 1008 NtSetEventBoostPriority (148, ... 01083 952 NtWaitForSingleObject (148, 0, 0x0, ... 00994 1036 NtWaitForSingleObject ... ) == 0x0 01081 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1608, 0} ... {28, 56, reply, 0, 484, 488, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\344\1\0\0<\4\0\0" ) ) == 0x0 01082 1008 NtSetEventBoostPriority ... ) == 0x0 01084 1036 NtSetEventBoostPriority (148, ... 01085 488 NtResumeThread (356, ... 01086 1008 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01004 956 NtWaitForSingleObject ... ) == 0x0 01085 488 NtResumeThread ... 1, ) == 0x0 01086 1008 NtDuplicateObject ... 360, ) == 0x0 01087 956 NtSetEventBoostPriority (148, ... 01084 1036 NtSetEventBoostPriority ... ) == 0x0 01088 1084 NtTestAlert (... 
01089 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01002 1048 NtWaitForSingleObject ... ) == 0x0 01087 956 NtSetEventBoostPriority ... ) == 0x0 01090 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01088 1084 NtTestAlert ... ) == 0x0 01091 1048 NtSetEventBoostPriority (148, ... 01089 488 NtAllocateVirtualMemory ... 46727168, 1048576, ) == 0x0 01092 956 NtWaitForSingleObject (148, 0, 0x0, ... 01090 1036 NtDuplicateObject ... 364, ) == 0x0 01005 1056 NtWaitForSingleObject ... ) == 0x0 01093 1084 NtContinue (46726448, 1, ... 01094 488 NtAllocateVirtualMemory (-1, 47767552, 0, 8192, 4096, 4, ... 01091 1048 NtSetEventBoostPriority ... ) == 0x0 01095 1008 NtWaitForSingleObject (148, 0, 0x0, ... 01096 1056 NtSetEventBoostPriority (148, ... 01097 1084 NtRegisterThreadTerminatePort (24, ... 01094 488 NtAllocateVirtualMemory ... 47767552, 8192, ) == 0x0 01098 1048 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01013 960 NtWaitForSingleObject ... ) == 0x0 01097 1084 NtRegisterThreadTerminatePort ... ) == 0x0 01099 488 NtProtectVirtualMemory (-1, (0x2d8e000), 4096, 260, ... 01098 1048 NtDuplicateObject ... 368, ) == 0x0 01100 960 NtSetEventBoostPriority (148, ... 01096 1056 NtSetEventBoostPriority ... ) == 0x0 01101 1036 NtWaitForSingleObject (148, 0, 0x0, ... 01099 488 NtProtectVirtualMemory ... (0x2d8e000), 4096, 4, ) == 0x0 01102 1084 NtWaitForSingleObject (148, 0, 0x0, ... 01020 964 NtWaitForSingleObject ... ) == 0x0 01100 960 NtSetEventBoostPriority ... ) == 0x0 01103 1056 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01104 1048 NtWaitForSingleObject (148, 0, 0x0, ... 01105 964 NtSetEventBoostPriority (148, ... 01106 960 NtWaitForSingleObject (148, 0, 0x0, ... 01103 1056 NtDuplicateObject ... 372, ) == 0x0 01028 968 NtWaitForSingleObject ... ) == 0x0 01105 964 NtSetEventBoostPriority ... ) == 0x0 01107 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01108 968 NtSetEventBoostPriority (148, ... 
01109 964 NtWaitForSingleObject (148, 0, 0x0, ... 01034 1072 NtWaitForSingleObject ... ) == 0x0 01108 968 NtSetEventBoostPriority ... ) == 0x0 01107 488 NtCreateThread ... 376, {484, 1012}, ) == 0x0 01110 1056 NtWaitForSingleObject (148, 0, 0x0, ... 01111 1072 NtSetEventBoostPriority (148, ... 01112 968 NtWaitForSingleObject (148, 0, 0x0, ... 01113 488 NtQueryInformationThread (376, Basic, 28, ... 01036 972 NtWaitForSingleObject ... ) == 0x0 01111 1072 NtSetEventBoostPriority ... ) == 0x0 01114 972 NtSetEventBoostPriority (148, ... 01113 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=484,Tid=1012,}, 0x0, ) == 0x0 01044 888 NtWaitForSingleObject ... ) == 0x0 01114 972 NtSetEventBoostPriority ... ) == 0x0 01115 1072 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01116 888 NtSetEventBoostPriority (148, ... 01117 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1608, 0} (24, {28, 56, new_msg, 0, 484, 488, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\344\1\0\0\364\3\0\0" ... ... 01118 972 NtWaitForSingleObject (148, 0, 0x0, ... 01045 996 NtWaitForSingleObject ... ) == 0x0 01117 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1609, 0} ... {28, 56, reply, 0, 484, 488, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\344\1\0\0\364\3\0\0" ) ) == 0x0 01116 888 NtSetEventBoostPriority ... ) == 0x0 01115 1072 NtDuplicateObject ... 380, ) == 0x0 01119 996 NtSetEventBoostPriority (148, ... 01120 488 NtResumeThread (376, ... 01121 888 NtQuerySystemInformation (Basic, 44, ... 01122 1072 NtWaitForSingleObject (148, 0, 0x0, ... 01049 1000 NtWaitForSingleObject ... ) == 0x0 01119 996 NtSetEventBoostPriority ... ) == 0x0 01120 488 NtResumeThread ... 1, ) == 0x0 01121 888 NtQuerySystemInformation ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01123 1000 NtSetEventBoostPriority (148, ... 01124 996 NtWaitForSingleObject (148, 0, 0x0, ... 01125 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01126 1012 NtTestAlert (... 01057 1020 NtWaitForSingleObject ... ) == 0x0 01123 1000 NtSetEventBoostPriority ... ) == 0x0 01127 888 NtWaitForSingleObject (308, 0, 0x0, ... 01125 488 NtAllocateVirtualMemory ... 47775744, 1048576, ) == 0x0 01128 1020 NtSetEventBoostPriority (148, ... 01126 1012 NtTestAlert ... ) == 0x0 01129 1000 NtWaitForSingleObject (148, 0, 0x0, ... 01063 948 NtWaitForSingleObject ... ) == 0x0 01128 1020 NtSetEventBoostPriority ... ) == 0x0 01130 488 NtAllocateVirtualMemory (-1, 48816128, 0, 8192, 4096, 4, ... 01131 1012 NtContinue (47775024, 1, ... 01132 948 NtSetEventBoostPriority (148, ... 01133 1020 NtWaitForSingleObject (148, 0, 0x0, ... 01065 1024 NtWaitForSingleObject ... ) == 0x0 01134 1012 NtRegisterThreadTerminatePort (24, ... 01132 948 NtSetEventBoostPriority ... ) == 0x0 01130 488 NtAllocateVirtualMemory ... 48816128, 8192, ) == 0x0 01135 1024 NtSetEventBoostPriority (148, ... 01134 1012 NtRegisterThreadTerminatePort ... ) == 0x0 01136 948 NtWaitForSingleObject (308, 0, 0x0, ... 01137 488 NtProtectVirtualMemory (-1, (0x2e8e000), 4096, 260, ... 01066 1028 NtWaitForSingleObject ... ) == 0x0 01135 1024 NtSetEventBoostPriority ... ) == 0x0 01138 1028 NtSetEventBoostPriority (148, ... 01137 488 NtProtectVirtualMemory ... (0x2e8e000), 4096, 4, ) == 0x0 01070 1076 NtWaitForSingleObject ... ) == 0x0 01138 1028 NtSetEventBoostPriority ... ) == 0x0 01139 1024 NtWaitForSingleObject (148, 0, 0x0, ... 01140 1076 NtSetEventBoostPriority (148, ... 01141 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 
01142 1028 NtWaitForSingleObject (148, 0, 0x0, ... 01143 1012 NtWaitForSingleObject (148, 0, 0x0, ... 01074 924 NtWaitForSingleObject ... ) == 0x0 01140 1076 NtSetEventBoostPriority ... ) == 0x0 01141 488 NtCreateThread ... 384, {484, 1088}, ) == 0x0 01144 924 NtSetEventBoostPriority (148, ... 01145 1076 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01080 928 NtWaitForSingleObject ... ) == 0x0 01146 488 NtQueryInformationThread (384, Basic, 28, ... 01144 924 NtSetEventBoostPriority ... ) == 0x0 01147 928 NtSetEventBoostPriority (148, ... 01145 1076 NtDuplicateObject ... 388, ) == 0x0 01146 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=484,Tid=1088,}, 0x0, ) == 0x0 01077 932 NtWaitForSingleObject ... ) == 0x0 01147 928 NtSetEventBoostPriority ... ) == 0x0 01148 1076 NtWaitForSingleObject (148, 0, 0x0, ... 01149 932 NtSetEventBoostPriority (148, ... 01150 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1609, 0} (24, {28, 56, new_msg, 0, 484, 488, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\344\1\0\0@\4\0\0" ... ... 01151 924 NtSetEventBoostPriority (308, ... 01083 952 NtWaitForSingleObject ... ) == 0x0 01150 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1610, 0} ... {28, 56, reply, 0, 484, 488, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\344\1\0\0@\4\0\0" ) ) == 0x0 01011 920 NtWaitForSingleObject ... ) == 0x0 01151 924 NtSetEventBoostPriority ... ) == 0x0 01152 952 NtSetEventBoostPriority (148, ... 01153 920 NtWaitForSingleObject (148, 0, 0x0, ... 01154 488 NtResumeThread (384, ... 01155 924 NtWaitForSingleObject (72, 0, {0, 0}, ... 01092 956 NtWaitForSingleObject ... ) == 0x0 01154 488 NtResumeThread ... 1, ) == 0x0 01155 924 NtWaitForSingleObject ... ) == 0x102 01156 956 NtSetEventBoostPriority (148, ... 01152 952 NtSetEventBoostPriority ... ) == 0x0 01149 932 NtSetEventBoostPriority ... ) == 0x0 01157 928 NtWaitForSingleObject (132, 0, 0x0, ... 01158 1088 NtTestAlert (... 
01159 924 NtWaitForSingleObject (148, 0, 0x0, ... 01095 1008 NtWaitForSingleObject ... ) == 0x0 01160 952 NtWaitForSingleObject (148, 0, 0x0, ... 01161 932 NtWaitForSingleObject (132, 0, 0x0, ... 01158 1088 NtTestAlert ... ) == 0x0 01156 956 NtSetEventBoostPriority ... ) == 0x0 01162 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01163 1008 NtSetEventBoostPriority (148, ... 01164 1088 NtContinue (48823600, 1, ... 01165 956 NtWaitForSingleObject (148, 0, 0x0, ... 01162 488 NtAllocateVirtualMemory ... 48824320, 1048576, ) == 0x0 01101 1036 NtWaitForSingleObject ... ) == 0x0 01163 1008 NtSetEventBoostPriority ... ) == 0x0 01166 1088 NtRegisterThreadTerminatePort (24, ... 01167 1036 NtSetEventBoostPriority (148, ... 01168 488 NtAllocateVirtualMemory (-1, 49864704, 0, 8192, 4096, 4, ... 01169 1008 NtWaitForSingleObject (148, 0, 0x0, ... 01102 1084 NtWaitForSingleObject ... ) == 0x0 01167 1036 NtSetEventBoostPriority ... ) == 0x0 01166 1088 NtRegisterThreadTerminatePort ... ) == 0x0 01168 488 NtAllocateVirtualMemory ... 49864704, 8192, ) == 0x0 01170 1084 NtSetEventBoostPriority (148, ... 01171 1036 NtWaitForSingleObject (148, 0, 0x0, ... 01104 1048 NtWaitForSingleObject ... ) == 0x0 01170 1084 NtSetEventBoostPriority ... ) == 0x0 01172 488 NtProtectVirtualMemory (-1, (0x2f8e000), 4096, 260, ... 01173 1088 NtWaitForSingleObject (148, 0, 0x0, ... 01174 1048 NtSetEventBoostPriority (148, ... 01175 1084 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01172 488 NtProtectVirtualMemory ... (0x2f8e000), 4096, 4, ) == 0x0 01106 960 NtWaitForSingleObject ... ) == 0x0 01174 1048 NtSetEventBoostPriority ... ) == 0x0 01175 1084 NtDuplicateObject ... 392, ) == 0x0 01176 960 NtSetEventBoostPriority (148, ... 01177 1048 NtWaitForSingleObject (148, 0, 0x0, ... 01110 1056 NtWaitForSingleObject ... ) == 0x0 01178 1084 NtWaitForSingleObject (148, 0, 0x0, ... 01176 960 NtSetEventBoostPriority ... ) == 0x0 01179 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 
01180 1056 NtSetEventBoostPriority (148, ... 01181 960 NtWaitForSingleObject (148, 0, 0x0, ... 01179 488 NtCreateThread ... 396, {484, 1100}, ) == 0x0 01109 964 NtWaitForSingleObject ... ) == 0x0 01180 1056 NtSetEventBoostPriority ... ) == 0x0 01182 964 NtSetEventBoostPriority (148, ... 01183 488 NtQueryInformationThread (396, Basic, 28, ... 01112 968 NtWaitForSingleObject ... ) == 0x0 01184 1056 NtWaitForSingleObject (148, 0, 0x0, ... 01183 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=484,Tid=1100,}, 0x0, ) == 0x0 01185 968 NtSetEventBoostPriority (148, ... 01182 964 NtSetEventBoostPriority ... ) == 0x0 01186 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1610, 0} (24, {28, 56, new_msg, 0, 484, 488, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\344\1\0\0L\4\0\0" ... ... 01122 1072 NtWaitForSingleObject ... ) == 0x0 01187 964 NtWaitForSingleObject (148, 0, 0x0, ... 01188 1072 NtSetEventBoostPriority (148, ... 01118 972 NtWaitForSingleObject ... ) == 0x0 01189 972 NtSetEventBoostPriority (148, ... 01124 996 NtWaitForSingleObject ... ) == 0x0 01190 996 NtSetEventBoostPriority (148, ... 01129 1000 NtWaitForSingleObject ... ) == 0x0 01191 1000 NtSetEventBoostPriority (148, ... 01133 1020 NtWaitForSingleObject ... ) == 0x0 01192 1020 NtSetEventBoostPriority (148, ... 01139 1024 NtWaitForSingleObject ... ) == 0x0 01193 1024 NtSetEventBoostPriority (148, ... 01143 1012 NtWaitForSingleObject ... ) == 0x0 01194 1012 NtSetEventBoostPriority (148, ... 01142 1028 NtWaitForSingleObject ... ) == 0x0 01195 1028 NtSetEventBoostPriority (148, ... 01148 1076 NtWaitForSingleObject ... ) == 0x0 01196 1076 NtSetEventBoostPriority (148, ... 01153 920 NtWaitForSingleObject ... ) == 0x0 01197 920 NtSetEventBoostPriority (148, ... 01160 952 NtWaitForSingleObject ... ) == 0x0 01198 952 NtSetEventBoostPriority (148, ... 01165 956 NtWaitForSingleObject ... ) == 0x0 01199 956 NtSetEventBoostPriority (148, ... 
01159 924 NtWaitForSingleObject ... ) == 0x0 01200 924 NtSetEventBoostPriority (148, ... 01169 1008 NtWaitForSingleObject ... ) == 0x0 01201 1008 NtSetEventBoostPriority (148, ... 01173 1088 NtWaitForSingleObject ... ) == 0x0 01202 1088 NtSetEventBoostPriority (148, ... 01171 1036 NtWaitForSingleObject ... ) == 0x0 01203 1036 NtSetEventBoostPriority (148, ... 01178 1084 NtWaitForSingleObject ... ) == 0x0 01204 1084 NtSetEventBoostPriority (148, ... 01181 960 NtWaitForSingleObject ... ) == 0x0 01205 960 NtSetEventBoostPriority (148, ... 01177 1048 NtWaitForSingleObject ... ) == 0x0 01206 1048 NtSetEventBoostPriority (148, ... 01187 964 NtWaitForSingleObject ... ) == 0x0 01207 964 NtSetEventBoostPriority (148, ... ) == 0x0 01205 960 NtSetEventBoostPriority ... ) == 0x0 01204 1084 NtSetEventBoostPriority ... ) == 0x0 01202 1088 NtSetEventBoostPriority ... ) == 0x0 01199 956 NtSetEventBoostPriority ... ) == 0x0 01198 952 NtSetEventBoostPriority ... ) == 0x0 01196 1076 NtSetEventBoostPriority ... ) == 0x0 01194 1012 NtSetEventBoostPriority ... ) == 0x0 01188 1072 NtSetEventBoostPriority ... ) == 0x0 01206 1048 NtSetEventBoostPriority ... ) == 0x0 01203 1036 NtSetEventBoostPriority ... ) == 0x0 01201 1008 NtSetEventBoostPriority ... ) == 0x0 01200 924 NtSetEventBoostPriority ... ) == 0x0 01197 920 NtSetEventBoostPriority ... ) == 0x0 01195 1028 NtSetEventBoostPriority ... ) == 0x0 01193 1024 NtSetEventBoostPriority ... ) == 0x0 01192 1020 NtSetEventBoostPriority ... ) == 0x0 01191 1000 NtSetEventBoostPriority ... ) == 0x0 01190 996 NtSetEventBoostPriority ... ) == 0x0 01189 972 NtSetEventBoostPriority ... ) == 0x0 01185 968 NtSetEventBoostPriority ... ) == 0x0 01184 1056 NtWaitForSingleObject ... ) == 0x0 01186 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1611, 0} ... {28, 56, reply, 0, 484, 488, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\344\1\0\0L\4\0\0" ) ) == 0x0 01208 964 NtWaitForSingleObject (308, 0, 0x0, ... 
01209 960 NtWaitForSingleObject (308, 0, 0x0, ... 01210 1088 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01211 1084 NtWaitForSingleObject (308, 0, 0x0, ... 01212 956 NtWaitForSingleObject (308, 0, 0x0, ... 01213 952 NtWaitForSingleObject (308, 0, 0x0, ... 01214 1012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01215 1076 NtWaitForSingleObject (148, 0, 0x0, ... 01216 1048 NtWaitForSingleObject (308, 0, 0x0, ... 01217 1036 NtWaitForSingleObject (308, 0, 0x0, ... 01218 1008 NtWaitForSingleObject (308, 0, 0x0, ... 01219 924 NtWaitForSingleObject (132, 0, 0x0, ... 01220 1072 NtWaitForSingleObject (148, 0, 0x0, ... 01221 1028 NtWaitForSingleObject (308, 0, 0x0, ... 01222 1024 NtWaitForSingleObject (308, 0, 0x0, ... 01223 1020 NtWaitForSingleObject (148, 0, 0x0, ... 01224 1000 NtWaitForSingleObject (148, 0, 0x0, ... 01225 996 NtWaitForSingleObject (148, 0, 0x0, ... 01226 972 NtWaitForSingleObject (148, 0, 0x0, ... 01227 968 NtWaitForSingleObject (148, 0, 0x0, ... 01228 1056 NtSetEventBoostPriority (148, ... 01229 488 NtResumeThread (396, ... 01230 920 NtSetEventBoostPriority (308, ... 01210 1088 NtDuplicateObject ... 400, ) == 0x0 01215 1076 NtWaitForSingleObject ... ) == 0x0 01228 1056 NtSetEventBoostPriority ... ) == 0x0 01229 488 NtResumeThread ... 1, ) == 0x0 01018 904 NtWaitForSingleObject ... ) == 0x0 01230 920 NtSetEventBoostPriority ... ) == 0x0 01231 1076 NtSetEventBoostPriority (148, ... 01232 1088 NtWaitForSingleObject (148, 0, 0x0, ... 01233 1056 NtWaitForSingleObject (308, 0, 0x0, ... 01234 904 NtWaitForSingleObject (148, 0, 0x0, ... 01235 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01220 1072 NtWaitForSingleObject ... ) == 0x0 01231 1076 NtSetEventBoostPriority ... ) == 0x0 01236 920 NtWaitForSingleObject (72, 0, {0, 0}, ... 01237 1072 NtSetEventBoostPriority (148, ... 01235 488 NtAllocateVirtualMemory ... 49872896, 1048576, ) == 0x0 01238 1076 NtWaitForSingleObject (308, 0, 0x0, ... 01223 1020 NtWaitForSingleObject ... 
) == 0x0 01237 1072 NtSetEventBoostPriority ... ) == 0x0 01236 920 NtWaitForSingleObject ... ) == 0x102 01239 488 NtAllocateVirtualMemory (-1, 50913280, 0, 8192, 4096, 4, ... 01214 1012 NtDuplicateObject ... 404, ) == 0x0 01240 1100 NtTestAlert (... 01241 1020 NtSetEventBoostPriority (148, ... 01242 1072 NtWaitForSingleObject (148, 0, 0x0, ... 01243 920 NtWaitForSingleObject (132, 0, 0x0, ... 01244 1012 NtWaitForSingleObject (148, 0, 0x0, ... 01224 1000 NtWaitForSingleObject ... ) == 0x0 01241 1020 NtSetEventBoostPriority ... ) == 0x0 01240 1100 NtTestAlert ... ) == 0x0 01239 488 NtAllocateVirtualMemory ... 50913280, 8192, ) == 0x0 01245 1000 NtSetEventBoostPriority (148, ... 01246 1100 NtContinue (49872176, 1, ... 01225 996 NtWaitForSingleObject ... ) == 0x0 01245 1000 NtSetEventBoostPriority ... ) == 0x0 01247 488 NtProtectVirtualMemory (-1, (0x308e000), 4096, 260, ... 01248 996 NtSetEventBoostPriority (148, ... 01249 1100 NtRegisterThreadTerminatePort (24, ... 01250 1020 NtWaitForSingleObject (148, 0, 0x0, ... 01226 972 NtWaitForSingleObject ... ) == 0x0 01248 996 NtSetEventBoostPriority ... ) == 0x0 01247 488 NtProtectVirtualMemory ... (0x308e000), 4096, 4, ) == 0x0 01249 1100 NtRegisterThreadTerminatePort ... ) == 0x0 01251 972 NtSetEventBoostPriority (148, ... 01252 1000 NtWaitForSingleObject (148, 0, 0x0, ... 01253 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01254 996 NtWaitForSingleObject (148, 0, 0x0, ... 01227 968 NtWaitForSingleObject ... ) == 0x0 01251 972 NtSetEventBoostPriority ... ) == 0x0 01253 488 NtCreateThread ... 408, {484, 1108}, ) == 0x0 01255 968 NtSetEventBoostPriority (148, ... 01256 1100 NtWaitForSingleObject (148, 0, 0x0, ... 01232 1088 NtWaitForSingleObject ... ) == 0x0 01255 968 NtSetEventBoostPriority ... ) == 0x0 01257 488 NtQueryInformationThread (408, Basic, 28, ... 01258 1088 NtSetEventBoostPriority (148, ... 01259 972 NtWaitForSingleObject (148, 0, 0x0, ... 01260 968 NtWaitForSingleObject (148, 0, 0x0, ... 
01234 904 NtWaitForSingleObject ... ) == 0x0 01258 1088 NtSetEventBoostPriority ... ) == 0x0 01261 904 NtSetEventBoostPriority (148, ... 01257 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=484,Tid=1108,}, 0x0, ) == 0x0 01242 1072 NtWaitForSingleObject ... ) == 0x0 01262 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1611, 0} (24, {28, 56, new_msg, 0, 484, 488, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0\344\1\0\0T\4\0\0" ... ... 01263 1072 NtSetEventBoostPriority (148, ... 01262 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1612, 0} ... {28, 56, reply, 0, 484, 488, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0\344\1\0\0T\4\0\0" ) ) == 0x0 01244 1012 NtWaitForSingleObject ... ) == 0x0 01264 488 NtResumeThread (408, ... 01265 1012 NtSetEventBoostPriority (148, ... 01264 488 NtResumeThread ... 1, ) == 0x0 01250 1020 NtWaitForSingleObject ... ) == 0x0 01265 1012 NtSetEventBoostPriority ... ) == 0x0 01263 1072 NtSetEventBoostPriority ... ) == 0x0 01261 904 NtSetEventBoostPriority ... ) == 0x0 01266 1088 NtWaitForSingleObject (308, 0, 0x0, ... 01267 1108 NtTestAlert (... 01268 1020 NtSetEventBoostPriority (148, ... 01269 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01270 1072 NtWaitForSingleObject (308, 0, 0x0, ... 01271 1012 NtWaitForSingleObject (148, 0, 0x0, ... 01252 1000 NtWaitForSingleObject ... ) == 0x0 01268 1020 NtSetEventBoostPriority ... ) == 0x0 01267 1108 NtTestAlert ... ) == 0x0 01269 488 NtAllocateVirtualMemory ... 50921472, 1048576, ) == 0x0 01272 1000 NtSetEventBoostPriority (148, ... 01273 1020 NtWaitForSingleObject (308, 0, 0x0, ... 01274 1108 NtContinue (50920752, 1, ... 01254 996 NtWaitForSingleObject ... ) == 0x0 01272 1000 NtSetEventBoostPriority ... ) == 0x0 01275 488 NtAllocateVirtualMemory (-1, 51961856, 0, 8192, 4096, 4, ... 01276 904 NtSetEventBoostPriority (308, ... 01277 996 NtSetEventBoostPriority (148, ... 
01278 1108 NtRegisterThreadTerminatePort (24, ... 01279 1000 NtWaitForSingleObject (308, 0, 0x0, ... 01275 488 NtAllocateVirtualMemory ... 51961856, 8192, ) == 0x0 01256 1100 NtWaitForSingleObject ... ) == 0x0 01277 996 NtSetEventBoostPriority ... ) == 0x0 01027 912 NtWaitForSingleObject ... ) == 0x0 01276 904 NtSetEventBoostPriority ... ) == 0x0 01278 1108 NtRegisterThreadTerminatePort ... ) == 0x0 01280 1100 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 01281 488 NtProtectVirtualMemory (-1, (0x318e000), 4096, 260, ... 01282 912 NtWaitForSingleObject (148, 0, 0x0, ... 01283 996 NtWaitForSingleObject (308, 0, 0x0, ... 01284 904 NtWaitForSingleObject (72, 0, {0, 0}, ... 01280 1100 NtAllocateVirtualMemory ... 1359872, 4096, ) == 0x0 01281 488 NtProtectVirtualMemory ... (0x318e000), 4096, 4, ) == 0x0 01285 1108 NtWaitForSingleObject (148, 0, 0x0, ... 01286 1100 NtSetEventBoostPriority (148, ... 01284 904 NtWaitForSingleObject ... ) == 0x102 01287 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01288 904 NtWaitForSingleObject (132, 0, 0x0, ... 01287 488 NtCreateThread ... 412, {484, 1104}, ) == 0x0 01259 972 NtWaitForSingleObject ... ) == 0x0 01286 1100 NtSetEventBoostPriority ... ) == 0x0 01289 488 NtQueryInformationThread (412, Basic, 28, ... 01290 972 NtSetEventBoostPriority (148, ... 01291 1100 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01289 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=484,Tid=1104,}, 0x0, ) == 0x0 01260 968 NtWaitForSingleObject ... ) == 0x0 01290 972 NtSetEventBoostPriority ... ) == 0x0 01291 1100 NtDuplicateObject ... 416, ) == 0x0 01292 968 NtSetEventBoostPriority (148, ... 01293 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1612, 0} (24, {28, 56, new_msg, 0, 484, 488, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\344\1\0\0P\4\0\0" ... ... 01294 972 NtWaitForSingleObject (308, 0, 0x0, ... 01271 1012 NtWaitForSingleObject ... 
) == 0x0 01292 968 NtSetEventBoostPriority ... ) == 0x0 01295 1100 NtWaitForSingleObject (148, 0, 0x0, ... 01293 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1613, 0} ... {28, 56, reply, 0, 484, 488, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\344\1\0\0P\4\0\0" ) ) == 0x0 01296 1012 NtSetEventBoostPriority (148, ... 01297 968 NtWaitForSingleObject (308, 0, 0x0, ... 01282 912 NtWaitForSingleObject ... ) == 0x0 01296 1012 NtSetEventBoostPriority ... ) == 0x0 01298 488 NtResumeThread (412, ... 01299 912 NtSetEventBoostPriority (148, ... 01300 1012 NtWaitForSingleObject (308, 0, 0x0, ... 01285 1108 NtWaitForSingleObject ... ) == 0x0 01298 488 NtResumeThread ... 1, ) == 0x0 01299 912 NtSetEventBoostPriority ... ) == 0x0 01301 1108 NtSetEventBoostPriority (148, ... 01302 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01303 1104 NtTestAlert (... 01295 1100 NtWaitForSingleObject ... ) == 0x0 01301 1108 NtSetEventBoostPriority ... ) == 0x0 01302 488 NtAllocateVirtualMemory ... 51970048, 1048576, ) == 0x0 01304 1100 NtWaitForSingleObject (308, 0, 0x0, ... 01303 1104 NtTestAlert ... ) == 0x0 01305 1108 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01306 488 NtAllocateVirtualMemory (-1, 53010432, 0, 8192, 4096, 4, ... 01307 1104 NtContinue (51969328, 1, ... 01308 912 NtSetEventBoostPriority (308, ... 01305 1108 NtDuplicateObject ... 420, ) == 0x0 01309 1104 NtRegisterThreadTerminatePort (24, ... 01033 944 NtWaitForSingleObject ... ) == 0x0 01308 912 NtSetEventBoostPriority ... ) == 0x0 01310 1108 NtWaitForSingleObject (308, 0, 0x0, ... 01311 944 NtSetEventBoostPriority (308, ... 01309 1104 NtRegisterThreadTerminatePort ... ) == 0x0 01312 912 NtWaitForSingleObject (72, 0, {0, 0}, ... 01047 308 NtWaitForSingleObject ... ) == 0x0 01311 944 NtSetEventBoostPriority ... ) == 0x0 01306 488 NtAllocateVirtualMemory ... 53010432, 8192, ) == 0x0 01312 912 NtWaitForSingleObject ... ) == 0x102 01313 308 NtSetEventBoostPriority (308, ... 
01314 944 NtWaitForSingleObject (72, 0, {0, 0}, ... 01315 488 NtProtectVirtualMemory (-1, (0x328e000), 4096, 260, ... 01316 912 NtWaitForSingleObject (132, 0, 0x0, ... 01079 876 NtWaitForSingleObject ... ) == 0x0 01315 488 NtProtectVirtualMemory ... (0x328e000), 4096, 4, ) == 0x0 01313 308 NtSetEventBoostPriority ... ) == 0x0 01317 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01314 944 NtWaitForSingleObject ... ) == 0x102 01318 876 NtSetEventBoostPriority (308, ... 01319 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01320 308 NtWaitForSingleObject (72, 0, {0, 0}, ... 01317 1104 NtDuplicateObject ... 424, ) == 0x0 01321 944 NtWaitForSingleObject (132, 0, 0x0, ... 01127 888 NtWaitForSingleObject ... ) == 0x0 01318 876 NtSetEventBoostPriority ... ) == 0x0 01319 488 NtCreateThread ... 428, {484, 1112}, ) == 0x0 01322 1104 NtWaitForSingleObject (308, 0, 0x0, ... 01323 888 NtSetEventBoostPriority (308, ... 01320 308 NtWaitForSingleObject ... ) == 0x102 01324 488 NtQueryInformationThread (428, Basic, 28, ... 01136 948 NtWaitForSingleObject ... ) == 0x0 01323 888 NtSetEventBoostPriority ... ) == 0x0 01325 308 NtWaitForSingleObject (132, 0, 0x0, ... 01326 876 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075140, 67, ... }, 0x0, 0, 3, 3, 0, 11075140, 67, ... 01327 948 NtSetEventBoostPriority (308, ... 01328 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01208 964 NtWaitForSingleObject ... ) == 0x0 01327 948 NtSetEventBoostPriority ... ) == 0x0 01326 876 NtCreateFile ... 432, {status=0x0, info=0}, ) == 0x0 01324 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=484,Tid=1112,}, 0x0, ) == 0x0 01329 964 NtSetEventBoostPriority (308, ... 01328 888 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01330 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x1207b, (432, 116, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0x\206\24\0\17\346\367w", 16, 16, ... , 16, 16, ... 01209 960 NtWaitForSingleObject ... ) == 0x0 01329 964 NtSetEventBoostPriority ... ) == 0x0 01331 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1613, 0} (24, {28, 56, new_msg, 0, 484, 488, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\1\0\0\344\1\0\0X\4\0\0" ... ... 01332 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01333 960 NtSetEventBoostPriority (308, ... 01330 876 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0xY\14\201", ) , ) == 0x0 01334 964 NtWaitForSingleObject (72, 0, {0, 0}, ... 01331 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1614, 0} ... {28, 56, reply, 0, 484, 488, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\1\0\0\344\1\0\0X\4\0\0" ) ) == 0x0 01211 1084 NtWaitForSingleObject ... ) == 0x0 01333 960 NtSetEventBoostPriority ... ) == 0x0 01332 888 NtOpenKey ... 436, ) == 0x0 01335 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x1207b, (432, 116, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0xY\14\201", 16, 16, ... , 16, 16, ... 01336 948 NtWaitForSingleObject (72, 0, {0, 0}, ... 01337 1084 NtSetEventBoostPriority (308, ... 01338 488 NtResumeThread (428, ... 01339 960 NtWaitForSingleObject (72, 0, {0, 0}, ... 01340 888 NtQueryValueKey (436, (436, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01335 876 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0xY\14\201", ) , ) == 0x0 01212 956 NtWaitForSingleObject ... ) == 0x0 01337 1084 NtSetEventBoostPriority ... ) == 0x0 01336 948 NtWaitForSingleObject ... ) == 0x102 01338 488 NtResumeThread ... 1, ) == 0x0 01334 964 NtWaitForSingleObject ... ) == 0x102 01340 888 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01339 960 NtWaitForSingleObject ... ) == 0x102 01341 1112 NtTestAlert (... 01342 956 NtSetEventBoostPriority (308, ... 01343 1084 NtWaitForSingleObject (72, 0, {0, 0}, ... 01344 948 NtWaitForSingleObject (132, 0, 0x0, ... 01345 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x12047, (432, 116, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370\303\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01346 964 NtWaitForSingleObject (132, 0, 0x0, ... 01347 888 NtClose (436, ... 01348 960 NtWaitForSingleObject (132, 0, 0x0, ... 01213 952 NtWaitForSingleObject ... ) == 0x0 01342 956 NtSetEventBoostPriority ... ) == 0x0 01341 1112 NtTestAlert ... ) == 0x0 01349 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01345 876 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01343 1084 NtWaitForSingleObject ... ) == 0x102 01350 952 NtSetEventBoostPriority (308, ... 01351 956 NtWaitForSingleObject (72, 0, {0, 0}, ... 01352 1112 NtContinue (53017904, 1, ... 01349 488 NtAllocateVirtualMemory ... 53018624, 1048576, ) == 0x0 01353 876 NtWaitForSingleObject (64, 0, {0, 0}, ... 01216 1048 NtWaitForSingleObject ... ) == 0x0 01350 952 NtSetEventBoostPriority ... ) == 0x0 01354 1084 NtWaitForSingleObject (132, 0, 0x0, ... 01347 888 NtClose ... ) == 0x0 01355 1112 NtRegisterThreadTerminatePort (24, ... 01356 488 NtAllocateVirtualMemory (-1, 54059008, 0, 8192, 4096, 4, ... 01357 1048 NtSetEventBoostPriority (308, ... 01353 876 NtWaitForSingleObject ... ) == 0x102 01358 952 NtWaitForSingleObject (72, 0, {0, 0}, ... 
01359 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01355 1112 NtRegisterThreadTerminatePort ... ) == 0x0 01217 1036 NtWaitForSingleObject ... ) == 0x0 01357 1048 NtSetEventBoostPriority ... ) == 0x0 01356 488 NtAllocateVirtualMemory ... 54059008, 8192, ) == 0x0 01360 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x12003, (432, 116, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01351 956 NtWaitForSingleObject ... ) == 0x102 01359 888 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01358 952 NtWaitForSingleObject ... ) == 0x102 01361 1036 NtSetEventBoostPriority (308, ... 01362 1112 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01363 488 NtProtectVirtualMemory (-1, (0x338e000), 4096, 260, ... 01364 1048 NtWaitForSingleObject (72, 0, {0, 0}, ... 01365 956 NtWaitForSingleObject (132, 0, 0x0, ... 01366 888 NtWaitForSingleObject (308, 0, 0x0, ... 01218 1008 NtWaitForSingleObject ... ) == 0x0 01361 1036 NtSetEventBoostPriority ... ) == 0x0 01367 952 NtWaitForSingleObject (132, 0, 0x0, ... 01362 1112 NtDuplicateObject ... 436, ) == 0x0 01363 488 NtProtectVirtualMemory ... (0x338e000), 4096, 4, ) == 0x0 01364 1048 NtWaitForSingleObject ... ) == 0x102 01368 1008 NtSetEventBoostPriority (308, ... 01360 876 NtDeviceIoControlFile ... {status=0x0, info=440}, ... {status=0x0, info=440}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01369 1112 NtWaitForSingleObject (308, 0, 0x0, ... 01370 1036 NtWaitForSingleObject (72, 0, {0, 0}, ... 01221 1028 NtWaitForSingleObject ... ) == 0x0 01368 1008 NtSetEventBoostPriority ... ) == 0x0 01371 1048 NtWaitForSingleObject (132, 0, 0x0, ... 
01372 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x12047, (432, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01373 1028 NtSetEventBoostPriority (308, ... 01370 1036 NtWaitForSingleObject ... ) == 0x102 01374 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01222 1024 NtWaitForSingleObject ... ) == 0x0 01373 1028 NtSetEventBoostPriority ... ) == 0x0 01372 876 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01375 1036 NtWaitForSingleObject (132, 0, 0x0, ... 01376 1024 NtSetEventBoostPriority (308, ... 01374 488 NtCreateThread ... 444, {484, 1124}, ) == 0x0 01377 1008 NtWaitForSingleObject (72, 0, {0, 0}, ... 01378 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x1200b, (432, 116, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ... 01233 1056 NtWaitForSingleObject ... ) == 0x0 01376 1024 NtSetEventBoostPriority ... ) == 0x0 01379 488 NtQueryInformationThread (444, Basic, 28, ... 01377 1008 NtWaitForSingleObject ... ) == 0x102 01380 1056 NtSetEventBoostPriority (308, ... 01378 876 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01381 1028 NtWaitForSingleObject (72, 0, {0, 0}, ... 01379 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=484,Tid=1124,}, 0x0, ) == 0x0 01238 1076 NtWaitForSingleObject ... ) == 0x0 01380 1056 NtSetEventBoostPriority ... ) == 0x0 01382 1008 NtWaitForSingleObject (132, 0, 0x0, ... 
01383 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x12047, (432, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0e\0t\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01381 1028 NtWaitForSingleObject ... ) == 0x102 01384 1076 NtSetEventBoostPriority (308, ... 01385 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1614, 0} (24, {28, 56, new_msg, 0, 484, 488, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\344\1\0\0d\4\0\0" ... ... 01386 1024 NtWaitForSingleObject (72, 0, {0, 0}, ... 01387 1056 NtWaitForSingleObject (72, 0, {0, 0}, ... 01266 1088 NtWaitForSingleObject ... ) == 0x0 01388 1028 NtWaitForSingleObject (132, 0, 0x0, ... 01386 1024 NtWaitForSingleObject ... ) == 0x102 01387 1056 NtWaitForSingleObject ... ) == 0x102 01389 1088 NtSetEventBoostPriority (308, ... 01390 1024 NtWaitForSingleObject (132, 0, 0x0, ... 01391 1056 NtWaitForSingleObject (132, 0, 0x0, ... 01270 1072 NtWaitForSingleObject ... ) == 0x0 01389 1088 NtSetEventBoostPriority ... ) == 0x0 01392 1072 NtSetEventBoostPriority (308, ... 01273 1020 NtWaitForSingleObject ... ) == 0x0 01393 1020 NtSetEventBoostPriority (308, ... 01279 1000 NtWaitForSingleObject ... ) == 0x0 01394 1000 NtSetEventBoostPriority (308, ... 01283 996 NtWaitForSingleObject ... ) == 0x0 01395 996 NtSetEventBoostPriority (308, ... 01294 972 NtWaitForSingleObject ... ) == 0x0 01396 972 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01397 972 NtSetEventBoostPriority (308, ... 01297 968 NtWaitForSingleObject ... 
) == 0x0 01398 968 NtSetEventBoostPriority (308, ... 01300 1012 NtWaitForSingleObject ... ) == 0x0 01399 1012 NtSetEventBoostPriority (308, ... 01304 1100 NtWaitForSingleObject ... ) == 0x0 01400 1100 NtSetEventBoostPriority (308, ... 01310 1108 NtWaitForSingleObject ... ) == 0x0 01401 1108 NtSetEventBoostPriority (308, ... 01322 1104 NtWaitForSingleObject ... ) == 0x0 01402 1104 NtSetEventBoostPriority (308, ... 01366 888 NtWaitForSingleObject ... ) == 0x0 01403 888 NtSetEventBoostPriority (308, ... 01369 1112 NtWaitForSingleObject ... ) == 0x0 01404 1112 NtWaitForSingleObject (72, 0, {0, 0}, ... 01403 888 NtSetEventBoostPriority ... ) == 0x0 01402 1104 NtSetEventBoostPriority ... ) == 0x0 01401 1108 NtSetEventBoostPriority ... ) == 0x0 01400 1100 NtSetEventBoostPriority ... ) == 0x0 01392 1072 NtSetEventBoostPriority ... ) == 0x0 01405 1088 NtWaitForSingleObject (72, 0, {0, 0}, ... 01399 1012 NtSetEventBoostPriority ... ) == 0x0 01398 968 NtSetEventBoostPriority ... ) == 0x0 01397 972 NtSetEventBoostPriority ... ) == 0x0 01395 996 NtSetEventBoostPriority ... ) == 0x0 01394 1000 NtSetEventBoostPriority ... ) == 0x0 01393 1020 NtSetEventBoostPriority ... ) == 0x0 01384 1076 NtSetEventBoostPriority ... ) == 0x0 01383 876 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01385 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1615, 0} ... {28, 56, reply, 0, 484, 488, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\344\1\0\0d\4\0\0" ) ) == 0x0 01404 1112 NtWaitForSingleObject ... ) == 0x102 01406 888 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01407 1104 NtWaitForSingleObject (72, 0, {0, 0}, ... 01408 1108 NtWaitForSingleObject (72, 0, {0, 0}, ... 01409 1100 NtWaitForSingleObject (72, 0, {0, 0}, ... 01410 1072 NtWaitForSingleObject (72, 0, {0, 0}, ... 01411 1012 NtWaitForSingleObject (72, 0, {0, 0}, ... 01412 968 NtWaitForSingleObject (72, 0, {0, 0}, ... 01405 1088 NtWaitForSingleObject ... 
) == 0x102 01413 996 NtWaitForSingleObject (72, 0, {0, 0}, ... 01414 1000 NtWaitForSingleObject (72, 0, {0, 0}, ... 01415 1020 NtWaitForSingleObject (72, 0, {0, 0}, ... 01416 1076 NtWaitForSingleObject (72, 0, {0, 0}, ... 01417 876 NtDeviceIoControlFile (432, 116, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 01418 488 NtResumeThread (444, ... 01419 1112 NtWaitForSingleObject (132, 0, 0x0, ... 01406 888 NtCreateEvent ... 448, ) == 0x0 01407 1104 NtWaitForSingleObject ... ) == 0x102 01408 1108 NtWaitForSingleObject ... ) == 0x102 01409 1100 NtWaitForSingleObject ... ) == 0x102 01410 1072 NtWaitForSingleObject ... ) == 0x102 01420 1088 NtWaitForSingleObject (132, 0, 0x0, ... 01417 876 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 01418 488 NtResumeThread ... 1, ) == 0x0 01421 888 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01422 1104 NtWaitForSingleObject (132, 0, 0x0, ... 01423 1108 NtWaitForSingleObject (132, 0, 0x0, ... 01424 1100 NtWaitForSingleObject (132, 0, 0x0, ... 01425 1072 NtWaitForSingleObject (132, 0, 0x0, ... 01426 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01421 888 NtCreateEvent ... 452, ) == 0x0 01426 488 NtAllocateVirtualMemory ... 54067200, 1048576, ) == 0x0 01427 888 NtQuerySystemTime (... 01428 488 NtAllocateVirtualMemory (-1, 55107584, 0, 8192, 4096, 4, ... 01427 888 NtQuerySystemTime ... {-1013443304, 29889223}, ) == 0x0 01429 876 NtWaitForSingleObject (116, 1, {-5000000, -1}, ... 01430 972 NtWaitForSingleObject (72, 0, {0, 0}, ... 01411 1012 NtWaitForSingleObject ... ) == 0x102 01412 968 NtWaitForSingleObject ... ) == 0x102 01413 996 NtWaitForSingleObject ... ) == 0x102 01414 1000 NtWaitForSingleObject ... ) == 0x102 01415 1020 NtWaitForSingleObject ... ) == 0x102 01416 1076 NtWaitForSingleObject ... ) == 0x102 01431 1124 NtTestAlert (... 01428 488 NtAllocateVirtualMemory ... 55107584, 8192, ) == 0x0 01432 888 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01430 972 NtWaitForSingleObject ... 
) == 0x102 01433 1012 NtWaitForSingleObject (132, 0, 0x0, ... 01434 968 NtWaitForSingleObject (132, 0, 0x0, ... 01435 996 NtWaitForSingleObject (132, 0, 0x0, ... 01436 1000 NtWaitForSingleObject (132, 0, 0x0, ... 01437 1020 NtWaitForSingleObject (132, 0, 0x0, ... 01438 1076 NtWaitForSingleObject (132, 0, 0x0, ... 01431 1124 NtTestAlert ... ) == 0x0 01439 488 NtProtectVirtualMemory (-1, (0x348e000), 4096, 260, ... 01432 888 NtCreateEvent ... 456, ) == 0x0 01440 972 NtWaitForSingleObject (132, 0, 0x0, ... 01441 1124 NtContinue (54066480, 1, ... 01439 488 NtProtectVirtualMemory ... (0x348e000), 4096, 4, ) == 0x0 01442 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 01443 1124 NtRegisterThreadTerminatePort (24, ... 01444 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01442 888 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 1124 NtRegisterThreadTerminatePort ... ) == 0x0 01444 488 NtCreateThread ... 460, {484, 1128}, ) == 0x0 01445 888 NtQuerySystemInformation (Performance, 312, ... 01446 488 NtQueryInformationThread (460, Basic, 28, ... 01445 888 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 01447 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01446 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=484,Tid=1128,}, 0x0, ) == 0x0 01447 1124 NtDuplicateObject ... 464, ) == 0x0 01448 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1615, 0} (24, {28, 56, new_msg, 0, 484, 488, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\344\1\0\0h\4\0\0" ... ... 01449 1124 NtWaitForSingleObject (72, 0, {0, 0}, ... 01448 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1616, 0} ... {28, 56, reply, 0, 484, 488, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\344\1\0\0h\4\0\0" ) ) == 0x0 01449 1124 NtWaitForSingleObject ... ) == 0x102 01450 488 NtResumeThread (460, ... 
01451 1124 NtWaitForSingleObject (132, 0, 0x0, ... 01450 488 NtResumeThread ... 1, ) == 0x0 01452 888 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 01453 1128 NtTestAlert (... 01452 888 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 01453 1128 NtTestAlert ... ) == 0x0 01454 888 NtQueryInformationProcess (-1, VmCounters, 44, ... 01455 1128 NtContinue (55115056, 1, ... 01454 888 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 01456 1128 NtRegisterThreadTerminatePort (24, ... 01457 888 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01456 1128 NtRegisterThreadTerminatePort ... ) == 0x0 01457 888 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01458 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01459 1128 NtWaitForSingleObject (148, 0, 0x0, ... 01458 488 NtAllocateVirtualMemory ... 55115776, 1048576, ) == 0x0 01460 488 NtAllocateVirtualMemory (-1, 56156160, 0, 8192, 4096, 4, ... 56156160, 8192, ) == 0x0 01461 488 NtProtectVirtualMemory (-1, (0x358e000), 4096, 260, ... (0x358e000), 4096, 4, ) == 0x0 01462 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 468, {484, 1080}, ) == 0x0 01463 488 NtQueryInformationThread (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=484,Tid=1080,}, 0x0, ) == 0x0 01464 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1616, 0} (24, {28, 56, new_msg, 0, 484, 488, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\1\0\0\344\1\0\08\4\0\0" ... ... 01465 888 NtSetEventBoostPriority (148, ... 01459 1128 NtWaitForSingleObject ... ) == 0x0 01466 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 472, ) == 0x0 01467 1128 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 01468 1128 NtWaitForSingleObject (132, 0, 0x0, ... 01465 888 NtSetEventBoostPriority ... ) == 0x0 01469 888 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 476, ) == 0x0 01470 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
480, ) == 0x0 01464 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1617, 0} ... {28, 56, reply, 0, 484, 488, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\1\0\0\344\1\0\08\4\0\0" ) ) == 0x0 01471 488 NtResumeThread (468, ... 1, ) == 0x0 01472 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 56164352, 1048576, ) == 0x0 01473 488 NtAllocateVirtualMemory (-1, 57204736, 0, 8192, 4096, 4, ... 57204736, 8192, ) == 0x0 01474 488 NtProtectVirtualMemory (-1, (0x368e000), 4096, 260, ... (0x368e000), 4096, 4, ) == 0x0 01475 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 484, {484, 1188}, ) == 0x0 01476 488 NtQueryInformationThread (484, Basic, 28, ... 01477 888 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01478 1080 NtAllocateVirtualMemory (-1, 8867840, 0, 4096, 4096, 4, ... 01477 888 NtCreateEvent ... 488, ) == 0x0 01478 1080 NtAllocateVirtualMemory ... 8867840, 4096, ) == 0x0 01479 888 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 14216828, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 14216828, 112, ... 01480 1080 NtTestAlert (... ) == 0x0 01481 1080 NtContinue (56163632, 1, ... 01479 888 NtConnectPort ... 492, 0x0, 0x0, 0x0, 112, ) == 0x0 01476 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=484,Tid=1188,}, 0x0, ) == 0x0 01482 888 NtRequestWaitReplyPort (492, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 14216592} (492, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 14216592} "\0$\370w@\364\330\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\260\347\24\0\4\0\0\0\260\347\24\0\20\344\314w\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0\0\0\0\0X\347\24\0\300\345\24\00\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0X\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01483 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1617, 0} (24, {28, 56, new_msg, 0, 484, 488, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\344\1\0\0\244\4\0\0" ... ... 
01484 1080 NtRegisterThreadTerminatePort (24, ... 01483 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1619, 0} ... {28, 56, reply, 0, 484, 488, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\344\1\0\0\244\4\0\0" ) ) == 0x0 01484 1080 NtRegisterThreadTerminatePort ... ) == 0x0 01485 488 NtResumeThread (484, ... 01486 1080 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01485 488 NtResumeThread ... 1, ) == 0x0 01486 1080 NtDuplicateObject ... 496, ) == 0x0 01482 888 NtRequestWaitReplyPort ... {128, 152, reply, 0, 484, 888, 1620, 0} ... {128, 152, reply, 0, 484, 888, 1620, 0} "\7$\370w@\364\330\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260\347\24\0\377\377\377\377\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0\0\0\0\0X\347\24\0\300\345\24\00\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0X\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01487 1188 NtTestAlert (... 01488 1080 NtWaitForSingleObject (72, 0, {0, 0}, ... 01489 888 NtRequestWaitReplyPort (492, {64, 88, new_msg, 0, 0, 0, 0, 0} (492, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01487 1188 NtTestAlert ... ) == 0x0 01490 1188 NtContinue (57212208, 1, ... 01491 1188 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01492 1188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 500, ) == 0x0 01493 1188 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 01494 1188 NtWaitForSingleObject (132, 0, 0x0, ... 01495 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01488 1080 NtWaitForSingleObject ... ) == 0x102 01495 488 NtAllocateVirtualMemory ... 57212928, 1048576, ) == 0x0 01496 1080 NtWaitForSingleObject (132, 0, 0x0, ... 01497 488 NtAllocateVirtualMemory (-1, 58253312, 0, 8192, 4096, 4, ... 58253312, 8192, ) == 0x0 01498 488 NtProtectVirtualMemory (-1, (0x378e000), 4096, 260, ... 
(0x378e000), 4096, 4, ) == 0x0 01499 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 504, {484, 1148}, ) == 0x0 01500 488 NtQueryInformationThread (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=484,Tid=1148,}, 0x0, ) == 0x0 01501 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1619, 0} (24, {28, 56, new_msg, 0, 484, 488, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\344\1\0\0|\4\0\0" ... {28, 56, reply, 0, 484, 488, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\344\1\0\0|\4\0\0" ) ... {28, 56, reply, 0, 484, 488, 1622, 0} (24, {28, 56, new_msg, 0, 484, 488, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\344\1\0\0|\4\0\0" ... {28, 56, reply, 0, 484, 488, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\344\1\0\0|\4\0\0" ) ) == 0x0 01502 488 NtResumeThread (504, ... 1, ) == 0x0 01503 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58261504, 1048576, ) == 0x0 01504 488 NtAllocateVirtualMemory (-1, 59301888, 0, 8192, 4096, 4, ... 01505 1148 NtTestAlert (... ) == 0x0 01506 1148 NtContinue (58260784, 1, ... 01507 1148 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01508 1148 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 508, ) == 0x0 01509 1148 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 01510 1148 NtWaitForSingleObject (132, 0, 0x0, ... 01504 488 NtAllocateVirtualMemory ... 59301888, 8192, ) == 0x0 01489 888 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 888, 1621, 0} ... {52, 76, reply, 0, 484, 888, 1621, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360Y\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01511 488 NtProtectVirtualMemory (-1, (0x388e000), 4096, 260, ... 01512 888 NtClose (488, ... 01511 488 NtProtectVirtualMemory ... (0x388e000), 4096, 4, ) == 0x0 01513 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 512, {484, 1160}, ) == 0x0 01514 488 NtQueryInformationThread (512, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=484,Tid=1160,}, 0x0, ) == 0x0 01515 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1622, 0} (24, {28, 56, new_msg, 0, 484, 488, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\344\1\0\0\210\4\0\0" ... {28, 56, reply, 0, 484, 488, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\344\1\0\0\210\4\0\0" ) ... {28, 56, reply, 0, 484, 488, 1623, 0} (24, {28, 56, new_msg, 0, 484, 488, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\344\1\0\0\210\4\0\0" ... {28, 56, reply, 0, 484, 488, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\344\1\0\0\210\4\0\0" ) ) == 0x0 01516 488 NtResumeThread (512, ... 1, ) == 0x0 01512 888 NtClose ... ) == 0x0 01517 1160 NtTestAlert (... 01518 888 NtClose (492, ... 01517 1160 NtTestAlert ... ) == 0x0 01518 888 NtClose ... ) == 0x0 01519 1160 NtContinue (59309360, 1, ... 01520 888 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01521 1160 NtRegisterThreadTerminatePort (24, ... 01520 888 NtCreateKey ... 492, 2, ) == 0x0 01521 1160 NtRegisterThreadTerminatePort ... ) == 0x0 01522 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01523 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01524 1160 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01523 488 NtAllocateVirtualMemory ... 59310080, 1048576, ) == 0x0 01524 1160 NtDuplicateObject ... 488, ) == 0x0 01525 488 NtAllocateVirtualMemory (-1, 60350464, 0, 8192, 4096, 4, ... 01526 1160 NtWaitForSingleObject (72, 0, {0, 0}, ... 01525 488 NtAllocateVirtualMemory ... 60350464, 8192, ) == 0x0 01526 1160 NtWaitForSingleObject ... ) == 0x102 01527 488 NtProtectVirtualMemory (-1, (0x398e000), 4096, 260, ... 
01528 1160 NtWaitForSingleObject (132, 0, 0x0, ... 01527 488 NtProtectVirtualMemory ... (0x398e000), 4096, 4, ) == 0x0 01522 888 NtOpenKey ... 516, ) == 0x0 01529 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01530 888 NtQueryValueKey (492, (492, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (492, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01531 888 NtQueryValueKey (492, (492, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (492, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01532 888 NtClose (492, ... ) == 0x0 01533 888 NtClose (516, ... ) == 0x0 01534 888 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01535 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 516, {484, 1200}, ) == 0x0 01536 488 NtQueryInformationThread (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=484,Tid=1200,}, 0x0, ) == 0x0 01537 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1623, 0} (24, {28, 56, new_msg, 0, 484, 488, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\344\1\0\0\260\4\0\0" ... {28, 56, reply, 0, 484, 488, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\344\1\0\0\260\4\0\0" ) ... {28, 56, reply, 0, 484, 488, 1625, 0} (24, {28, 56, new_msg, 0, 484, 488, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\344\1\0\0\260\4\0\0" ... {28, 56, reply, 0, 484, 488, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\344\1\0\0\260\4\0\0" ) ) == 0x0 01538 488 NtResumeThread (516, ... 1, ) == 0x0 01534 888 NtCreateEvent ... 492, ) == 0x0 01539 1200 NtTestAlert (... 
01540 888 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 14216692, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 14216692, 112, ... 01539 1200 NtTestAlert ... ) == 0x0 01541 1200 NtContinue (60357936, 1, ... 01542 1200 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01540 888 NtConnectPort ... 520, 0x0, 0x0, 0x0, 112, ) == 0x0 01543 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01544 888 NtRequestWaitReplyPort (520, {128, 152, new_msg, 0, 1310720, 125896, 1310720, 14216456} (520, {128, 152, new_msg, 0, 1310720, 125896, 1310720, 14216456} "\0$\370w\270\363\330\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\260\347\24\0\4\0\0\0\260\347\24\0\20\344\314w\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\08\347\24\0\0\0\0\0`\357\24\0?\360\367\08\357\24\0\0\0\0\0\0\0\0\0\0\0\0\0`\357\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01543 488 NtAllocateVirtualMemory ... 60358656, 1048576, ) == 0x0 01545 488 NtAllocateVirtualMemory (-1, 61399040, 0, 8192, 4096, 4, ... 61399040, 8192, ) == 0x0 01546 488 NtProtectVirtualMemory (-1, (0x3a8e000), 4096, 260, ... (0x3a8e000), 4096, 4, ) == 0x0 01547 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 524, {484, 1216}, ) == 0x0 01548 488 NtQueryInformationThread (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=484,Tid=1216,}, 0x0, ) == 0x0 01549 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1625, 0} (24, {28, 56, new_msg, 0, 484, 488, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\344\1\0\0\300\4\0\0" ... ... 01550 1200 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01551 1200 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 528, ) == 0x0 01552 1200 NtWaitForSingleObject (72, 0, {0, 0}, ... 01549 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1628, 0} ... 
{28, 56, reply, 0, 484, 488, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\344\1\0\0\300\4\0\0" ) ) == 0x0 01553 488 NtResumeThread (524, ... 1, ) == 0x0 01554 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 61407232, 1048576, ) == 0x0 01555 488 NtAllocateVirtualMemory (-1, 62447616, 0, 8192, 4096, 4, ... 01552 1200 NtWaitForSingleObject ... ) == 0x102 01544 888 NtRequestWaitReplyPort ... {128, 152, reply, 0, 484, 888, 1627, 0} ... {128, 152, reply, 0, 484, 888, 1627, 0} "\7$\370w\270\363\330\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260\347\24\0\377\377\377\377\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\08\347\24\0\0\0\0\0`\357\24\0?\360\367\08\357\24\0\0\0\0\0\0\0\0\0\0\0\0\0`\357\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01556 1216 NtTestAlert (... 01557 1200 NtWaitForSingleObject (132, 0, 0x0, ... 01558 888 NtRequestWaitReplyPort (520, {44, 68, new_msg, 0, 484, 888, 1621, 0} (520, {44, 68, new_msg, 0, 484, 888, 1621, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 01556 1216 NtTestAlert ... ) == 0x0 01559 1216 NtContinue (61406512, 1, ... 01560 1216 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01555 488 NtAllocateVirtualMemory ... 62447616, 8192, ) == 0x0 01561 488 NtProtectVirtualMemory (-1, (0x3b8e000), 4096, 260, ... (0x3b8e000), 4096, 4, ) == 0x0 01562 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 532, {484, 320}, ) == 0x0 01563 488 NtQueryInformationThread (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=484,Tid=320,}, 0x0, ) == 0x0 01564 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1628, 0} (24, {28, 56, new_msg, 0, 484, 488, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\344\1\0\0@\1\0\0" ... {28, 56, reply, 0, 484, 488, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\344\1\0\0@\1\0\0" ) ... 
{28, 56, reply, 0, 484, 488, 1630, 0} (24, {28, 56, new_msg, 0, 484, 488, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\344\1\0\0@\1\0\0" ... {28, 56, reply, 0, 484, 488, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\344\1\0\0@\1\0\0" ) ) == 0x0 01565 488 NtResumeThread (532, ... 1, ) == 0x0 01566 1216 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01567 320 NtTestAlert (... 01566 1216 NtDuplicateObject ... 536, ) == 0x0 01567 320 NtTestAlert ... ) == 0x0 01568 1216 NtWaitForSingleObject (72, 0, {0, 0}, ... 01569 320 NtContinue (62455088, 1, ... 01568 1216 NtWaitForSingleObject ... ) == 0x102 01570 320 NtRegisterThreadTerminatePort (24, ... 01571 1216 NtWaitForSingleObject (132, 0, 0x0, ... 01570 320 NtRegisterThreadTerminatePort ... ) == 0x0 01572 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62455808, 1048576, ) == 0x0 01573 488 NtAllocateVirtualMemory (-1, 63496192, 0, 8192, 4096, 4, ... 63496192, 8192, ) == 0x0 01574 488 NtProtectVirtualMemory (-1, (0x3c8e000), 4096, 260, ... (0x3c8e000), 4096, 4, ) == 0x0 01575 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 540, {484, 1244}, ) == 0x0 01576 488 NtQueryInformationThread (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=484,Tid=1244,}, 0x0, ) == 0x0 01577 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1630, 0} (24, {28, 56, new_msg, 0, 484, 488, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\344\1\0\0\334\4\0\0" ... ... 01578 320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 544, ) == 0x0 01579 320 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 01580 320 NtWaitForSingleObject (132, 0, 0x0, ... 01558 888 NtRequestWaitReplyPort ... {40, 64, reply, 0, 484, 888, 1629, 0} ... {40, 64, reply, 0, 484, 888, 1629, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 01577 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1631, 0} ... 
{28, 56, reply, 0, 484, 488, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\344\1\0\0\334\4\0\0" ) ) == 0x0 01581 888 NtRequestWaitReplyPort (520, {64, 88, new_msg, 56, 0, 1, 0, 0} (520, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\357\330\0@\0\314w\240\343\24\0\274\357\330\0$\360\330\0\0\267\362v$\360\330\0\240\343\24\0\1\0\0\0\260\364\24\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01582 488 NtResumeThread (540, ... 1, ) == 0x0 01583 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 63504384, 1048576, ) == 0x0 01584 488 NtAllocateVirtualMemory (-1, 64544768, 0, 8192, 4096, 4, ... 01585 1244 NtTestAlert (... ) == 0x0 01586 1244 NtContinue (63503664, 1, ... 01587 1244 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01588 1244 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 548, ) == 0x0 01589 1244 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 01590 1244 NtWaitForSingleObject (132, 0, 0x0, ... 01584 488 NtAllocateVirtualMemory ... 64544768, 8192, ) == 0x0 01581 888 NtRequestWaitReplyPort ... {64, 88, reply, 56, 484, 888, 1632, 0} ... {64, 88, reply, 56, 484, 888, 1632, 0} "\10\357\330\0@\0\314w\240\343\24\0\274\357\330\0$\360\330\0\0\267\362v$\360\330\0\240\343\24\0\1\0\0\0\260\364\24\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01591 488 NtProtectVirtualMemory (-1, (0x3d8e000), 4096, 260, ... 01592 888 NtClose (492, ... 01591 488 NtProtectVirtualMemory ... (0x3d8e000), 4096, 4, ) == 0x0 01592 888 NtClose ... ) == 0x0 01593 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01594 888 NtClose (520, ... 01593 488 NtCreateThread ... 492, {484, 1248}, ) == 0x0 01594 888 NtClose ... ) == 0x0 01595 488 NtQueryInformationThread (492, Basic, 28, ... 01596 888 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
}, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01595 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=484,Tid=1248,}, 0x0, ) == 0x0 01597 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1631, 0} (24, {28, 56, new_msg, 0, 484, 488, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\344\1\0\0\340\4\0\0" ... {28, 56, reply, 0, 484, 488, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\344\1\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 484, 488, 1634, 0} (24, {28, 56, new_msg, 0, 484, 488, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\344\1\0\0\340\4\0\0" ... {28, 56, reply, 0, 484, 488, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\344\1\0\0\340\4\0\0" ) ) == 0x0 01598 488 NtResumeThread (492, ... 1, ) == 0x0 01599 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 64552960, 1048576, ) == 0x0 01600 488 NtAllocateVirtualMemory (-1, 65593344, 0, 8192, 4096, 4, ... 65593344, 8192, ) == 0x0 01601 488 NtProtectVirtualMemory (-1, (0x3e8e000), 4096, 260, ... (0x3e8e000), 4096, 4, ) == 0x0 01596 888 NtCreateKey ... 520, 2, ) == 0x0 01602 1248 NtTestAlert (... 01603 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01602 1248 NtTestAlert ... ) == 0x0 01603 888 NtOpenKey ... 552, ) == 0x0 01604 1248 NtContinue (64552240, 1, ... 01605 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01606 1248 NtRegisterThreadTerminatePort (24, ... 01605 888 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01606 1248 NtRegisterThreadTerminatePort ... ) == 0x0 01607 888 NtQueryValueKey (520, (520, "Domain", Partial, 144, ... , Partial, 144, ... 01608 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01609 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01608 488 NtCreateThread ... 556, {484, 1264}, ) == 0x0 01609 1248 NtDuplicateObject ... 560, ) == 0x0 01610 488 NtQueryInformationThread (556, Basic, 28, ... 01611 1248 NtWaitForSingleObject (72, 0, {0, 0}, ... 01610 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=484,Tid=1264,}, 0x0, ) == 0x0 01611 1248 NtWaitForSingleObject ... ) == 0x102 01612 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1634, 0} (24, {28, 56, new_msg, 0, 484, 488, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\344\1\0\0\360\4\0\0" ... ... 01613 1248 NtWaitForSingleObject (132, 0, 0x0, ... 01612 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1635, 0} ... {28, 56, reply, 0, 484, 488, 1635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\344\1\0\0\360\4\0\0" ) ) == 0x0 01607 888 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01614 488 NtResumeThread (556, ... 01615 888 NtQueryValueKey (520, (520, "Domain", Partial, 144, ... , Partial, 144, ... 01614 488 NtResumeThread ... 1, ) == 0x0 01615 888 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01616 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01617 888 NtClose (520, ... 01616 488 NtAllocateVirtualMemory ... 65601536, 1048576, ) == 0x0 01617 888 NtClose ... ) == 0x0 01618 488 NtAllocateVirtualMemory (-1, 66641920, 0, 8192, 4096, 4, ... 01619 888 NtClose (552, ... 01620 1264 NtTestAlert (... 01618 488 NtAllocateVirtualMemory ... 66641920, 8192, ) == 0x0 01620 1264 NtTestAlert ... ) == 0x0 01621 488 NtProtectVirtualMemory (-1, (0x3f8e000), 4096, 260, ... 01622 1264 NtContinue (65600816, 1, ... 01621 488 NtProtectVirtualMemory ... (0x3f8e000), 4096, 4, ) == 0x0 01623 1264 NtRegisterThreadTerminatePort (24, ... 01624 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01623 1264 NtRegisterThreadTerminatePort ... ) == 0x0 01624 488 NtCreateThread ... 
520, {484, 1268}, ) == 0x0 01619 888 NtClose ... ) == 0x0 01625 488 NtQueryInformationThread (520, Basic, 28, ... 01626 888 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01627 1264 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01626 888 NtOpenKey ... 552, ) == 0x0 01627 1264 NtDuplicateObject ... 564, ) == 0x0 01628 888 NtQueryValueKey (552, (552, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 01629 1264 NtWaitForSingleObject (72, 0, {0, 0}, ... 01628 888 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01629 1264 NtWaitForSingleObject ... ) == 0x102 01630 888 NtClose (552, ... 01631 1264 NtWaitForSingleObject (132, 0, 0x0, ... 01625 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=484,Tid=1268,}, 0x0, ) == 0x0 01630 888 NtClose ... ) == 0x0 01632 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1635, 0} (24, {28, 56, new_msg, 0, 484, 488, 1635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\344\1\0\0\364\4\0\0" ... ... 01633 888 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 14216236, ... }, 14216236, ... 01632 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1636, 0} ... {28, 56, reply, 0, 484, 488, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\344\1\0\0\364\4\0\0" ) ) == 0x0 01633 888 NtQueryAttributesFile ... ) == 0x0 01634 488 NtResumeThread (520, ... 01635 888 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01634 488 NtResumeThread ... 1, ) == 0x0 01635 888 NtOpenFile ... 552, {status=0x0, info=1}, ) == 0x0 01636 1268 NtWaitForSingleObject (108, 0, 0x0, ... 01637 888 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 552, ... 01638 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
66650112, 1048576, ) == 0x0 01639 488 NtAllocateVirtualMemory (-1, 67690496, 0, 8192, 4096, 4, ... 67690496, 8192, ) == 0x0 01640 488 NtProtectVirtualMemory (-1, (0x408e000), 4096, 260, ... (0x408e000), 4096, 4, ) == 0x0 01641 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 568, {484, 708}, ) == 0x0 01642 488 NtQueryInformationThread (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=484,Tid=708,}, 0x0, ) == 0x0 01643 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1636, 0} (24, {28, 56, new_msg, 0, 484, 488, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\344\1\0\0\304\2\0\0" ... ... 01637 888 NtCreateSection ... 572, ) == 0x0 01644 888 NtClose (552, ... ) == 0x0 01645 888 NtMapViewOfSection (572, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 16384, ) == 0x0 01646 888 NtClose (572, ... 01643 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1637, 0} ... {28, 56, reply, 0, 484, 488, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\344\1\0\0\304\2\0\0" ) ) == 0x0 01647 488 NtResumeThread (568, ... 1, ) == 0x0 01648 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 67698688, 1048576, ) == 0x0 01649 488 NtAllocateVirtualMemory (-1, 68739072, 0, 8192, 4096, 4, ... 68739072, 8192, ) == 0x0 01650 488 NtProtectVirtualMemory (-1, (0x418e000), 4096, 260, ... (0x418e000), 4096, 4, ) == 0x0 01651 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 552, {484, 1300}, ) == 0x0 01652 488 NtQueryInformationThread (552, Basic, 28, ... 01646 888 NtClose ... ) == 0x0 01653 708 NtWaitForSingleObject (108, 0, 0x0, ... 01654 888 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 01655 888 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 14216552, ... ) }, 14216552, ... ) == 0x0 01656 888 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 572, {status=0x0, info=1}, ) }, 5, 96, ... 
572, {status=0x0, info=1}, ) == 0x0 01657 888 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 572, ... 576, ) == 0x0 01658 888 NtQuerySection (576, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01659 888 NtClose (572, ... 01652 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=484,Tid=1300,}, 0x0, ) == 0x0 01660 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1637, 0} (24, {28, 56, new_msg, 0, 484, 488, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\344\1\0\0\24\5\0\0" ... {28, 56, reply, 0, 484, 488, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\344\1\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 484, 488, 1638, 0} (24, {28, 56, new_msg, 0, 484, 488, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\344\1\0\0\24\5\0\0" ... {28, 56, reply, 0, 484, 488, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\344\1\0\0\24\5\0\0" ) ) == 0x0 01661 488 NtResumeThread (552, ... 1, ) == 0x0 01662 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 68747264, 1048576, ) == 0x0 01663 488 NtAllocateVirtualMemory (-1, 69787648, 0, 8192, 4096, 4, ... 69787648, 8192, ) == 0x0 01664 488 NtProtectVirtualMemory (-1, (0x428e000), 4096, 260, ... (0x428e000), 4096, 4, ) == 0x0 01659 888 NtClose ... ) == 0x0 01665 1300 NtWaitForSingleObject (108, 0, 0x0, ... 01666 888 NtMapViewOfSection (576, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 01667 888 NtClose (576, ... ) == 0x0 01668 888 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 576, ) }, ... 576, ) == 0x0 01669 888 NtMapViewOfSection (576, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01670 888 NtClose (576, ... ) == 0x0 01671 888 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01672 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 576, {484, 1304}, ) == 0x0 01673 488 NtQueryInformationThread (576, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=484,Tid=1304,}, 0x0, ) == 0x0 01674 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1638, 0} (24, {28, 56, new_msg, 0, 484, 488, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\344\1\0\0\30\5\0\0" ... {28, 56, reply, 0, 484, 488, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\344\1\0\0\30\5\0\0" ) ... {28, 56, reply, 0, 484, 488, 1639, 0} (24, {28, 56, new_msg, 0, 484, 488, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\344\1\0\0\30\5\0\0" ... {28, 56, reply, 0, 484, 488, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\344\1\0\0\30\5\0\0" ) ) == 0x0 01675 488 NtResumeThread (576, ... 1, ) == 0x0 01676 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 69795840, 1048576, ) == 0x0 01677 488 NtAllocateVirtualMemory (-1, 70836224, 0, 8192, 4096, 4, ... 01671 888 NtCreateEvent ... 572, ) == 0x0 01678 1304 NtWaitForSingleObject (108, 0, 0x0, ... 01679 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ... 01677 488 NtAllocateVirtualMemory ... 70836224, 8192, ) == 0x0 01680 488 NtProtectVirtualMemory (-1, (0x438e000), 4096, 260, ... (0x438e000), 4096, 4, ) == 0x0 01681 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01679 888 NtOpenKey ... 580, ) == 0x0 01682 888 NtQueryValueKey (580, (580, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (580, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01683 888 NtClose (580, ... ) == 0x0 01684 888 NtSetEventBoostPriority (108, ... 01636 1268 NtWaitForSingleObject ... ) == 0x0 01685 1268 NtSetEventBoostPriority (108, ... 01653 708 NtWaitForSingleObject ... ) == 0x0 01686 708 NtSetEventBoostPriority (108, ... 01665 1300 NtWaitForSingleObject ... ) == 0x0 01687 1300 NtSetEventBoostPriority (108, ... 01678 1304 NtWaitForSingleObject ... 
) == 0x0 01688 1304 NtTestAlert (... ) == 0x0 01687 1300 NtSetEventBoostPriority ... ) == 0x0 01686 708 NtSetEventBoostPriority ... ) == 0x0 01685 1268 NtSetEventBoostPriority ... ) == 0x0 01684 888 NtSetEventBoostPriority ... ) == 0x0 01681 488 NtCreateThread ... 580, {484, 1308}, ) == 0x0 01689 1304 NtContinue (69795120, 1, ... 01690 1300 NtTestAlert (... 01691 708 NtTestAlert (... 01692 888 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01693 488 NtQueryInformationThread (580, Basic, 28, ... 01694 1304 NtRegisterThreadTerminatePort (24, ... 01690 1300 NtTestAlert ... ) == 0x0 01691 708 NtTestAlert ... ) == 0x0 01695 1268 NtTestAlert (... 01692 888 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01694 1304 NtRegisterThreadTerminatePort ... ) == 0x0 01696 1300 NtContinue (68746544, 1, ... 01697 708 NtContinue (67697968, 1, ... 01695 1268 NtTestAlert ... ) == 0x0 01698 888 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 14216236, ... }, 14216236, ... 01699 1304 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01700 1300 NtRegisterThreadTerminatePort (24, ... 01701 708 NtRegisterThreadTerminatePort (24, ... 01702 1268 NtContinue (66649392, 1, ... 01698 888 NtQueryAttributesFile ... ) == 0x0 01699 1304 NtDuplicateObject ... 584, ) == 0x0 01700 1300 NtRegisterThreadTerminatePort ... ) == 0x0 01701 708 NtRegisterThreadTerminatePort ... ) == 0x0 01703 1268 NtRegisterThreadTerminatePort (24, ... 01704 888 NtQuerySystemInformation (Basic, 44, ... 01705 1304 NtWaitForSingleObject (72, 0, {0, 0}, ... 01706 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01707 708 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01703 1268 NtRegisterThreadTerminatePort ... ) == 0x0 01704 888 NtQuerySystemInformation ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01693 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=484,Tid=1308,}, 0x0, ) == 0x0 01705 1304 NtWaitForSingleObject ... ) == 0x102 01706 1300 NtDuplicateObject ... 588, ) == 0x0 01708 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01709 888 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 01710 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1639, 0} (24, {28, 56, new_msg, 0, 484, 488, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\344\1\0\0\34\5\0\0" ... ... 01711 1304 NtWaitForSingleObject (132, 0, 0x0, ... 01712 1300 NtWaitForSingleObject (72, 0, {0, 0}, ... 01707 708 NtDuplicateObject ... 592, ) == 0x0 01708 1268 NtDuplicateObject ... 596, ) == 0x0 01710 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1640, 0} ... {28, 56, reply, 0, 484, 488, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\344\1\0\0\34\5\0\0" ) ) == 0x0 01712 1300 NtWaitForSingleObject ... ) == 0x102 01713 708 NtWaitForSingleObject (72, 0, {0, 0}, ... 01714 1268 NtWaitForSingleObject (72, 0, {0, 0}, ... 01715 488 NtResumeThread (580, ... 01716 1300 NtWaitForSingleObject (132, 0, 0x0, ... 01713 708 NtWaitForSingleObject ... ) == 0x102 01714 1268 NtWaitForSingleObject ... ) == 0x102 01715 488 NtResumeThread ... 1, ) == 0x0 01717 708 NtWaitForSingleObject (132, 0, 0x0, ... 01718 1268 NtWaitForSingleObject (132, 0, 0x0, ... 01709 888 NtAllocateVirtualMemory ... 8781824, 65536, ) == 0x0 01719 1308 NtTestAlert (... 01720 888 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 01719 1308 NtTestAlert ... ) == 0x0 01720 888 NtAllocateVirtualMemory ... 8781824, 4096, ) == 0x0 01721 1308 NtContinue (70843696, 1, ... 
01722 888 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 01723 1308 NtRegisterThreadTerminatePort (24, ... 01722 888 NtAllocateVirtualMemory ... 8785920, 8192, ) == 0x0 01723 1308 NtRegisterThreadTerminatePort ... ) == 0x0 01724 888 NtSetEventBoostPriority (132, ... 01725 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01726 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01725 488 NtAllocateVirtualMemory ... 70844416, 1048576, ) == 0x0 01726 1308 NtDuplicateObject ... 600, ) == 0x0 01727 488 NtAllocateVirtualMemory (-1, 71884800, 0, 8192, 4096, 4, ... 01728 1308 NtWaitForSingleObject (72, 0, {0, 0}, ... 01727 488 NtAllocateVirtualMemory ... 71884800, 8192, ) == 0x0 01728 1308 NtWaitForSingleObject ... ) == 0x102 01729 488 NtProtectVirtualMemory (-1, (0x448e000), 4096, 260, ... 01730 1308 NtWaitForSingleObject (132, 0, 0x0, ... 01729 488 NtProtectVirtualMemory ... (0x448e000), 4096, 4, ) == 0x0 00483 884 NtWaitForSingleObject ... ) == 0x0 01724 888 NtSetEventBoostPriority ... ) == 0x0 01731 884 NtSetEventBoostPriority (132, ... 01732 888 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 00494 880 NtWaitForSingleObject ... ) == 0x0 01731 884 NtSetEventBoostPriority ... ) == 0x0 01733 880 NtWaitForSingleObject (148, 0, 0x0, ... 01732 888 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01734 884 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01735 888 NtSetEventBoostPriority (148, ... 01736 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01733 880 NtWaitForSingleObject ... ) == 0x0 01735 888 NtSetEventBoostPriority ... ) == 0x0 01737 880 NtSetEventBoostPriority (132, ... 01736 488 NtCreateThread ... 604, {484, 1296}, ) == 0x0 00513 892 NtWaitForSingleObject ... ) == 0x0 01737 880 NtSetEventBoostPriority ... ) == 0x0 01738 888 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01739 892 NtSetEventBoostPriority (132, ... 01740 488 NtQueryInformationThread (604, Basic, 28, ... 01734 884 NtCreateEvent ... 
608, ) == 0x0 01741 880 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00783 896 NtWaitForSingleObject ... ) == 0x0 01739 892 NtSetEventBoostPriority ... ) == 0x0 01740 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=484,Tid=1296,}, 0x0, ) == 0x0 01742 884 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 01743 896 NtWaitForSingleObject (148, 0, 0x0, ... 01741 880 NtCreateEvent ... 612, ) == 0x0 01744 892 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01745 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1640, 0} (24, {28, 56, new_msg, 0, 484, 488, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\2\0\0\344\1\0\0\20\5\0\0" ... ... 01742 884 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 01746 880 NtWaitForSingleObject (148, 0, 0x0, ... 01738 888 NtCreateEvent ... 616, ) == 0x0 01747 884 NtSetEventBoostPriority (148, ... 01748 888 NtWaitForSingleObject (148, 0, 0x0, ... 01743 896 NtWaitForSingleObject ... ) == 0x0 01747 884 NtSetEventBoostPriority ... ) == 0x0 01749 896 NtSetEventBoostPriority (148, ... 01746 880 NtWaitForSingleObject ... ) == 0x0 01750 880 NtSetEventBoostPriority (148, ... 01748 888 NtWaitForSingleObject ... ) == 0x0 01751 888 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 14216524, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 14216524, 112, ... 01750 880 NtSetEventBoostPriority ... ) == 0x0 01749 896 NtSetEventBoostPriority ... ) == 0x0 01752 884 NtAllocateVirtualMemory (-1, 13160448, 0, 4096, 4096, 260, ... 01744 892 NtCreateEvent ... 620, ) == 0x0 01745 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1641, 0} ... {28, 56, reply, 0, 484, 488, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\2\0\0\344\1\0\0\20\5\0\0" ) ) == 0x0 01753 880 NtAllocateVirtualMemory (-1, 12111872, 0, 4096, 4096, 260, ... 01751 888 NtConnectPort ... 624, 0x0, 0x0, 0x0, 112, ) == 0x0 01754 896 NtSetEventBoostPriority (132, ... 01755 892 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 
01756 488 NtResumeThread (604, ... 01753 880 NtAllocateVirtualMemory ... 12111872, 4096, ) == 0x0 01757 888 NtRequestWaitReplyPort (624, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 14216288} (624, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 14216288} "\0$\370w\20\363\330\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\260\347\24\0\4\0\0\0\260\347\24\0\20\344\314w\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\230\11\25\0\0\0\0\0\370\13\25\0\270\11\25\0\320\13\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370\13\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 00944 940 NtWaitForSingleObject ... ) == 0x0 01754 896 NtSetEventBoostPriority ... ) == 0x0 01755 892 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01756 488 NtResumeThread ... 1, ) == 0x0 01758 880 NtWaitForSingleObject (148, 0, 0x0, ... 01759 940 NtWaitForSingleObject (148, 0, 0x0, ... 01760 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01761 892 NtSetEventBoostPriority (148, ... 01757 888 NtRequestWaitReplyPort ... {128, 152, reply, 0, 484, 888, 1643, 0} ... {128, 152, reply, 0, 484, 888, 1643, 0} "\7$\370w\20\363\330\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260\347\24\0\377\377\377\377\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\230\11\25\0\0\0\0\0\370\13\25\0\270\11\25\0\320\13\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370\13\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01762 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01760 896 NtCreateEvent ... 628, ) == 0x0 01759 940 NtWaitForSingleObject ... ) == 0x0 01761 892 NtSetEventBoostPriority ... ) == 0x0 01763 888 NtRequestWaitReplyPort (624, {64, 88, new_msg, 0, 484, 888, 1629, 0} (624, {64, 88, new_msg, 0, 484, 888, 1629, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01762 488 NtAllocateVirtualMemory ... 71892992, 1048576, ) == 0x0 01764 940 NtSetEventBoostPriority (148, ... 
01765 896 NtWaitForSingleObject (148, 0, 0x0, ... 01766 892 NtWaitForSingleObject (148, 0, 0x0, ... 01758 880 NtWaitForSingleObject ... ) == 0x0 01764 940 NtSetEventBoostPriority ... ) == 0x0 01767 488 NtAllocateVirtualMemory (-1, 72933376, 0, 8192, 4096, 4, ... 01752 884 NtAllocateVirtualMemory ... 13160448, 4096, ) == 0x0 01768 1296 NtWaitForSingleObject (148, 0, 0x0, ... 01763 888 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 888, 1644, 0} ... {52, 76, reply, 0, 484, 888, 1644, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01769 880 NtSetEventBoostPriority (148, ... 01770 940 NtSetEventBoostPriority (132, ... 01771 884 NtWaitForSingleObject (148, 0, 0x0, ... 01765 896 NtWaitForSingleObject ... ) == 0x0 01769 880 NtSetEventBoostPriority ... ) == 0x0 01772 888 NtWaitForSingleObject (148, 0, 0x0, ... 00951 936 NtWaitForSingleObject ... ) == 0x0 01770 940 NtSetEventBoostPriority ... ) == 0x0 01773 896 NtSetEventBoostPriority (148, ... 01767 488 NtAllocateVirtualMemory ... 72933376, 8192, ) == 0x0 01774 936 NtWaitForSingleObject (148, 0, 0x0, ... 01766 892 NtWaitForSingleObject ... ) == 0x0 01773 896 NtSetEventBoostPriority ... ) == 0x0 01775 940 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01776 892 NtSetEventBoostPriority (148, ... 01777 488 NtProtectVirtualMemory (-1, (0x458e000), 4096, 260, ... 01778 880 NtWaitForSingleObject (148, 0, 0x0, ... 01768 1296 NtWaitForSingleObject ... ) == 0x0 01775 940 NtCreateEvent ... 632, ) == 0x0 01777 488 NtProtectVirtualMemory ... (0x458e000), 4096, 4, ) == 0x0 01779 1296 NtSetEventBoostPriority (148, ... 01780 940 NtWaitForSingleObject (148, 0, 0x0, ... 01781 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01771 884 NtWaitForSingleObject ... ) == 0x0 01779 1296 NtSetEventBoostPriority ... ) == 0x0 01782 884 NtSetEventBoostPriority (148, ... 01781 488 NtCreateThread ... 
636, {484, 1284}, ) == 0x0 01776 892 NtSetEventBoostPriority ... ) == 0x0 01783 896 NtWaitForSingleObject (148, 0, 0x0, ... 01772 888 NtWaitForSingleObject ... ) == 0x0 01782 884 NtSetEventBoostPriority ... ) == 0x0 01784 488 NtQueryInformationThread (636, Basic, 28, ... 01785 892 NtWaitForSingleObject (148, 0, 0x0, ... 01786 888 NtSetEventBoostPriority (148, ... 01787 1296 NtTestAlert (... 01788 884 NtWaitForSingleObject (148, 0, 0x0, ... 01774 936 NtWaitForSingleObject ... ) == 0x0 01786 888 NtSetEventBoostPriority ... ) == 0x0 01787 1296 NtTestAlert ... ) == 0x0 01789 936 NtSetEventBoostPriority (148, ... 01784 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=484,Tid=1284,}, 0x0, ) == 0x0 01778 880 NtWaitForSingleObject ... ) == 0x0 01789 936 NtSetEventBoostPriority ... ) == 0x0 01790 1296 NtContinue (71892272, 1, ... 01791 880 NtSetEventBoostPriority (148, ... 01792 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1641, 0} (24, {28, 56, new_msg, 0, 484, 488, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\344\1\0\0\4\5\0\0" ... ... 01793 888 NtClose (616, ... 01780 940 NtWaitForSingleObject ... ) == 0x0 01791 880 NtSetEventBoostPriority ... ) == 0x0 01794 1296 NtRegisterThreadTerminatePort (24, ... 01792 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1645, 0} ... {28, 56, reply, 0, 484, 488, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\344\1\0\0\4\5\0\0" ) ) == 0x0 01795 940 NtSetEventBoostPriority (148, ... 01793 888 NtClose ... ) == 0x0 01796 880 NtWaitForSingleObject (148, 0, 0x0, ... 01794 1296 NtRegisterThreadTerminatePort ... ) == 0x0 01783 896 NtWaitForSingleObject ... ) == 0x0 01795 940 NtSetEventBoostPriority ... ) == 0x0 01797 488 NtResumeThread (636, ... 01798 888 NtClose (624, ... 01799 936 NtSetEventBoostPriority (132, ... 01800 896 NtSetEventBoostPriority (148, ... 01801 1296 NtWaitForSingleObject (148, 0, 0x0, ... 01797 488 NtResumeThread ... 1, ) == 0x0 01798 888 NtClose ... 
) == 0x0 01785 892 NtWaitForSingleObject ... ) == 0x0 01800 896 NtSetEventBoostPriority ... ) == 0x0 01157 928 NtWaitForSingleObject ... ) == 0x0 01799 936 NtSetEventBoostPriority ... ) == 0x0 01802 940 NtWaitForSingleObject (148, 0, 0x0, ... 01803 1284 NtTestAlert (... 01804 892 NtSetEventBoostPriority (148, ... 01805 888 NtWaitForSingleObject (148, 0, 0x0, ... 01806 928 NtWaitForSingleObject (148, 0, 0x0, ... 01807 896 NtWaitForSingleObject (148, 0, 0x0, ... 01808 936 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01788 884 NtWaitForSingleObject ... ) == 0x0 01804 892 NtSetEventBoostPriority ... ) == 0x0 01803 1284 NtTestAlert ... ) == 0x0 01809 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01810 884 NtSetEventBoostPriority (148, ... 01808 936 NtCreateEvent ... 624, ) == 0x0 01811 1284 NtContinue (72940848, 1, ... 01796 880 NtWaitForSingleObject ... ) == 0x0 01810 884 NtSetEventBoostPriority ... ) == 0x0 01809 488 NtAllocateVirtualMemory ... 72941568, 1048576, ) == 0x0 01812 936 NtWaitForSingleObject (148, 0, 0x0, ... 01813 880 NtSetEventBoostPriority (148, ... 01814 1284 NtRegisterThreadTerminatePort (24, ... 01815 884 NtWaitForSingleObject (148, 0, 0x0, ... 01816 488 NtAllocateVirtualMemory (-1, 73981952, 0, 8192, 4096, 4, ... 01801 1296 NtWaitForSingleObject ... ) == 0x0 01814 1284 NtRegisterThreadTerminatePort ... ) == 0x0 01813 880 NtSetEventBoostPriority ... ) == 0x0 01817 892 NtWaitForSingleObject (148, 0, 0x0, ... 01816 488 NtAllocateVirtualMemory ... 73981952, 8192, ) == 0x0 01818 1296 NtSetEventBoostPriority (148, ... 01819 880 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01820 488 NtProtectVirtualMemory (-1, (0x468e000), 4096, 260, ... 01802 940 NtWaitForSingleObject ... ) == 0x0 01819 880 NtCreateEvent ... 616, ) == 0x0 01820 488 NtProtectVirtualMemory ... (0x468e000), 4096, 4, ) == 0x0 01821 940 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 01818 1296 NtSetEventBoostPriority ... 
) == 0x0 01822 1284 NtWaitForSingleObject (148, 0, 0x0, ... 01823 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01821 940 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 01824 1296 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01823 880 NtDuplicateObject ... 640, ) == 0x0 01825 940 NtSetEventBoostPriority (148, ... 01824 1296 NtDuplicateObject ... 644, ) == 0x0 01826 880 NtWaitForSingleObject (148, 0, 0x0, ... 01827 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01806 928 NtWaitForSingleObject ... ) == 0x0 01825 940 NtSetEventBoostPriority ... ) == 0x0 01828 928 NtSetEventBoostPriority (148, ... 01827 488 NtCreateThread ... 648, {484, 1316}, ) == 0x0 01805 888 NtWaitForSingleObject ... ) == 0x0 01828 928 NtSetEventBoostPriority ... ) == 0x0 01829 940 NtWaitForSingleObject (148, 0, 0x0, ... 01830 888 NtSetEventBoostPriority (148, ... 01831 488 NtQueryInformationThread (648, Basic, 28, ... 01832 1296 NtWaitForSingleObject (148, 0, 0x0, ... 01807 896 NtWaitForSingleObject ... ) == 0x0 01830 888 NtSetEventBoostPriority ... ) == 0x0 01831 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=484,Tid=1316,}, 0x0, ) == 0x0 01833 896 NtSetEventBoostPriority (148, ... 01834 928 NtWaitForSingleObject (148, 0, 0x0, ... 01812 936 NtWaitForSingleObject ... ) == 0x0 01835 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1645, 0} (24, {28, 56, new_msg, 0, 484, 488, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\344\1\0\0$\5\0\0" ... ... 01836 936 NtSetEventBoostPriority (148, ... 01815 884 NtWaitForSingleObject ... ) == 0x0 01837 884 NtSetEventBoostPriority (148, ... 01817 892 NtWaitForSingleObject ... ) == 0x0 01838 892 NtSetEventBoostPriority (148, ... 01822 1284 NtWaitForSingleObject ... ) == 0x0 01839 1284 NtSetEventBoostPriority (148, ... 01826 880 NtWaitForSingleObject ... ) == 0x0 01840 880 NtSetEventBoostPriority (148, ... 01829 940 NtWaitForSingleObject ... 
) == 0x0 01841 940 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 01840 880 NtSetEventBoostPriority ... ) == 0x0 01839 1284 NtSetEventBoostPriority ... ) == 0x0 01838 892 NtSetEventBoostPriority ... ) == 0x0 01836 936 NtSetEventBoostPriority ... ) == 0x0 01837 884 NtSetEventBoostPriority ... ) == 0x0 01833 896 NtSetEventBoostPriority ... ) == 0x0 01842 888 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01835 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1647, 0} ... {28, 56, reply, 0, 484, 488, 1647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\344\1\0\0$\5\0\0" ) ) == 0x0 01843 940 NtSetEventBoostPriority (148, ... 01844 1284 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01845 892 NtWaitForSingleObject (148, 0, 0x0, ... 01846 880 NtWaitForSingleObject (148, 0, 0x0, ... 01847 884 NtWaitForSingleObject (148, 0, 0x0, ... 01848 896 NtWaitForSingleObject (148, 0, 0x0, ... 01842 888 NtCreateKey ... 652, 2, ) == 0x0 01849 488 NtResumeThread (648, ... 01832 1296 NtWaitForSingleObject ... ) == 0x0 01843 940 NtSetEventBoostPriority ... ) == 0x0 01850 936 NtWaitForSingleObject (148, 0, 0x0, ... 01844 1284 NtDuplicateObject ... 656, ) == 0x0 01851 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01852 1296 NtSetEventBoostPriority (148, ... 01849 488 NtResumeThread ... 1, ) == 0x0 01853 940 NtWaitForSingleObject (148, 0, 0x0, ... 01854 1284 NtWaitForSingleObject (72, 0, {0, 0}, ... 01834 928 NtWaitForSingleObject ... ) == 0x0 01852 1296 NtSetEventBoostPriority ... ) == 0x0 01851 888 NtOpenKey ... 660, ) == 0x0 01855 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01856 928 NtSetEventBoostPriority (148, ... 01854 1284 NtWaitForSingleObject ... ) == 0x102 01857 1296 NtWaitForSingleObject (148, 0, 0x0, ... 01858 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01846 880 NtWaitForSingleObject ... ) == 0x0 01856 928 NtSetEventBoostPriority ... ) == 0x0 01855 488 NtAllocateVirtualMemory ... 73990144, 1048576, ) == 0x0 01859 1284 NtWaitForSingleObject (132, 0, 0x0, ... 01860 1316 NtTestAlert (... 01861 880 NtSetEventBoostPriority (148, ... 01858 888 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01862 928 NtSetEventBoostPriority (132, ... 01863 488 NtAllocateVirtualMemory (-1, 75030528, 0, 8192, 4096, 4, ... 01847 884 NtWaitForSingleObject ... ) == 0x0 01861 880 NtSetEventBoostPriority ... ) == 0x0 01860 1316 NtTestAlert ... ) == 0x0 01864 888 NtQueryValueKey (652, (652, "Hostname", Partial, 144, ... , Partial, 144, ... 01161 932 NtWaitForSingleObject ... ) == 0x0 01862 928 NtSetEventBoostPriority ... ) == 0x0 01865 884 NtSetEventBoostPriority (148, ... 01866 880 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01867 1316 NtContinue (73989424, 1, ... 01864 888 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01868 932 NtWaitForSingleObject (148, 0, 0x0, ... 01848 896 NtWaitForSingleObject ... ) == 0x0 01865 884 NtSetEventBoostPriority ... ) == 0x0 01869 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01863 488 NtAllocateVirtualMemory ... 75030528, 8192, ) == 0x0 01870 1316 NtRegisterThreadTerminatePort (24, ... 01871 888 NtWaitForSingleObject (148, 0, 0x0, ... 01872 896 NtSetEventBoostPriority (148, ... 01866 880 NtCreateEvent ... 664, ) == 0x0 01869 928 NtCreateEvent ... 668, ) == 0x0 01873 488 NtProtectVirtualMemory (-1, (0x478e000), 4096, 260, ... 01870 1316 NtRegisterThreadTerminatePort ... ) == 0x0 01850 936 NtWaitForSingleObject ... 
) == 0x0 01872 896 NtSetEventBoostPriority ... ) == 0x0 01874 880 NtWaitForSingleObject (148, 0, 0x0, ... 01875 928 NtWaitForSingleObject (148, 0, 0x0, ... 01873 488 NtProtectVirtualMemory ... (0x478e000), 4096, 4, ) == 0x0 01876 884 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01877 936 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 01878 1316 NtWaitForSingleObject (148, 0, 0x0, ... 01879 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01877 936 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 01876 884 NtCreateEvent ... 672, ) == 0x0 01880 936 NtSetEventBoostPriority (148, ... 01879 488 NtCreateThread ... 676, {484, 1320}, ) == 0x0 01881 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01882 896 NtWaitForSingleObject (148, 0, 0x0, ... 01883 488 NtQueryInformationThread (676, Basic, 28, ... 01881 884 NtDuplicateObject ... 680, ) == 0x0 01853 940 NtWaitForSingleObject ... ) == 0x0 01880 936 NtSetEventBoostPriority ... ) == 0x0 01884 884 NtWaitForSingleObject (148, 0, 0x0, ... 01885 940 NtSetEventBoostPriority (148, ... 01886 936 NtWaitForSingleObject (148, 0, 0x0, ... 01845 892 NtWaitForSingleObject ... ) == 0x0 01885 940 NtSetEventBoostPriority ... ) == 0x0 01887 892 NtSetEventBoostPriority (148, ... 01883 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=484,Tid=1320,}, 0x0, ) == 0x0 01857 1296 NtWaitForSingleObject ... ) == 0x0 01888 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1647, 0} (24, {28, 56, new_msg, 0, 484, 488, 1647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\344\1\0\0(\5\0\0" ... ... 01889 1296 NtSetEventBoostPriority (148, ... 01888 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1648, 0} ... {28, 56, reply, 0, 484, 488, 1648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\344\1\0\0(\5\0\0" ) ) == 0x0 01868 932 NtWaitForSingleObject ... ) == 0x0 01890 488 NtResumeThread (676, ... 01891 932 NtSetEventBoostPriority (148, ... 01890 488 NtResumeThread ... 
1, ) == 0x0 01871 888 NtWaitForSingleObject ... ) == 0x0 01891 932 NtSetEventBoostPriority ... ) == 0x0 01889 1296 NtSetEventBoostPriority ... ) == 0x0 01887 892 NtSetEventBoostPriority ... ) == 0x0 01892 940 NtWaitForSingleObject (148, 0, 0x0, ... 01893 1320 NtWaitForSingleObject (148, 0, 0x0, ... 01894 888 NtSetEventBoostPriority (148, ... 01895 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01896 1296 NtWaitForSingleObject (308, 0, 0x0, ... 01897 892 NtWaitForSingleObject (148, 0, 0x0, ... 01874 880 NtWaitForSingleObject ... ) == 0x0 01894 888 NtSetEventBoostPriority ... ) == 0x0 01895 488 NtAllocateVirtualMemory ... 75038720, 1048576, ) == 0x0 01898 880 NtSetEventBoostPriority (148, ... 01899 932 NtWaitForSingleObject (148, 0, 0x0, ... 01875 928 NtWaitForSingleObject ... ) == 0x0 01898 880 NtSetEventBoostPriority ... ) == 0x0 01900 488 NtAllocateVirtualMemory (-1, 76079104, 0, 8192, 4096, 4, ... 01901 928 NtSetEventBoostPriority (148, ... 01902 888 NtQueryValueKey (652, (652, "Hostname", Partial, 144, ... , Partial, 144, ... 01878 1316 NtWaitForSingleObject ... ) == 0x0 01901 928 NtSetEventBoostPriority ... ) == 0x0 01900 488 NtAllocateVirtualMemory ... 76079104, 8192, ) == 0x0 01903 1316 NtSetEventBoostPriority (148, ... 01902 888 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01904 880 NtSetEventBoostPriority (308, ... 01882 896 NtWaitForSingleObject ... ) == 0x0 01903 1316 NtSetEventBoostPriority ... ) == 0x0 01905 488 NtProtectVirtualMemory (-1, (0x488e000), 4096, 260, ... 01906 888 NtWaitForSingleObject (148, 0, 0x0, ... 01907 896 NtSetEventBoostPriority (148, ... 01896 1296 NtWaitForSingleObject ... ) == 0x0 01904 880 NtSetEventBoostPriority ... ) == 0x0 01908 1316 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01905 488 NtProtectVirtualMemory ... (0x488e000), 4096, 4, ) == 0x0 01884 884 NtWaitForSingleObject ... 
) == 0x0 01909 1296 NtWaitForSingleObject (148, 0, 0x0, ... 01907 896 NtSetEventBoostPriority ... ) == 0x0 01910 880 NtWaitForSingleObject (148, 0, 0x0, ... 01911 928 NtWaitForSingleObject (148, 0, 0x0, ... 01908 1316 NtDuplicateObject ... 684, ) == 0x0 01912 884 NtSetEventBoostPriority (148, ... 01913 896 NtWaitForSingleObject (148, 0, 0x0, ... 01886 936 NtWaitForSingleObject ... ) == 0x0 01912 884 NtSetEventBoostPriority ... ) == 0x0 01914 1316 NtWaitForSingleObject (148, 0, 0x0, ... 01915 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01916 936 NtSetEventBoostPriority (148, ... 01892 940 NtWaitForSingleObject ... ) == 0x0 01917 940 NtSetEventBoostPriority (148, ... 01893 1320 NtWaitForSingleObject ... ) == 0x0 01918 1320 NtSetEventBoostPriority (148, ... 01897 892 NtWaitForSingleObject ... ) == 0x0 01919 892 NtSetEventBoostPriority (148, ... 01899 932 NtWaitForSingleObject ... ) == 0x0 01920 932 NtSetEventBoostPriority (148, ... 01906 888 NtWaitForSingleObject ... ) == 0x0 01921 888 NtSetEventBoostPriority (148, ... 01909 1296 NtWaitForSingleObject ... ) == 0x0 01922 1296 NtSetEventBoostPriority (148, ... 01910 880 NtWaitForSingleObject ... ) == 0x0 01923 880 NtSetEventBoostPriority (148, ... 01911 928 NtWaitForSingleObject ... ) == 0x0 01924 928 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 01925 928 NtSetEventBoostPriority (148, ... 01923 880 NtSetEventBoostPriority ... ) == 0x0 01922 1296 NtSetEventBoostPriority ... ) == 0x0 01921 888 NtSetEventBoostPriority ... ) == 0x0 01920 932 NtSetEventBoostPriority ... ) == 0x0 01919 892 NtSetEventBoostPriority ... ) == 0x0 01918 1320 NtSetEventBoostPriority ... ) == 0x0 01917 940 NtSetEventBoostPriority ... ) == 0x0 01916 936 NtSetEventBoostPriority ... ) == 0x0 01915 488 NtCreateThread ... 688, {484, 1292}, ) == 0x0 01926 884 NtWaitForSingleObject (148, 0, 0x0, ... 01913 896 NtWaitForSingleObject ... ) == 0x0 01925 928 NtSetEventBoostPriority ... 
) == 0x0 01927 880 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12119372, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 12119372, 112, ... 01928 1296 NtWaitForSingleObject (72, 0, {0, 0}, ... 01929 932 NtSetEventBoostPriority (132, ... 01930 888 NtClose (652, ... 01931 892 NtAllocateVirtualMemory (-1, 15257600, 0, 4096, 4096, 260, ... 01932 940 NtWaitForSingleObject (148, 0, 0x0, ... 01933 1320 NtTestAlert (... 01934 488 NtQueryInformationThread (688, Basic, 28, ... 01935 896 NtSetEventBoostPriority (148, ... 01936 928 NtWaitForSingleObject (148, 0, 0x0, ... 01928 1296 NtWaitForSingleObject ... ) == 0x102 01927 880 NtConnectPort ... 692, 0x0, 0x0, 0x0, 112, ) == 0x0 01937 936 NtWaitForSingleObject (148, 0, 0x0, ... 01930 888 NtClose ... ) == 0x0 01931 892 NtAllocateVirtualMemory ... 15257600, 4096, ) == 0x0 01219 924 NtWaitForSingleObject ... ) == 0x0 01929 932 NtSetEventBoostPriority ... ) == 0x0 01933 1320 NtTestAlert ... ) == 0x0 01934 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=484,Tid=1292,}, 0x0, ) == 0x0 01914 1316 NtWaitForSingleObject ... ) == 0x0 01938 1296 NtWaitForSingleObject (132, 0, 0x0, ... 01939 880 NtRequestWaitReplyPort (692, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 12119136} (692, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 12119136} "\0$\370w\20\363\270\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\260\347\24\0\4\0\0\0\260\347\24\0\20\344\314w\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\300\11\25\0\0\0\0\0\270/\25\0\0\0\0\0X`\25\0\0\0\0\0\0\0\0\0\0\0\0\0\270/\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01940 888 NtClose (660, ... 01941 892 NtWaitForSingleObject (148, 0, 0x0, ... 01942 924 NtSetEventBoostPriority (132, ... 01943 932 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01944 1320 NtContinue (75038000, 1, ... 
01945 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1648, 0} (24, {28, 56, new_msg, 0, 484, 488, 1648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\344\1\0\0\14\5\0\0" ... ... 01946 1316 NtSetEventBoostPriority (148, ... 01940 888 NtClose ... ) == 0x0 01939 880 NtRequestWaitReplyPort ... {128, 152, reply, 0, 484, 880, 1650, 0} ... {128, 152, reply, 0, 484, 880, 1650, 0} "\7$\370w\20\363\270\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260\347\24\0\377\377\377\377\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\300\11\25\0\0\0\0\0\270/\25\0\0\0\0\0X`\25\0\0\0\0\0\0\0\0\0\0\0\0\0\270/\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01243 920 NtWaitForSingleObject ... ) == 0x0 01942 924 NtSetEventBoostPriority ... ) == 0x0 01943 932 NtCreateEvent ... 660, ) == 0x0 01947 1320 NtRegisterThreadTerminatePort (24, ... 01926 884 NtWaitForSingleObject ... ) == 0x0 01946 1316 NtSetEventBoostPriority ... ) == 0x0 01948 888 NtWaitForSingleObject (148, 0, 0x0, ... 01935 896 NtSetEventBoostPriority ... ) == 0x0 01945 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1651, 0} ... {28, 56, reply, 0, 484, 488, 1651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\344\1\0\0\14\5\0\0" ) ) == 0x0 01949 920 NtWaitForSingleObject (148, 0, 0x0, ... 01950 880 NtWaitForSingleObject (148, 0, 0x0, ... 01951 932 NtWaitForSingleObject (148, 0, 0x0, ... 01952 884 NtSetEventBoostPriority (148, ... 01947 1320 NtRegisterThreadTerminatePort ... ) == 0x0 01953 924 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01954 896 NtWaitForSingleObject (148, 0, 0x0, ... 01955 488 NtResumeThread (688, ... 01936 928 NtWaitForSingleObject ... ) == 0x0 01952 884 NtSetEventBoostPriority ... ) == 0x0 01956 1320 NtWaitForSingleObject (148, 0, 0x0, ... 01953 924 NtCreateEvent ... 652, ) == 0x0 01957 928 NtSetEventBoostPriority (148, ... 01955 488 NtResumeThread ... 1, ) == 0x0 01958 884 NtWaitForSingleObject (148, 0, 0x0, ... 
01959 1316 NtWaitForSingleObject (308, 0, 0x0, ... 01960 1292 NtWaitForSingleObject (148, 0, 0x0, ... 01937 936 NtWaitForSingleObject ... ) == 0x0 01957 928 NtSetEventBoostPriority ... ) == 0x0 01961 924 NtWaitForSingleObject (148, 0, 0x0, ... 01962 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01963 936 NtSetEventBoostPriority (148, ... 01941 892 NtWaitForSingleObject ... ) == 0x0 01964 892 NtSetEventBoostPriority (148, ... 01932 940 NtWaitForSingleObject ... ) == 0x0 01965 940 NtSetEventBoostPriority (148, ... 01948 888 NtWaitForSingleObject ... ) == 0x0 01966 888 NtSetEventBoostPriority (148, ... 01949 920 NtWaitForSingleObject ... ) == 0x0 01967 920 NtSetEventBoostPriority (148, ... 01950 880 NtWaitForSingleObject ... ) == 0x0 01968 880 NtSetEventBoostPriority (148, ... 01951 932 NtWaitForSingleObject ... ) == 0x0 01969 932 NtSetEventBoostPriority (148, ... 01954 896 NtWaitForSingleObject ... ) == 0x0 01970 896 NtSetEventBoostPriority (148, ... 01956 1320 NtWaitForSingleObject ... ) == 0x0 01971 1320 NtSetEventBoostPriority (148, ... 01960 1292 NtWaitForSingleObject ... ) == 0x0 01972 1292 NtSetEventBoostPriority (148, ... 01958 884 NtWaitForSingleObject ... ) == 0x0 01973 884 NtSetEventBoostPriority (148, ... 01961 924 NtWaitForSingleObject ... ) == 0x0 01974 924 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 01972 1292 NtSetEventBoostPriority ... ) == 0x0 01970 896 NtSetEventBoostPriority ... ) == 0x0 01969 932 NtSetEventBoostPriority ... ) == 0x0 01968 880 NtSetEventBoostPriority ... ) == 0x0 01966 888 NtSetEventBoostPriority ... ) == 0x0 01964 892 NtSetEventBoostPriority ... ) == 0x0 01963 936 NtSetEventBoostPriority ... ) == 0x0 01962 488 NtAllocateVirtualMemory ... 76087296, 1048576, ) == 0x0 01973 884 NtSetEventBoostPriority ... ) == 0x0 01971 1320 NtSetEventBoostPriority ... ) == 0x0 01967 920 NtSetEventBoostPriority ... ) == 0x0 01965 940 NtSetEventBoostPriority ... 
) == 0x0 01975 928 NtWaitForSingleObject (148, 0, 0x0, ... 01976 924 NtSetEventBoostPriority (148, ... 01977 1292 NtTestAlert (... 01978 896 NtWaitForSingleObject (148, 0, 0x0, ... 01979 880 NtRequestWaitReplyPort (692, {64, 88, new_msg, 0, 0, 0, 0, 0} (692, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01980 932 NtWaitForSingleObject (148, 0, 0x0, ... 01981 888 NtWaitForSingleObject (148, 0, 0x0, ... 01982 936 NtWaitForSingleObject (148, 0, 0x0, ... 01983 488 NtAllocateVirtualMemory (-1, 77127680, 0, 8192, 4096, 4, ... 01984 884 NtSetEventBoostPriority (308, ... 01985 1320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01986 892 NtWaitForSingleObject (148, 0, 0x0, ... 01987 940 NtWaitForSingleObject (148, 0, 0x0, ... 01975 928 NtWaitForSingleObject ... ) == 0x0 01976 924 NtSetEventBoostPriority ... ) == 0x0 01977 1292 NtTestAlert ... ) == 0x0 01988 920 NtWaitForSingleObject (148, 0, 0x0, ... 01979 880 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 880, 1652, 0} ... {52, 76, reply, 0, 484, 880, 1652, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01959 1316 NtWaitForSingleObject ... ) == 0x0 01984 884 NtSetEventBoostPriority ... ) == 0x0 01985 1320 NtDuplicateObject ... 696, ) == 0x0 01989 928 NtSetEventBoostPriority (148, ... 01990 924 NtWaitForSingleObject (148, 0, 0x0, ... 01991 1292 NtContinue (76086576, 1, ... 01992 1316 NtWaitForSingleObject (72, 0, {0, 0}, ... 01993 880 NtWaitForSingleObject (148, 0, 0x0, ... 01983 488 NtAllocateVirtualMemory ... 77127680, 8192, ) == 0x0 01994 884 NtWaitForSingleObject (148, 0, 0x0, ... 01978 896 NtWaitForSingleObject ... ) == 0x0 01989 928 NtSetEventBoostPriority ... ) == 0x0 01992 1316 NtWaitForSingleObject ... ) == 0x102 01995 1292 NtRegisterThreadTerminatePort (24, ... 
01996 488 NtProtectVirtualMemory (-1, (0x498e000), 4096, 260, ... 01997 896 NtSetEventBoostPriority (148, ... 01998 928 NtWaitForSingleObject (148, 0, 0x0, ... 01999 1320 NtWaitForSingleObject (148, 0, 0x0, ... 01995 1292 NtRegisterThreadTerminatePort ... ) == 0x0 01980 932 NtWaitForSingleObject ... ) == 0x0 01997 896 NtSetEventBoostPriority ... ) == 0x0 01996 488 NtProtectVirtualMemory ... (0x498e000), 4096, 4, ) == 0x0 02000 1316 NtWaitForSingleObject (148, 0, 0x0, ... 02001 932 NtSetEventBoostPriority (148, ... 02002 1292 NtWaitForSingleObject (148, 0, 0x0, ... 02003 896 NtWaitForSingleObject (148, 0, 0x0, ... 02004 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01981 888 NtWaitForSingleObject ... ) == 0x0 02001 932 NtSetEventBoostPriority ... ) == 0x0 02005 888 NtSetEventBoostPriority (148, ... 02004 488 NtCreateThread ... 700, {484, 1256}, ) == 0x0 01982 936 NtWaitForSingleObject ... ) == 0x0 02005 888 NtSetEventBoostPriority ... ) == 0x0 02006 932 NtWaitForSingleObject (148, 0, 0x0, ... 02007 936 NtSetEventBoostPriority (148, ... 02008 488 NtQueryInformationThread (700, Basic, 28, ... 02009 888 NtWaitForSingleObject (148, 0, 0x0, ... 01986 892 NtWaitForSingleObject ... ) == 0x0 02007 936 NtSetEventBoostPriority ... ) == 0x0 02008 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=484,Tid=1256,}, 0x0, ) == 0x0 02010 892 NtSetEventBoostPriority (148, ... 02011 936 NtWaitForSingleObject (148, 0, 0x0, ... 02012 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1651, 0} (24, {28, 56, new_msg, 0, 484, 488, 1651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\344\1\0\0\350\4\0\0" ... ... 01987 940 NtWaitForSingleObject ... ) == 0x0 02010 892 NtSetEventBoostPriority ... ) == 0x0 02013 940 NtSetEventBoostPriority (148, ... 02012 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1653, 0} ... 
{28, 56, reply, 0, 484, 488, 1653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\344\1\0\0\350\4\0\0" ) ) == 0x0 01988 920 NtWaitForSingleObject ... ) == 0x0 02013 940 NtSetEventBoostPriority ... ) == 0x0 02014 892 NtWaitForSingleObject (148, 0, 0x0, ... 02015 920 NtSetEventBoostPriority (148, ... 02016 488 NtResumeThread (700, ... 02017 940 NtWaitForSingleObject (148, 0, 0x0, ... 01990 924 NtWaitForSingleObject ... ) == 0x0 02015 920 NtSetEventBoostPriority ... ) == 0x0 02016 488 NtResumeThread ... 1, ) == 0x0 02018 924 NtSetEventBoostPriority (148, ... 02019 920 NtSetEventBoostPriority (132, ... 02020 1256 NtTestAlert (... 01993 880 NtWaitForSingleObject ... ) == 0x0 02018 924 NtSetEventBoostPriority ... ) == 0x0 02021 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02022 880 NtSetEventBoostPriority (148, ... 02020 1256 NtTestAlert ... ) == 0x0 01288 904 NtWaitForSingleObject ... ) == 0x0 02019 920 NtSetEventBoostPriority ... ) == 0x0 01994 884 NtWaitForSingleObject ... ) == 0x0 02022 880 NtSetEventBoostPriority ... ) == 0x0 02021 488 NtAllocateVirtualMemory ... 77135872, 1048576, ) == 0x0 02023 1256 NtContinue (77135152, 1, ... 02024 904 NtSetEventBoostPriority (132, ... 02025 884 NtSetEventBoostPriority (148, ... 02026 920 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02027 924 NtWaitForSingleObject (148, 0, 0x0, ... 02028 488 NtAllocateVirtualMemory (-1, 78176256, 0, 8192, 4096, 4, ... 02029 1256 NtRegisterThreadTerminatePort (24, ... 01999 1320 NtWaitForSingleObject ... ) == 0x0 02025 884 NtSetEventBoostPriority ... ) == 0x0 01321 944 NtWaitForSingleObject ... ) == 0x0 02026 920 NtCreateEvent ... 704, ) == 0x0 02028 488 NtAllocateVirtualMemory ... 78176256, 8192, ) == 0x0 02030 1320 NtSetEventBoostPriority (148, ... 02029 1256 NtRegisterThreadTerminatePort ... ) == 0x0 02031 884 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02032 944 NtWaitForSingleObject (148, 0, 0x0, ... 02033 920 NtWaitForSingleObject (148, 0, 0x0, ... 02000 1316 NtWaitForSingleObject ... 
) == 0x0 02030 1320 NtSetEventBoostPriority ... ) == 0x0 02034 488 NtProtectVirtualMemory (-1, (0x4a8e000), 4096, 260, ... 02024 904 NtSetEventBoostPriority ... ) == 0x0 02035 880 NtWaitForSingleObject (148, 0, 0x0, ... 02036 1256 NtWaitForSingleObject (148, 0, 0x0, ... 02037 1316 NtSetEventBoostPriority (148, ... 02038 1320 NtWaitForSingleObject (148, 0, 0x0, ... 02034 488 NtProtectVirtualMemory ... (0x4a8e000), 4096, 4, ) == 0x0 02039 904 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01998 928 NtWaitForSingleObject ... ) == 0x0 02037 1316 NtSetEventBoostPriority ... ) == 0x0 02031 884 NtCreateEvent ... 708, ) == 0x0 02040 928 NtSetEventBoostPriority (148, ... 02039 904 NtCreateEvent ... 712, ) == 0x0 02041 1316 NtWaitForSingleObject (132, 0, 0x0, ... 02002 1292 NtWaitForSingleObject ... ) == 0x0 02042 884 NtWaitForSingleObject (148, 0, 0x0, ... 02040 928 NtSetEventBoostPriority ... ) == 0x0 02043 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02044 904 NtWaitForSingleObject (148, 0, 0x0, ... 02045 1292 NtSetEventBoostPriority (148, ... 02046 928 NtWaitForSingleObject (148, 0, 0x0, ... 02043 488 NtCreateThread ... 716, {484, 1120}, ) == 0x0 02003 896 NtWaitForSingleObject ... ) == 0x0 02047 488 NtQueryInformationThread (716, Basic, 28, ... 02048 896 NtSetEventBoostPriority (148, ... 02047 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=484,Tid=1120,}, 0x0, ) == 0x0 02006 932 NtWaitForSingleObject ... ) == 0x0 02049 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1653, 0} (24, {28, 56, new_msg, 0, 484, 488, 1653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\344\1\0\0`\4\0\0" ... ... 02050 932 NtSetEventBoostPriority (148, ... 02011 936 NtWaitForSingleObject ... ) == 0x0 02051 936 NtSetEventBoostPriority (148, ... 02009 888 NtWaitForSingleObject ... ) == 0x0 02052 888 NtSetEventBoostPriority (148, ... 02017 940 NtWaitForSingleObject ... ) == 0x0 02053 940 NtSetEventBoostPriority (148, ... 
02014 892 NtWaitForSingleObject ... ) == 0x0 02054 892 NtSetEventBoostPriority (148, ... 02027 924 NtWaitForSingleObject ... ) == 0x0 02055 924 NtSetEventBoostPriority (148, ... 02032 944 NtWaitForSingleObject ... ) == 0x0 02056 944 NtSetEventBoostPriority (148, ... 02033 920 NtWaitForSingleObject ... ) == 0x0 02057 920 NtSetEventBoostPriority (148, ... 02035 880 NtWaitForSingleObject ... ) == 0x0 02058 880 NtSetEventBoostPriority (148, ... 02036 1256 NtWaitForSingleObject ... ) == 0x0 02059 1256 NtSetEventBoostPriority (148, ... 02038 1320 NtWaitForSingleObject ... ) == 0x0 02060 1320 NtSetEventBoostPriority (148, ... 02042 884 NtWaitForSingleObject ... ) == 0x0 02061 884 NtSetEventBoostPriority (148, ... 02044 904 NtWaitForSingleObject ... ) == 0x0 02062 904 NtSetEventBoostPriority (148, ... 02046 928 NtWaitForSingleObject ... ) == 0x0 02063 928 NtAllocateVirtualMemory (-1, 22597632, 0, 4096, 4096, 260, ... 22597632, 4096, ) == 0x0 02062 904 NtSetEventBoostPriority ... ) == 0x0 02061 884 NtSetEventBoostPriority ... ) == 0x0 02059 1256 NtSetEventBoostPriority ... ) == 0x0 02058 880 NtSetEventBoostPriority ... ) == 0x0 02057 920 NtSetEventBoostPriority ... ) == 0x0 02056 944 NtSetEventBoostPriority ... ) == 0x0 02055 924 NtSetEventBoostPriority ... ) == 0x0 02053 940 NtSetEventBoostPriority ... ) == 0x0 02051 936 NtSetEventBoostPriority ... ) == 0x0 02060 1320 NtSetEventBoostPriority ... ) == 0x0 02054 892 NtSetEventBoostPriority ... ) == 0x0 02052 888 NtSetEventBoostPriority ... ) == 0x0 02050 932 NtSetEventBoostPriority ... ) == 0x0 02048 896 NtSetEventBoostPriority ... ) == 0x0 02045 1292 NtSetEventBoostPriority ... ) == 0x0 02049 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1654, 0} ... {28, 56, reply, 0, 484, 488, 1654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\344\1\0\0`\4\0\0" ) ) == 0x0 02064 904 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02065 928 NtWaitForSingleObject (148, 0, 0x0, ... 
02066 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02067 880 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02068 884 NtRequestWaitReplyPort (692, {64, 88, new_msg, 0, 0, 0, 0, 0} (692, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02069 920 NtWaitForSingleObject (148, 0, 0x0, ... 02070 924 NtWaitForSingleObject (148, 0, 0x0, ... 02071 940 NtWaitForSingleObject (148, 0, 0x0, ... 02072 944 NtSetEventBoostPriority (132, ... 02073 1320 NtWaitForSingleObject (72, 0, {0, 0}, ... 02074 892 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02075 888 NtWaitForSingleObject (148, 0, 0x0, ... 02076 932 NtWaitForSingleObject (148, 0, 0x0, ... 02077 896 NtWaitForSingleObject (148, 0, 0x0, ... 02078 1292 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02079 488 NtResumeThread (716, ... 02080 936 NtWaitForSingleObject (148, 0, 0x0, ... 02064 904 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02066 1256 NtDuplicateObject ... 720, ) == 0x0 02068 884 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 884, 1655, 0} ... {52, 76, reply, 0, 484, 884, 1655, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02067 880 NtCreateKey ... 724, 2, ) == 0x0 01316 912 NtWaitForSingleObject ... ) == 0x0 02072 944 NtSetEventBoostPriority ... ) == 0x0 02074 892 NtCreateEvent ... 728, ) == 0x0 02078 1292 NtDuplicateObject ... 732, ) == 0x0 02079 488 NtResumeThread ... 1, ) == 0x0 02081 904 NtSetEventBoostPriority (148, ... 02082 1256 NtWaitForSingleObject (148, 0, 0x0, ... 02083 884 NtWaitForSingleObject (148, 0, 0x0, ... 02084 912 NtSetEventBoostPriority (132, ... 
02085 880 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02086 944 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02073 1320 NtWaitForSingleObject ... ) == 0x102 02087 1120 NtWaitForSingleObject (148, 0, 0x0, ... 02088 892 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02089 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02065 928 NtWaitForSingleObject ... ) == 0x0 02081 904 NtSetEventBoostPriority ... ) == 0x0 01325 308 NtWaitForSingleObject ... ) == 0x0 02085 880 NtOpenKey ... 736, ) == 0x0 02086 944 NtCreateEvent ... 740, ) == 0x0 02090 1320 NtWaitForSingleObject (132, 0, 0x0, ... 02088 892 NtDuplicateObject ... 744, ) == 0x0 02091 928 NtSetEventBoostPriority (148, ... 02089 488 NtAllocateVirtualMemory ... 78184448, 1048576, ) == 0x0 02092 904 NtWaitForSingleObject (148, 0, 0x0, ... 02093 308 NtWaitForSingleObject (148, 0, 0x0, ... 02094 880 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02095 944 NtWaitForSingleObject (148, 0, 0x0, ... 02069 920 NtWaitForSingleObject ... ) == 0x0 02091 928 NtSetEventBoostPriority ... ) == 0x0 02096 892 NtWaitForSingleObject (148, 0, 0x0, ... 02097 488 NtAllocateVirtualMemory (-1, 79224832, 0, 8192, 4096, 4, ... 02094 880 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02098 920 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02099 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02084 912 NtSetEventBoostPriority ... ) == 0x0 02100 1292 NtWaitForSingleObject (148, 0, 0x0, ... 02098 920 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02101 880 NtQueryValueKey (724, (724, "Hostname", Partial, 144, ... , Partial, 144, ... 02097 488 NtAllocateVirtualMemory ... 79224832, 8192, ) == 0x0 02102 912 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02103 920 NtSetEventBoostPriority (148, ... 02099 928 NtCreateEvent ... 
748, ) == 0x0 02104 488 NtProtectVirtualMemory (-1, (0x4b8e000), 4096, 260, ... 02102 912 NtCreateEvent ... 752, ) == 0x0 02101 880 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02105 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02104 488 NtProtectVirtualMemory ... (0x4b8e000), 4096, 4, ) == 0x0 02070 924 NtWaitForSingleObject ... ) == 0x0 02103 920 NtSetEventBoostPriority ... ) == 0x0 02106 880 NtWaitForSingleObject (148, 0, 0x0, ... 02105 928 NtDuplicateObject ... 756, ) == 0x0 02107 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02108 924 NtSetEventBoostPriority (148, ... 02109 920 NtWaitForSingleObject (148, 0, 0x0, ... 02110 928 NtWaitForSingleObject (148, 0, 0x0, ... 02107 488 NtCreateThread ... 760, {484, 1416}, ) == 0x0 02075 888 NtWaitForSingleObject ... ) == 0x0 02111 488 NtQueryInformationThread (760, Basic, 28, ... 02112 888 NtSetEventBoostPriority (148, ... 02108 924 NtSetEventBoostPriority ... ) == 0x0 02113 912 NtWaitForSingleObject (148, 0, 0x0, ... 02076 932 NtWaitForSingleObject ... ) == 0x0 02112 888 NtSetEventBoostPriority ... ) == 0x0 02114 924 NtWaitForSingleObject (148, 0, 0x0, ... 02115 932 NtSetEventBoostPriority (148, ... 02111 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=484,Tid=1416,}, 0x0, ) == 0x0 02077 896 NtWaitForSingleObject ... ) == 0x0 02115 932 NtSetEventBoostPriority ... ) == 0x0 02116 896 NtSetEventBoostPriority (148, ... 02117 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1654, 0} (24, {28, 56, new_msg, 0, 484, 488, 1654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\344\1\0\0\210\5\0\0" ... ... 02118 888 NtWaitForSingleObject (148, 0, 0x0, ... 02080 936 NtWaitForSingleObject ... ) == 0x0 02116 896 NtSetEventBoostPriority ... ) == 0x0 02117 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1656, 0} ... 
{28, 56, reply, 0, 484, 488, 1656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\344\1\0\0\210\5\0\0" ) ) == 0x0 02119 936 NtSetEventBoostPriority (148, ... 02120 932 NtWaitForSingleObject (148, 0, 0x0, ... 02071 940 NtWaitForSingleObject ... ) == 0x0 02119 936 NtSetEventBoostPriority ... ) == 0x0 02121 488 NtResumeThread (760, ... 02122 940 NtSetEventBoostPriority (148, ... 02123 936 NtWaitForSingleObject (148, 0, 0x0, ... 02082 1256 NtWaitForSingleObject ... ) == 0x0 02121 488 NtResumeThread ... 1, ) == 0x0 02122 940 NtSetEventBoostPriority ... ) == 0x0 02124 896 NtAllocateVirtualMemory (-1, 16306176, 0, 4096, 4096, 260, ... 02125 1256 NtSetEventBoostPriority (148, ... 02126 1416 NtWaitForSingleObject (108, 0, 0x0, ... 02127 940 NtWaitForSingleObject (148, 0, 0x0, ... 02124 896 NtAllocateVirtualMemory ... 16306176, 4096, ) == 0x0 02083 884 NtWaitForSingleObject ... ) == 0x0 02125 1256 NtSetEventBoostPriority ... ) == 0x0 02128 884 NtSetEventBoostPriority (148, ... 02129 896 NtWaitForSingleObject (148, 0, 0x0, ... 02130 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02087 1120 NtWaitForSingleObject ... ) == 0x0 02128 884 NtSetEventBoostPriority ... ) == 0x0 02131 1120 NtSetEventBoostPriority (148, ... 02130 488 NtAllocateVirtualMemory ... 79233024, 1048576, ) == 0x0 02132 1256 NtWaitForSingleObject (148, 0, 0x0, ... 02092 904 NtWaitForSingleObject ... ) == 0x0 02131 1120 NtSetEventBoostPriority ... ) == 0x0 02133 488 NtAllocateVirtualMemory (-1, 80273408, 0, 8192, 4096, 4, ... 02134 904 NtSetEventBoostPriority (148, ... 02135 884 NtWaitForSingleObject (308, 0, 0x0, ... 02093 308 NtWaitForSingleObject ... ) == 0x0 02134 904 NtSetEventBoostPriority ... ) == 0x0 02133 488 NtAllocateVirtualMemory ... 80273408, 8192, ) == 0x0 02136 308 NtSetEventBoostPriority (148, ... 02137 1120 NtSetEventBoostPriority (108, ... 02095 944 NtWaitForSingleObject ... ) == 0x0 02136 308 NtSetEventBoostPriority ... 
) == 0x0 02138 488 NtProtectVirtualMemory (-1, (0x4c8e000), 4096, 260, ... 02139 944 NtSetEventBoostPriority (148, ... 02126 1416 NtWaitForSingleObject ... ) == 0x0 02137 1120 NtSetEventBoostPriority ... ) == 0x0 02140 904 NtWaitForSingleObject (148, 0, 0x0, ... 02096 892 NtWaitForSingleObject ... ) == 0x0 02141 1416 NtTestAlert (... 02139 944 NtSetEventBoostPriority ... ) == 0x0 02138 488 NtProtectVirtualMemory ... (0x4c8e000), 4096, 4, ) == 0x0 02142 1120 NtTestAlert (... 02143 892 NtSetEventBoostPriority (148, ... 02141 1416 NtTestAlert ... ) == 0x0 02144 308 NtWaitForSingleObject (148, 0, 0x0, ... 02145 944 NtWaitForSingleObject (148, 0, 0x0, ... 02100 1292 NtWaitForSingleObject ... ) == 0x0 02143 892 NtSetEventBoostPriority ... ) == 0x0 02142 1120 NtTestAlert ... ) == 0x0 02146 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02147 1292 NtSetEventBoostPriority (148, ... 02148 1416 NtContinue (79232304, 1, ... 02149 1120 NtContinue (78183728, 1, ... 02106 880 NtWaitForSingleObject ... ) == 0x0 02147 1292 NtSetEventBoostPriority ... ) == 0x0 02146 488 NtCreateThread ... 764, {484, 1408}, ) == 0x0 02150 1416 NtRegisterThreadTerminatePort (24, ... 02151 880 NtSetEventBoostPriority (148, ... 02152 1120 NtRegisterThreadTerminatePort (24, ... 02153 1292 NtWaitForSingleObject (308, 0, 0x0, ... 02154 488 NtQueryInformationThread (764, Basic, 28, ... 02109 920 NtWaitForSingleObject ... ) == 0x0 02151 880 NtSetEventBoostPriority ... ) == 0x0 02150 1416 NtRegisterThreadTerminatePort ... ) == 0x0 02155 892 NtWaitForSingleObject (148, 0, 0x0, ... 02152 1120 NtRegisterThreadTerminatePort ... ) == 0x0 02156 920 NtSetEventBoostPriority (148, ... 02154 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=484,Tid=1408,}, 0x0, ) == 0x0 02157 1416 NtWaitForSingleObject (148, 0, 0x0, ... 02110 928 NtWaitForSingleObject ... ) == 0x0 02156 920 NtSetEventBoostPriority ... ) == 0x0 02158 1120 NtWaitForSingleObject (148, 0, 0x0, ... 
02159 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1656, 0} (24, {28, 56, new_msg, 0, 484, 488, 1656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\344\1\0\0\200\5\0\0" ... ... 02160 928 NtSetEventBoostPriority (148, ... 02161 880 NtQueryValueKey (724, (724, "Hostname", Partial, 144, ... , Partial, 144, ... 02113 912 NtWaitForSingleObject ... ) == 0x0 02160 928 NtSetEventBoostPriority ... ) == 0x0 02162 912 NtSetEventBoostPriority (148, ... 02161 880 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02163 920 NtWaitForSingleObject (148, 0, 0x0, ... 02159 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1657, 0} ... {28, 56, reply, 0, 484, 488, 1657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\344\1\0\0\200\5\0\0" ) ) == 0x0 02114 924 NtWaitForSingleObject ... ) == 0x0 02162 912 NtSetEventBoostPriority ... ) == 0x0 02164 880 NtWaitForSingleObject (148, 0, 0x0, ... 02165 924 NtSetEventBoostPriority (148, ... 02166 488 NtResumeThread (764, ... 02167 912 NtWaitForSingleObject (148, 0, 0x0, ... 02118 888 NtWaitForSingleObject ... ) == 0x0 02165 924 NtSetEventBoostPriority ... ) == 0x0 02166 488 NtResumeThread ... 1, ) == 0x0 02168 928 NtWaitForSingleObject (148, 0, 0x0, ... 02169 888 NtSetEventBoostPriority (148, ... 02170 1408 NtWaitForSingleObject (148, 0, 0x0, ... 02171 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02120 932 NtWaitForSingleObject ... ) == 0x0 02169 888 NtSetEventBoostPriority ... ) == 0x0 02172 932 NtSetEventBoostPriority (148, ... 02171 488 NtAllocateVirtualMemory ... 80281600, 1048576, ) == 0x0 02123 936 NtWaitForSingleObject ... ) == 0x0 02172 932 NtSetEventBoostPriority ... ) == 0x0 02173 888 NtWaitForSingleObject (148, 0, 0x0, ... 02174 936 NtSetEventBoostPriority (148, ... 02175 488 NtAllocateVirtualMemory (-1, 81321984, 0, 8192, 4096, 4, ... 02176 932 NtWaitForSingleObject (148, 0, 0x0, ... 
02177 924 NtWaitForSingleObject (148, 0, 0x0, ... 02127 940 NtWaitForSingleObject ... ) == 0x0 02174 936 NtSetEventBoostPriority ... ) == 0x0 02175 488 NtAllocateVirtualMemory ... 81321984, 8192, ) == 0x0 02178 940 NtSetEventBoostPriority (148, ... 02179 936 NtWaitForSingleObject (148, 0, 0x0, ... 02180 488 NtProtectVirtualMemory (-1, (0x4d8e000), 4096, 260, ... 02129 896 NtWaitForSingleObject ... ) == 0x0 02178 940 NtSetEventBoostPriority ... ) == 0x0 02181 896 NtSetEventBoostPriority (148, ... 02180 488 NtProtectVirtualMemory ... (0x4d8e000), 4096, 4, ) == 0x0 02132 1256 NtWaitForSingleObject ... ) == 0x0 02181 896 NtSetEventBoostPriority ... ) == 0x0 02182 1256 NtSetEventBoostPriority (148, ... 02183 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02184 940 NtAllocateVirtualMemory (-1, 25743360, 0, 4096, 4096, 260, ... 02140 904 NtWaitForSingleObject ... ) == 0x0 02182 1256 NtSetEventBoostPriority ... ) == 0x0 02183 488 NtCreateThread ... 768, {484, 1420}, ) == 0x0 02185 904 NtSetEventBoostPriority (148, ... 02184 940 NtAllocateVirtualMemory ... 25743360, 4096, ) == 0x0 02186 1256 NtSetEventBoostPriority (308, ... 02144 308 NtWaitForSingleObject ... ) == 0x0 02185 904 NtSetEventBoostPriority ... ) == 0x0 02187 488 NtQueryInformationThread (768, Basic, 28, ... 02188 940 NtWaitForSingleObject (148, 0, 0x0, ... 02189 896 NtWaitForSingleObject (148, 0, 0x0, ... 02190 308 NtSetEventBoostPriority (148, ... 02191 904 NtWaitForSingleObject (148, 0, 0x0, ... 02135 884 NtWaitForSingleObject ... ) == 0x0 02186 1256 NtSetEventBoostPriority ... ) == 0x0 02145 944 NtWaitForSingleObject ... ) == 0x0 02190 308 NtSetEventBoostPriority ... ) == 0x0 02187 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=484,Tid=1420,}, 0x0, ) == 0x0 02192 884 NtSetEventBoostPriority (308, ... 02193 944 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 02194 1256 NtWaitForSingleObject (72, 0, {0, 0}, ... 
02195 308 NtSetEventBoostPriority (132, ... 02196 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1657, 0} (24, {28, 56, new_msg, 0, 484, 488, 1657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\344\1\0\0\214\5\0\0" ... ... 02193 944 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 02153 1292 NtWaitForSingleObject ... ) == 0x0 02192 884 NtSetEventBoostPriority ... ) == 0x0 02194 1256 NtWaitForSingleObject ... ) == 0x102 02197 944 NtSetEventBoostPriority (148, ... 02198 1292 NtWaitForSingleObject (72, 0, {0, 0}, ... 02196 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1658, 0} ... {28, 56, reply, 0, 484, 488, 1658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\344\1\0\0\214\5\0\0" ) ) == 0x0 02199 884 NtClose (664, ... 02200 1256 NtWaitForSingleObject (132, 0, 0x0, ... 01344 948 NtWaitForSingleObject ... ) == 0x0 02195 308 NtSetEventBoostPriority ... ) == 0x0 02198 1292 NtWaitForSingleObject ... ) == 0x102 02201 488 NtResumeThread (768, ... 02155 892 NtWaitForSingleObject ... ) == 0x0 02197 944 NtSetEventBoostPriority ... ) == 0x0 02202 948 NtSetEventBoostPriority (132, ... 02203 1292 NtWaitForSingleObject (132, 0, 0x0, ... 02204 308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02201 488 NtResumeThread ... 1, ) == 0x0 02205 892 NtSetEventBoostPriority (148, ... 02206 944 NtWaitForSingleObject (148, 0, 0x0, ... 01346 964 NtWaitForSingleObject ... ) == 0x0 02202 948 NtSetEventBoostPriority ... ) == 0x0 02199 884 NtClose ... ) == 0x0 02207 1420 NtWaitForSingleObject (108, 0, 0x0, ... 02204 308 NtCreateEvent ... 664, ) == 0x0 02157 1416 NtWaitForSingleObject ... ) == 0x0 02205 892 NtSetEventBoostPriority ... ) == 0x0 02208 964 NtWaitForSingleObject (148, 0, 0x0, ... 02209 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02210 884 NtClose (708, ... 02211 1416 NtSetEventBoostPriority (148, ... 02212 308 NtWaitForSingleObject (148, 0, 0x0, ... 02213 892 NtWaitForSingleObject (148, 0, 0x0, ... 02209 488 NtAllocateVirtualMemory ... 
81330176, 1048576, ) == 0x0 02158 1120 NtWaitForSingleObject ... ) == 0x0 02211 1416 NtSetEventBoostPriority ... ) == 0x0 02210 884 NtClose ... ) == 0x0 02214 948 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02215 1120 NtSetEventBoostPriority (148, ... 02216 488 NtAllocateVirtualMemory (-1, 82370560, 0, 8192, 4096, 4, ... 02217 884 NtClose (692, ... 02163 920 NtWaitForSingleObject ... ) == 0x0 02215 1120 NtSetEventBoostPriority ... ) == 0x0 02214 948 NtCreateEvent ... 708, ) == 0x0 02216 488 NtAllocateVirtualMemory ... 82370560, 8192, ) == 0x0 02218 920 NtSetEventBoostPriority (148, ... 02217 884 NtClose ... ) == 0x0 02219 1416 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02220 948 NtWaitForSingleObject (148, 0, 0x0, ... 02164 880 NtWaitForSingleObject ... ) == 0x0 02218 920 NtSetEventBoostPriority ... ) == 0x0 02221 488 NtProtectVirtualMemory (-1, (0x4e8e000), 4096, 260, ... 02222 884 NtWaitForSingleObject (148, 0, 0x0, ... 02219 1416 NtDuplicateObject ... 692, ) == 0x0 02223 880 NtSetEventBoostPriority (148, ... 02224 920 NtWaitForSingleObject (148, 0, 0x0, ... 02221 488 NtProtectVirtualMemory ... (0x4e8e000), 4096, 4, ) == 0x0 02225 1120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02167 912 NtWaitForSingleObject ... ) == 0x0 02223 880 NtSetEventBoostPriority ... ) == 0x0 02226 1416 NtWaitForSingleObject (148, 0, 0x0, ... 02227 912 NtSetEventBoostPriority (148, ... 02225 1120 NtDuplicateObject ... 772, ) == 0x0 02228 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02168 928 NtWaitForSingleObject ... ) == 0x0 02229 1120 NtWaitForSingleObject (148, 0, 0x0, ... 02228 488 NtCreateThread ... 776, {484, 1424}, ) == 0x0 02230 928 NtSetEventBoostPriority (148, ... 02231 488 NtQueryInformationThread (776, Basic, 28, ... 02170 1408 NtWaitForSingleObject ... ) == 0x0 02230 928 NtSetEventBoostPriority ... ) == 0x0 02232 1408 NtSetEventBoostPriority (148, ... 02231 488 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=484,Tid=1424,}, 0x0, ) == 0x0 02173 888 NtWaitForSingleObject ... ) == 0x0 02232 1408 NtSetEventBoostPriority ... ) == 0x0 02233 928 NtWaitForSingleObject (148, 0, 0x0, ... 02234 888 NtSetEventBoostPriority (148, ... 02235 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1658, 0} (24, {28, 56, new_msg, 0, 484, 488, 1658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\344\1\0\0\220\5\0\0" ... ... 02227 912 NtSetEventBoostPriority ... ) == 0x0 02236 880 NtClose (724, ... 02237 1408 NtSetEventBoostPriority (108, ... 02177 924 NtWaitForSingleObject ... ) == 0x0 02238 912 NtWaitForSingleObject (148, 0, 0x0, ... 02236 880 NtClose ... ) == 0x0 02207 1420 NtWaitForSingleObject ... ) == 0x0 02237 1408 NtSetEventBoostPriority ... ) == 0x0 02239 924 NtSetEventBoostPriority (148, ... 02240 1420 NtTestAlert (... 02241 880 NtClose (736, ... 02242 1408 NtTestAlert (... 02240 1420 NtTestAlert ... ) == 0x0 02179 936 NtWaitForSingleObject ... ) == 0x0 02239 924 NtSetEventBoostPriority ... ) == 0x0 02241 880 NtClose ... ) == 0x0 02242 1408 NtTestAlert ... ) == 0x0 02234 888 NtSetEventBoostPriority ... ) == 0x0 02235 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1660, 0} ... {28, 56, reply, 0, 484, 488, 1660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\344\1\0\0\220\5\0\0" ) ) == 0x0 02243 936 NtSetEventBoostPriority (148, ... 02244 924 NtWaitForSingleObject (148, 0, 0x0, ... 02245 880 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02246 1408 NtContinue (80280880, 1, ... 02247 888 NtWaitForSingleObject (148, 0, 0x0, ... 02176 932 NtWaitForSingleObject ... ) == 0x0 02243 936 NtSetEventBoostPriority ... ) == 0x0 02248 488 NtResumeThread (776, ... 02249 1420 NtContinue (81329456, 1, ... 02245 880 NtCreateEvent ... 736, ) == 0x0 02250 1408 NtRegisterThreadTerminatePort (24, ... 02251 932 NtSetEventBoostPriority (148, ... 02248 488 NtResumeThread ... 1, ) == 0x0 02252 1420 NtRegisterThreadTerminatePort (24, ... 
02253 936 NtWaitForSingleObject (148, 0, 0x0, ... 02254 1424 NtTestAlert (... 02255 880 NtWaitForSingleObject (736, 0, 0x0, ... 02188 940 NtWaitForSingleObject ... ) == 0x0 02256 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02252 1420 NtRegisterThreadTerminatePort ... ) == 0x0 02254 1424 NtTestAlert ... ) == 0x0 02257 940 NtSetEventBoostPriority (148, ... 02256 488 NtAllocateVirtualMemory ... 82378752, 1048576, ) == 0x0 02258 1420 NtWaitForSingleObject (148, 0, 0x0, ... 02259 1424 NtContinue (82378032, 1, ... 02189 896 NtWaitForSingleObject ... ) == 0x0 02257 940 NtSetEventBoostPriority ... ) == 0x0 02260 488 NtAllocateVirtualMemory (-1, 83419136, 0, 8192, 4096, 4, ... 02261 896 NtSetEventBoostPriority (148, ... 02262 1424 NtRegisterThreadTerminatePort (24, ... 02251 932 NtSetEventBoostPriority ... ) == 0x0 02250 1408 NtRegisterThreadTerminatePort ... ) == 0x0 02263 940 NtWaitForSingleObject (148, 0, 0x0, ... 02191 904 NtWaitForSingleObject ... ) == 0x0 02261 896 NtSetEventBoostPriority ... ) == 0x0 02262 1424 NtRegisterThreadTerminatePort ... ) == 0x0 02264 932 NtWaitForSingleObject (148, 0, 0x0, ... 02265 1408 NtWaitForSingleObject (148, 0, 0x0, ... 02266 904 NtSetEventBoostPriority (148, ... 02267 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02260 488 NtAllocateVirtualMemory ... 83419136, 8192, ) == 0x0 02206 944 NtWaitForSingleObject ... ) == 0x0 02266 904 NtSetEventBoostPriority ... ) == 0x0 02268 1424 NtWaitForSingleObject (148, 0, 0x0, ... 02269 488 NtProtectVirtualMemory (-1, (0x4f8e000), 4096, 260, ... 02270 944 NtSetEventBoostPriority (148, ... 02271 904 NtWaitForSingleObject (148, 0, 0x0, ... 02269 488 NtProtectVirtualMemory ... (0x4f8e000), 4096, 4, ) == 0x0 02208 964 NtWaitForSingleObject ... ) == 0x0 02270 944 NtSetEventBoostPriority ... ) == 0x0 02272 964 NtSetEventBoostPriority (148, ... 02273 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02267 896 NtCreateEvent ... 724, ) == 0x0 02212 308 NtWaitForSingleObject ... 
) == 0x0 02272 964 NtSetEventBoostPriority ... ) == 0x0 02273 488 NtCreateThread ... 780, {484, 1432}, ) == 0x0 02274 308 NtSetEventBoostPriority (148, ... 02275 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02276 944 NtWaitForSingleObject (148, 0, 0x0, ... 02213 892 NtWaitForSingleObject ... ) == 0x0 02274 308 NtSetEventBoostPriority ... ) == 0x0 02277 488 NtQueryInformationThread (780, Basic, 28, ... 02275 896 NtDuplicateObject ... 784, ) == 0x0 02278 892 NtSetEventBoostPriority (148, ... 02279 964 NtSetEventBoostPriority (132, ... 02280 308 NtWaitForSingleObject (148, 0, 0x0, ... 02220 948 NtWaitForSingleObject ... ) == 0x0 02281 896 NtWaitForSingleObject (148, 0, 0x0, ... 01348 960 NtWaitForSingleObject ... ) == 0x0 02279 964 NtSetEventBoostPriority ... ) == 0x0 02282 948 NtSetEventBoostPriority (148, ... 02283 960 NtWaitForSingleObject (148, 0, 0x0, ... 02284 964 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02222 884 NtWaitForSingleObject ... ) == 0x0 02282 948 NtSetEventBoostPriority ... ) == 0x0 02285 884 NtSetEventBoostPriority (148, ... 02284 964 NtCreateEvent ... 788, ) == 0x0 02278 892 NtSetEventBoostPriority ... ) == 0x0 02277 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=484,Tid=1432,}, 0x0, ) == 0x0 02224 920 NtWaitForSingleObject ... ) == 0x0 02286 964 NtWaitForSingleObject (148, 0, 0x0, ... 02287 892 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02288 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1660, 0} (24, {28, 56, new_msg, 0, 484, 488, 1660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\344\1\0\0\230\5\0\0" ... ... 02289 920 NtSetEventBoostPriority (148, ... 02287 892 NtCreateEvent ... 792, ) == 0x0 02288 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1661, 0} ... {28, 56, reply, 0, 484, 488, 1661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\344\1\0\0\230\5\0\0" ) ) == 0x0 02226 1416 NtWaitForSingleObject ... ) == 0x0 02289 920 NtSetEventBoostPriority ... 
) == 0x0 02285 884 NtSetEventBoostPriority ... ) == 0x0 02290 948 NtWaitForSingleObject (148, 0, 0x0, ... 02291 488 NtResumeThread (780, ... 02292 1416 NtSetEventBoostPriority (148, ... 02293 920 NtWaitForSingleObject (148, 0, 0x0, ... 02294 884 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02291 488 NtResumeThread ... 1, ) == 0x0 02229 1120 NtWaitForSingleObject ... ) == 0x0 02292 1416 NtSetEventBoostPriority ... ) == 0x0 02294 884 NtCreateKey ... 796, 2, ) == 0x0 02295 892 NtWaitForSingleObject (148, 0, 0x0, ... 02296 1432 NtWaitForSingleObject (148, 0, 0x0, ... 02297 1120 NtSetEventBoostPriority (148, ... 02298 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02299 1416 NtWaitForSingleObject (148, 0, 0x0, ... 02238 912 NtWaitForSingleObject ... ) == 0x0 02297 1120 NtSetEventBoostPriority ... ) == 0x0 02298 488 NtAllocateVirtualMemory ... 83427328, 1048576, ) == 0x0 02300 912 NtSetEventBoostPriority (148, ... 02301 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02233 928 NtWaitForSingleObject ... ) == 0x0 02300 912 NtSetEventBoostPriority ... ) == 0x0 02302 488 NtAllocateVirtualMemory (-1, 84467712, 0, 8192, 4096, 4, ... 02303 928 NtSetEventBoostPriority (148, ... 02301 884 NtOpenKey ... 800, ) == 0x0 02304 1120 NtWaitForSingleObject (148, 0, 0x0, ... 02247 888 NtWaitForSingleObject ... ) == 0x0 02302 488 NtAllocateVirtualMemory ... 84467712, 8192, ) == 0x0 02305 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02306 888 NtSetEventBoostPriority (148, ... 02307 488 NtProtectVirtualMemory (-1, (0x508e000), 4096, 260, ... 02305 884 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02244 924 NtWaitForSingleObject ... ) == 0x0 02306 888 NtSetEventBoostPriority ... ) == 0x0 02307 488 NtProtectVirtualMemory ... (0x508e000), 4096, 4, ) == 0x0 02308 924 NtSetEventBoostPriority (148, ... 02309 884 NtQueryValueKey (796, (796, "Hostname", Partial, 144, ... , Partial, 144, ... 02303 928 NtSetEventBoostPriority ... ) == 0x0 02310 912 NtWaitForSingleObject (148, 0, 0x0, ... 02311 888 NtSetEventBoostPriority (736, ... 02253 936 NtWaitForSingleObject ... ) == 0x0 02309 884 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02312 928 NtWaitForSingleObject (148, 0, 0x0, ... 02255 880 NtWaitForSingleObject ... ) == 0x0 02311 888 NtSetEventBoostPriority ... ) == 0x0 02313 936 NtSetEventBoostPriority (148, ... 02308 924 NtSetEventBoostPriority ... ) == 0x0 02314 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02315 880 NtWaitForSingleObject (148, 0, 0x0, ... 02316 888 NtWaitForSingleObject (148, 0, 0x0, ... 02258 1420 NtWaitForSingleObject ... ) == 0x0 02313 936 NtSetEventBoostPriority ... ) == 0x0 02317 924 NtWaitForSingleObject (148, 0, 0x0, ... 02314 488 NtCreateThread ... 804, {484, 1440}, ) == 0x0 02318 1420 NtSetEventBoostPriority (148, ... 02319 936 NtAllocateVirtualMemory (-1, 24694784, 0, 4096, 4096, 260, ... 02263 940 NtWaitForSingleObject ... ) == 0x0 02318 1420 NtSetEventBoostPriority ... ) == 0x0 02320 488 NtQueryInformationThread (804, Basic, 28, ... 02321 884 NtQueryValueKey (796, (796, "Hostname", Partial, 144, ... , Partial, 144, ... 02322 940 NtSetEventBoostPriority (148, ... 02319 936 NtAllocateVirtualMemory ... 24694784, 4096, ) == 0x0 02320 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=484,Tid=1440,}, 0x0, ) == 0x0 02264 932 NtWaitForSingleObject ... ) == 0x0 02322 940 NtSetEventBoostPriority ... ) == 0x0 02321 884 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02323 936 NtWaitForSingleObject (148, 0, 0x0, ... 02324 932 NtSetEventBoostPriority (148, ... 02325 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1661, 0} (24, {28, 56, new_msg, 0, 484, 488, 1661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\344\1\0\0\240\5\0\0" ... ... 02326 940 NtWaitForSingleObject (148, 0, 0x0, ... 02327 884 NtClose (796, ... 02265 1408 NtWaitForSingleObject ... ) == 0x0 02324 932 NtSetEventBoostPriority ... ) == 0x0 02325 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1662, 0} ... {28, 56, reply, 0, 484, 488, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\344\1\0\0\240\5\0\0" ) ) == 0x0 02328 1420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02329 1408 NtSetEventBoostPriority (148, ... 02327 884 NtClose ... ) == 0x0 02330 488 NtResumeThread (804, ... 02268 1424 NtWaitForSingleObject ... ) == 0x0 02329 1408 NtSetEventBoostPriority ... ) == 0x0 02328 1420 NtDuplicateObject ... 796, ) == 0x0 02331 884 NtClose (800, ... 02332 1424 NtSetEventBoostPriority (148, ... 02330 488 NtResumeThread ... 1, ) == 0x0 02333 932 NtWaitForSingleObject (148, 0, 0x0, ... 02334 1420 NtWaitForSingleObject (148, 0, 0x0, ... 02271 904 NtWaitForSingleObject ... ) == 0x0 02332 1424 NtSetEventBoostPriority ... ) == 0x0 02331 884 NtClose ... ) == 0x0 02335 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02336 904 NtSetEventBoostPriority (148, ... 02337 1424 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02338 1408 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02339 1440 NtWaitForSingleObject (108, 0, 0x0, ... 02276 944 NtWaitForSingleObject ... ) == 0x0 02336 904 NtSetEventBoostPriority ... ) == 0x0 02335 488 NtAllocateVirtualMemory ... 84475904, 1048576, ) == 0x0 02340 884 NtWaitForSingleObject (736, 0, 0x0, ... 02338 1408 NtDuplicateObject ... 800, ) == 0x0 02341 944 NtSetEventBoostPriority (148, ... 02337 1424 NtDuplicateObject ... 
808, ) == 0x0 02342 488 NtAllocateVirtualMemory (-1, 85516288, 0, 8192, 4096, 4, ... 02280 308 NtWaitForSingleObject ... ) == 0x0 02341 944 NtSetEventBoostPriority ... ) == 0x0 02343 1408 NtWaitForSingleObject (148, 0, 0x0, ... 02344 1424 NtWaitForSingleObject (148, 0, 0x0, ... 02345 904 NtWaitForSingleObject (148, 0, 0x0, ... 02346 308 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 02347 944 NtWaitForSingleObject (148, 0, 0x0, ... 02346 308 NtAllocateVirtualMemory ... 1425408, 4096, ) == 0x0 02342 488 NtAllocateVirtualMemory ... 85516288, 8192, ) == 0x0 02348 308 NtSetEventBoostPriority (148, ... 02349 488 NtProtectVirtualMemory (-1, (0x518e000), 4096, 260, ... (0x518e000), 4096, 4, ) == 0x0 02350 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 812, {484, 1444}, ) == 0x0 02351 488 NtQueryInformationThread (812, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=484,Tid=1444,}, 0x0, ) == 0x0 02352 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1662, 0} (24, {28, 56, new_msg, 0, 484, 488, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\344\1\0\0\244\5\0\0" ... {28, 56, reply, 0, 484, 488, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\344\1\0\0\244\5\0\0" ) ... {28, 56, reply, 0, 484, 488, 1663, 0} (24, {28, 56, new_msg, 0, 484, 488, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\344\1\0\0\244\5\0\0" ... {28, 56, reply, 0, 484, 488, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\344\1\0\0\244\5\0\0" ) ) == 0x0 02353 488 NtResumeThread (812, ... 1, ) == 0x0 02281 896 NtWaitForSingleObject ... ) == 0x0 02348 308 NtSetEventBoostPriority ... ) == 0x0 02354 1444 NtWaitForSingleObject (108, 0, 0x0, ... 02355 896 NtSetEventBoostPriority (148, ... 02356 308 NtWaitForSingleObject (148, 0, 0x0, ... 02283 960 NtWaitForSingleObject ... ) == 0x0 02355 896 NtSetEventBoostPriority ... ) == 0x0 02357 960 NtSetEventBoostPriority (148, ... 02358 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02286 964 NtWaitForSingleObject ... ) == 0x0 02357 960 NtSetEventBoostPriority ... ) == 0x0 02359 964 NtSetEventBoostPriority (148, ... 02358 488 NtAllocateVirtualMemory ... 85524480, 1048576, ) == 0x0 02360 896 NtWaitForSingleObject (148, 0, 0x0, ... 02290 948 NtWaitForSingleObject ... ) == 0x0 02359 964 NtSetEventBoostPriority ... ) == 0x0 02361 488 NtAllocateVirtualMemory (-1, 86564864, 0, 8192, 4096, 4, ... 02362 948 NtSetEventBoostPriority (148, ... 02363 960 NtSetEventBoostPriority (132, ... 02293 920 NtWaitForSingleObject ... ) == 0x0 02362 948 NtSetEventBoostPriority ... ) == 0x0 02361 488 NtAllocateVirtualMemory ... 86564864, 8192, ) == 0x0 02364 920 NtSetEventBoostPriority (148, ... 01354 1084 NtWaitForSingleObject ... ) == 0x0 02363 960 NtSetEventBoostPriority ... ) == 0x0 02365 948 NtWaitForSingleObject (148, 0, 0x0, ... 02295 892 NtWaitForSingleObject ... ) == 0x0 02366 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02364 920 NtSetEventBoostPriority ... ) == 0x0 02367 488 NtProtectVirtualMemory (-1, (0x528e000), 4096, 260, ... 02368 960 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02369 964 NtWaitForSingleObject (148, 0, 0x0, ... 02370 892 NtSetEventBoostPriority (148, ... 02367 488 NtProtectVirtualMemory ... (0x528e000), 4096, 4, ) == 0x0 02368 960 NtCreateEvent ... 816, ) == 0x0 02296 1432 NtWaitForSingleObject ... ) == 0x0 02370 892 NtSetEventBoostPriority ... ) == 0x0 02371 920 NtWaitForSingleObject (148, 0, 0x0, ... 02372 1432 NtSetEventBoostPriority (148, ... 02373 960 NtWaitForSingleObject (148, 0, 0x0, ... 02374 892 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15265100, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 15265100, 112, ... 02299 1416 NtWaitForSingleObject ... ) == 0x0 02372 1432 NtSetEventBoostPriority ... ) == 0x0 02375 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02376 1416 NtSetEventBoostPriority (148, ... 02374 892 NtConnectPort ... 820, 0x0, 0x0, 0x0, 112, ) == 0x0 02304 1120 NtWaitForSingleObject ... 
) == 0x0 02376 1416 NtSetEventBoostPriority ... ) == 0x0 02375 488 NtCreateThread ... 824, {484, 1448}, ) == 0x0 02377 1120 NtSetEventBoostPriority (148, ... 02378 892 NtRequestWaitReplyPort (820, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 15264864} (820, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 15264864} "\0$\370w\20\363\350\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\260\347\24\0\4\0\0\0\260\347\24\0\20\344\314w\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\300\11\25\0\0\0\0\0\230\316\25\0\12\0\0\00\4\24\0\0\0\0\0\0\0\24\0h\2\24\0\230\316\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02379 1416 NtWaitForSingleObject (308, 0, 0x0, ... 02310 912 NtWaitForSingleObject ... ) == 0x0 02377 1120 NtSetEventBoostPriority ... ) == 0x0 02380 488 NtQueryInformationThread (824, Basic, 28, ... 02381 1432 NtSetEventBoostPriority (108, ... 02378 892 NtRequestWaitReplyPort ... {128, 152, reply, 0, 484, 892, 1665, 0} ... {128, 152, reply, 0, 484, 892, 1665, 0} "\7$\370w\20\363\350\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260\347\24\0\377\377\377\377\260\347\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\300\11\25\0\0\0\0\0\230\316\25\0\12\0\0\00\4\24\0\0\0\0\0\0\0\24\0h\2\24\0\230\316\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02382 912 NtSetEventBoostPriority (148, ... 02383 1120 NtWaitForSingleObject (308, 0, 0x0, ... 02380 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=484,Tid=1448,}, 0x0, ) == 0x0 02339 1440 NtWaitForSingleObject ... ) == 0x0 02381 1432 NtSetEventBoostPriority ... ) == 0x0 02312 928 NtWaitForSingleObject ... ) == 0x0 02382 912 NtSetEventBoostPriority ... ) == 0x0 02384 892 NtWaitForSingleObject (148, 0, 0x0, ... 02385 1440 NtSetEventBoostPriority (108, ... 02386 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1663, 0} (24, {28, 56, new_msg, 0, 484, 488, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\344\1\0\0\250\5\0\0" ... ... 
02387 928 NtSetEventBoostPriority (148, ... 02388 1432 NtTestAlert (... 02389 912 NtWaitForSingleObject (148, 0, 0x0, ... 02354 1444 NtWaitForSingleObject ... ) == 0x0 02385 1440 NtSetEventBoostPriority ... ) == 0x0 02315 880 NtWaitForSingleObject ... ) == 0x0 02387 928 NtSetEventBoostPriority ... ) == 0x0 02388 1432 NtTestAlert ... ) == 0x0 02386 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1666, 0} ... {28, 56, reply, 0, 484, 488, 1666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\344\1\0\0\250\5\0\0" ) ) == 0x0 02390 1444 NtWaitForSingleObject (148, 0, 0x0, ... 02391 880 NtSetEventBoostPriority (148, ... 02392 1440 NtTestAlert (... 02393 1432 NtContinue (83426608, 1, ... 02316 888 NtWaitForSingleObject ... ) == 0x0 02391 880 NtSetEventBoostPriority ... ) == 0x0 02394 488 NtResumeThread (824, ... 02392 1440 NtTestAlert ... ) == 0x0 02395 888 NtSetEventBoostPriority (148, ... 02396 1432 NtRegisterThreadTerminatePort (24, ... 02397 928 NtSetEventBoostPriority (308, ... 02394 488 NtResumeThread ... 1, ) == 0x0 02317 924 NtWaitForSingleObject ... ) == 0x0 02395 888 NtSetEventBoostPriority ... ) == 0x0 02398 1440 NtContinue (84475184, 1, ... 02399 880 NtWaitForSingleObject (148, 0, 0x0, ... 02400 1448 NtWaitForSingleObject (108, 0, 0x0, ... 02379 1416 NtWaitForSingleObject ... ) == 0x0 02397 928 NtSetEventBoostPriority ... ) == 0x0 02401 924 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 02402 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02396 1432 NtRegisterThreadTerminatePort ... ) == 0x0 02403 1440 NtRegisterThreadTerminatePort (24, ... 02404 1416 NtWaitForSingleObject (148, 0, 0x0, ... 02401 924 NtAllocateVirtualMemory ... 1429504, 4096, ) == 0x0 02405 928 NtWaitForSingleObject (148, 0, 0x0, ... 02402 488 NtAllocateVirtualMemory ... 86573056, 1048576, ) == 0x0 02406 1432 NtWaitForSingleObject (148, 0, 0x0, ... 02403 1440 NtRegisterThreadTerminatePort ... 
) == 0x0 02407 888 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02408 488 NtAllocateVirtualMemory (-1, 87613440, 0, 8192, 4096, 4, ... 02409 1440 NtWaitForSingleObject (148, 0, 0x0, ... 02407 888 NtCreateKey ... 828, 2, ) == 0x0 02410 924 NtSetEventBoostPriority (148, ... 02408 488 NtAllocateVirtualMemory ... 87613440, 8192, ) == 0x0 02411 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02323 936 NtWaitForSingleObject ... ) == 0x0 02410 924 NtSetEventBoostPriority ... ) == 0x0 02412 488 NtProtectVirtualMemory (-1, (0x538e000), 4096, 260, ... 02413 936 NtSetEventBoostPriority (148, ... 02411 888 NtOpenKey ... 832, ) == 0x0 02414 924 NtWaitForSingleObject (148, 0, 0x0, ... 02326 940 NtWaitForSingleObject ... ) == 0x0 02413 936 NtSetEventBoostPriority ... ) == 0x0 02412 488 NtProtectVirtualMemory ... (0x538e000), 4096, 4, ) == 0x0 02415 888 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02416 940 NtSetEventBoostPriority (148, ... 02417 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02333 932 NtWaitForSingleObject ... ) == 0x0 02415 888 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02417 488 NtCreateThread ... 836, {484, 1452}, ) == 0x0 02418 932 NtSetEventBoostPriority (148, ... 02416 940 NtSetEventBoostPriority ... ) == 0x0 02419 936 NtWaitForSingleObject (148, 0, 0x0, ... 02420 488 NtQueryInformationThread (836, Basic, 28, ... 02334 1420 NtWaitForSingleObject ... ) == 0x0 02418 932 NtSetEventBoostPriority ... ) == 0x0 02421 940 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02422 888 NtQueryValueKey (828, (828, "Domain", Partial, 144, ... 
, Partial, 144, ... 02423 1420 NtSetEventBoostPriority (148, ... 02424 932 NtWaitForSingleObject (148, 0, 0x0, ... 02421 940 NtCreateEvent ... 840, ) == 0x0 02343 1408 NtWaitForSingleObject ... ) == 0x0 02423 1420 NtSetEventBoostPriority ... ) == 0x0 02422 888 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02420 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=484,Tid=1452,}, 0x0, ) == 0x0 02425 1408 NtSetEventBoostPriority (148, ... 02426 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02427 888 NtQueryValueKey (828, (828, "Domain", Partial, 144, ... , Partial, 144, ... 02344 1424 NtWaitForSingleObject ... ) == 0x0 02425 1408 NtSetEventBoostPriority ... ) == 0x0 02428 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1666, 0} (24, {28, 56, new_msg, 0, 484, 488, 1666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\344\1\0\0\254\5\0\0" ... ... 02426 940 NtDuplicateObject ... 844, ) == 0x0 02429 1424 NtSetEventBoostPriority (148, ... 02427 888 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02430 1420 NtWaitForSingleObject (308, 0, 0x0, ... 02428 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1667, 0} ... {28, 56, reply, 0, 484, 488, 1667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\344\1\0\0\254\5\0\0" ) ) == 0x0 02345 904 NtWaitForSingleObject ... ) == 0x0 02429 1424 NtSetEventBoostPriority ... ) == 0x0 02431 940 NtWaitForSingleObject (148, 0, 0x0, ... 02432 888 NtClose (828, ... 02433 904 NtSetEventBoostPriority (148, ... 02434 488 NtResumeThread (836, ... 02435 1408 NtWaitForSingleObject (148, 0, 0x0, ... 02347 944 NtWaitForSingleObject ... ) == 0x0 02433 904 NtSetEventBoostPriority ... ) == 0x0 02432 888 NtClose ... ) == 0x0 02434 488 NtResumeThread ... 1, ) == 0x0 02436 944 NtSetEventBoostPriority (148, ... 02437 904 NtWaitForSingleObject (148, 0, 0x0, ... 
02438 1424 NtWaitForSingleObject (148, 0, 0x0, ... 02439 1452 NtWaitForSingleObject (108, 0, 0x0, ... 02440 888 NtClose (832, ... 02356 308 NtWaitForSingleObject ... ) == 0x0 02436 944 NtSetEventBoostPriority ... ) == 0x0 02441 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02440 888 NtClose ... ) == 0x0 02442 308 NtSetEventBoostPriority (148, ... 02443 944 NtWaitForSingleObject (148, 0, 0x0, ... 02441 488 NtAllocateVirtualMemory ... 87621632, 1048576, ) == 0x0 02444 888 NtWaitForSingleObject (148, 0, 0x0, ... 02360 896 NtWaitForSingleObject ... ) == 0x0 02442 308 NtSetEventBoostPriority ... ) == 0x0 02445 488 NtAllocateVirtualMemory (-1, 88662016, 0, 8192, 4096, 4, ... 02446 896 NtSetEventBoostPriority (148, ... 02366 1084 NtWaitForSingleObject ... ) == 0x0 02447 1084 NtSetEventBoostPriority (148, ... 02365 948 NtWaitForSingleObject ... ) == 0x0 02448 948 NtSetEventBoostPriority (148, ... 02369 964 NtWaitForSingleObject ... ) == 0x0 02449 964 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0 02450 964 NtSetEventBoostPriority (148, ... 02447 1084 NtSetEventBoostPriority ... ) == 0x0 02446 896 NtSetEventBoostPriority ... ) == 0x0 02445 488 NtAllocateVirtualMemory ... 88662016, 8192, ) == 0x0 02448 948 NtSetEventBoostPriority ... ) == 0x0 02451 308 NtWaitForSingleObject (148, 0, 0x0, ... 02371 920 NtWaitForSingleObject ... ) == 0x0 02450 964 NtSetEventBoostPriority ... ) == 0x0 02452 896 NtWaitForSingleObject (148, 0, 0x0, ... 02453 488 NtProtectVirtualMemory (-1, (0x548e000), 4096, 260, ... 02454 948 NtWaitForSingleObject (148, 0, 0x0, ... 02455 920 NtSetEventBoostPriority (148, ... 02456 964 NtWaitForSingleObject (148, 0, 0x0, ... 02457 1084 NtSetEventBoostPriority (132, ... 02453 488 NtProtectVirtualMemory ... (0x548e000), 4096, 4, ) == 0x0 02373 960 NtWaitForSingleObject ... ) == 0x0 02455 920 NtSetEventBoostPriority ... ) == 0x0 01365 956 NtWaitForSingleObject ... ) == 0x0 02457 1084 NtSetEventBoostPriority ... 
) == 0x0 02458 960 NtSetEventBoostPriority (148, ... 02459 956 NtWaitForSingleObject (148, 0, 0x0, ... 02460 920 NtWaitForSingleObject (148, 0, 0x0, ... 02384 892 NtWaitForSingleObject ... ) == 0x0 02458 960 NtSetEventBoostPriority ... ) == 0x0 02461 1084 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02462 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02463 892 NtSetEventBoostPriority (148, ... 02461 1084 NtCreateEvent ... 832, ) == 0x0 02389 912 NtWaitForSingleObject ... ) == 0x0 02463 892 NtSetEventBoostPriority ... ) == 0x0 02462 488 NtCreateThread ... 828, {484, 1324}, ) == 0x0 02464 912 NtSetEventBoostPriority (148, ... 02465 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02466 960 NtWaitForSingleObject (148, 0, 0x0, ... 02390 1444 NtWaitForSingleObject ... ) == 0x0 02467 488 NtQueryInformationThread (828, Basic, 28, ... 02468 1444 NtSetEventBoostPriority (148, ... 02399 880 NtWaitForSingleObject ... ) == 0x0 02469 880 NtSetEventBoostPriority (148, ... 02404 1416 NtWaitForSingleObject ... ) == 0x0 02470 1416 NtSetEventBoostPriority (148, ... 02405 928 NtWaitForSingleObject ... ) == 0x0 02471 928 NtSetEventBoostPriority (148, ... 02406 1432 NtWaitForSingleObject ... ) == 0x0 02472 1432 NtSetEventBoostPriority (148, ... 02414 924 NtWaitForSingleObject ... ) == 0x0 02473 924 NtSetEventBoostPriority (148, ... 02409 1440 NtWaitForSingleObject ... ) == 0x0 02474 1440 NtSetEventBoostPriority (148, ... 02419 936 NtWaitForSingleObject ... ) == 0x0 02475 936 NtSetEventBoostPriority (148, ... 02424 932 NtWaitForSingleObject ... ) == 0x0 02476 932 NtSetEventBoostPriority (148, ... 02431 940 NtWaitForSingleObject ... ) == 0x0 02477 940 NtSetEventBoostPriority (148, ... 02435 1408 NtWaitForSingleObject ... ) == 0x0 02478 1408 NtSetEventBoostPriority (148, ... 02438 1424 NtWaitForSingleObject ... ) == 0x0 02479 1424 NtSetEventBoostPriority (148, ... 02443 944 NtWaitForSingleObject ... ) == 0x0 02480 944 NtSetEventBoostPriority (148, ... 
02444 888 NtWaitForSingleObject ... ) == 0x0 02481 888 NtSetEventBoostPriority (148, ... 02437 904 NtWaitForSingleObject ... ) == 0x0 02482 904 NtSetEventBoostPriority (148, ... 02451 308 NtWaitForSingleObject ... ) == 0x0 02483 308 NtSetEventBoostPriority (148, ... 02454 948 NtWaitForSingleObject ... ) == 0x0 02484 948 NtSetEventBoostPriority (148, ... 02456 964 NtWaitForSingleObject ... ) == 0x0 02485 964 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0 02484 948 NtSetEventBoostPriority ... ) == 0x0 02483 308 NtSetEventBoostPriority ... ) == 0x0 02481 888 NtSetEventBoostPriority ... ) == 0x0 02480 944 NtSetEventBoostPriority ... ) == 0x0 02479 1424 NtSetEventBoostPriority ... ) == 0x0 02478 1408 NtSetEventBoostPriority ... ) == 0x0 02477 940 NtSetEventBoostPriority ... ) == 0x0 02475 936 NtSetEventBoostPriority ... ) == 0x0 02473 924 NtSetEventBoostPriority ... ) == 0x0 02472 1432 NtSetEventBoostPriority ... ) == 0x0 02471 928 NtSetEventBoostPriority ... ) == 0x0 02469 880 NtSetEventBoostPriority ... ) == 0x0 02468 1444 NtSetEventBoostPriority ... ) == 0x0 02467 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=484,Tid=1324,}, 0x0, ) == 0x0 02482 904 NtSetEventBoostPriority ... ) == 0x0 02476 932 NtSetEventBoostPriority ... ) == 0x0 02474 1440 NtSetEventBoostPriority ... ) == 0x0 02470 1416 NtSetEventBoostPriority ... ) == 0x0 02464 912 NtSetEventBoostPriority ... ) == 0x0 02486 892 NtRequestWaitReplyPort (820, {64, 88, new_msg, 0, 0, 0, 0, 0} (820, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02487 964 NtSetEventBoostPriority (148, ... 02488 308 NtWaitForSingleObject (148, 0, 0x0, ... 02489 948 NtWaitForSingleObject (148, 0, 0x0, ... 02490 888 NtWaitForSingleObject (148, 0, 0x0, ... 02491 1424 NtWaitForSingleObject (308, 0, 0x0, ... 
02492 1408 NtWaitForSingleObject (308, 0, 0x0, ... 02493 944 NtWaitForSingleObject (148, 0, 0x0, ... 02494 936 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02495 940 NtWaitForSingleObject (308, 0, 0x0, ... 02496 924 NtAllocateVirtualMemory (-1, 21549056, 0, 4096, 4096, 260, ... 02497 1432 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02498 880 NtWaitForSingleObject (148, 0, 0x0, ... 02499 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02500 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1667, 0} (24, {28, 56, new_msg, 0, 484, 488, 1667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\344\1\0\0,\5\0\0" ... ... 02501 904 NtWaitForSingleObject (148, 0, 0x0, ... 02502 932 NtWaitForSingleObject (148, 0, 0x0, ... 02503 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02504 1444 NtSetEventBoostPriority (108, ... 02505 912 NtWaitForSingleObject (148, 0, 0x0, ... 02452 896 NtWaitForSingleObject ... ) == 0x0 02487 964 NtSetEventBoostPriority ... ) == 0x0 02506 1416 NtSetEventBoostPriority (308, ... 02486 892 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 892, 1668, 0} ... {52, 76, reply, 0, 484, 892, 1668, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02496 924 NtAllocateVirtualMemory ... 21549056, 4096, ) == 0x0 02497 1432 NtDuplicateObject ... 848, ) == 0x0 02494 936 NtCreateEvent ... 852, ) == 0x0 02499 928 NtCreateEvent ... 856, ) == 0x0 02503 1440 NtDuplicateObject ... 860, ) == 0x0 02400 1448 NtWaitForSingleObject ... ) == 0x0 02504 1444 NtSetEventBoostPriority ... ) == 0x0 02507 896 NtSetEventBoostPriority (148, ... 02508 964 NtWaitForSingleObject (148, 0, 0x0, ... 02383 1120 NtWaitForSingleObject ... ) == 0x0 02506 1416 NtSetEventBoostPriority ... ) == 0x0 02509 892 NtWaitForSingleObject (308, 0, 0x0, ... 02510 924 NtWaitForSingleObject (148, 0, 0x0, ... 02511 1432 NtWaitForSingleObject (148, 0, 0x0, ... 02512 936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02513 928 NtWaitForSingleObject (308, 0, 0x0, ... 02500 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1669, 0} ... {28, 56, reply, 0, 484, 488, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\344\1\0\0,\5\0\0" ) ) == 0x0 02514 1448 NtAllocateVirtualMemory (-1, 8871936, 0, 4096, 4096, 4, ... 02459 956 NtWaitForSingleObject ... ) == 0x0 02515 1444 NtTestAlert (... 02516 1120 NtSetEventBoostPriority (308, ... 02517 1416 NtWaitForSingleObject (72, 0, {0, 0}, ... 02512 936 NtDuplicateObject ... 864, ) == 0x0 02514 1448 NtAllocateVirtualMemory ... 8871936, 4096, ) == 0x0 02518 956 NtSetEventBoostPriority (148, ... 02519 488 NtResumeThread (828, ... 02430 1420 NtWaitForSingleObject ... ) == 0x0 02515 1444 NtTestAlert ... ) == 0x0 02517 1416 NtWaitForSingleObject ... ) == 0x102 02520 936 NtWaitForSingleObject (148, 0, 0x0, ... 02516 1120 NtSetEventBoostPriority ... ) == 0x0 02507 896 NtSetEventBoostPriority ... ) == 0x0 02521 1440 NtWaitForSingleObject (148, 0, 0x0, ... 02460 920 NtWaitForSingleObject ... ) == 0x0 02518 956 NtSetEventBoostPriority ... ) == 0x0 02519 488 NtResumeThread ... 1, ) == 0x0 02522 1420 NtWaitForSingleObject (148, 0, 0x0, ... 02523 1444 NtContinue (85523760, 1, ... 02524 1416 NtWaitForSingleObject (132, 0, 0x0, ... 02525 1120 NtWaitForSingleObject (72, 0, {0, 0}, ... 02526 896 NtWaitForSingleObject (308, 0, 0x0, ... 02527 920 NtSetEventBoostPriority (148, ... 02528 1448 NtWaitForSingleObject (148, 0, 0x0, ... 02529 1324 NtWaitForSingleObject (108, 0, 0x0, ... 02530 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02531 1444 NtRegisterThreadTerminatePort (24, ... 02532 956 NtSetEventBoostPriority (132, ... 02465 1084 NtWaitForSingleObject ... ) == 0x0 02530 488 NtAllocateVirtualMemory ... 88670208, 1048576, ) == 0x0 02527 920 NtSetEventBoostPriority ... ) == 0x0 02525 1120 NtWaitForSingleObject ... ) == 0x102 01367 952 NtWaitForSingleObject ... ) == 0x0 02532 956 NtSetEventBoostPriority ... 
) == 0x0 02533 1084 NtSetEventBoostPriority (148, ... 02534 488 NtAllocateVirtualMemory (-1, 89710592, 0, 8192, 4096, 4, ... 02535 920 NtWaitForSingleObject (148, 0, 0x0, ... 02536 952 NtWaitForSingleObject (148, 0, 0x0, ... 02537 1120 NtWaitForSingleObject (148, 0, 0x0, ... 02538 956 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02466 960 NtWaitForSingleObject ... ) == 0x0 02533 1084 NtSetEventBoostPriority ... ) == 0x0 02531 1444 NtRegisterThreadTerminatePort ... ) == 0x0 02539 960 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 02538 956 NtCreateEvent ... 868, ) == 0x0 02534 488 NtAllocateVirtualMemory ... 89710592, 8192, ) == 0x0 02539 960 NtAllocateVirtualMemory ... 1441792, 4096, ) == 0x0 02540 1444 NtWaitForSingleObject (148, 0, 0x0, ... 02541 956 NtWaitForSingleObject (148, 0, 0x0, ... 02542 960 NtSetEventBoostPriority (148, ... 02543 488 NtProtectVirtualMemory (-1, (0x558e000), 4096, 260, ... 02544 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02543 488 NtProtectVirtualMemory ... (0x558e000), 4096, 4, ) == 0x0 02545 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 872, {484, 1460}, ) == 0x0 02546 488 NtQueryInformationThread (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=484,Tid=1460,}, 0x0, ) == 0x0 02547 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1669, 0} (24, {28, 56, new_msg, 0, 484, 488, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\344\1\0\0\264\5\0\0" ... {28, 56, reply, 0, 484, 488, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\344\1\0\0\264\5\0\0" ) ... {28, 56, reply, 0, 484, 488, 1670, 0} (24, {28, 56, new_msg, 0, 484, 488, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\344\1\0\0\264\5\0\0" ... {28, 56, reply, 0, 484, 488, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\344\1\0\0\264\5\0\0" ) ) == 0x0 02548 488 NtResumeThread (872, ... 1, ) == 0x0 02489 948 NtWaitForSingleObject ... ) == 0x0 02542 960 NtSetEventBoostPriority ... ) == 0x0 02549 1460 NtWaitForSingleObject (108, 0, 0x0, ... 
02550 948 NtSetEventBoostPriority (148, ... 02551 960 NtWaitForSingleObject (148, 0, 0x0, ... 02490 888 NtWaitForSingleObject ... ) == 0x0 02550 948 NtSetEventBoostPriority ... ) == 0x0 02552 888 NtSetEventBoostPriority (148, ... 02488 308 NtWaitForSingleObject ... ) == 0x0 02553 308 NtSetEventBoostPriority (148, ... 02493 944 NtWaitForSingleObject ... ) == 0x0 02554 944 NtSetEventBoostPriority (148, ... 02501 904 NtWaitForSingleObject ... ) == 0x0 02555 904 NtSetEventBoostPriority (148, ... 02502 932 NtWaitForSingleObject ... ) == 0x0 02556 932 NtSetEventBoostPriority (148, ... 02505 912 NtWaitForSingleObject ... ) == 0x0 02557 912 NtSetEventBoostPriority (148, ... 02498 880 NtWaitForSingleObject ... ) == 0x0 02558 880 NtSetEventBoostPriority (148, ... 02508 964 NtWaitForSingleObject ... ) == 0x0 02559 964 NtSetEventBoostPriority (148, ... 02510 924 NtWaitForSingleObject ... ) == 0x0 02560 924 NtSetEventBoostPriority (148, ... 02511 1432 NtWaitForSingleObject ... ) == 0x0 02561 1432 NtSetEventBoostPriority (148, ... 02520 936 NtWaitForSingleObject ... ) == 0x0 02562 936 NtSetEventBoostPriority (148, ... 02521 1440 NtWaitForSingleObject ... ) == 0x0 02563 1440 NtSetEventBoostPriority (148, ... 02522 1420 NtWaitForSingleObject ... ) == 0x0 02564 1420 NtSetEventBoostPriority (148, ... 02528 1448 NtWaitForSingleObject ... ) == 0x0 02565 1448 NtSetEventBoostPriority (148, ... 02536 952 NtWaitForSingleObject ... ) == 0x0 02566 952 NtSetEventBoostPriority (148, ... 02535 920 NtWaitForSingleObject ... ) == 0x0 02567 920 NtSetEventBoostPriority (148, ... 02537 1120 NtWaitForSingleObject ... ) == 0x0 02568 1120 NtSetEventBoostPriority (148, ... 02540 1444 NtWaitForSingleObject ... ) == 0x0 02569 1444 NtSetEventBoostPriority (148, ... 02541 956 NtWaitForSingleObject ... ) == 0x0 02570 956 NtSetEventBoostPriority (148, ... 02544 1084 NtWaitForSingleObject ... ) == 0x0 02571 1084 NtSetEventBoostPriority (148, ... 02551 960 NtWaitForSingleObject ... 
) == 0x0 02572 960 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0 02571 1084 NtSetEventBoostPriority ... ) == 0x0 02570 956 NtSetEventBoostPriority ... ) == 0x0 02569 1444 NtSetEventBoostPriority ... ) == 0x0 02568 1120 NtSetEventBoostPriority ... ) == 0x0 02567 920 NtSetEventBoostPriority ... ) == 0x0 02566 952 NtSetEventBoostPriority ... ) == 0x0 02565 1448 NtSetEventBoostPriority ... ) == 0x0 02564 1420 NtSetEventBoostPriority ... ) == 0x0 02563 1440 NtSetEventBoostPriority ... ) == 0x0 02562 936 NtSetEventBoostPriority ... ) == 0x0 02561 1432 NtSetEventBoostPriority ... ) == 0x0 02560 924 NtSetEventBoostPriority ... ) == 0x0 02559 964 NtSetEventBoostPriority ... ) == 0x0 02557 912 NtSetEventBoostPriority ... ) == 0x0 02556 932 NtSetEventBoostPriority ... ) == 0x0 02555 904 NtSetEventBoostPriority ... ) == 0x0 02554 944 NtSetEventBoostPriority ... ) == 0x0 02552 888 NtSetEventBoostPriority ... ) == 0x0 02573 948 NtWaitForSingleObject (148, 0, 0x0, ... 02558 880 NtSetEventBoostPriority ... ) == 0x0 02553 308 NtSetEventBoostPriority ... ) == 0x0 02574 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02575 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02576 960 NtSetEventBoostPriority (148, ... 02577 956 NtWaitForSingleObject (148, 0, 0x0, ... 02578 1444 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02579 1120 NtWaitForSingleObject (132, 0, 0x0, ... 02580 920 NtAllocateVirtualMemory (-1, 20500480, 0, 4096, 4096, 260, ... 02581 1448 NtSetEventBoostPriority (108, ... 02582 952 NtSetEventBoostPriority (132, ... 02583 1440 NtWaitForSingleObject (308, 0, 0x0, ... 02584 1420 NtSetEventBoostPriority (308, ... 02585 936 NtWaitForSingleObject (148, 0, 0x0, ... 02586 1432 NtWaitForSingleObject (308, 0, 0x0, ... 02587 924 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02588 964 NtWaitForSingleObject (148, 0, 0x0, ... 02589 912 NtWaitForSingleObject (148, 0, 0x0, ... 
02590 932 NtAllocateVirtualMemory (-1, 23646208, 0, 4096, 4096, 260, ... 02591 944 NtWaitForSingleObject (148, 0, 0x0, ... 02592 888 NtWaitForSingleObject (148, 0, 0x0, ... 02593 904 NtAllocateVirtualMemory (-1, 19451904, 0, 4096, 4096, 260, ... 02594 880 NtWaitForSingleObject (148, 0, 0x0, ... 02595 308 NtWaitForSingleObject (148, 0, 0x0, ... 02574 488 NtAllocateVirtualMemory ... 89718784, 1048576, ) == 0x0 02573 948 NtWaitForSingleObject ... ) == 0x0 02576 960 NtSetEventBoostPriority ... ) == 0x0 02578 1444 NtDuplicateObject ... 876, ) == 0x0 02580 920 NtAllocateVirtualMemory ... 20500480, 4096, ) == 0x0 01371 1048 NtWaitForSingleObject ... ) == 0x0 02582 952 NtSetEventBoostPriority ... ) == 0x0 02439 1452 NtWaitForSingleObject ... ) == 0x0 02581 1448 NtSetEventBoostPriority ... ) == 0x0 02491 1424 NtWaitForSingleObject ... ) == 0x0 02584 1420 NtSetEventBoostPriority ... ) == 0x0 02587 924 NtCreateEvent ... 880, ) == 0x0 02590 932 NtAllocateVirtualMemory ... 23646208, 4096, ) == 0x0 02593 904 NtAllocateVirtualMemory ... 19451904, 4096, ) == 0x0 02596 948 NtSetEventBoostPriority (148, ... 02597 488 NtAllocateVirtualMemory (-1, 90759168, 0, 8192, 4096, 4, ... 02598 960 NtWaitForSingleObject (148, 0, 0x0, ... 02599 1444 NtWaitForSingleObject (148, 0, 0x0, ... 02600 1048 NtWaitForSingleObject (148, 0, 0x0, ... 02601 920 NtWaitForSingleObject (148, 0, 0x0, ... 02602 952 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02603 1452 NtWaitForSingleObject (148, 0, 0x0, ... 02604 1424 NtWaitForSingleObject (148, 0, 0x0, ... 02605 1448 NtTestAlert (... 02606 1420 NtWaitForSingleObject (72, 0, {0, 0}, ... 02607 924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02608 932 NtWaitForSingleObject (148, 0, 0x0, ... 02577 956 NtWaitForSingleObject ... ) == 0x0 02609 904 NtWaitForSingleObject (148, 0, 0x0, ... 02597 488 NtAllocateVirtualMemory ... 90759168, 8192, ) == 0x0 02602 952 NtCreateEvent ... 884, ) == 0x0 02605 1448 NtTestAlert ... ) == 0x0 02606 1420 NtWaitForSingleObject ... 
) == 0x102 02607 924 NtDuplicateObject ... 888, ) == 0x0 02610 956 NtSetEventBoostPriority (148, ... 02611 488 NtProtectVirtualMemory (-1, (0x568e000), 4096, 260, ... 02612 952 NtWaitForSingleObject (148, 0, 0x0, ... 02613 1448 NtContinue (86572336, 1, ... 02614 1420 NtWaitForSingleObject (132, 0, 0x0, ... 02615 924 NtWaitForSingleObject (148, 0, 0x0, ... 02575 1084 NtWaitForSingleObject ... ) == 0x0 02610 956 NtSetEventBoostPriority ... ) == 0x0 02611 488 NtProtectVirtualMemory ... (0x568e000), 4096, 4, ) == 0x0 02616 1448 NtRegisterThreadTerminatePort (24, ... 02596 948 NtSetEventBoostPriority ... ) == 0x0 02617 1084 NtSetEventBoostPriority (148, ... 02618 956 NtWaitForSingleObject (148, 0, 0x0, ... 02616 1448 NtRegisterThreadTerminatePort ... ) == 0x0 02585 936 NtWaitForSingleObject ... ) == 0x0 02619 948 NtWaitForSingleObject (148, 0, 0x0, ... 02617 1084 NtSetEventBoostPriority ... ) == 0x0 02620 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02621 936 NtSetEventBoostPriority (148, ... 02622 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02620 488 NtCreateThread ... 892, {484, 780}, ) == 0x0 02588 964 NtWaitForSingleObject ... ) == 0x0 02621 936 NtSetEventBoostPriority ... ) == 0x0 02623 964 NtSetEventBoostPriority (148, ... 02624 488 NtQueryInformationThread (892, Basic, 28, ... 02589 912 NtWaitForSingleObject ... ) == 0x0 02623 964 NtSetEventBoostPriority ... ) == 0x0 02625 936 NtWaitForSingleObject (308, 0, 0x0, ... 02626 912 NtSetEventBoostPriority (148, ... 02624 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=484,Tid=780,}, 0x0, ) == 0x0 02627 964 NtWaitForSingleObject (148, 0, 0x0, ... 02628 1448 NtWaitForSingleObject (148, 0, 0x0, ... 02591 944 NtWaitForSingleObject ... ) == 0x0 02626 912 NtSetEventBoostPriority ... ) == 0x0 02629 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1670, 0} (24, {28, 56, new_msg, 0, 484, 488, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0\344\1\0\0\14\3\0\0" ... 
... 02630 944 NtSetEventBoostPriority (148, ... 02631 912 NtWaitForSingleObject (148, 0, 0x0, ... 02594 880 NtWaitForSingleObject ... ) == 0x0 02629 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1671, 0} ... {28, 56, reply, 0, 484, 488, 1671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0\344\1\0\0\14\3\0\0" ) ) == 0x0 02630 944 NtSetEventBoostPriority ... ) == 0x0 02632 880 NtSetEventBoostPriority (148, ... 02633 488 NtResumeThread (892, ... 02634 944 NtAllocateVirtualMemory (-1, 26791936, 0, 4096, 4096, 260, ... 02595 308 NtWaitForSingleObject ... ) == 0x0 02632 880 NtSetEventBoostPriority ... ) == 0x0 02633 488 NtResumeThread ... 1, ) == 0x0 02635 308 NtSetEventBoostPriority (148, ... 02634 944 NtAllocateVirtualMemory ... 26791936, 4096, ) == 0x0 02636 780 NtWaitForSingleObject (108, 0, 0x0, ... 02598 960 NtWaitForSingleObject ... ) == 0x0 02635 308 NtSetEventBoostPriority ... ) == 0x0 02637 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02638 880 NtWaitForSingleObject (148, 0, 0x0, ... 02639 960 NtSetEventBoostPriority (148, ... 02640 944 NtWaitForSingleObject (148, 0, 0x0, ... 02637 488 NtAllocateVirtualMemory ... 90767360, 1048576, ) == 0x0 02600 1048 NtWaitForSingleObject ... ) == 0x0 02639 960 NtSetEventBoostPriority ... ) == 0x0 02641 1048 NtSetEventBoostPriority (148, ... 02642 488 NtAllocateVirtualMemory (-1, 91807744, 0, 8192, 4096, 4, ... 02643 308 NtWaitForSingleObject (148, 0, 0x0, ... 02599 1444 NtWaitForSingleObject ... ) == 0x0 02641 1048 NtSetEventBoostPriority ... ) == 0x0 02644 960 NtWaitForSingleObject (148, 0, 0x0, ... 02645 1444 NtSetEventBoostPriority (148, ... 02642 488 NtAllocateVirtualMemory ... 91807744, 8192, ) == 0x0 02601 920 NtWaitForSingleObject ... ) == 0x0 02645 1444 NtSetEventBoostPriority ... ) == 0x0 02646 920 NtSetEventBoostPriority (148, ... 02647 488 NtProtectVirtualMemory (-1, (0x578e000), 4096, 260, ... 02648 1048 NtSetEventBoostPriority (132, ... 02604 1424 NtWaitForSingleObject ... 
) == 0x0 02646 920 NtSetEventBoostPriority ... ) == 0x0 02647 488 NtProtectVirtualMemory ... (0x578e000), 4096, 4, ) == 0x0 02649 1424 NtSetEventBoostPriority (148, ... 01375 1036 NtWaitForSingleObject ... ) == 0x0 02648 1048 NtSetEventBoostPriority ... ) == 0x0 02650 1444 NtWaitForSingleObject (308, 0, 0x0, ... 02603 1452 NtWaitForSingleObject ... ) == 0x0 02651 1036 NtWaitForSingleObject (148, 0, 0x0, ... 02652 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02653 1048 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02654 1452 NtSetEventBoostPriority (148, ... 02652 488 NtCreateThread ... 896, {484, 1224}, ) == 0x0 02653 1048 NtCreateEvent ... 900, ) == 0x0 02608 932 NtWaitForSingleObject ... ) == 0x0 02654 1452 NtSetEventBoostPriority ... ) == 0x0 02655 488 NtQueryInformationThread (896, Basic, 28, ... 02656 932 NtSetEventBoostPriority (148, ... 02657 1048 NtWaitForSingleObject (148, 0, 0x0, ... 02649 1424 NtSetEventBoostPriority ... ) == 0x0 02658 920 NtWaitForSingleObject (148, 0, 0x0, ... 02659 1452 NtSetEventBoostPriority (108, ... 02609 904 NtWaitForSingleObject ... ) == 0x0 02656 932 NtSetEventBoostPriority ... ) == 0x0 02655 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=484,Tid=1224,}, 0x0, ) == 0x0 02660 904 NtSetEventBoostPriority (148, ... 02529 1324 NtWaitForSingleObject ... ) == 0x0 02659 1452 NtSetEventBoostPriority ... ) == 0x0 02661 1424 NtSetEventBoostPriority (308, ... 02612 952 NtWaitForSingleObject ... ) == 0x0 02662 1324 NtWaitForSingleObject (148, 0, 0x0, ... 02660 904 NtSetEventBoostPriority ... ) == 0x0 02663 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1671, 0} (24, {28, 56, new_msg, 0, 484, 488, 1671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\3\0\0\344\1\0\0\310\4\0\0" ... ... 02664 1452 NtTestAlert (... 02665 952 NtSetEventBoostPriority (148, ... 02492 1408 NtWaitForSingleObject ... ) == 0x0 02661 1424 NtSetEventBoostPriority ... 
) == 0x0 02666 932 NtWaitForSingleObject (148, 0, 0x0, ... 02663 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1672, 0} ... {28, 56, reply, 0, 484, 488, 1672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\3\0\0\344\1\0\0\310\4\0\0" ) ) == 0x0 02592 888 NtWaitForSingleObject ... ) == 0x0 02667 1408 NtWaitForSingleObject (148, 0, 0x0, ... 02665 952 NtSetEventBoostPriority ... ) == 0x0 02664 1452 NtTestAlert ... ) == 0x0 02668 1424 NtWaitForSingleObject (72, 0, {0, 0}, ... 02669 888 NtSetEventBoostPriority (148, ... 02670 488 NtResumeThread (896, ... 02671 904 NtWaitForSingleObject (148, 0, 0x0, ... 02672 1452 NtContinue (87620912, 1, ... 02615 924 NtWaitForSingleObject ... ) == 0x0 02668 1424 NtWaitForSingleObject ... ) == 0x102 02670 488 NtResumeThread ... 1, ) == 0x0 02673 1452 NtRegisterThreadTerminatePort (24, ... 02674 924 NtSetEventBoostPriority (148, ... 02675 1424 NtWaitForSingleObject (132, 0, 0x0, ... 02669 888 NtSetEventBoostPriority ... ) == 0x0 02676 952 NtWaitForSingleObject (148, 0, 0x0, ... 02677 1224 NtWaitForSingleObject (108, 0, 0x0, ... 02678 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02618 956 NtWaitForSingleObject ... ) == 0x0 02674 924 NtSetEventBoostPriority ... ) == 0x0 02673 1452 NtRegisterThreadTerminatePort ... ) == 0x0 02679 888 NtWaitForSingleObject (308, 0, 0x0, ... 02680 956 NtSetEventBoostPriority (148, ... 02678 488 NtAllocateVirtualMemory ... 91815936, 1048576, ) == 0x0 02681 1452 NtWaitForSingleObject (148, 0, 0x0, ... 02619 948 NtWaitForSingleObject ... ) == 0x0 02682 488 NtAllocateVirtualMemory (-1, 92856320, 0, 8192, 4096, 4, ... 02683 948 NtSetEventBoostPriority (148, ... 02682 488 NtAllocateVirtualMemory ... 92856320, 8192, ) == 0x0 02622 1084 NtWaitForSingleObject ... ) == 0x0 02683 948 NtSetEventBoostPriority ... ) == 0x0 02684 1084 NtSetEventBoostPriority (148, ... 02685 488 NtProtectVirtualMemory (-1, (0x588e000), 4096, 260, ... 02680 956 NtSetEventBoostPriority ... 
) == 0x0 02686 924 NtWaitForSingleObject (148, 0, 0x0, ... 02628 1448 NtWaitForSingleObject ... ) == 0x0 02684 1084 NtSetEventBoostPriority ... ) == 0x0 02685 488 NtProtectVirtualMemory ... (0x588e000), 4096, 4, ) == 0x0 02687 956 NtWaitForSingleObject (148, 0, 0x0, ... 02688 1448 NtSetEventBoostPriority (148, ... 02689 948 NtWaitForSingleObject (148, 0, 0x0, ... 02690 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02627 964 NtWaitForSingleObject ... ) == 0x0 02688 1448 NtSetEventBoostPriority ... ) == 0x0 02691 964 NtSetEventBoostPriority (148, ... 02631 912 NtWaitForSingleObject ... ) == 0x0 02692 912 NtSetEventBoostPriority (148, ... 02638 880 NtWaitForSingleObject ... ) == 0x0 02693 880 NtSetEventBoostPriority (148, ... 02640 944 NtWaitForSingleObject ... ) == 0x0 02694 944 NtSetEventBoostPriority (148, ... 02643 308 NtWaitForSingleObject ... ) == 0x0 02695 308 NtSetEventBoostPriority (148, ... 02644 960 NtWaitForSingleObject ... ) == 0x0 02696 960 NtSetEventBoostPriority (148, ... 02651 1036 NtWaitForSingleObject ... ) == 0x0 02697 1036 NtSetEventBoostPriority (148, ... 02657 1048 NtWaitForSingleObject ... ) == 0x0 02698 1048 NtSetEventBoostPriority (148, ... 02658 920 NtWaitForSingleObject ... ) == 0x0 02699 920 NtSetEventBoostPriority (148, ... 02662 1324 NtWaitForSingleObject ... ) == 0x0 02700 1324 NtSetEventBoostPriority (148, ... 02666 932 NtWaitForSingleObject ... ) == 0x0 02701 932 NtSetEventBoostPriority (148, ... 02667 1408 NtWaitForSingleObject ... ) == 0x0 02702 1408 NtSetEventBoostPriority (148, ... 02671 904 NtWaitForSingleObject ... ) == 0x0 02703 904 NtSetEventBoostPriority (148, ... 02676 952 NtWaitForSingleObject ... ) == 0x0 02704 952 NtSetEventBoostPriority (148, ... 02681 1452 NtWaitForSingleObject ... ) == 0x0 02705 1452 NtSetEventBoostPriority (148, ... 02686 924 NtWaitForSingleObject ... ) == 0x0 02706 924 NtSetEventBoostPriority (148, ... 02687 956 NtWaitForSingleObject ... ) == 0x0 02707 956 NtSetEventBoostPriority (148, ... 
02689 948 NtWaitForSingleObject ... ) == 0x0 02708 948 NtSetEventBoostPriority (148, ... 02690 1084 NtWaitForSingleObject ... ) == 0x0 02709 1084 NtAllocateVirtualMemory (-1, 46714880, 0, 4096, 4096, 260, ... 46714880, 4096, ) == 0x0 02710 1084 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02708 948 NtSetEventBoostPriority ... ) == 0x0 02707 956 NtSetEventBoostPriority ... ) == 0x0 02706 924 NtSetEventBoostPriority ... ) == 0x0 02705 1452 NtSetEventBoostPriority ... ) == 0x0 02704 952 NtSetEventBoostPriority ... ) == 0x0 02703 904 NtSetEventBoostPriority ... ) == 0x0 02701 932 NtSetEventBoostPriority ... ) == 0x0 02700 1324 NtSetEventBoostPriority ... ) == 0x0 02699 920 NtSetEventBoostPriority ... ) == 0x0 02698 1048 NtSetEventBoostPriority ... ) == 0x0 02697 1036 NtSetEventBoostPriority ... ) == 0x0 02696 960 NtSetEventBoostPriority ... ) == 0x0 02695 308 NtSetEventBoostPriority ... ) == 0x0 02694 944 NtSetEventBoostPriority ... ) == 0x0 02693 880 NtSetEventBoostPriority ... ) == 0x0 02711 1448 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02702 1408 NtSetEventBoostPriority ... ) == 0x0 02692 912 NtSetEventBoostPriority ... ) == 0x0 02691 964 NtSetEventBoostPriority ... ) == 0x0 02712 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02713 948 NtAllocateVirtualMemory (-1, 27840512, 0, 4096, 4096, 260, ... 02710 1084 NtCreateEvent ... 904, ) == 0x0 02714 924 NtWaitForSingleObject (308, 0, 0x0, ... 02715 956 NtAllocateVirtualMemory (-1, 29937664, 0, 4096, 4096, 260, ... 02716 952 NtAllocateVirtualMemory (-1, 28889088, 0, 4096, 4096, 260, ... 02717 904 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02718 932 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02719 1452 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02720 920 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02721 1324 NtSetEventBoostPriority (108, ... 02722 1048 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 02723 960 NtWaitForSingleObject (148, 0, 0x0, ... 02724 308 NtWaitForSingleObject (148, 0, 0x0, ... 
02725 944 NtWaitForSingleObject (148, 0, 0x0, ... 02726 880 NtWaitForSingleObject (148, 0, 0x0, ... 02727 1036 NtSetEventBoostPriority (132, ... 02711 1448 NtDuplicateObject ... 908, ) == 0x0 02728 912 NtWaitForSingleObject (148, 0, 0x0, ... 02729 964 NtWaitForSingleObject (148, 0, 0x0, ... 02712 488 NtCreateThread ... 912, {484, 1472}, ) == 0x0 02730 1408 NtSetEventBoostPriority (308, ... 02731 1084 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02713 948 NtAllocateVirtualMemory ... 27840512, 4096, ) == 0x0 02715 956 NtAllocateVirtualMemory ... 29937664, 4096, ) == 0x0 02716 952 NtAllocateVirtualMemory ... 28889088, 4096, ) == 0x0 02717 904 NtCreateEvent ... 916, ) == 0x0 02719 1452 NtDuplicateObject ... 920, ) == 0x0 02718 932 NtCreateEvent ... 924, ) == 0x0 02549 1460 NtWaitForSingleObject ... ) == 0x0 02721 1324 NtSetEventBoostPriority ... ) == 0x0 02722 1048 NtAllocateVirtualMemory ... 1449984, 4096, ) == 0x0 02720 920 NtCreateEvent ... 928, ) == 0x0 01382 1008 NtWaitForSingleObject ... ) == 0x0 02727 1036 NtSetEventBoostPriority ... ) == 0x0 02732 1448 NtWaitForSingleObject (148, 0, 0x0, ... 02733 488 NtQueryInformationThread (912, Basic, 28, ... 02495 940 NtWaitForSingleObject ... ) == 0x0 02730 1408 NtSetEventBoostPriority ... ) == 0x0 02731 1084 NtDuplicateObject ... 932, ) == 0x0 02734 948 NtWaitForSingleObject (148, 0, 0x0, ... 02735 956 NtWaitForSingleObject (148, 0, 0x0, ... 02736 952 NtWaitForSingleObject (148, 0, 0x0, ... 02737 904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02738 1452 NtWaitForSingleObject (148, 0, 0x0, ... 02739 1460 NtSetEventBoostPriority (108, ... 02740 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02741 1324 NtTestAlert (... 02742 1048 NtSetEventBoostPriority (148, ... 02743 1008 NtWaitForSingleObject (148, 0, 0x0, ... 02744 920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02745 1036 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02746 940 NtWaitForSingleObject (148, 0, 0x0, ... 02733 488 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=484,Tid=1472,}, 0x0, ) == 0x0 02747 1408 NtWaitForSingleObject (72, 0, {0, 0}, ... 02748 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02737 904 NtDuplicateObject ... 936, ) == 0x0 02636 780 NtWaitForSingleObject ... ) == 0x0 02739 1460 NtSetEventBoostPriority ... ) == 0x0 02740 932 NtDuplicateObject ... 940, ) == 0x0 02741 1324 NtTestAlert ... ) == 0x0 02723 960 NtWaitForSingleObject ... ) == 0x0 02742 1048 NtSetEventBoostPriority ... ) == 0x0 02744 920 NtDuplicateObject ... 944, ) == 0x0 02745 1036 NtCreateEvent ... 948, ) == 0x0 02749 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1672, 0} (24, {28, 56, new_msg, 0, 484, 488, 1672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\344\1\0\0\300\5\0\0" ... ... 02747 1408 NtWaitForSingleObject ... ) == 0x102 02750 780 NtWaitForSingleObject (148, 0, 0x0, ... 02751 904 NtWaitForSingleObject (148, 0, 0x0, ... 02752 932 NtWaitForSingleObject (148, 0, 0x0, ... 02753 960 NtSetEventBoostPriority (148, ... 02754 1324 NtContinue (88669488, 1, ... 02755 1048 NtWaitForSingleObject (148, 0, 0x0, ... 02756 920 NtWaitForSingleObject (148, 0, 0x0, ... 02757 1036 NtWaitForSingleObject (148, 0, 0x0, ... 02758 1408 NtWaitForSingleObject (132, 0, 0x0, ... 02724 308 NtWaitForSingleObject ... ) == 0x0 02759 1324 NtRegisterThreadTerminatePort (24, ... 02753 960 NtSetEventBoostPriority ... ) == 0x0 02760 1460 NtTestAlert (... 02749 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1673, 0} ... {28, 56, reply, 0, 484, 488, 1673, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\344\1\0\0\300\5\0\0" ) ) == 0x0 02761 308 NtSetEventBoostPriority (148, ... 02762 960 NtWaitForSingleObject (148, 0, 0x0, ... 02760 1460 NtTestAlert ... ) == 0x0 02763 488 NtResumeThread (912, ... 02725 944 NtWaitForSingleObject ... ) == 0x0 02764 1460 NtContinue (89718064, 1, ... 02763 488 NtResumeThread ... 1, ) == 0x0 02765 944 NtSetEventBoostPriority (148, ... 
02766 1460 NtRegisterThreadTerminatePort (24, ... 02767 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02728 912 NtWaitForSingleObject ... ) == 0x0 02766 1460 NtRegisterThreadTerminatePort ... ) == 0x0 02767 488 NtAllocateVirtualMemory ... 92864512, 1048576, ) == 0x0 02768 912 NtSetEventBoostPriority (148, ... 02769 1460 NtWaitForSingleObject (148, 0, 0x0, ... 02770 488 NtAllocateVirtualMemory (-1, 93904896, 0, 8192, 4096, 4, ... 02729 964 NtWaitForSingleObject ... ) == 0x0 02768 912 NtSetEventBoostPriority ... ) == 0x0 02765 944 NtSetEventBoostPriority ... ) == 0x0 02761 308 NtSetEventBoostPriority ... ) == 0x0 02759 1324 NtRegisterThreadTerminatePort ... ) == 0x0 02771 1472 NtWaitForSingleObject (108, 0, 0x0, ... 02772 964 NtSetEventBoostPriority (148, ... 02770 488 NtAllocateVirtualMemory ... 93904896, 8192, ) == 0x0 02773 944 NtWaitForSingleObject (148, 0, 0x0, ... 02774 308 NtWaitForSingleObject (148, 0, 0x0, ... 02775 1324 NtWaitForSingleObject (148, 0, 0x0, ... 02732 1448 NtWaitForSingleObject ... ) == 0x0 02772 964 NtSetEventBoostPriority ... ) == 0x0 02776 488 NtProtectVirtualMemory (-1, (0x598e000), 4096, 260, ... 02777 1448 NtSetEventBoostPriority (148, ... 02778 912 NtWaitForSingleObject (148, 0, 0x0, ... 02734 948 NtWaitForSingleObject ... ) == 0x0 02777 1448 NtSetEventBoostPriority ... ) == 0x0 02776 488 NtProtectVirtualMemory ... (0x598e000), 4096, 4, ) == 0x0 02779 948 NtSetEventBoostPriority (148, ... 02780 964 NtWaitForSingleObject (148, 0, 0x0, ... 02735 956 NtWaitForSingleObject ... ) == 0x0 02779 948 NtSetEventBoostPriority ... ) == 0x0 02781 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02782 956 NtSetEventBoostPriority (148, ... 02783 1448 NtWaitForSingleObject (148, 0, 0x0, ... 02736 952 NtWaitForSingleObject ... ) == 0x0 02782 956 NtSetEventBoostPriority ... ) == 0x0 02781 488 NtCreateThread ... 952, {484, 1476}, ) == 0x0 02784 952 NtSetEventBoostPriority (148, ... 
02785 948 NtWaitForSingleObject (148, 0, 0x0, ... 02738 1452 NtWaitForSingleObject ... ) == 0x0 02784 952 NtSetEventBoostPriority ... ) == 0x0 02786 488 NtQueryInformationThread (952, Basic, 28, ... 02787 1452 NtSetEventBoostPriority (148, ... 02788 956 NtWaitForSingleObject (148, 0, 0x0, ... 02789 952 NtWaitForSingleObject (148, 0, 0x0, ... 02743 1008 NtWaitForSingleObject ... ) == 0x0 02787 1452 NtSetEventBoostPriority ... ) == 0x0 02790 1008 NtSetEventBoostPriority (148, ... 02786 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=484,Tid=1476,}, 0x0, ) == 0x0 02746 940 NtWaitForSingleObject ... ) == 0x0 02790 1008 NtSetEventBoostPriority ... ) == 0x0 02791 940 NtSetEventBoostPriority (148, ... 02792 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1673, 0} (24, {28, 56, new_msg, 0, 484, 488, 1673, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\3\0\0\344\1\0\0\304\5\0\0" ... ... 02793 1452 NtWaitForSingleObject (148, 0, 0x0, ... 02748 1084 NtWaitForSingleObject ... ) == 0x0 02791 940 NtSetEventBoostPriority ... ) == 0x0 02792 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1674, 0} ... {28, 56, reply, 0, 484, 488, 1674, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\3\0\0\344\1\0\0\304\5\0\0" ) ) == 0x0 02794 1084 NtSetEventBoostPriority (148, ... 02795 1008 NtSetEventBoostPriority (132, ... 02726 880 NtWaitForSingleObject ... ) == 0x0 02794 1084 NtSetEventBoostPriority ... ) == 0x0 02796 488 NtResumeThread (952, ... 02797 880 NtSetEventBoostPriority (148, ... 01388 1028 NtWaitForSingleObject ... ) == 0x0 02795 1008 NtSetEventBoostPriority ... ) == 0x0 02798 940 NtSetEventBoostPriority (308, ... 02750 780 NtWaitForSingleObject ... ) == 0x0 02799 1028 NtWaitForSingleObject (148, 0, 0x0, ... 02796 488 NtResumeThread ... 1, ) == 0x0 02800 1008 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02801 780 NtSetEventBoostPriority (148, ... 02509 892 NtWaitForSingleObject ... ) == 0x0 02798 940 NtSetEventBoostPriority ... 
) == 0x0 02797 880 NtSetEventBoostPriority ... ) == 0x0 02802 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02803 1476 NtWaitForSingleObject (108, 0, 0x0, ... 02751 904 NtWaitForSingleObject ... ) == 0x0 02804 892 NtSetEventBoostPriority (308, ... 02801 780 NtSetEventBoostPriority ... ) == 0x0 02800 1008 NtCreateEvent ... 956, ) == 0x0 02805 940 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02806 880 NtSetEventBoostPriority (736, ... 02807 904 NtSetEventBoostPriority (148, ... 02513 928 NtWaitForSingleObject ... ) == 0x0 02804 892 NtSetEventBoostPriority ... ) == 0x0 02808 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02809 1008 NtWaitForSingleObject (148, 0, 0x0, ... 02805 940 NtCreateEvent ... 960, ) == 0x0 02752 932 NtWaitForSingleObject ... ) == 0x0 02810 928 NtSetEventBoostPriority (308, ... 02807 904 NtSetEventBoostPriority ... ) == 0x0 02340 884 NtWaitForSingleObject ... ) == 0x0 02806 880 NtSetEventBoostPriority ... ) == 0x0 02811 780 NtSetEventBoostPriority (108, ... 02808 488 NtAllocateVirtualMemory ... 93913088, 1048576, ) == 0x0 02812 932 NtSetEventBoostPriority (148, ... 02526 896 NtWaitForSingleObject ... ) == 0x0 02810 928 NtSetEventBoostPriority ... ) == 0x0 02813 940 NtWaitForSingleObject (960, 0, 0x0, ... 02814 892 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02815 884 NtWaitForSingleObject (148, 0, 0x0, ... 02816 904 NtWaitForSingleObject (308, 0, 0x0, ... 02677 1224 NtWaitForSingleObject ... ) == 0x0 02811 780 NtSetEventBoostPriority ... ) == 0x0 02755 1048 NtWaitForSingleObject ... ) == 0x0 02817 896 NtSetEventBoostPriority (308, ... 02812 932 NtSetEventBoostPriority ... ) == 0x0 02818 488 NtAllocateVirtualMemory (-1, 94953472, 0, 8192, 4096, 4, ... 02819 880 NtWaitForSingleObject (148, 0, 0x0, ... 
02814 892 NtCreateKey ... 964, 2, ) == 0x0 02820 1224 NtSetEventBoostPriority (108, ... 02821 1048 NtSetEventBoostPriority (148, ... 02586 1432 NtWaitForSingleObject ... ) == 0x0 02817 896 NtSetEventBoostPriority ... ) == 0x0 02822 780 NtTestAlert (... 02823 928 NtSetEventBoostPriority (960, ... 02818 488 NtAllocateVirtualMemory ... 94953472, 8192, ) == 0x0 02771 1472 NtWaitForSingleObject ... ) == 0x0 02756 920 NtWaitForSingleObject ... ) == 0x0 02824 1432 NtSetEventBoostPriority (308, ... 02821 1048 NtSetEventBoostPriority ... ) == 0x0 02820 1224 NtSetEventBoostPriority ... ) == 0x0 02825 892 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02826 932 NtWaitForSingleObject (148, 0, 0x0, ... 02822 780 NtTestAlert ... ) == 0x0 02813 940 NtWaitForSingleObject ... ) == 0x0 02823 928 NtSetEventBoostPriority ... ) == 0x0 02827 1472 NtWaitForSingleObject (148, 0, 0x0, ... 02828 920 NtSetEventBoostPriority (148, ... 02583 1440 NtWaitForSingleObject ... ) == 0x0 02824 1432 NtSetEventBoostPriority ... ) == 0x0 02829 488 NtProtectVirtualMemory (-1, (0x5a8e000), 4096, 260, ... 02830 896 NtWaitForSingleObject (960, 0, 0x0, ... 02831 1048 NtWaitForSingleObject (148, 0, 0x0, ... 02825 892 NtOpenKey ... 968, ) == 0x0 02832 940 NtSetEventBoostPriority (960, ... 02833 780 NtContinue (90766640, 1, ... 02757 1036 NtWaitForSingleObject ... ) == 0x0 02834 1440 NtSetEventBoostPriority (308, ... 02828 920 NtSetEventBoostPriority ... ) == 0x0 02835 928 NtWaitForSingleObject (148, 0, 0x0, ... 02836 1432 NtWaitForSingleObject (72, 0, {0, 0}, ... 02829 488 NtProtectVirtualMemory ... (0x5a8e000), 4096, 4, ) == 0x0 02830 896 NtWaitForSingleObject ... ) == 0x0 02832 940 NtSetEventBoostPriority ... ) == 0x0 02837 892 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02838 1036 NtSetEventBoostPriority (148, ... 
02625 936 NtWaitForSingleObject ... ) == 0x0 02839 780 NtRegisterThreadTerminatePort (24, ... 02834 1440 NtSetEventBoostPriority ... ) == 0x0 02840 1224 NtTestAlert (... 02841 920 NtWaitForSingleObject (148, 0, 0x0, ... 02836 1432 NtWaitForSingleObject ... ) == 0x102 02842 896 NtWaitForSingleObject (148, 0, 0x0, ... 02843 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02762 960 NtWaitForSingleObject ... ) == 0x0 02838 1036 NtSetEventBoostPriority ... ) == 0x0 02837 892 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02844 936 NtWaitForSingleObject (148, 0, 0x0, ... 02845 940 NtRequestWaitReplyPort (820, {64, 88, new_msg, 0, 484, 892, 1668, 0} (820, {64, 88, new_msg, 0, 484, 892, 1668, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02846 1440 NtWaitForSingleObject (72, 0, {0, 0}, ... 02840 1224 NtTestAlert ... ) == 0x0 02847 1432 NtWaitForSingleObject (132, 0, 0x0, ... 02848 960 NtSetEventBoostPriority (148, ... 02843 488 NtCreateThread ... 972, {484, 1480}, ) == 0x0 02839 780 NtRegisterThreadTerminatePort ... ) == 0x0 02849 1036 NtWaitForSingleObject (148, 0, 0x0, ... 02850 1224 NtContinue (91815216, 1, ... 02845 940 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 940, 1675, 0} ... {52, 76, reply, 0, 484, 940, 1675, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02769 1460 NtWaitForSingleObject ... ) == 0x0 02848 960 NtSetEventBoostPriority ... ) == 0x0 02851 488 NtQueryInformationThread (972, Basic, 28, ... 02852 780 NtWaitForSingleObject (148, 0, 0x0, ... 02853 1224 NtRegisterThreadTerminatePort (24, ... 02854 1460 NtSetEventBoostPriority (148, ... 02855 940 NtWaitForSingleObject (148, 0, 0x0, ... 02856 892 NtQueryValueKey (964, (964, "Hostname", Partial, 144, ... , Partial, 144, ... 02846 1440 NtWaitForSingleObject ... 
) == 0x102 02851 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=484,Tid=1480,}, 0x0, ) == 0x0 02773 944 NtWaitForSingleObject ... ) == 0x0 02853 1224 NtRegisterThreadTerminatePort ... ) == 0x0 02856 892 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02857 1440 NtWaitForSingleObject (132, 0, 0x0, ... 02858 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1674, 0} (24, {28, 56, new_msg, 0, 484, 488, 1674, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\3\0\0\344\1\0\0\310\5\0\0" ... ... 02859 944 NtSetEventBoostPriority (148, ... 02860 1224 NtWaitForSingleObject (148, 0, 0x0, ... 02861 892 NtWaitForSingleObject (148, 0, 0x0, ... 02774 308 NtWaitForSingleObject ... ) == 0x0 02859 944 NtSetEventBoostPriority ... ) == 0x0 02854 1460 NtSetEventBoostPriority ... ) == 0x0 02862 960 NtWaitForSingleObject (148, 0, 0x0, ... 02858 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1676, 0} ... {28, 56, reply, 0, 484, 488, 1676, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\3\0\0\344\1\0\0\310\5\0\0" ) ) == 0x0 02863 308 NtSetEventBoostPriority (148, ... 02864 1460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02775 1324 NtWaitForSingleObject ... ) == 0x0 02863 308 NtSetEventBoostPriority ... ) == 0x0 02865 488 NtResumeThread (972, ... 02866 1324 NtSetEventBoostPriority (148, ... 02864 1460 NtDuplicateObject ... 976, ) == 0x0 02867 944 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02778 912 NtWaitForSingleObject ... ) == 0x0 02866 1324 NtSetEventBoostPriority ... ) == 0x0 02865 488 NtResumeThread ... 1, ) == 0x0 02868 308 NtWaitForSingleObject (148, 0, 0x0, ... 02869 912 NtSetEventBoostPriority (148, ... 02867 944 NtCreateEvent ... 980, ) == 0x0 02870 1460 NtWaitForSingleObject (148, 0, 0x0, ... 02871 1480 NtWaitForSingleObject (108, 0, 0x0, ... 02872 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02780 964 NtWaitForSingleObject ... 
) == 0x0 02869 912 NtSetEventBoostPriority ... ) == 0x0 02873 944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02874 964 NtSetEventBoostPriority (148, ... 02872 488 NtAllocateVirtualMemory ... 94961664, 1048576, ) == 0x0 02875 912 NtAllocateVirtualMemory (-1, 18403328, 0, 4096, 4096, 260, ... 02783 1448 NtWaitForSingleObject ... ) == 0x0 02874 964 NtSetEventBoostPriority ... ) == 0x0 02873 944 NtDuplicateObject ... 984, ) == 0x0 02876 488 NtAllocateVirtualMemory (-1, 96002048, 0, 8192, 4096, 4, ... 02877 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02878 1448 NtSetEventBoostPriority (148, ... 02879 964 NtWaitForSingleObject (148, 0, 0x0, ... 02880 944 NtWaitForSingleObject (148, 0, 0x0, ... 02875 912 NtAllocateVirtualMemory ... 18403328, 4096, ) == 0x0 02785 948 NtWaitForSingleObject ... ) == 0x0 02878 1448 NtSetEventBoostPriority ... ) == 0x0 02877 1324 NtDuplicateObject ... 988, ) == 0x0 02876 488 NtAllocateVirtualMemory ... 96002048, 8192, ) == 0x0 02881 948 NtSetEventBoostPriority (148, ... 02882 912 NtWaitForSingleObject (148, 0, 0x0, ... 02883 1448 NtWaitForSingleObject (308, 0, 0x0, ... 02884 1324 NtWaitForSingleObject (148, 0, 0x0, ... 02788 956 NtWaitForSingleObject ... ) == 0x0 02881 948 NtSetEventBoostPriority ... ) == 0x0 02885 488 NtProtectVirtualMemory (-1, (0x5b8e000), 4096, 260, ... 02886 956 NtSetEventBoostPriority (148, ... 02887 948 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02789 952 NtWaitForSingleObject ... ) == 0x0 02886 956 NtSetEventBoostPriority ... ) == 0x0 02885 488 NtProtectVirtualMemory ... (0x5b8e000), 4096, 4, ) == 0x0 02888 952 NtSetEventBoostPriority (148, ... 02889 956 NtWaitForSingleObject (148, 0, 0x0, ... 02793 1452 NtWaitForSingleObject ... ) == 0x0 02888 952 NtSetEventBoostPriority ... ) == 0x0 02890 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02887 948 NtCreateEvent ... 992, ) == 0x0 02891 1452 NtSetEventBoostPriority (148, ... 02892 952 NtWaitForSingleObject (148, 0, 0x0, ... 
02890 488 NtCreateThread ... 996, {484, 1484}, ) == 0x0 02799 1028 NtWaitForSingleObject ... ) == 0x0 02891 1452 NtSetEventBoostPriority ... ) == 0x0 02893 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02894 1028 NtSetEventBoostPriority (148, ... 02895 488 NtQueryInformationThread (996, Basic, 28, ... 02896 1452 NtWaitForSingleObject (308, 0, 0x0, ... 02802 1084 NtWaitForSingleObject ... ) == 0x0 02894 1028 NtSetEventBoostPriority ... ) == 0x0 02893 948 NtDuplicateObject ... 1000, ) == 0x0 02895 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=484,Tid=1484,}, 0x0, ) == 0x0 02897 1084 NtSetEventBoostPriority (148, ... 02898 948 NtWaitForSingleObject (148, 0, 0x0, ... 02809 1008 NtWaitForSingleObject ... ) == 0x0 02897 1084 NtSetEventBoostPriority ... ) == 0x0 02899 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1676, 0} (24, {28, 56, new_msg, 0, 484, 488, 1676, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\3\0\0\344\1\0\0\314\5\0\0" ... ... 02900 1008 NtSetEventBoostPriority (148, ... 02901 1084 NtWaitForSingleObject (148, 0, 0x0, ... 02815 884 NtWaitForSingleObject ... ) == 0x0 02900 1008 NtSetEventBoostPriority ... ) == 0x0 02899 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1677, 0} ... {28, 56, reply, 0, 484, 488, 1677, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\3\0\0\344\1\0\0\314\5\0\0" ) ) == 0x0 02902 1028 NtSetEventBoostPriority (132, ... 02903 884 NtSetEventBoostPriority (148, ... 02904 488 NtResumeThread (996, ... 02819 880 NtWaitForSingleObject ... ) == 0x0 02903 884 NtSetEventBoostPriority ... ) == 0x0 01390 1024 NtWaitForSingleObject ... ) == 0x0 02902 1028 NtSetEventBoostPriority ... ) == 0x0 02905 880 NtSetEventBoostPriority (148, ... 02904 488 NtResumeThread ... 1, ) == 0x0 02906 1008 NtWaitForSingleObject (148, 0, 0x0, ... 02907 1024 NtWaitForSingleObject (148, 0, 0x0, ... 02826 932 NtWaitForSingleObject ... ) == 0x0 02905 880 NtSetEventBoostPriority ... 
) == 0x0 02908 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02909 884 NtWaitForSingleObject (148, 0, 0x0, ... 02910 1484 NtWaitForSingleObject (108, 0, 0x0, ... 02911 932 NtSetEventBoostPriority (148, ... 02912 880 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02908 1028 NtCreateEvent ... 1004, ) == 0x0 02827 1472 NtWaitForSingleObject ... ) == 0x0 02911 932 NtSetEventBoostPriority ... ) == 0x0 02913 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02914 1472 NtSetEventBoostPriority (148, ... 02915 1028 NtWaitForSingleObject (148, 0, 0x0, ... 02916 932 NtWaitForSingleObject (148, 0, 0x0, ... 02831 1048 NtWaitForSingleObject ... ) == 0x0 02914 1472 NtSetEventBoostPriority ... ) == 0x0 02913 488 NtAllocateVirtualMemory ... 96010240, 1048576, ) == 0x0 02912 880 NtCreateKey ... 1008, 2, ) == 0x0 02917 1048 NtSetEventBoostPriority (148, ... 02918 488 NtAllocateVirtualMemory (-1, 97050624, 0, 8192, 4096, 4, ... 02835 928 NtWaitForSingleObject ... ) == 0x0 02917 1048 NtSetEventBoostPriority ... ) == 0x0 02919 880 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02920 928 NtSetEventBoostPriority (148, ... 02918 488 NtAllocateVirtualMemory ... 97050624, 8192, ) == 0x0 02921 1048 NtWaitForSingleObject (148, 0, 0x0, ... 02841 920 NtWaitForSingleObject ... ) == 0x0 02920 928 NtSetEventBoostPriority ... ) == 0x0 02919 880 NtOpenKey ... 1012, ) == 0x0 02922 488 NtProtectVirtualMemory (-1, (0x5c8e000), 4096, 260, ... 02923 1472 NtSetEventBoostPriority (108, ... 02924 920 NtSetEventBoostPriority (148, ... 02925 880 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 
02922 488 NtProtectVirtualMemory ... (0x5c8e000), 4096, 4, ) == 0x0 02842 896 NtWaitForSingleObject ... ) == 0x0 02924 920 NtSetEventBoostPriority ... ) == 0x0 02803 1476 NtWaitForSingleObject ... ) == 0x0 02923 1472 NtSetEventBoostPriority ... ) == 0x0 02925 880 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02926 928 NtRequestWaitReplyPort (820, {64, 88, new_msg, 0, 0, 0, 0, 0} (820, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02927 896 NtSetEventBoostPriority (148, ... 02928 1476 NtSetEventBoostPriority (108, ... 02929 920 NtWaitForSingleObject (308, 0, 0x0, ... 02930 1472 NtTestAlert (... 02931 880 NtQueryValueKey (1008, (1008, "Domain", Partial, 144, ... , Partial, 144, ... 02844 936 NtWaitForSingleObject ... ) == 0x0 02871 1480 NtWaitForSingleObject ... ) == 0x0 02928 1476 NtSetEventBoostPriority ... ) == 0x0 02927 896 NtSetEventBoostPriority ... ) == 0x0 02926 928 NtRequestWaitReplyPort ... {52, 76, reply, 0, 484, 928, 1678, 0} ... {52, 76, reply, 0, 484, 928, 1678, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02932 488 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02930 1472 NtTestAlert ... ) == 0x0 02933 936 NtSetEventBoostPriority (148, ... 02934 1480 NtSetEventBoostPriority (108, ... 02931 880 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02935 1476 NtTestAlert (... 02936 928 NtWaitForSingleObject (148, 0, 0x0, ... 02932 488 NtCreateThread ... 1016, {484, 1488}, ) == 0x0 02849 1036 NtWaitForSingleObject ... ) == 0x0 02910 1484 NtWaitForSingleObject ... ) == 0x0 02934 1480 NtSetEventBoostPriority ... ) == 0x0 02937 1472 NtContinue (92863792, 1, ... 02938 880 NtQueryValueKey (1008, (1008, "Domain", Partial, 144, ... , Partial, 144, ... 
02935 1476 NtTestAlert ... ) == 0x0 02939 488 NtQueryInformationThread (1016, Basic, 28, ... 02940 1484 NtWaitForSingleObject (148, 0, 0x0, ... 02941 1036 NtSetEventBoostPriority (148, ... 02933 936 NtSetEventBoostPriority ... ) == 0x0 02942 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02943 1472 NtRegisterThreadTerminatePort (24, ... 02938 880 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02944 1476 NtContinue (93912368, 1, ... 02939 488 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=484,Tid=1488,}, 0x0, ) == 0x0 02852 780 NtWaitForSingleObject ... ) == 0x0 02941 1036 NtSetEventBoostPriority ... ) == 0x0 02945 1480 NtTestAlert (... 02942 896 NtCreateEvent ... 1020, ) == 0x0 02946 936 NtSetEventBoostPriority (308, ... 02947 880 NtWaitForSingleObject (148, 0, 0x0, ... 02948 1476 NtRegisterThreadTerminatePort (24, ... 02949 780 NtSetEventBoostPriority (148, ... 02950 488 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 484, 488, 1677, 0} (24, {28, 56, new_msg, 0, 484, 488, 1677, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\3\0\0\344\1\0\0\320\5\0\0" ... ... 02951 1036 NtWaitForSingleObject (148, 0, 0x0, ... 02945 1480 NtTestAlert ... ) == 0x0 02952 896 NtWaitForSingleObject (308, 0, 0x0, ... 02650 1444 NtWaitForSingleObject ... ) == 0x0 02946 936 NtSetEventBoostPriority ... ) == 0x0 02855 940 NtWaitForSingleObject ... ) == 0x0 02949 780 NtSetEventBoostPriority ... ) == 0x0 02948 1476 NtRegisterThreadTerminatePort ... ) == 0x0 02950 488 NtRequestWaitReplyPort ... {28, 56, reply, 0, 484, 488, 1679, 0} ... {28, 56, reply, 0, 484, 488, 1679, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\3\0\0\344\1\0\0\320\5\0\0" ) ) == 0x0 02943 1472 NtRegisterThreadTerminatePort ... ) == 0x0 02953 1480 NtContinue (94960944, 1, ... 02954 1444 NtWaitForSingleObject (148, 0, 0x0, ... 02955 940 NtSetEventBoostPriority (148, ... 02956 936 NtWaitForSingleObject (148, 0, 0x0, ... 
02957 1476 NtWaitForSingleObject (148, 0, 0x0, ... 02958 488 NtResumeThread (1016, ... 02959 1472 NtWaitForSingleObject (148, 0, 0x0, ... 02861 892 NtWaitForSingleObject ... ) == 0x0 02955 940 NtSetEventBoostPriority ... ) == 0x0 02960 1480 NtRegisterThreadTerminatePort (24, ... 02961 780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02958 488 NtResumeThread ... 1, ) == 0x0 02962 892 NtSetEventBoostPriority (148, ... 02963 1488 NtWaitForSingleObject (108, 0, 0x0, ... 02960 1480 NtRegisterThreadTerminatePort ... ) == 0x0 02961 780 NtDuplicateObject ... 1024, ) == 0x0 02860 1224 NtWaitForSingleObject ... ) == 0x0 02962 892 NtSetEventBoostPriority ... ) == 0x0 02964 488 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02965 1480 NtWaitForSingleObject (148, 0, 0x0, ... 02966 1224 NtSetEventBoostPriority (148, ... 02967 780 NtWaitForSingleObject (148, 0, 0x0, ... 02968 940 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02964 488 NtAllocateVirtualMemory ... 97058816, 1048576, ) == 0x0 02969 892 NtQueryValueKey (964, (964, "Hostname", Partial, 144, ... , Partial, 144, ... 02862 960 NtWaitForSingleObject ... ) == 0x0