Summary: number of times each Nt* syscall was made by PID 1736 (packed.exe) over the full run, laid out in four columns in ascending order of count. Note that the summary covers the whole run while the trace below is cut off at record 00278, so the counts (e.g. NtClose 275, NtOpenProcess 29) exceed what is visible. NtWriteVirtualMemory's 116 is exactly 29 × 4, matching the four 5-byte remote writes per opened process seen in the trace.

NtAdjustPrivilegesToken(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryInformationProcess(>) 7 NtFlushInstructionCache(>) 54
NtDelayExecution(>) 1 NtNotifyChangeKey(>) 2 NtCreateFile(>) 8 NtContinue(>) 88
NtGdiCreateBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtQueryVirtualMemory(>) 9 NtMapViewOfSection(>) 99
NtGdiInit(>) 1 NtQueryDefaultUILanguage(>) 2 NtUserFindExistingCursorIcon(>) 9 NtCreateEvent(>) 113
NtGdiQueryFontAssocInfo(>) 1 NtQueryPerformanceCounter(>) 2 NtConnectPort(>) 10 NtQuerySystemInformation(>) 116
NtGdiSelectBitmap(>) 1 NtSetInformationObject(>) 2 NtFsControlFile(>) 10 NtWriteVirtualMemory(>) 116
NtOpenKeyedEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenThreadToken(>) 10 NtResumeThread(>) 127
NtOpenSymbolicLinkObject(>) 1 NtOpenProcessToken(>) 3 NtSetInformationThread(>) 11 NtQueryInformationThread(>) 130
NtQueryInstallUILanguage(>) 1 NtOpenProcessTokenEx(>) 3 NtSetInformationFile(>) 12 NtOpenKey(>) 135
NtQueryObject(>) 1 NtQueryVolumeInformationFile(>) 3 NtQuerySection(>) 13 NtCreateThread(>) 143
NtQuerySymbolicLinkObject(>) 1 NtReadFile(>) 3 NtUserRegisterClassExWOW(>) 14 NtTestAlert(>) 166
NtQuerySystemTime(>) 1 NtSecureConnectPort(>) 3 NtSetValueKey(>) 16 NtRegisterThreadTerminatePort(>) 169
NtRaiseException(>) 1 NtFreeVirtualMemory(>) 4 NtCreateKey(>) 23 NtRequestWaitReplyPort(>) 170
NtSetInformationProcess(>) 1 NtOpenThreadTokenEx(>) 4 NtCreateSection(>) 25 NtDuplicateObject(>) 189
NtUserCallNoParam(>) 1 NtQueryDefaultLocale(>) 4 NtOpenFile(>) 27 NtQueryValueKey(>) 255
NtUserGetObjectInformation(>) 1 NtWriteFile(>) 4 NtOpenProcess(>) 29 NtClose(>) 275
NtUserGetProcessWindowStation(>) 1 NtCreateMutant(>) 5 NtDeviceIoControlFile(>) 35 NtProtectVirtualMemory(>) 357
NtUserGetThreadDesktop(>) 1 NtGdiGetStockObject(>) 5 NtQueryAttributesFile(>) 43 NtAllocateVirtualMemory(>) 374
NtCallbackReturn(>) 2 NtQueryInformationToken(>) 6 NtUnmapViewOfSection(>) 44 NtSetEventBoostPriority(>) 590
NtCreateIoCompletion(>) 2 NtQueryInformationFile(>) 7 NtOpenSection(>) 51 NtWaitForSingleObject(>) 837

Trace: one record per call — sequence number, PID, syscall name, input arguments, `...`, output arguments, then `== NTSTATUS`. Each argument list appears to be printed twice (pre-call and post-call state), so nested repeats such as `(24, {28, 56, new_msg, ...} (24, {28, 56, new_msg, ...}` are one call, not two. Security-relevant sequence visible below (all claims are from the records themselves; target process names are not in the trace):
  - 00119 opens the process token with access 0x20 (TOKEN_ADJUST_PRIVILEGES); 00149–00157 talk DCE/RPC over \??\PIPE\lsarpc (bind 05 00 0B, bind_ack 05 00 0C, request 05 00 00, response 05 00 02) and the request carries the UTF-16 string "SeDebugPrivilege"; 00160 then calls NtAdjustPrivilegesToken on that token. This is the privilege-lookup-then-enable pattern needed to open other users' processes.
  - 00163 NtQuerySystemInformation(ProcessesAndThreads) enumerates running processes.
  - From 00180 the same block repeats per PID (580, 640, 652, 816, 904, 1000, 1044, ...): NtOpenProcess with access 0x2a (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE); the named section "\BaseNamedObjects\W32_Virtu" (created at 00077, 27086 bytes, mapped locally at 0x320000) is mapped into the target with protection 64 (PAGE_EXECUTE_READWRITE); the page at 0x7c90d000 in the target (above the kernel32 image mapped at 0x7c800000 at 00019 — presumably ntdll.dll, not confirmed here) is set to 64, its previous protection being 32 (PAGE_EXECUTE_READ); then four 5-byte writes at 0x7c90d682, 0x7c90dcfd, 0x7c90d754 and 0x7c90d769, each starting with \350 (0xE8, x86 near CALL rel32). The rel32 values land inside the remote view: e.g. \350\15Mh\3 at 0x7c90d682 targets 0x7c90d687 + 0x03684d0d = 0x7ff92394, within the view mapped at 0x7ff90000 (28672 bytes); for PID 816 the view is at 0x7ffa0000 and the bytes change to \350\15Mi\3, for PID 1000 at 0x7ff50000 to \350\15Md\3. These are inline hooks redirecting four code locations in every process into the injected section.
  - Only for PID 580 is a remote thread also created and started (00195 NtCreateThread with access 0x1f03ff in process handle 80, 00197 NtResumeThread, 00198 NtDelayExecution 10 ms).
  For detection, the combination of SeDebugPrivilege enablement, NtOpenProcess 0x2a against every enumerated PID, NtProtectVirtualMemory to PAGE_EXECUTE_READWRITE on a shared system-DLL page, and 0xE8 writes to fixed addresses is the behavioural signature to key on; the section name "W32_Virtu" and the event "VT_3" (00076) are weaker, sample-specific indicators.

00001 1736 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1736 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1736 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1736 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1736 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1736 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1736 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1736 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1736 NtClose (12, ... ) == 0x0 00015 1736 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1736 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1736 NtClose (16, ... ) == 0x0 00021 1736 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1736 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1736 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1736 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1736 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1736 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1736 NtClose (16, ... ) == 0x0 00030 1736 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1736 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1736 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1736 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75469, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ) == 0x0 00036 1736 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1736 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1736 NtClose (16, ... ) == 0x0 00041 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1736 NtClose (16, ... ) == 0x0 00044 1736 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1736 NtClose (16, ... ) == 0x0 00048 1736 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1736 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1736 NtClose (16, ... ) == 0x0 00052 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1736 NtClose (16, ... ) == 0x0 00055 1736 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1736 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1736 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ... {24, 52, reply, 0, 1636, 1736, 75470, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ) == 0x0 00060 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75471, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ) == 0x0 00061 1736 NtProtectVirtualMemory (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0 00062 1736 NtProtectVirtualMemory (-1, (0x409000), 98304, 128, ... 
(0x409000), 98304, 4, ) == 0x0 00063 1736 NtFlushInstructionCache (-1, 4231168, 94224, ... ) == 0x0 00064 1736 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1736 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1736 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1736 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1736 NtClose (16, ... ) == 0x0 00069 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1736 NtClose (16, ... ) == 0x0 00072 1736 NtTestAlert (... ) == 0x0 00073 1736 NtContinue (1244464, 1, ... 00074 1736 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x409a00,}, 4, ... ) == 0x0 00075 1736 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0 00076 1736 NtCreateEvent (0x1f0003, {24, 16, 0x80, 1245092, 0, (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0 00077 1736 NtCreateSection (0xe, {24, 0, 0x40, 1245092, 0, (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0 00078 1736 NtMapViewOfSection (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0 00079 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 36, ) }, ... 
36, ) == 0x0 00080 1736 NtQueryValueKey (36, (36, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 1736 NtClose (36, ... ) == 0x0 00082 1736 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00083 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00084 1736 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00085 1736 NtClose (36, ... ) == 0x0 00086 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00087 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00088 1736 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00089 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0 00090 1736 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00091 1736 NtClose (36, ... ) == 0x0 00092 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00093 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00094 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00095 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00096 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00097 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00098 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00099 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00100 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00101 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... 
(0x77dd1000), 4096, 32, ) == 0x0 00102 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00103 1736 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00104 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 1736 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00106 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0 00108 1736 NtQueryValueKey (36, (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00109 1736 NtQueryValueKey (36, (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00110 1736 NtClose (36, ... ) == 0x0 00111 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0 00112 1736 NtQueryValueKey (36, (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 1736 NtClose (36, ... ) == 0x0 00114 1736 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 
36, ) == 0x0 00115 1736 NtSetInformationObject (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00116 1736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 1736 NtOpenProcessToken (-1, 0x20, ... 40, ) == 0x0 00120 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00121 1736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 1736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0 00123 1736 NtQueryValueKey (44, (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 1736 NtClose (44, ... ) == 0x0 00125 1736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 1736 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
44, ) == 0x0 00127 1736 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0 00128 1736 NtQuerySystemTime (... {945764718, 29926892}, ) == 0x0 00129 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00130 1736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 1736 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00132 1736 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00133 1736 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00134 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00135 1736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0 00136 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0 00137 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0 00138 1736 NtQueryValueKey (68, (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 00139 1736 NtClose (68, ... ) == 0x0 00140 1736 NtClose (64, ... ) == 0x0 00141 1736 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 64, ) == 0x0 00142 1736 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 68, ) == 0x0 00143 1736 NtDuplicateObject (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0 00144 1736 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00145 1736 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00146 1736 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0 00147 1736 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00148 1736 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00149 1736 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243252, (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0 00150 1736 NtSetInformationFile (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00151 1736 NtSetInformationFile (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00152 1736 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00153 1736 NtWriteFile (80, 57, 0, 0, (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00154 1736 NtReadFile (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00155 1736 NtFsControlFile (80, 57, 0x0, 0x0, 0x11c017, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... 
{status=0x103, info=68}, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00156 1736 NtFsControlFile (80, 57, 0x0, 0x0, 0x11c017, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) \0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) == 0x103 00157 1736 NtFsControlFile (80, 57, 0x0, 0x0, 0x11c017, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... 
{status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00158 1736 NtClose (76, ... ) == 0x0 00159 1736 NtClose (80, ... ) == 0x0 00160 1736 NtAdjustPrivilegesToken (40, 0, 1245096, 0, 0, 0, ... ) == 0x0 00161 1736 NtClose (40, ... ) == 0x0 00162 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0 00163 1736 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00164 1736 NtCreateSection (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0 00165 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0 00166 1736 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00167 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0 00168 1736 NtFreeVirtualMemory (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0 00169 1736 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00170 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00171 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00172 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00173 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00174 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00175 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00176 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00177 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00178 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00179 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00180 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 
80, ) == 0x0 00181 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0 00182 1736 NtMapViewOfSection (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00183 1736 NtClose (76, ... ) == 0x0 00184 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00185 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00186 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00187 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00188 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00189 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00190 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00191 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00192 1736 NtAllocateVirtualMemory (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0 00193 1736 NtAllocateVirtualMemory (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0 00194 1736 NtProtectVirtualMemory (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0 00195 1736 NtCreateThread (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 1744}, ) == 0x0 00196 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\320\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\320\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75472, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\320\6\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\320\6\0\0" ) ) == 0x0 00197 1736 NtResumeThread (76, ... 1, ) == 0x0 00198 1736 NtDelayExecution (0, {-100000, -1}, ... ) == 0x0 00199 1736 NtClose (80, ... ) == 0x0 00200 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00201 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00202 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0 00203 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00204 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00205 1736 NtClose (84, ... ) == 0x0 00206 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00207 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00208 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00209 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00210 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00211 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00212 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00213 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00214 1736 NtClose (80, ... ) == 0x0 00215 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00216 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00217 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 
80, ) == 0x0 00218 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00219 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00220 1736 NtClose (84, ... ) == 0x0 00221 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00222 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00223 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00224 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00225 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00226 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00227 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00228 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00229 1736 NtClose (80, ... ) == 0x0 00230 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00231 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00232 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0 00233 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00234 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00235 1736 NtClose (84, ... ) == 0x0 00236 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00237 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00238 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00239 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00240 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00241 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00242 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00243 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00244 1736 NtClose (80, ... ) == 0x0 00245 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00246 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00247 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0 00248 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00249 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00250 1736 NtClose (84, ... ) == 0x0 00251 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00252 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00253 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00254 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00255 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00256 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00257 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00258 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00259 1736 NtClose (80, ... ) == 0x0 00260 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00261 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00262 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0 00263 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00264 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0 00265 1736 NtClose (84, ... ) == 0x0 00266 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00267 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00268 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00269 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00270 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00271 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00272 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00273 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00274 1736 NtClose (80, ... ) == 0x0 00275 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00276 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00277 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0 00278 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 
84, ) == 0x0 00279 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00280 1736 NtClose (84, ... ) == 0x0 00281 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00282 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00283 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00284 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00285 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00286 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00287 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00288 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00289 1736 NtClose (80, ... ) == 0x0 00290 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00291 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00292 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0 00293 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00294 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00295 1736 NtClose (84, ... ) == 0x0 00296 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00297 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00298 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00299 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00300 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00301 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00302 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00303 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00304 1736 NtClose (80, ... ) == 0x0 00305 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00306 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00307 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0 00308 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00309 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00310 1736 NtClose (84, ... ) == 0x0 00311 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00312 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00313 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00314 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00315 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00316 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00317 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00318 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00319 1736 NtClose (80, ... ) == 0x0 00320 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00321 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00322 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0 00323 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00324 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00325 1736 NtClose (84, ... ) == 0x0 00326 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00327 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00328 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00329 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00330 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00331 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00332 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00333 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00334 1736 NtClose (80, ... ) == 0x0 00335 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00336 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00337 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0 00338 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00339 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... 
(0x7ffa0000), 0x0, 28672, ) == 0x0 00340 1736 NtClose (84, ... ) == 0x0 00341 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00342 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00343 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00344 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00345 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00346 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00347 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00348 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00349 1736 NtClose (80, ... ) == 0x0 00350 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00351 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00352 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0 00353 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00354 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00355 1736 NtClose (84, ... ) == 0x0 00356 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00357 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00358 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00359 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00360 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00361 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00362 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00363 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00364 1736 NtClose (80, ... ) == 0x0 00365 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00366 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00367 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 80, ) == 0x0 00368 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00369 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00370 1736 NtClose (84, ... ) == 0x0 00371 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00372 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00373 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00374 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00375 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00376 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00377 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00378 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00379 1736 NtClose (80, ... ) == 0x0 00380 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x330000), {0, 0}, 20480, ) == 0x0 00381 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00382 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0 00383 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00384 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00385 1736 NtClose (84, ... ) == 0x0 00386 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00387 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00388 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00389 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00390 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00391 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00392 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00393 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00394 1736 NtClose (80, ... ) == 0x0 00395 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00396 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00397 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0 00398 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00399 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00400 1736 NtClose (84, ... ) == 0x0 00401 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... 
(0x7c90d000), 4096, 32, ) == 0x0 00402 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00403 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00404 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00405 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00406 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00407 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00408 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00409 1736 NtClose (80, ... ) == 0x0 00410 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00411 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00412 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0 00413 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00414 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00415 1736 NtClose (84, ... ) == 0x0 00416 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00417 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00418 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00419 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00420 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00421 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00422 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00423 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00424 1736 NtClose (80, ... ) == 0x0 00425 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00426 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00427 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0 00428 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00429 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00430 1736 NtClose (84, ... ) == 0x0 00431 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00432 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00433 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00434 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00435 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00436 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00437 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00438 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00439 1736 NtClose (80, ... ) == 0x0 00440 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00441 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00442 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 
80, ) == 0x0 00443 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00444 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00445 1736 NtClose (84, ... ) == 0x0 00446 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00447 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00448 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00449 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00450 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00451 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00452 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00453 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00454 1736 NtClose (80, ... ) == 0x0 00455 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00456 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00457 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0 00458 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00459 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00460 1736 NtClose (84, ... ) == 0x0 00461 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00462 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00463 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00464 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00465 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00466 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00467 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00468 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00469 1736 NtClose (80, ... ) == 0x0 00470 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00471 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00472 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0 00473 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00474 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00475 1736 NtClose (84, ... ) == 0x0 00476 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00477 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00478 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00479 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00480 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00481 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00482 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00483 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00484 1736 NtClose (80, ... ) == 0x0 00485 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00486 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00487 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0 00488 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00489 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00490 1736 NtClose (84, ... ) == 0x0 00491 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00492 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00493 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00494 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00495 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00496 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00497 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00498 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00499 1736 NtClose (80, ... ) == 0x0 00500 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00501 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00502 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0 00503 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 
84, ) == 0x0 00504 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00505 1736 NtClose (84, ... ) == 0x0 00506 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00507 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00508 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00509 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00510 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00511 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00512 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00513 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00514 1736 NtClose (80, ... ) == 0x0 00515 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00516 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00517 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1200, 0}, ... 80, ) == 0x0 00518 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00519 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00520 1736 NtClose (84, ... ) == 0x0 00521 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00522 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00523 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00524 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00525 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00526 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00527 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00528 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00529 1736 NtClose (80, ... ) == 0x0 00530 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00531 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00532 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {164, 0}, ... 80, ) == 0x0 00533 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00534 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00535 1736 NtClose (84, ... ) == 0x0 00536 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00537 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00538 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00539 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00540 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00541 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00542 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00543 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00544 1736 NtClose (80, ... ) == 0x0 00545 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00546 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00547 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {888, 0}, ... 80, ) == 0x0 00548 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00549 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00550 1736 NtClose (84, ... ) == 0x0 00551 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00552 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00553 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00554 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00555 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00556 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00557 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00558 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00559 1736 NtClose (80, ... ) == 0x0 00560 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00561 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00562 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 80, ) == 0x0 00563 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00564 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... 
(0x7ffa0000), 0x0, 28672, ) == 0x0 00565 1736 NtClose (84, ... ) == 0x0 00566 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00567 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00568 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00569 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00570 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00571 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00572 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00573 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00574 1736 NtClose (80, ... ) == 0x0 00575 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00576 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00577 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1284, 0}, ... 80, ) == 0x0 00578 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00579 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00580 1736 NtClose (84, ... ) == 0x0 00581 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00582 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00583 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00584 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00585 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00586 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00587 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00588 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00589 1736 NtClose (80, ... ) == 0x0 00590 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00591 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00592 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {792, 0}, ... 80, ) == 0x0 00593 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00594 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00595 1736 NtClose (84, ... ) == 0x0 00596 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00597 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00598 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00599 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00600 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00601 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00602 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00603 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00604 1736 NtClose (80, ... ) == 0x0 00605 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x330000), {0, 0}, 20480, ) == 0x0 00606 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00607 1736 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1636, 0}, ... 80, ) == 0x0 00608 1736 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00609 1736 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00610 1736 NtClose (84, ... ) == 0x0 00611 1736 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00612 1736 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00613 1736 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00614 1736 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00615 1736 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00616 1736 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00617 1736 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00618 1736 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00619 1736 NtClose (80, ... ) == 0x0 00620 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00621 1736 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00622 1736 NtClose (40, ... ) == 0x0 00623 1736 NtClose (28, ... ) == 0x0 00624 1736 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00625 1736 NtContinue (1244400, 0, ... 00626 1736 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 
3342336, 4096, ) == 0x0 00627 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00628 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00629 1736 NtClose (28, ... ) == 0x0 00630 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00631 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00632 1736 NtClose (28, ... ) == 0x0 00633 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00634 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00635 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00636 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00637 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00638 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00639 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00640 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00641 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00642 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00643 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00644 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00645 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00646 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00647 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00648 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00649 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00650 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00651 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00652 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00653 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00654 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75536, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ) == 0x0 00655 1736 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00656 1736 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00657 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00658 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00659 1736 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0 00660 1736 NtClose (28, ... ) == 0x0 00661 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00662 1736 NtClose (40, ... ) == 0x0 00663 1736 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00664 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00665 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0 00666 1736 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0 00667 1736 NtClose (40, ... ) == 0x0 00668 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00669 1736 NtClose (28, ... ) == 0x0 00670 1736 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00671 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00672 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00673 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0 00674 1736 NtQuerySection (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00675 1736 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00676 1736 NtQueryInformationToken (80, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00677 1736 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00678 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0 00679 1736 NtQueryValueKey (84, (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00680 1736 NtClose (84, ... ) == 0x0 00681 1736 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00682 1736 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00683 1736 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00684 1736 NtClose (84, ... ) == 0x0 00685 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00686 1736 NtClose (80, ... ) == 0x0 00687 1736 NtClose (28, ... ) == 0x0 00688 1736 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00689 1736 NtClose (40, ... ) == 0x0 00690 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00691 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00692 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00693 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00694 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00695 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00696 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00697 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00698 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00699 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00700 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00701 1736 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00702 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00703 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00704 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00705 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0 00706 1736 NtQueryValueKey (40, (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00707 1736 NtClose (40, ... ) == 0x0 00708 1736 NtMapViewOfSection (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00709 1736 NtClose (-2147482576, ... 
) == 0x0 00710 1736 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0 00711 1736 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00712 1736 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482576, ) == 0x0 00713 1736 NtQueryInformationToken (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00714 1736 NtQueryInformationToken (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00715 1736 NtClose (-2147482576, ... ) == 0x0 00716 1736 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0 00717 1736 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00718 1736 NtDuplicateObject (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0 00719 1736 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00720 1736 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00721 1736 NtClose (-2147482576, ... ) == 0x0 00722 1736 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00723 1736 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 1736 NtClose (-2147482576, ... ) == 0x0 00725 1736 NtQueryDefaultLocale (0, -138397364, ... ) == 0x0 00726 1736 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00727 1736 NtUserCallNoParam (24, ... ) == 0x0 00728 1736 NtGdiCreateCompatibleDC (0, ... 00729 1736 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00728 1736 NtGdiCreateCompatibleDC ... ) == 0xf3010663 00730 1736 NtGdiGetStockObject (0, ... ) == 0x1900010 00731 1736 NtGdiGetStockObject (4, ... 
) == 0x1900011 00732 1736 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7 00733 1736 NtGdiCreateSolidBrush (0, 0, ... 00734 1736 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00733 1736 NtGdiCreateSolidBrush ... ) == 0x4210057d 00735 1736 NtGdiGetStockObject (13, ... ) == 0x18a0021 00736 1736 NtGdiCreateCompatibleDC (0, ... ) == 0x69010363 00737 1736 NtGdiSelectBitmap (1761674083, -50002441, ... ) == 0x185000f 00738 1736 NtUserGetThreadDesktop (1736, 0, ... ) == 0x50 00739 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0 00740 1736 NtQueryValueKey (88, (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00741 1736 NtClose (88, ... ) == 0x0 00742 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00743 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017 00744 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00745 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c 00746 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00747 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e 00748 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00749 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002 00750 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00751 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... 
) == 0x8173c018 00752 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00753 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a 00754 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00755 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d 00756 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00757 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026 00758 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00759 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019 00760 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020 00761 1736 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022 00762 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023 00763 1736 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024 00764 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025 00765 1736 NtCallbackReturn (0, 0, 0, ... 00766 1736 NtGdiInit (... ) == 0x1 00767 1736 NtGdiGetStockObject (18, ... ) == 0x290001c 00768 1736 NtGdiGetStockObject (19, ... ) == 0x1b00019 00769 1736 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 3538944, 28672, ) == 0x0 00770 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00771 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00772 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00773 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00774 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0 00775 1736 NtQuerySection (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00776 1736 NtClose (88, ... ) == 0x0 00777 1736 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00778 1736 NtClose (92, ... ) == 0x0 00779 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0 00780 1736 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00781 1736 NtClose (92, ... ) == 0x0 00782 1736 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00783 1736 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00784 1736 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00785 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00786 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00787 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00788 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00789 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00790 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... 
) }, 1242092, ... ) == 0x0 00791 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00792 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0 00793 1736 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00794 1736 NtClose (92, ... ) == 0x0 00795 1736 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00796 1736 NtClose (88, ... ) == 0x0 00797 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00798 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00799 1736 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00800 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00801 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00802 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00803 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00805 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0 00806 1736 NtAllocateVirtualMemory (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0 00807 1736 NtAllocateVirtualMemory (-1, 3608576, 0, 8192, 4096, 4, ... 
3608576, 8192, ) == 0x0 00808 1736 NtAllocateVirtualMemory (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0 00809 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0 00810 1736 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0 00811 1736 NtClose (88, ... ) == 0x0 00812 1736 NtAllocateVirtualMemory (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0 00813 1736 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00814 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00815 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00816 1736 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00817 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00819 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00820 1736 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00821 1736 NtFreeVirtualMemory (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0 00822 1736 NtFreeVirtualMemory (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0 00823 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00824 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0 00825 1736 NtAllocateVirtualMemory (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0 00826 1736 NtAllocateVirtualMemory (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0 00827 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0 00828 1736 NtAllocateVirtualMemory (-1, 9502720, 0, 32768, 4096, 4, ... 9502720, 32768, ) == 0x0 00829 1736 NtCreateMutant (0x1f0001, {24, 16, 0x80, 0, 0, (0x1f0001, {24, 16, 0x80, 0, 0, "Jobaka3"}, 0, ... 88, ) }, 0, ... 88, ) == 0x0 00830 1736 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0 00831 1736 NtQueryValueKey (92, (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00832 1736 NtQueryValueKey (92, (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00833 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
96, ) == 0x0 00834 1736 NtOpenKey (0x2000000, {24, 92, 0x40, 0, 0, (0x2000000, {24, 92, 0x40, 0, 0, "Protocol_Catalog9"}, ... 100, ) }, ... 100, ) == 0x0 00835 1736 NtQueryValueKey (100, (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00836 1736 NtNotifyChangeKey (100, 96, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00837 1736 NtQueryValueKey (100, (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00838 1736 NtOpenKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00839 1736 NtQueryValueKey (100, (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00840 1736 NtQueryValueKey (100, (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00841 1736 NtOpenKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0 00842 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0 00843 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00844 1736 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 
1339392, 4096, ) == 0x0 00845 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00846 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0O\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0P\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0O\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0P\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0O\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0P\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00847 1736 NtClose (108, ... ) == 0x0 00848 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0 00849 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00850 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00851 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0T\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0U\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0T\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0U\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0T\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0U\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00852 1736 NtClose (108, ... ) == 0x0 00853 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 
108, ) == 0x0 00854 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00855 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00856 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00857 1736 NtClose (108, ... ) == 0x0 00858 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 
108, ) == 0x0 00859 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00860 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00861 1736 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00862 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0_\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0`\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0_\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0`\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0_\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0`\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00863 1736 NtClose (108, ... ) == 0x0 00864 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000005"}, ... 108, ) }, ... 108, ) == 0x0 00865 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00866 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00867 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0d\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0e\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0d\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0e\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0d\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0e\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00868 1736 NtClose (108, ... ) == 0x0 00869 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000006"}, ... 108, ) }, ... 
108, ) == 0x0 00870 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00871 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00872 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 
\0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0j\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0j\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0j\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00873 1736 NtClose (108, ... ) == 0x0 00874 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000007"}, ... 108, ) }, ... 108, ) == 0x0 00875 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00876 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00877 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0n\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0n\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0o\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0n\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0n\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0o\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0n\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0n\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0o\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00878 
1736 NtClose (108, ... ) == 0x0 00879 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000008"}, ... 108, ) }, ... 108, ) == 0x0 00880 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00881 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00882 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0s\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0s\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0s\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00883 1736 NtClose (108, ... ) == 0x0 00884 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000009"}, ... 108, ) }, ... 108, ) == 0x0 00885 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00886 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00887 1736 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00888 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0z\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00889 1736 NtClose (108, ... ) == 0x0 00890 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000010"}, ... 108, ) }, ... 108, ) == 0x0 00891 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00892 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00893 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\177\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\177\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\177\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 00894 1736 NtClose (108, ... ) == 0x0 00895 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000011"}, ... 108, ) }, ... 108, ) == 0x0 00896 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00897 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00898 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\203\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\204\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\203\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\204\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\203\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\204\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00899 1736 NtClose (108, ... ) == 0x0 00900 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000012"}, ... 108, ) }, ... 108, ) == 0x0 00901 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00902 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00903 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\210\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\210\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\210\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00904 1736 NtClose (108, ... ) == 0x0 00905 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000013"}, ... 108, ) }, ... 108, ) == 0x0 00906 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00907 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00908 1736 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00909 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\216\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\217\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\216\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\217\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\216\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\217\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00910 1736 NtClose (108, ... ) == 0x0 00911 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000014"}, ... 108, ) }, ... 108, ) == 0x0 00912 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00913 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00914 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\224\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\224\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\224\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 00915 1736 NtClose (108, ... ) == 0x0 00916 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000015"}, ... 108, ) }, ... 108, ) == 0x0 00917 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00918 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00919 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\230\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\231\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\230\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\231\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\230\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\231\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00920 1736 NtClose (108, ... ) == 0x0 00921 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000016"}, ... 108, ) }, ... 108, ) == 0x0 00922 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00923 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00924 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\235\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\235\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\235\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00925 1736 NtClose (108, ... ) == 0x0 00926 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000017"}, ... 108, ) }, ... 108, ) == 0x0 00927 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00928 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00929 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\242\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\242\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\242\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00930 1736 NtClose (108, ... ) == 0x0 00931 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000018"}, ... 108, ) }, ... 108, ) == 0x0 00932 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00933 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00934 1736 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00935 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\251\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\251\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\251\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00936 1736 NtClose (108, ... ) == 0x0 00937 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000019"}, ... 108, ) }, ... 108, ) == 0x0 00938 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00939 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00940 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\255\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\256\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\255\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\256\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\255\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\256\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00941 1736 NtClose (108, ... ) == 0x0 00942 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000020"}, ... 108, ) }, ... 108, ) == 0x0 00943 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00944 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00945 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\263\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\263\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\263\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00946 1736 NtClose (108, ... ) == 0x0 00947 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000021"}, ... 108, ) }, ... 108, ) == 0x0 00948 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00949 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00950 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\267\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\267\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\267\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
}, 900, ) == 0x0 00951 1736 NtClose (108, ... ) == 0x0 00952 1736 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "000000000022"}, ... 108, ) }, ... 108, ) == 0x0 00953 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00954 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00955 1736 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00956 1736 NtQueryValueKey (108, (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\275\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\3\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\277\3\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\300\3\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\300\3\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\301\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\275\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\3\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\277\3\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\300\3\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\300\3\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\301\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\275\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\3\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\3\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\277\3\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\300\3\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\300\3\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\301\3\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00957 1736 NtClose (108, ... ) == 0x0 00958 1736 NtClose (104, ... ) == 0x0 00959 1736 NtWaitForSingleObject (96, 0, {0, 0}, ... ) == 0x102 00960 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0 00961 1736 NtOpenKey (0x2000000, {24, 92, 0x40, 0, 0, (0x2000000, {24, 92, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0 00962 1736 NtQueryValueKey (108, (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00963 1736 NtNotifyChangeKey (108, 104, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00964 1736 NtQueryValueKey (108, (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00965 1736 NtOpenKey (0x2000000, {24, 108, 0x40, 0, 0, (0x2000000, {24, 108, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 1736 NtQueryValueKey (108, (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00967 1736 NtOpenKey (0x2000000, {24, 108, 0x40, 0, 0, (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0 00968 1736 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0 00969 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00970 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00971 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00972 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00973 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00974 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00975 1736 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00976 1736 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 1736 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00978 1736 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00979 1736 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00980 1736 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00981 1736 NtClose (116, ... ) == 0x0 00982 1736 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0 00983 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00984 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00985 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00986 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00987 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00988 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00989 1736 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00990 1736 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 1736 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00992 1736 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00993 1736 NtQueryValueKey (116, (116, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00994 1736 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00995 1736 NtClose (116, ... ) == 0x0 00996 1736 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0 00997 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00998 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00999 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01000 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01001 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01002 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01003 1736 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01004 1736 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01005 1736 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01006 1736 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01007 1736 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01008 1736 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01009 1736 NtClose (116, ... ) == 0x0 01010 1736 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0 01011 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01012 1736 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01013 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01014 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01015 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01016 1736 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01017 1736 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 01018 1736 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01019 1736 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01020 1736 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01021 1736 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01022 1736 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01023 1736 NtClose (116, ... ) == 0x0 01024 1736 NtClose (112, ... ) == 0x0 01025 1736 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 01026 1736 NtClose (92, ... ) == 0x0 01027 1736 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01028 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01029 1736 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0 01030 1736 NtQueryValueKey (92, (92, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01031 1736 NtClose (92, ... ) == 0x0 01032 1736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0 01033 1736 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01034 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241400, ... ) }, 1241400, ... ) == 0x0 01035 1736 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 112, {status=0x0, info=1}, ) }, 7, 2113568, ... 112, {status=0x0, info=1}, ) == 0x0 01036 1736 NtSetInformationFile (112, 1241376, 40, Basic, ... ) == STATUS_ACCESS_DENIED 01037 1736 NtClose (112, ... ) == 0x0 01038 1736 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 01039 1736 NtQueryInformationFile (112, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01040 1736 NtQueryInformationFile (112, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01041 1736 NtQueryInformationFile (112, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01042 1736 NtAllocateVirtualMemory (-1, 1368064, 0, 8192, 4096, 4, ... 
1368064, 8192, ) == 0x0 01043 1736 NtQueryInformationFile (112, 1364040, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01044 1736 NtQueryInformationFile (112, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01045 1736 NtQueryInformationFile (112, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01046 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\AVSERVE2.EXE"}, 1239736, ... ) }, 1239736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01047 1736 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01048 1736 NtClose (-2147482576, ... ) == 0x0 01047 1736 NtCreateFile ... 116, {status=0x0, info=2}, ) == 0x0 01049 1736 NtQueryVolumeInformationFile (116, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01050 1736 NtQueryInformationFile (116, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01051 1736 NtQueryVolumeInformationFile (112, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01052 1736 NtSetInformationFile (116, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01053 1736 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0 01054 1736 NtMapViewOfSection (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 28672, ) == 0x0 01055 1736 NtClose (120, ... 
) == 0x0 01056 1736 NtWriteFile (116, 0, 0, 0, (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\0\232\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0\0\232\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0 01057 1736 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 01058 1736 NtSetInformationFile (116, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01059 1736 NtClose (112, ... ) == 0x0 01060 1736 NtClose (116, ... 
) == 0x0 01061 1736 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 116, ) }, ... 116, ) == 0x0 01062 1736 NtSetValueKey (116, (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 01063 1736 NtSetInformationFile (-2147482448, -138397904, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01064 1736 NtSetInformationFile (-2147482448, -138397996, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01065 1736 NtSetInformationFile (-2147482448, -138398304, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01062 1736 NtSetValueKey ... ) == 0x0 01066 1736 NtClose (116, ... ) == 0x0 01067 1736 NtCreateMutant (0x1f0001, {24, 16, 0x80, 0, 0, (0x1f0001, {24, 16, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 116, ) }, 0, ... 116, ) == 0x0 01068 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0 01069 1736 NtAllocateVirtualMemory (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0 01070 1736 NtProtectVirtualMemory (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0 01071 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 112, {1636, 1276}, ) == 0x0 01072 1736 NtQueryInformationThread (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=1276,}, 0x0, ) == 0x0 01073 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0d\6\0\0\374\4\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75538, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0d\6\0\0\374\4\0\0" ) ) == 0x0 01074 1736 NtResumeThread (112, ... 1, ) == 0x0 01075 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0 01076 1736 NtAllocateVirtualMemory (-1, 12640256, 0, 8192, 4096, 4, ... 12640256, 8192, ) == 0x0 01077 1276 NtTestAlert (... ) == 0x0 01078 1276 NtContinue (11599152, 1, ... 01079 1276 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01080 1276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0 01081 1276 NtWaitForSingleObject (96, 0, {0, 0}, ... ) == 0x102 01082 1276 NtAllocateVirtualMemory (-1, 11587584, 0, 4096, 4096, 260, ... 01083 1736 NtProtectVirtualMemory (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0 01084 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 124, {1636, 704}, ) == 0x0 01085 1736 NtQueryInformationThread (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=704,}, 0x0, ) == 0x0 01086 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0d\6\0\0\300\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0d\6\0\0\300\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75539, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0d\6\0\0\300\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0d\6\0\0\300\2\0\0" ) ) == 0x0 01087 1736 NtResumeThread (124, ... 1, ) == 0x0 01088 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01082 1276 NtAllocateVirtualMemory ... 11587584, 4096, ) == 0x0 01089 704 NtCreateEvent (0x100003, 0x0, 1, 0, ... 
01090 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596276, ... }, 11596276, ... 01089 704 NtCreateEvent ... 128, ) == 0x0 01090 1276 NtQueryAttributesFile ... ) == 0x0 01091 704 NtWaitForSingleObject (128, 0, 0x0, ... 01092 1276 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0 01093 1276 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 132, ... 136, ) == 0x0 01094 1276 NtClose (132, ... ) == 0x0 01095 1276 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 245760, ) == 0x0 01096 1276 NtClose (136, ... 01088 1736 NtAllocateVirtualMemory ... 12648448, 1048576, ) == 0x0 01097 1736 NtAllocateVirtualMemory (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0 01098 1736 NtProtectVirtualMemory (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0 01099 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1636, 1568}, ) == 0x0 01100 1736 NtQueryInformationThread (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0 01101 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0 \6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75540, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0 \6\0\0" ) ) == 0x0 01096 1276 NtClose ... ) == 0x0 01102 1276 NtUnmapViewOfSection (-1, 0x390000, ... 
) == 0x0 01103 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596584, ... ) }, 11596584, ... ) == 0x0 01104 1276 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01105 1276 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 140, ) == 0x0 01106 1276 NtQuerySection (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01107 1276 NtClose (136, ... 01108 1736 NtResumeThread (132, ... 1, ) == 0x0 01109 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0 01110 1736 NtAllocateVirtualMemory (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0 01111 1736 NtProtectVirtualMemory (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0 01112 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1636, 1104}, ) == 0x0 01113 1736 NtQueryInformationThread (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0 01107 1276 NtClose ... ) == 0x0 01114 1568 NtWaitForSingleObject (128, 0, 0x0, ... 01115 1276 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 01116 1276 NtClose (140, ... ) == 0x0 01117 1276 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01118 1276 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01119 1276 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01120 1276 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 01121 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0P\4\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0P\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75541, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0P\4\0\0" ) ) == 0x0 01122 1736 NtResumeThread (144, ... 1, ) == 0x0 01123 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0 01124 1736 NtAllocateVirtualMemory (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0 01125 1736 NtProtectVirtualMemory (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0 01126 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01120 1276 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 01127 1104 NtWaitForSingleObject (128, 0, 0x0, ... 01128 1276 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01129 1276 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01130 1276 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01131 1276 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01132 1276 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01133 1276 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ... 01126 1736 NtCreateThread ... 140, {1636, 784}, ) == 0x0 01134 1736 NtQueryInformationThread (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=784,}, 0x0, ) == 0x0 01135 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\20\3\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75542, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\20\3\0\0" ) ) == 0x0 01136 1736 NtResumeThread (140, ... 1, ) == 0x0 01137 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0 01138 1736 NtAllocateVirtualMemory (-1, 16834560, 0, 8192, 4096, 4, ... 16834560, 8192, ) == 0x0 01133 1276 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01139 784 NtWaitForSingleObject (128, 0, 0x0, ... 01140 1276 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01141 1276 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01142 1276 NtSetEventBoostPriority (128, ... 01091 704 NtWaitForSingleObject ... ) == 0x0 01143 704 NtSetEventBoostPriority (128, ... 01114 1568 NtWaitForSingleObject ... ) == 0x0 01144 1568 NtSetEventBoostPriority (128, ... 01127 1104 NtWaitForSingleObject ... ) == 0x0 01145 1104 NtSetEventBoostPriority (128, ... 01139 784 NtWaitForSingleObject ... ) == 0x0 01146 784 NtTestAlert (... ) == 0x0 01145 1104 NtSetEventBoostPriority ... ) == 0x0 01144 1568 NtSetEventBoostPriority ... ) == 0x0 01143 704 NtSetEventBoostPriority ... ) == 0x0 01142 1276 NtSetEventBoostPriority ... ) == 0x0 01147 1736 NtProtectVirtualMemory (-1, (0x100e000), 4096, 260, ... 01148 784 NtContinue (15793456, 1, ... 01149 1104 NtTestAlert (... 01150 1568 NtTestAlert (... 01151 1276 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01147 1736 NtProtectVirtualMemory ... 
(0x100e000), 4096, 4, ) == 0x0 01152 784 NtRegisterThreadTerminatePort (24, ... 01149 1104 NtTestAlert ... ) == 0x0 01150 1568 NtTestAlert ... ) == 0x0 01151 1276 NtCreateEvent ... 136, ) == 0x0 01153 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01152 784 NtRegisterThreadTerminatePort ... ) == 0x0 01154 1104 NtContinue (14744880, 1, ... 01155 1568 NtContinue (13696304, 1, ... 01156 1276 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 01153 1736 NtCreateThread ... 148, {1636, 1484}, ) == 0x0 01157 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01158 1104 NtRegisterThreadTerminatePort (24, ... 01159 1568 NtRegisterThreadTerminatePort (24, ... 01156 1276 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01160 1736 NtQueryInformationThread (148, Basic, 28, ... 01157 784 NtDuplicateObject ... 152, ) == 0x0 01158 1104 NtRegisterThreadTerminatePort ... ) == 0x0 01159 1568 NtRegisterThreadTerminatePort ... ) == 0x0 01161 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11596196, ... }, 11596196, ... 01160 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=1484,}, 0x0, ) == 0x0 01162 784 NtWaitForSingleObject (104, 0, {0, 0}, ... 01163 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01164 1568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01165 704 NtTestAlert (... 01166 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\314\5\0\0" ... ... 01162 784 NtWaitForSingleObject ... ) == 0x102 01163 1104 NtDuplicateObject ... 156, ) == 0x0 01165 704 NtTestAlert ... ) == 0x0 01166 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75543, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\314\5\0\0" ) ) == 0x0 01167 784 NtAllocateVirtualMemory (-1, 15781888, 0, 4096, 4096, 260, ... 01168 1104 NtWaitForSingleObject (104, 0, {0, 0}, ... 01169 704 NtContinue (12647728, 1, ... 01170 1736 NtResumeThread (148, ... 01167 784 NtAllocateVirtualMemory ... 15781888, 4096, ) == 0x0 01168 1104 NtWaitForSingleObject ... ) == 0x102 01171 704 NtRegisterThreadTerminatePort (24, ... 01170 1736 NtResumeThread ... 1, ) == 0x0 01172 784 NtWaitForSingleObject (128, 0, 0x0, ... 01173 1104 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01171 704 NtRegisterThreadTerminatePort ... ) == 0x0 01174 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01173 1104 NtCreateEvent ... 160, ) == 0x0 01175 704 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01164 1568 NtDuplicateObject ... 164, ) == 0x0 01176 1484 NtWaitForSingleObject (128, 0, 0x0, ... 01174 1736 NtAllocateVirtualMemory ... 16842752, 1048576, ) == 0x0 01161 1276 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01177 1104 NtWaitForSingleObject (160, 0, 0x0, ... 01178 1568 NtWaitForSingleObject (104, 0, {0, 0}, ... 01179 1736 NtAllocateVirtualMemory (-1, 17883136, 0, 8192, 4096, 4, ... 01180 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11596196, ... }, 11596196, ... 01178 1568 NtWaitForSingleObject ... ) == 0x102 01179 1736 NtAllocateVirtualMemory ... 17883136, 8192, ) == 0x0 01180 1276 NtQueryAttributesFile ... ) == 0x0 01181 1568 NtWaitForSingleObject (160, 0, 0x0, ... 01182 1736 NtProtectVirtualMemory (-1, (0x110e000), 4096, 260, ... 01175 704 NtDuplicateObject ... 168, ) == 0x0 01182 1736 NtProtectVirtualMemory ... (0x110e000), 4096, 4, ) == 0x0 01183 704 NtWaitForSingleObject (104, 0, {0, 0}, ... 01184 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01183 704 NtWaitForSingleObject ... 
) == 0x102 01185 1276 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ... 01186 704 NtWaitForSingleObject (160, 0, 0x0, ... 01185 1276 NtOpenFile ... 172, {status=0x0, info=1}, ) == 0x0 01187 1276 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0 01188 1276 NtQuerySection (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01189 1276 NtClose (172, ... ) == 0x0 01190 1276 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0 01191 1276 NtClose (176, ... ) == 0x0 01184 1736 NtCreateThread ... 176, {1636, 1612}, ) == 0x0 01192 1736 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0 01193 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0L\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75544, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0L\6\0\0" ) ) == 0x0 01194 1736 NtResumeThread (176, ... 1, ) == 0x0 01195 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0 01196 1736 NtAllocateVirtualMemory (-1, 18931712, 0, 8192, 4096, 4, ... 18931712, 8192, ) == 0x0 01197 1276 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01198 1612 NtWaitForSingleObject (128, 0, 0x0, ... 01197 1276 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01199 1276 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01200 1276 NtFlushInstructionCache (-1, 1714098176, 932, ... 
) == 0x0 01201 1276 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01202 1276 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01203 1276 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01204 1736 NtProtectVirtualMemory (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0 01205 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 172, {1636, 876}, ) == 0x0 01206 1736 NtQueryInformationThread (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=876,}, 0x0, ) == 0x0 01207 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0d\6\0\0l\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75545, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0d\6\0\0l\3\0\0" ) ) == 0x0 01208 1736 NtResumeThread (172, ... 1, ) == 0x0 01209 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01210 1276 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01211 876 NtWaitForSingleObject (128, 0, 0x0, ... 01210 1276 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01212 1276 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01213 1276 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01214 1276 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01215 1276 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01216 1276 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01209 1736 NtAllocateVirtualMemory ... 
18939904, 1048576, ) == 0x0 01217 1736 NtAllocateVirtualMemory (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0 01218 1736 NtProtectVirtualMemory (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0 01219 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1636, 1628}, ) == 0x0 01220 1736 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0 01221 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0d\6\0\0\\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75546, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0d\6\0\0\\6\0\0" ) ) == 0x0 01222 1276 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01223 1276 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01224 1276 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01225 1276 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01226 1276 NtSetEventBoostPriority (128, ... 01172 784 NtWaitForSingleObject ... ) == 0x0 01227 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15789008, ... ) }, 15789008, ... ) == 0x0 01228 784 NtSetEventBoostPriority (128, ... 01176 1484 NtWaitForSingleObject ... ) == 0x0 01229 1484 NtSetEventBoostPriority (128, ... 01198 1612 NtWaitForSingleObject ... ) == 0x0 01230 1612 NtSetEventBoostPriority (128, ... 
01211 876 NtWaitForSingleObject ... ) == 0x0 01231 876 NtTestAlert (... ) == 0x0 01230 1612 NtSetEventBoostPriority ... ) == 0x0 01229 1484 NtSetEventBoostPriority ... ) == 0x0 01228 784 NtSetEventBoostPriority ... ) == 0x0 01226 1276 NtSetEventBoostPriority ... ) == 0x0 01232 1736 NtResumeThread (180, ... 01233 876 NtContinue (18939184, 1, ... 01234 1612 NtTestAlert (... 01235 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01236 1276 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01232 1736 NtResumeThread ... 1, ) == 0x0 01237 876 NtRegisterThreadTerminatePort (24, ... 01234 1612 NtTestAlert ... ) == 0x0 01235 784 NtCreateEvent ... 184, ) == 0x0 01236 1276 NtCreateEvent ... 188, ) == 0x0 01238 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01237 876 NtRegisterThreadTerminatePort ... ) == 0x0 01239 1612 NtContinue (17890608, 1, ... 01240 784 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 01241 1484 NtTestAlert (... 01242 1628 NtWaitForSingleObject (128, 0, 0x0, ... 01238 1736 NtAllocateVirtualMemory ... 19988480, 1048576, ) == 0x0 01243 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01244 1612 NtRegisterThreadTerminatePort (24, ... 01240 784 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01241 1484 NtTestAlert ... ) == 0x0 01245 1736 NtAllocateVirtualMemory (-1, 21028864, 0, 8192, 4096, 4, ... 01243 876 NtDuplicateObject ... 192, ) == 0x0 01244 1612 NtRegisterThreadTerminatePort ... ) == 0x0 01246 1276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01247 1484 NtContinue (16842032, 1, ... 01245 1736 NtAllocateVirtualMemory ... 21028864, 8192, ) == 0x0 01248 876 NtWaitForSingleObject (104, 0, {0, 0}, ... 01249 1612 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01246 1276 NtDuplicateObject ... 196, ) == 0x0 01250 1484 NtRegisterThreadTerminatePort (24, ... 01251 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15789112, ... }, 15789112, ... 
01252 1736 NtProtectVirtualMemory (-1, (0x140e000), 4096, 260, ... 01248 876 NtWaitForSingleObject ... ) == 0x102 01253 1276 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01250 1484 NtRegisterThreadTerminatePort ... ) == 0x0 01252 1736 NtProtectVirtualMemory ... (0x140e000), 4096, 4, ) == 0x0 01254 876 NtWaitForSingleObject (160, 0, 0x0, ... 01253 1276 NtOpenKey ... 200, ) == 0x0 01255 1484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01256 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01257 1276 NtQueryValueKey (200, (200, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01249 1612 NtDuplicateObject ... 204, ) == 0x0 01256 1736 NtCreateThread ... 208, {1636, 1924}, ) == 0x0 01257 1276 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01258 1612 NtWaitForSingleObject (104, 0, {0, 0}, ... 01259 1736 NtQueryInformationThread (208, Basic, 28, ... 01255 1484 NtDuplicateObject ... 212, ) == 0x0 01258 1612 NtWaitForSingleObject ... ) == 0x102 01259 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1924,}, 0x0, ) == 0x0 01260 1484 NtWaitForSingleObject (104, 0, {0, 0}, ... 01261 1612 NtWaitForSingleObject (160, 0, 0x0, ... 01262 1276 NtClose (200, ... 01260 1484 NtWaitForSingleObject ... ) == 0x102 01262 1276 NtClose ... ) == 0x0 01263 1484 NtWaitForSingleObject (160, 0, 0x0, ... 01264 1276 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01265 1276 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 01266 1276 NtWaitForSingleObject (128, 0, 0x0, ... 01267 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\204\7\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75547, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\204\7\0\0" ) ) == 0x0 01268 1736 NtResumeThread (208, ... 1, ) == 0x0 01269 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01251 784 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 1924 NtWaitForSingleObject (128, 0, 0x0, ... 01271 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15789112, ... }, 15789112, ... 01269 1736 NtAllocateVirtualMemory ... 21037056, 1048576, ) == 0x0 01272 1736 NtAllocateVirtualMemory (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0 01273 1736 NtProtectVirtualMemory (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0 01274 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1636, 1288}, ) == 0x0 01275 1736 NtQueryInformationThread (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0 01276 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\10\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75548, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\10\5\0\0" ) ) == 0x0 01271 784 NtQueryAttributesFile ... ) == 0x0 01277 784 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 
216, {status=0x0, info=1}, ) == 0x0 01278 784 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 220, ) == 0x0 01279 784 NtQuerySection (220, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01280 784 NtClose (216, ... ) == 0x0 01281 784 NtMapViewOfSection (220, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0 01282 784 NtClose (220, ... 01283 1736 NtResumeThread (200, ... 1, ) == 0x0 01284 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22085632, 1048576, ) == 0x0 01285 1736 NtAllocateVirtualMemory (-1, 23126016, 0, 8192, 4096, 4, ... 23126016, 8192, ) == 0x0 01286 1736 NtProtectVirtualMemory (-1, (0x160e000), 4096, 260, ... (0x160e000), 4096, 4, ) == 0x0 01287 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1636, 752}, ) == 0x0 01288 1736 NtQueryInformationThread (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=752,}, 0x0, ) == 0x0 01282 784 NtClose ... ) == 0x0 01289 1288 NtWaitForSingleObject (128, 0, 0x0, ... 01290 784 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01291 784 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01292 784 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01293 784 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01294 784 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01295 784 NtFlushInstructionCache (-1, 1995575296, 616, ... 01296 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\360\2\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75549, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\360\2\0\0" ) ) == 0x0 01297 1736 NtResumeThread (216, ... 1, ) == 0x0 01298 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0 01299 1736 NtAllocateVirtualMemory (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0 01300 1736 NtProtectVirtualMemory (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0 01301 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01295 784 NtFlushInstructionCache ... ) == 0x0 01302 752 NtWaitForSingleObject (128, 0, 0x0, ... 01303 784 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01304 784 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01305 784 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01306 784 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01307 784 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01308 784 NtFlushInstructionCache (-1, 1995575296, 616, ... 01301 1736 NtCreateThread ... 220, {1636, 380}, ) == 0x0 01309 1736 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=380,}, 0x0, ) == 0x0 01310 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0|\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75550, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0|\1\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0|\1\0\0" ) ) == 0x0 01311 1736 NtResumeThread (220, ... 1, ) == 0x0 01312 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24182784, 1048576, ) == 0x0 01313 1736 NtAllocateVirtualMemory (-1, 25223168, 0, 8192, 4096, 4, ... 25223168, 8192, ) == 0x0 01308 784 NtFlushInstructionCache ... ) == 0x0 01314 380 NtWaitForSingleObject (128, 0, 0x0, ... 01315 784 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01316 784 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01317 784 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01318 784 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01319 784 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01320 784 NtFlushInstructionCache (-1, 1995575296, 616, ... 01321 1736 NtProtectVirtualMemory (-1, (0x180e000), 4096, 260, ... (0x180e000), 4096, 4, ) == 0x0 01322 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1636, 312}, ) == 0x0 01323 1736 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=312,}, 0x0, ) == 0x0 01324 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\08\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75551, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\08\1\0\0" ) ) == 0x0 01325 1736 NtResumeThread (224, ... 1, ) == 0x0 01326 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01320 784 NtFlushInstructionCache ... 
) == 0x0 01327 312 NtWaitForSingleObject (128, 0, 0x0, ... 01328 784 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01329 784 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 228, 2, ) }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 228, 2, ) , 0, ... 228, 2, ) == 0x0 01330 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 01331 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01332 784 NtQueryValueKey (232, (232, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01333 784 NtQueryValueKey (228, (228, "DisableAdapterDomainName", Partial, 144, ... , Partial, 144, ... 01326 1736 NtAllocateVirtualMemory ... 25231360, 1048576, ) == 0x0 01334 1736 NtAllocateVirtualMemory (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0 01335 1736 NtProtectVirtualMemory (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0 01336 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 1404}, ) == 0x0 01337 1736 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0 01338 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0|\5\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75552, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0|\5\0\0" ) ) == 0x0 01333 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01339 784 NtQueryValueKey (232, (232, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01340 784 NtQueryValueKey (228, (228, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01341 784 NtQueryValueKey (232, (232, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01342 784 NtQueryValueKey (228, (228, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01343 784 NtQueryValueKey (232, (232, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01344 784 NtQueryValueKey (228, (228, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ... 01345 1736 NtResumeThread (236, ... 1, ) == 0x0 01346 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26279936, 1048576, ) == 0x0 01347 1736 NtAllocateVirtualMemory (-1, 27320320, 0, 8192, 4096, 4, ... 27320320, 8192, ) == 0x0 01348 1736 NtProtectVirtualMemory (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0 01349 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1636, 476}, ) == 0x0 01350 1736 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=476,}, 0x0, ) == 0x0 01344 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01351 1404 NtWaitForSingleObject (128, 0, 0x0, ... 
01352 784 NtQueryValueKey (232, (232, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 784 NtQueryValueKey (232, (232, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01354 784 NtQueryValueKey (232, (232, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01355 784 NtQueryValueKey (232, (232, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01356 784 NtQueryValueKey (232, (232, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01357 784 NtQueryValueKey (232, (232, "UseEdns", Partial, 144, ... , Partial, 144, ... 01358 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\334\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75553, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\334\1\0\0" ) ) == 0x0 01359 1736 NtResumeThread (240, ... 1, ) == 0x0 01360 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0 01361 1736 NtAllocateVirtualMemory (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0 01362 1736 NtProtectVirtualMemory (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0 01363 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01357 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01364 476 NtWaitForSingleObject (128, 0, 0x0, ... 01365 784 NtQueryValueKey (232, (232, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01366 784 NtQueryValueKey (232, (232, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01367 784 NtQueryValueKey (232, (232, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 784 NtQueryValueKey (228, (228, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01369 784 NtQueryValueKey (232, (232, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01370 784 NtQueryValueKey (232, (232, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ... 01363 1736 NtCreateThread ... 244, {1636, 1964}, ) == 0x0 01371 1736 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1964,}, 0x0, ) == 0x0 01372 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\254\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75554, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\254\7\0\0" ) ) == 0x0 01373 1736 NtResumeThread (244, ... 1, ) == 0x0 01374 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0 01375 1736 NtAllocateVirtualMemory (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0 01370 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01376 1964 NtWaitForSingleObject (128, 0, 0x0, ... 01377 784 NtQueryValueKey (228, (228, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01378 784 NtQueryValueKey (232, (232, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 784 NtQueryValueKey (228, (228, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01380 784 NtQueryValueKey (232, (232, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 784 NtQueryValueKey (228, (228, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01382 784 NtQueryValueKey (232, (232, "RegistrationTtl", Partial, 144, ... , Partial, 144, ... 01383 1736 NtProtectVirtualMemory (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0 01384 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1636, 1624}, ) == 0x0 01385 1736 NtQueryInformationThread (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0 01386 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0X\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75555, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0X\6\0\0" ) ) == 0x0 01387 1736 NtResumeThread (248, ... 1, ) == 0x0 01388 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01382 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01389 1624 NtWaitForSingleObject (128, 0, 0x0, ... 01390 784 NtQueryValueKey (228, (228, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01391 784 NtQueryValueKey (232, (232, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01392 784 NtQueryValueKey (228, (228, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 784 NtQueryValueKey (232, (232, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01394 784 NtQueryValueKey (228, (228, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 784 NtQueryValueKey (232, (232, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ... 01388 1736 NtAllocateVirtualMemory ... 29425664, 1048576, ) == 0x0 01396 1736 NtAllocateVirtualMemory (-1, 30466048, 0, 8192, 4096, 4, ... 30466048, 8192, ) == 0x0 01397 1736 NtProtectVirtualMemory (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0 01398 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1636, 1440}, ) == 0x0 01399 1736 NtQueryInformationThread (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0 01400 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\240\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75556, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\240\5\0\0" ) ) == 0x0 01395 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 784 NtQueryValueKey (228, (228, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01402 784 NtQueryValueKey (232, (232, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 784 NtQueryValueKey (232, (232, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 784 NtQueryValueKey (232, (232, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01405 784 NtQueryValueKey (232, (232, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 784 NtQueryValueKey (232, (232, "MaxCacheTtl", Partial, 144, ... , Partial, 144, ... 01407 1736 NtResumeThread (252, ... 1, ) == 0x0 01408 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0 01409 1736 NtAllocateVirtualMemory (-1, 31514624, 0, 8192, 4096, 4, ... 31514624, 8192, ) == 0x0 01410 1736 NtProtectVirtualMemory (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0 01411 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1636, 1516}, ) == 0x0 01412 1736 NtQueryInformationThread (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=1516,}, 0x0, ) == 0x0 01406 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 1440 NtWaitForSingleObject (128, 0, 0x0, ... 01414 784 NtQueryValueKey (232, (232, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01415 784 NtQueryValueKey (232, (232, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 784 NtQueryValueKey (232, (232, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 784 NtQueryValueKey (232, (232, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01418 784 NtQueryValueKey (232, (232, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01419 784 NtQueryValueKey (232, (232, "MulticastSendLevel", Partial, 144, ... , Partial, 144, ... 01420 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\354\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\354\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75557, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\354\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\354\5\0\0" ) ) == 0x0 01421 1736 NtResumeThread (256, ... 1, ) == 0x0 01422 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0 01423 1736 NtAllocateVirtualMemory (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0 01424 1736 NtProtectVirtualMemory (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0 01425 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01419 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 1516 NtWaitForSingleObject (128, 0, 0x0, ... 01427 784 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 260, ) }, ... 260, ) == 0x0 01428 784 NtQueryValueKey (260, (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01429 784 NtClose (260, ... ) == 0x0 01430 784 NtClose (228, ... ) == 0x0 01431 784 NtClose (232, ... ) == 0x0 01432 784 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01425 1736 NtCreateThread ... 232, {1636, 1664}, ) == 0x0 01433 1736 NtQueryInformationThread (232, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1664,}, 0x0, ) == 0x0 01434 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\200\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75558, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\200\6\0\0" ) ) == 0x0 01435 1736 NtResumeThread (232, ... 1, ) == 0x0 01436 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32571392, 1048576, ) == 0x0 01437 1736 NtAllocateVirtualMemory (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0 01432 784 NtOpenKey ... 228, ) == 0x0 01438 1664 NtWaitForSingleObject (128, 0, 0x0, ... 01439 784 NtQueryValueKey (228, (228, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 784 NtQueryValueKey (228, (228, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 784 NtQueryValueKey (228, (228, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 784 NtClose (228, ... ) == 0x0 01443 784 NtSetEventBoostPriority (128, ... 01242 1628 NtWaitForSingleObject ... ) == 0x0 01444 1628 NtSetEventBoostPriority (128, ... 01266 1276 NtWaitForSingleObject ... ) == 0x0 01445 1276 NtSetEventBoostPriority (128, ... 01270 1924 NtWaitForSingleObject ... ) == 0x0 01446 1924 NtSetEventBoostPriority (128, ... 01289 1288 NtWaitForSingleObject ... ) == 0x0 01447 1288 NtSetEventBoostPriority (128, ... 01302 752 NtWaitForSingleObject ... ) == 0x0 01448 752 NtSetEventBoostPriority (128, ... 01314 380 NtWaitForSingleObject ... ) == 0x0 01449 380 NtSetEventBoostPriority (128, ... 
01327 312 NtWaitForSingleObject ... ) == 0x0 01450 312 NtSetEventBoostPriority (128, ... 01351 1404 NtWaitForSingleObject ... ) == 0x0 01451 1404 NtSetEventBoostPriority (128, ... 01364 476 NtWaitForSingleObject ... ) == 0x0 01452 476 NtSetEventBoostPriority (128, ... 01376 1964 NtWaitForSingleObject ... ) == 0x0 01453 1964 NtSetEventBoostPriority (128, ... 01389 1624 NtWaitForSingleObject ... ) == 0x0 01454 1624 NtSetEventBoostPriority (128, ... 01413 1440 NtWaitForSingleObject ... ) == 0x0 01455 1440 NtSetEventBoostPriority (128, ... 01426 1516 NtWaitForSingleObject ... ) == 0x0 01456 1516 NtSetEventBoostPriority (128, ... 01438 1664 NtWaitForSingleObject ... ) == 0x0 01457 1664 NtTestAlert (... ) == 0x0 01456 1516 NtSetEventBoostPriority ... ) == 0x0 01455 1440 NtSetEventBoostPriority ... ) == 0x0 01454 1624 NtSetEventBoostPriority ... ) == 0x0 01453 1964 NtSetEventBoostPriority ... ) == 0x0 01452 476 NtSetEventBoostPriority ... ) == 0x0 01451 1404 NtSetEventBoostPriority ... ) == 0x0 01450 312 NtSetEventBoostPriority ... ) == 0x0 01449 380 NtSetEventBoostPriority ... ) == 0x0 01448 752 NtSetEventBoostPriority ... ) == 0x0 01447 1288 NtSetEventBoostPriority ... ) == 0x0 01446 1924 NtSetEventBoostPriority ... ) == 0x0 01444 1628 NtSetEventBoostPriority ... ) == 0x0 01445 1276 NtSetEventBoostPriority ... ) == 0x0 01443 784 NtSetEventBoostPriority ... ) == 0x0 01458 1736 NtProtectVirtualMemory (-1, (0x200e000), 4096, 260, ... 01459 1664 NtContinue (32570672, 1, ... 01460 1516 NtTestAlert (... 01461 1440 NtTestAlert (... 01462 1624 NtTestAlert (... 01463 1964 NtTestAlert (... 01464 476 NtTestAlert (... 01465 1404 NtTestAlert (... 01466 312 NtTestAlert (... 01467 380 NtTestAlert (... 01468 752 NtTestAlert (... 01469 1288 NtTestAlert (... 01470 1924 NtTestAlert (... 01471 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11595888, ... }, 11595888, ... 01472 784 NtWaitForSingleObject (128, 0, 0x0, ... 
01458 1736 NtProtectVirtualMemory ... (0x200e000), 4096, 4, ) == 0x0 01473 1664 NtRegisterThreadTerminatePort (24, ... 01460 1516 NtTestAlert ... ) == 0x0 01461 1440 NtTestAlert ... ) == 0x0 01462 1624 NtTestAlert ... ) == 0x0 01463 1964 NtTestAlert ... ) == 0x0 01464 476 NtTestAlert ... ) == 0x0 01465 1404 NtTestAlert ... ) == 0x0 01466 312 NtTestAlert ... ) == 0x0 01467 380 NtTestAlert ... ) == 0x0 01468 752 NtTestAlert ... ) == 0x0 01469 1288 NtTestAlert ... ) == 0x0 01470 1924 NtTestAlert ... ) == 0x0 01474 1628 NtTestAlert (... 01471 1276 NtQueryAttributesFile ... ) == 0x0 01475 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01473 1664 NtRegisterThreadTerminatePort ... ) == 0x0 01476 1516 NtContinue (31522096, 1, ... 01477 1440 NtContinue (30473520, 1, ... 01478 1624 NtContinue (29424944, 1, ... 01479 1964 NtContinue (28376368, 1, ... 01480 476 NtContinue (27327792, 1, ... 01481 1404 NtContinue (26279216, 1, ... 01482 312 NtContinue (25230640, 1, ... 01483 380 NtContinue (24182064, 1, ... 01484 752 NtContinue (23133488, 1, ... 01485 1288 NtContinue (22084912, 1, ... 01486 1924 NtContinue (21036336, 1, ... 01474 1628 NtTestAlert ... ) == 0x0 01487 1276 NtSetEventBoostPriority (128, ... 01475 1736 NtCreateThread ... 228, {1636, 1972}, ) == 0x0 01488 1664 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01489 1516 NtRegisterThreadTerminatePort (24, ... 01490 1440 NtRegisterThreadTerminatePort (24, ... 01491 1624 NtRegisterThreadTerminatePort (24, ... 01492 476 NtRegisterThreadTerminatePort (24, ... 01493 1404 NtRegisterThreadTerminatePort (24, ... 01494 312 NtRegisterThreadTerminatePort (24, ... 01495 380 NtRegisterThreadTerminatePort (24, ... 01496 752 NtRegisterThreadTerminatePort (24, ... 01497 1288 NtRegisterThreadTerminatePort (24, ... 01498 1924 NtRegisterThreadTerminatePort (24, ... 01499 1628 NtContinue (19987760, 1, ... 01472 784 NtWaitForSingleObject ... ) == 0x0 01487 1276 NtSetEventBoostPriority ... 
) == 0x0 01500 1736 NtQueryInformationThread (228, Basic, 28, ... 01488 1664 NtDuplicateObject ... 260, ) == 0x0 01489 1516 NtRegisterThreadTerminatePort ... ) == 0x0 01490 1440 NtRegisterThreadTerminatePort ... ) == 0x0 01491 1624 NtRegisterThreadTerminatePort ... ) == 0x0 01492 476 NtRegisterThreadTerminatePort ... ) == 0x0 01493 1404 NtRegisterThreadTerminatePort ... ) == 0x0 01494 312 NtRegisterThreadTerminatePort ... ) == 0x0 01495 380 NtRegisterThreadTerminatePort ... ) == 0x0 01496 752 NtRegisterThreadTerminatePort ... ) == 0x0 01497 1288 NtRegisterThreadTerminatePort ... ) == 0x0 01498 1924 NtRegisterThreadTerminatePort ... ) == 0x0 01501 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01502 1628 NtRegisterThreadTerminatePort (24, ... 01503 1276 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01500 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0 01504 1664 NtWaitForSingleObject (104, 0, {0, 0}, ... 01505 1516 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01506 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01507 1624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01508 476 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01509 1404 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01510 312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01511 380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01512 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01513 1288 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01501 784 NtCreateEvent ... 264, ) == 0x0 01514 1924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01502 1628 NtRegisterThreadTerminatePort ... ) == 0x0 01503 1276 NtOpenKey ... 268, ) == 0x0 01515 1964 NtRegisterThreadTerminatePort (24, ... 
01516 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\264\7\0\0" ... ... 01504 1664 NtWaitForSingleObject ... ) == 0x102 01505 1516 NtDuplicateObject ... 272, ) == 0x0 01506 1440 NtDuplicateObject ... 276, ) == 0x0 01507 1624 NtDuplicateObject ... 280, ) == 0x0 01508 476 NtDuplicateObject ... 284, ) == 0x0 01509 1404 NtDuplicateObject ... 288, ) == 0x0 01510 312 NtDuplicateObject ... 292, ) == 0x0 01511 380 NtDuplicateObject ... 296, ) == 0x0 01512 752 NtDuplicateObject ... 300, ) == 0x0 01517 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01513 1288 NtDuplicateObject ... 304, ) == 0x0 01518 1628 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01519 1276 NtQueryValueKey (268, (268, "Transports", Partial, 144, ... , Partial, 144, ... 01515 1964 NtRegisterThreadTerminatePort ... ) == 0x0 01516 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75559, 0} ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\264\7\0\0" ) ) == 0x0 01520 1664 NtWaitForSingleObject (160, 0, 0x0, ... 01521 1516 NtWaitForSingleObject (104, 0, {0, 0}, ... 01522 1440 NtWaitForSingleObject (104, 0, {0, 0}, ... 01523 1624 NtWaitForSingleObject (104, 0, {0, 0}, ... 01524 476 NtWaitForSingleObject (104, 0, {0, 0}, ... 01525 1404 NtWaitForSingleObject (104, 0, {0, 0}, ... 01526 312 NtWaitForSingleObject (104, 0, {0, 0}, ... 01527 380 NtWaitForSingleObject (104, 0, {0, 0}, ... 01517 784 NtDuplicateObject ... 308, ) == 0x0 01528 752 NtWaitForSingleObject (104, 0, {0, 0}, ... 01529 1288 NtWaitForSingleObject (104, 0, {0, 0}, ... 01514 1924 NtDuplicateObject ... 312, ) == 0x0 01518 1628 NtDuplicateObject ... 316, ) == 0x0 01530 1964 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01531 1736 NtResumeThread (228, ... 01521 1516 NtWaitForSingleObject ... ) == 0x102 01522 1440 NtWaitForSingleObject ... 
) == 0x102 01523 1624 NtWaitForSingleObject ... ) == 0x102 01524 476 NtWaitForSingleObject ... ) == 0x102 01525 1404 NtWaitForSingleObject ... ) == 0x102 01526 312 NtWaitForSingleObject ... ) == 0x102 01527 380 NtWaitForSingleObject ... ) == 0x102 01519 1276 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01528 752 NtWaitForSingleObject ... ) == 0x102 01529 1288 NtWaitForSingleObject ... ) == 0x102 01532 1924 NtWaitForSingleObject (104, 0, {0, 0}, ... 01533 1628 NtWaitForSingleObject (104, 0, {0, 0}, ... 01530 1964 NtDuplicateObject ... 320, ) == 0x0 01531 1736 NtResumeThread ... 1, ) == 0x0 01534 1516 NtWaitForSingleObject (160, 0, 0x0, ... 01535 1440 NtWaitForSingleObject (160, 0, 0x0, ... 01536 1624 NtWaitForSingleObject (160, 0, 0x0, ... 01537 476 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01538 1404 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01539 312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01540 380 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01541 1276 NtQueryValueKey (268, (268, "Transports", Partial, 144, ... , Partial, 144, ... 01542 752 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01543 1288 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01532 1924 NtWaitForSingleObject ... ) == 0x102 01533 1628 NtWaitForSingleObject ... ) == 0x102 01544 1964 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01545 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01537 476 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01538 1404 NtCreateEvent ... 324, ) == 0x0 01539 312 NtCreateEvent ... 328, ) == 0x0 01540 380 NtCreateEvent ... 332, ) == 0x0 01541 1276 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01542 752 NtCreateEvent ... 336, ) == 0x0 01543 1288 NtCreateEvent ... 
340, ) == 0x0 01546 1924 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01547 1628 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01544 1964 NtCreateEvent ... 344, ) == 0x0 01548 784 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01549 1972 NtTestAlert (... 01545 1736 NtAllocateVirtualMemory ... 33619968, 1048576, ) == 0x0 01550 476 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01551 1404 NtWaitForSingleObject (324, 0, 0x0, ... 01552 312 NtClose (328, ... 01553 1276 NtClose (268, ... 01554 380 NtClose (332, ... 01555 752 NtClose (336, ... 01546 1924 NtCreateEvent ... 348, ) == 0x0 01547 1628 NtCreateEvent ... 352, ) == 0x0 01556 1288 NtClose (340, ... 01548 784 NtCreateEvent ... 356, ) == 0x0 01549 1972 NtTestAlert ... ) == 0x0 01557 1736 NtAllocateVirtualMemory (-1, 34660352, 0, 8192, 4096, 4, ... 01550 476 NtCreateEvent ... 360, ) == 0x0 01552 312 NtClose ... ) == 0x0 01553 1276 NtClose ... ) == 0x0 01554 380 NtClose ... ) == 0x0 01555 752 NtClose ... ) == 0x0 01558 1964 NtClose (344, ... 01559 1924 NtClose (348, ... 01556 1288 NtClose ... ) == 0x0 01560 784 NtClose (356, ... 01561 1972 NtContinue (33619248, 1, ... 01557 1736 NtAllocateVirtualMemory ... 34660352, 8192, ) == 0x0 01562 476 NtClose (360, ... 01563 312 NtWaitForSingleObject (324, 0, 0x0, ... 01564 1276 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01565 380 NtWaitForSingleObject (324, 0, 0x0, ... 01566 752 NtWaitForSingleObject (324, 0, 0x0, ... 01558 1964 NtClose ... ) == 0x0 01559 1924 NtClose ... ) == 0x0 01567 1288 NtWaitForSingleObject (324, 0, 0x0, ... 01560 784 NtClose ... ) == 0x0 01568 1972 NtRegisterThreadTerminatePort (24, ... 01569 1736 NtProtectVirtualMemory (-1, (0x210e000), 4096, 260, ... 01562 476 NtClose ... ) == 0x0 01570 1628 NtClose (352, ... 01571 1964 NtWaitForSingleObject (324, 0, 0x0, ... 01572 1924 NtWaitForSingleObject (324, 0, 0x0, ... 01573 784 NtWaitForSingleObject (324, 0, 0x0, ... 
01568 1972 NtRegisterThreadTerminatePort ... ) == 0x0 01569 1736 NtProtectVirtualMemory ... (0x210e000), 4096, 4, ) == 0x0 01574 476 NtSetEventBoostPriority (324, ... 01570 1628 NtClose ... ) == 0x0 01564 1276 NtOpenKey ... 352, ) == 0x0 01575 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01551 1404 NtWaitForSingleObject ... ) == 0x0 01574 476 NtSetEventBoostPriority ... ) == 0x0 01576 1628 NtWaitForSingleObject (324, 0, 0x0, ... 01577 1276 NtQueryValueKey (352, (352, "Mapping", Partial, 144, ... , Partial, 144, ... 01578 1972 NtWaitForSingleObject (324, 0, 0x0, ... 01579 1404 NtSetEventBoostPriority (324, ... 01575 1736 NtCreateThread ... 360, {1636, 780}, ) == 0x0 01577 1276 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01563 312 NtWaitForSingleObject ... ) == 0x0 01579 1404 NtSetEventBoostPriority ... ) == 0x0 01580 1736 NtQueryInformationThread (360, Basic, 28, ... 01581 312 NtSetEventBoostPriority (324, ... 01582 1276 NtWaitForSingleObject (324, 0, 0x0, ... 01583 1404 NtWaitForSingleObject (160, 0, 0x0, ... 01565 380 NtWaitForSingleObject ... ) == 0x0 01581 312 NtSetEventBoostPriority ... ) == 0x0 01580 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=780,}, 0x0, ) == 0x0 01584 476 NtWaitForSingleObject (160, 0, 0x0, ... 01585 380 NtSetEventBoostPriority (324, ... 01586 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0\14\3\0\0" ... ... 01566 752 NtWaitForSingleObject ... ) == 0x0 01585 380 NtSetEventBoostPriority ... ) == 0x0 01587 752 NtSetEventBoostPriority (324, ... 01586 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75560, 0} ... {28, 56, reply, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0\14\3\0\0" ) ) == 0x0 01588 312 NtWaitForSingleObject (160, 0, 0x0, ... 01567 1288 NtWaitForSingleObject ... 
) == 0x0 01587 752 NtSetEventBoostPriority ... ) == 0x0 01589 380 NtWaitForSingleObject (160, 0, 0x0, ... 01590 1288 NtSetEventBoostPriority (324, ... 01591 1736 NtResumeThread (360, ... 01571 1964 NtWaitForSingleObject ... ) == 0x0 01590 1288 NtSetEventBoostPriority ... ) == 0x0 01592 1964 NtSetEventBoostPriority (324, ... 01591 1736 NtResumeThread ... 1, ) == 0x0 01593 752 NtWaitForSingleObject (160, 0, 0x0, ... 01572 1924 NtWaitForSingleObject ... ) == 0x0 01592 1964 NtSetEventBoostPriority ... ) == 0x0 01594 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01595 1924 NtSetEventBoostPriority (324, ... 01596 1288 NtWaitForSingleObject (160, 0, 0x0, ... 01597 780 NtTestAlert (... 01573 784 NtWaitForSingleObject ... ) == 0x0 01595 1924 NtSetEventBoostPriority ... ) == 0x0 01594 1736 NtAllocateVirtualMemory ... 34668544, 1048576, ) == 0x0 01598 784 NtSetEventBoostPriority (324, ... 01597 780 NtTestAlert ... ) == 0x0 01599 1964 NtWaitForSingleObject (324, 0, 0x0, ... 01576 1628 NtWaitForSingleObject ... ) == 0x0 01598 784 NtSetEventBoostPriority ... ) == 0x0 01600 1736 NtAllocateVirtualMemory (-1, 35708928, 0, 8192, 4096, 4, ... 01601 780 NtContinue (34667824, 1, ... 01602 1628 NtSetEventBoostPriority (324, ... 01603 1924 NtWaitForSingleObject (160, 0, 0x0, ... 01600 1736 NtAllocateVirtualMemory ... 35708928, 8192, ) == 0x0 01578 1972 NtWaitForSingleObject ... ) == 0x0 01602 1628 NtSetEventBoostPriority ... ) == 0x0 01604 780 NtRegisterThreadTerminatePort (24, ... 01605 784 NtWaitForSingleObject (324, 0, 0x0, ... 01606 1972 NtSetEventBoostPriority (324, ... 01607 1736 NtProtectVirtualMemory (-1, (0x220e000), 4096, 260, ... 01604 780 NtRegisterThreadTerminatePort ... ) == 0x0 01582 1276 NtWaitForSingleObject ... ) == 0x0 01606 1972 NtSetEventBoostPriority ... ) == 0x0 01607 1736 NtProtectVirtualMemory ... (0x220e000), 4096, 4, ) == 0x0 01608 1628 NtWaitForSingleObject (160, 0, 0x0, ... 01609 1276 NtSetEventBoostPriority (324, ... 
01610 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01611 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01599 1964 NtWaitForSingleObject ... ) == 0x0 01609 1276 NtSetEventBoostPriority ... ) == 0x0 01612 780 NtWaitForSingleObject (324, 0, 0x0, ... 01613 1964 NtSetEventBoostPriority (324, ... 01611 1736 NtCreateThread ... 356, {1636, 1656}, ) == 0x0 01610 1972 NtDuplicateObject ... 348, ) == 0x0 01605 784 NtWaitForSingleObject ... ) == 0x0 01613 1964 NtSetEventBoostPriority ... ) == 0x0 01614 1736 NtQueryInformationThread (356, Basic, 28, ... 01615 784 NtSetEventBoostPriority (324, ... 01616 1972 NtWaitForSingleObject (324, 0, 0x0, ... 01617 1964 NtWaitForSingleObject (324, 0, 0x0, ... 01612 780 NtWaitForSingleObject ... ) == 0x0 01615 784 NtSetEventBoostPriority ... ) == 0x0 01614 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0 01618 1276 NtQueryValueKey (352, (352, "Mapping", Partial, 144, ... , Partial, 144, ... 01619 780 NtSetEventBoostPriority (324, ... 01620 784 NtWaitForSingleObject (324, 0, 0x0, ... 01616 1972 NtWaitForSingleObject ... ) == 0x0 01619 780 NtSetEventBoostPriority ... ) == 0x0 01618 1276 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01621 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0x\6\0\0" ... ... 01622 1972 NtSetEventBoostPriority (324, ... 01623 780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01624 1276 NtWaitForSingleObject (324, 0, 0x0, ... 01617 1964 NtWaitForSingleObject ... ) == 0x0 01622 1972 NtSetEventBoostPriority ... ) == 0x0 01621 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75561, 0} ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0x\6\0\0" ) ) == 0x0 01625 1964 NtSetEventBoostPriority (324, ... 01623 780 NtDuplicateObject ... 
344, ) == 0x0 01620 784 NtWaitForSingleObject ... ) == 0x0 01626 1736 NtResumeThread (356, ... 01627 780 NtWaitForSingleObject (324, 0, 0x0, ... 01628 784 NtSetEventBoostPriority (324, ... 01626 1736 NtResumeThread ... 1, ) == 0x0 01624 1276 NtWaitForSingleObject ... ) == 0x0 01629 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01630 1276 NtSetEventBoostPriority (324, ... 01628 784 NtSetEventBoostPriority ... ) == 0x0 01625 1964 NtSetEventBoostPriority ... ) == 0x0 01631 1972 NtWaitForSingleObject (324, 0, 0x0, ... 01632 1656 NtTestAlert (... 01627 780 NtWaitForSingleObject ... ) == 0x0 01630 1276 NtSetEventBoostPriority ... ) == 0x0 01633 784 NtWaitForSingleObject (324, 0, 0x0, ... 01634 1964 NtWaitForSingleObject (324, 0, 0x0, ... 01635 780 NtSetEventBoostPriority (324, ... 01632 1656 NtTestAlert ... ) == 0x0 01629 1736 NtAllocateVirtualMemory ... 35717120, 1048576, ) == 0x0 01631 1972 NtWaitForSingleObject ... ) == 0x0 01635 780 NtSetEventBoostPriority ... ) == 0x0 01636 1656 NtContinue (35716400, 1, ... 01637 1972 NtSetEventBoostPriority (324, ... 01638 1736 NtAllocateVirtualMemory (-1, 36757504, 0, 8192, 4096, 4, ... 01639 1276 NtQueryValueKey (352, (352, "Mapping", Partial, 152, ... , Partial, 152, ... 01633 784 NtWaitForSingleObject ... ) == 0x0 01637 1972 NtSetEventBoostPriority ... ) == 0x0 01640 1656 NtRegisterThreadTerminatePort (24, ... 01638 1736 NtAllocateVirtualMemory ... 36757504, 8192, ) == 0x0 01641 784 NtSetEventBoostPriority (324, ... 01639 1276 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01642 1972 NtWaitForSingleObject (324, 0, 0x0, ... 01640 1656 NtRegisterThreadTerminatePort ... 
) == 0x0 01634 1964 NtWaitForSingleObject ... ) == 0x0 01641 784 NtSetEventBoostPriority ... ) == 0x0 01643 1736 NtProtectVirtualMemory (-1, (0x230e000), 4096, 260, ... 01644 1276 NtClose (352, ... 01645 780 NtWaitForSingleObject (324, 0, 0x0, ... 01646 1964 NtSetEventBoostPriority (324, ... 01647 1656 NtWaitForSingleObject (324, 0, 0x0, ... 01643 1736 NtProtectVirtualMemory ... (0x230e000), 4096, 4, ) == 0x0 01644 1276 NtClose ... ) == 0x0 01642 1972 NtWaitForSingleObject ... ) == 0x0 01646 1964 NtSetEventBoostPriority ... ) == 0x0 01648 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01649 1972 NtSetEventBoostPriority (324, ... 01650 1276 NtWaitForSingleObject (324, 0, 0x0, ... 01651 784 NtWaitForSingleObject (324, 0, 0x0, ... 01652 1964 NtWaitForSingleObject (324, 0, 0x0, ... 01645 780 NtWaitForSingleObject ... ) == 0x0 01653 780 NtSetEventBoostPriority (324, ... 01647 1656 NtWaitForSingleObject ... ) == 0x0 01654 1656 NtSetEventBoostPriority (324, ... 01650 1276 NtWaitForSingleObject ... ) == 0x0 01655 1276 NtSetEventBoostPriority (324, ... 01651 784 NtWaitForSingleObject ... ) == 0x0 01656 784 NtSetEventBoostPriority (324, ... 01652 1964 NtWaitForSingleObject ... ) == 0x0 01657 1964 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 01656 784 NtSetEventBoostPriority ... ) == 0x0 01655 1276 NtSetEventBoostPriority ... ) == 0x0 01654 1656 NtSetEventBoostPriority ... ) == 0x0 01653 780 NtSetEventBoostPriority ... ) == 0x0 01649 1972 NtSetEventBoostPriority ... ) == 0x0 01648 1736 NtCreateThread ... 352, {1636, 1248}, ) == 0x0 01658 784 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01659 1964 NtWaitForSingleObject (160, 0, 0x0, ... 01660 1656 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01661 780 NtWaitForSingleObject (324, 0, 0x0, ... 01662 1972 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01663 1736 NtQueryInformationThread (352, Basic, 28, ... 01664 1276 NtWaitForSingleObject (324, 0, 0x0, ... 01658 784 NtAllocateVirtualMemory ... 
1380352, 4096, ) == 0x0 01660 1656 NtDuplicateObject ... 340, ) == 0x0 01662 1972 NtCreateEvent ... 336, ) == 0x0 01663 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=1248,}, 0x0, ) == 0x0 01665 784 NtSetEventBoostPriority (324, ... 01666 1656 NtWaitForSingleObject (324, 0, 0x0, ... 01667 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0\340\4\0\0" ... ... 01664 1276 NtWaitForSingleObject ... ) == 0x0 01665 784 NtSetEventBoostPriority ... ) == 0x0 01668 1276 NtSetEventBoostPriority (324, ... 01667 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75562, 0} ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0\340\4\0\0" ) ) == 0x0 01661 780 NtWaitForSingleObject ... ) == 0x0 01668 1276 NtSetEventBoostPriority ... ) == 0x0 01669 784 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01670 1972 NtWaitForSingleObject (336, 0, 0x0, ... 01671 780 NtSetEventBoostPriority (324, ... 01672 1276 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01669 784 NtCreateEvent ... 332, ) == 0x0 01666 1656 NtWaitForSingleObject ... ) == 0x0 01671 780 NtSetEventBoostPriority ... ) == 0x0 01673 1736 NtResumeThread (352, ... 01674 784 NtClose (332, ... 01675 1656 NtWaitForSingleObject (336, 0, 0x0, ... 01676 780 NtSetEventBoostPriority (336, ... 01673 1736 NtResumeThread ... 1, ) == 0x0 01672 1276 NtOpenKey ... 268, ) == 0x0 01670 1972 NtWaitForSingleObject ... ) == 0x0 01676 780 NtSetEventBoostPriority ... ) == 0x0 01677 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01678 1972 NtSetEventBoostPriority (336, ... 01679 1276 NtQueryValueKey (268, (268, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01674 784 NtClose ... 
) == 0x0 01680 1248 NtAllocateVirtualMemory (-1, 3624960, 0, 4096, 4096, 4, ... 01675 1656 NtWaitForSingleObject ... ) == 0x0 01678 1972 NtSetEventBoostPriority ... ) == 0x0 01677 1736 NtAllocateVirtualMemory ... 36765696, 1048576, ) == 0x0 01679 1276 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01681 784 NtWaitForSingleObject (336, 0, 0x0, ... 01682 1656 NtSetEventBoostPriority (336, ... 01680 1248 NtAllocateVirtualMemory ... 3624960, 4096, ) == 0x0 01683 1972 NtWaitForSingleObject (104, 0, {0, 0}, ... 01684 1736 NtAllocateVirtualMemory (-1, 37806080, 0, 8192, 4096, 4, ... 01685 1276 NtQueryValueKey (268, (268, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01682 1656 NtSetEventBoostPriority ... ) == 0x0 01681 784 NtWaitForSingleObject ... ) == 0x0 01686 1248 NtTestAlert (... 01687 780 NtWaitForSingleObject (104, 0, {0, 0}, ... 01684 1736 NtAllocateVirtualMemory ... 37806080, 8192, ) == 0x0 01685 1276 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01683 1972 NtWaitForSingleObject ... ) == 0x102 01688 784 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01686 1248 NtTestAlert ... ) == 0x0 01687 780 NtWaitForSingleObject ... ) == 0x102 01689 1656 NtWaitForSingleObject (104, 0, {0, 0}, ... 01690 1276 NtQueryValueKey (268, (268, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01691 1972 NtWaitForSingleObject (160, 0, 0x0, ... 01688 784 NtOpenFile ... 332, {status=0x0, info=0}, ) == 0x0 01692 1248 NtContinue (36764976, 1, ... 01693 780 NtWaitForSingleObject (160, 0, 0x0, ... 01689 1656 NtWaitForSingleObject ... ) == 0x102 01694 1736 NtProtectVirtualMemory (-1, (0x240e000), 4096, 260, ... 01690 1276 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01695 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\177g\3\305\275\26\277\254\334]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01696 1656 NtWaitForSingleObject (160, 0, 0x0, ... 01694 1736 NtProtectVirtualMemory ... (0x240e000), 4096, 4, ) == 0x0 01697 1276 NtQueryValueKey (268, (268, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01698 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01699 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01697 1276 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01698 784 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01699 1736 NtCreateThread ... 328, {1636, 1036}, ) == 0x0 01700 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11596844, ... }, 11596844, ... 01701 784 NtQuerySystemInformation (ProcessorTimes, 48, ... 01702 1736 NtQueryInformationThread (328, Basic, 28, ... 01700 1276 NtQueryAttributesFile ... ) == 0x0 01701 784 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01702 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=1036,}, 0x0, ) == 0x0 01703 1276 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01704 784 NtQuerySystemInformation (Performance, 312, ... 01705 1248 NtRegisterThreadTerminatePort (24, ... 01706 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0\14\4\0\0" ... ... 01703 1276 NtOpenFile ... 364, {status=0x0, info=1}, ) == 0x0 01705 1248 NtRegisterThreadTerminatePort ... ) == 0x0 01706 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75563, 0} ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0\14\4\0\0" ) ) == 0x0 01707 1276 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 364, ... 01708 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01709 1736 NtResumeThread (328, ... 01707 1276 NtCreateSection ... 368, ) == 0x0 01708 1248 NtDuplicateObject ... 372, ) == 0x0 01709 1736 NtResumeThread ... 1, ) == 0x0 01710 1276 NtClose (364, ... 01711 1248 NtWaitForSingleObject (104, 0, {0, 0}, ... 01712 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01710 1276 NtClose ... ) == 0x0 01711 1248 NtWaitForSingleObject ... ) == 0x102 01704 784 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01713 1036 NtWaitForSingleObject (128, 0, 0x0, ... 01714 1276 NtMapViewOfSection (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01715 1248 NtWaitForSingleObject (160, 0, 0x0, ... 01716 784 NtQuerySystemInformation (Exception, 16, ... 01712 1736 NtAllocateVirtualMemory ... 37814272, 1048576, ) == 0x0 01716 784 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01717 1736 NtAllocateVirtualMemory (-1, 38854656, 0, 8192, 4096, 4, ... 01718 784 NtQuerySystemInformation (Lookaside, 32, ... 01717 1736 NtAllocateVirtualMemory ... 
38854656, 8192, ) == 0x0 01718 784 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01719 1736 NtProtectVirtualMemory (-1, (0x250e000), 4096, 260, ... 01720 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01719 1736 NtProtectVirtualMemory ... (0x250e000), 4096, 4, ) == 0x0 01714 1276 NtMapViewOfSection ... (0x360000), 0x0, 20480, ) == 0x0 01721 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01722 1276 NtClose (368, ... 01720 784 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01722 1276 NtClose ... ) == 0x0 01723 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01724 1276 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 01725 1276 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11597152, ... ) }, 11597152, ... ) == 0x0 01726 1276 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0 01727 1276 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 368, ... 01721 1736 NtCreateThread ... 364, {1636, 760}, ) == 0x0 01728 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01729 1736 NtQueryInformationThread (364, Basic, 28, ... 01728 784 NtCreateKey ... -2147482576, 2, ) == 0x0 01729 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=760,}, 0x0, ) == 0x0 01730 784 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\351\375D\356\254\344\273\\372{\255\377\352\332T\233\350\342X@M\375\347:\301\11\342\257\366I\15\342_\22\346\313\244)\303A!\373\2240\361\317\237:\351\227\333\314\336[\351h-uH\335\252\317\233M.EMOT\336\34\317}\361)\302\21\210\223\240", 80, ... 
, 0, 3, (-2147482576, "Seed", 0, 3, "\351\375D\356\254\344\273\\372{\255\377\352\332T\233\350\342X@M\375\347:\301\11\342\257\366I\15\342_\22\346\313\244)\303A!\373\2240\361\317\237:\351\227\333\314\336[\351h-uH\335\252\317\233M.EMOT\336\34\317}\361)\302\21\210\223\240", 80, ... , 80, ... 01731 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0\370\2\0\0" ... ... 01730 784 NtSetValueKey ... ) == 0x0 01731 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75564, 0} ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0\370\2\0\0" ) ) == 0x0 01732 784 NtClose (-2147482576, ... 01727 1276 NtCreateSection ... 376, ) == 0x0 01732 784 NtClose ... ) == 0x0 01733 1276 NtQuerySection (376, Image, 48, ... 01734 1736 NtResumeThread (364, ... 01733 1276 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01734 1736 NtResumeThread ... 1, ) == 0x0 01735 1276 NtClose (368, ... 01736 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01735 1276 NtClose ... ) == 0x0 01736 1736 NtAllocateVirtualMemory ... 38862848, 1048576, ) == 0x0 01737 1276 NtMapViewOfSection (376, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01738 1736 NtAllocateVirtualMemory (-1, 39903232, 0, 8192, 4096, 4, ... 01695 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "0>s\27\220\7\235\202\250.\265\313\24p\254\220/\341\241\216\217c1\266\314\331\250\227\220\300H\344\320\12\356\201u^z\22+\216\371\261]\340"g=\367=b\222]\362\260j\267", ) g=\367=b\222]\362\260j\267 ... {status=0x0, info=256}, "0>s\27\220\7\235\202\250.\265\313\24p\254\220/\341\241\216\217c1\266\314\331\250\227\220\300H\344\320\12\356\201u^z\22+\216\371\261]\340"g=\367=b\222]\362\260j\267", ) , ) == 0x0 01739 760 NtWaitForSingleObject (128, 0, 0x0, ... 01738 1736 NtAllocateVirtualMemory ... 
39903232, 8192, ) == 0x0 01740 784 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01737 1276 NtMapViewOfSection ... (0x71a90000), 0x0, 32768, ) == 0x0 01740 784 NtCreateEvent ... 368, ) == 0x0 01741 1276 NtClose (376, ... 01742 784 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789572, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789572, 188, ... 01741 1276 NtClose ... ) == 0x0 01743 1276 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 01742 784 NtConnectPort ... 376, 0x0, 0x0, 0x0, 188, ) == 0x0 01744 784 NtRequestWaitReplyPort (376, {200, 224, new_msg, 0, 1329576, 12, 2, 1} (376, {200, 224, new_msg, 0, 1329576, 12, 2, 1} "\0\2\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\08\2\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\231\37\247uQ\177{\361\30\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\1(\0\0\0 \37\25\0\333\223\14\354`\2\24\0@\37\25\0\\1\24\0\0\0\0\0\0\0\0\0@\37\25\0P\0\0\0H\37\25\0\360\6\221|8\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 784, 75566, 0} "\7\2\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\231\37\247uQ\177{\361\30\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\1(\0\0\0 \37\25\0\333\223\14\354`\2\24\0@\37\25\0\\1\24\0\0\0\0\0\0\0\0\0@\37\25\0P\0\0\0H\37\25\0\360\6\221|8\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... 
{200, 224, reply, 0, 1636, 784, 75566, 0} (376, {200, 224, new_msg, 0, 1329576, 12, 2, 1} "\0\2\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\08\2\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\231\37\247uQ\177{\361\30\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\1(\0\0\0 \37\25\0\333\223\14\354`\2\24\0@\37\25\0\\1\24\0\0\0\0\0\0\0\0\0@\37\25\0P\0\0\0H\37\25\0\360\6\221|8\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 784, 75566, 0} "\7\2\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\231\37\247uQ\177{\361\30\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\1(\0\0\0 \37\25\0\333\223\14\354`\2\24\0@\37\25\0\\1\24\0\0\0\0\0\0\0\0\0@\37\25\0P\0\0\0H\37\25\0\360\6\221|8\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01745 784 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01746 784 NtRequestWaitReplyPort (376, {64, 88, new_msg, 0, 0, 0, 0, 0} (376, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01747 1736 NtProtectVirtualMemory (-1, (0x260e000), 4096, 260, ... 01748 1276 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... 01747 1736 NtProtectVirtualMemory ... (0x260e000), 4096, 4, ) == 0x0 01748 1276 NtProtectVirtualMemory ... (0x71a91000), 4096, 4, ) == 0x0 01749 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01750 1276 NtFlushInstructionCache (-1, 1906905088, 128, ... 01749 1736 NtCreateThread ... 380, {1636, 484}, ) == 0x0 01750 1276 NtFlushInstructionCache ... ) == 0x0 01751 1736 NtQueryInformationThread (380, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=484,}, 0x0, ) == 0x0 01752 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\344\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75567, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\344\1\0\0" ) ) == 0x0 01753 1736 NtResumeThread (380, ... 1, ) == 0x0 01754 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01746 784 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 784, 75568, 0} ... {52, 76, reply, 0, 1636, 784, 75568, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\230\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01755 484 NtWaitForSingleObject (128, 0, 0x0, ... 01756 1276 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ... 01757 784 NtClose (368, ... 01756 1276 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01757 784 NtClose ... ) == 0x0 01758 1276 NtSetEventBoostPriority (128, ... 01759 784 NtClose (376, ... 01713 1036 NtWaitForSingleObject ... ) == 0x0 01758 1276 NtSetEventBoostPriority ... ) == 0x0 01760 1036 NtSetEventBoostPriority (128, ... 01759 784 NtClose ... ) == 0x0 01739 760 NtWaitForSingleObject ... ) == 0x0 01760 1036 NtSetEventBoostPriority ... ) == 0x0 01761 1276 NtClose (268, ... 01754 1736 NtAllocateVirtualMemory ... 39911424, 1048576, ) == 0x0 01762 760 NtSetEventBoostPriority (128, ... 01763 784 NtWaitForSingleObject (128, 0, 0x0, ... 01764 1036 NtTestAlert (... 01755 484 NtWaitForSingleObject ... 
) == 0x0 01762 760 NtSetEventBoostPriority ... ) == 0x0 01765 1736 NtAllocateVirtualMemory (-1, 40951808, 0, 8192, 4096, 4, ... 01766 484 NtSetEventBoostPriority (128, ... 01764 1036 NtTestAlert ... ) == 0x0 01761 1276 NtClose ... ) == 0x0 01763 784 NtWaitForSingleObject ... ) == 0x0 01766 484 NtSetEventBoostPriority ... ) == 0x0 01765 1736 NtAllocateVirtualMemory ... 40951808, 8192, ) == 0x0 01767 1036 NtContinue (37813552, 1, ... 01768 784 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01769 1276 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11599488, 67, ... }, 0x0, 0, 3, 3, 0, 11599488, 67, ... 01770 760 NtTestAlert (... 01771 1736 NtProtectVirtualMemory (-1, (0x270e000), 4096, 260, ... 01768 784 NtCreateKey ... 268, 2, ) == 0x0 01772 1036 NtRegisterThreadTerminatePort (24, ... 01769 1276 NtCreateFile ... 376, {status=0x0, info=0}, ) == 0x0 01770 760 NtTestAlert ... ) == 0x0 01773 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01771 1736 NtProtectVirtualMemory ... (0x270e000), 4096, 4, ) == 0x0 01772 1036 NtRegisterThreadTerminatePort ... ) == 0x0 01774 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x1207b, (376, 136, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01775 760 NtContinue (38862128, 1, ... 01776 484 NtTestAlert (... 01777 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01778 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01774 1276 NtDeviceIoControlFile ... {status=0x0, info=16}, ... 
{status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0@\273\201\201", ) , ) == 0x0 01779 760 NtRegisterThreadTerminatePort (24, ... 01776 484 NtTestAlert ... ) == 0x0 01773 784 NtOpenKey ... 368, ) == 0x0 01777 1736 NtCreateThread ... 384, {1636, 1756}, ) == 0x0 01780 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x1207b, (376, 136, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0@\273\201\201", 16, 16, ... , 16, 16, ... 01779 760 NtRegisterThreadTerminatePort ... ) == 0x0 01781 484 NtContinue (39910704, 1, ... 01782 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01783 1736 NtQueryInformationThread (384, Basic, 28, ... 01778 1036 NtDuplicateObject ... 388, ) == 0x0 01784 760 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01785 484 NtRegisterThreadTerminatePort (24, ... 01782 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01783 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=1756,}, 0x0, ) == 0x0 01786 1036 NtWaitForSingleObject (104, 0, {0, 0}, ... 01780 1276 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0@\273\201\201", ) , ) == 0x0 01785 484 NtRegisterThreadTerminatePort ... ) == 0x0 01787 784 NtQueryValueKey (268, (268, "Hostname", Partial, 144, ... , Partial, 144, ... 01788 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\334\6\0\0" ... ... 01786 1036 NtWaitForSingleObject ... 
) == 0x102 01789 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x12047, (376, 136, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\347\1\5\0\0\20\0\0x\1\24\0x\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01790 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01787 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01788 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75570, 0} ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\334\6\0\0" ) ) == 0x0 01791 1036 NtWaitForSingleObject (160, 0, 0x0, ... 01789 1276 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01784 760 NtDuplicateObject ... 392, ) == 0x0 01792 784 NtQueryValueKey (268, (268, "Hostname", Partial, 144, ... , Partial, 144, ... 01790 484 NtDuplicateObject ... 396, ) == 0x0 01793 1276 NtWaitForSingleObject (96, 0, {0, 0}, ... 01794 760 NtWaitForSingleObject (104, 0, {0, 0}, ... 01795 1736 NtResumeThread (384, ... 01796 484 NtWaitForSingleObject (104, 0, {0, 0}, ... 01793 1276 NtWaitForSingleObject ... ) == 0x102 01794 760 NtWaitForSingleObject ... ) == 0x102 01795 1736 NtResumeThread ... 1, ) == 0x0 01796 484 NtWaitForSingleObject ... ) == 0x102 01792 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01797 1756 NtTestAlert (... 01798 760 NtWaitForSingleObject (160, 0, 0x0, ... 01799 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01800 484 NtWaitForSingleObject (160, 0, 0x0, ... 01801 784 NtClose (268, ... 01797 1756 NtTestAlert ... ) == 0x0 01799 1736 NtAllocateVirtualMemory ... 40960000, 1048576, ) == 0x0 01801 784 NtClose ... ) == 0x0 01802 1756 NtContinue (40959280, 1, ... 01803 1736 NtAllocateVirtualMemory (-1, 42000384, 0, 8192, 4096, 4, ... 01804 784 NtClose (368, ... 01805 1756 NtRegisterThreadTerminatePort (24, ... 01803 1736 NtAllocateVirtualMemory ... 42000384, 8192, ) == 0x0 01804 784 NtClose ... ) == 0x0 01805 1756 NtRegisterThreadTerminatePort ... ) == 0x0 01806 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x12003, (376, 136, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01807 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16_\1d\273\2\241\6\354\316\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01808 1736 NtProtectVirtualMemory (-1, (0x280e000), 4096, 260, ... 01806 1276 NtDeviceIoControlFile ... {status=0x0, info=368}, ... {status=0x0, info=368}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01809 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01808 1736 NtProtectVirtualMemory ... (0x280e000), 4096, 4, ) == 0x0 01810 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01809 1756 NtDuplicateObject ... 268, ) == 0x0 01811 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01810 784 NtQuerySystemInformation ... 
{system info, class 3, size 48}, 48, ) == 0x0 01812 1756 NtWaitForSingleObject (104, 0, {0, 0}, ... 01811 1736 NtCreateThread ... 400, {1636, 1956}, ) == 0x0 01813 784 NtQuerySystemInformation (ProcessorTimes, 48, ... 01812 1756 NtWaitForSingleObject ... ) == 0x102 01814 1736 NtQueryInformationThread (400, Basic, 28, ... 01813 784 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01815 1756 NtWaitForSingleObject (160, 0, 0x0, ... 01814 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1956,}, 0x0, ) == 0x0 01816 784 NtQuerySystemInformation (Performance, 312, ... 01817 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x12047, (376, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\347\1\5\0\0\20\0\0x\1\24\0x\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01816 784 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01817 1276 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01818 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0d\6\0\0\244\7\0\0" ... ... 01819 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x12037, (376, 136, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 01818 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75571, 0} ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0d\6\0\0\244\7\0\0" ) ) == 0x0 01819 1276 NtDeviceIoControlFile ... {status=0x0, info=8}, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01820 1736 NtResumeThread (400, ... 01821 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x1200b, (376, 136, 0x0, 0x0, 0x1200b, "\0\376\260\0\5\0\0\0\0\314\24\0", 12, 0, ... , 12, 0, ... 01820 1736 NtResumeThread ... 1, ) == 0x0 01821 1276 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01822 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01823 784 NtQuerySystemInformation (Exception, 16, ... 01824 1956 NtTestAlert (... 01825 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x12047, (376, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\260\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\347\1\5\0\0\20\0\0x\1\24\0x\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01823 784 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01824 1956 NtTestAlert ... ) == 0x0 01825 1276 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01826 784 NtQuerySystemInformation (Lookaside, 32, ... 01827 1956 NtContinue (42007856, 1, ... 01828 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 01826 784 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01829 1956 NtRegisterThreadTerminatePort (24, ... 01828 1276 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01830 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01829 1956 NtRegisterThreadTerminatePort ... ) == 0x0 01831 1276 NtCreateEvent (0x100003, 0x0, 1, 0, ... 
01830 784 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01822 1736 NtAllocateVirtualMemory ... 42008576, 1048576, ) == 0x0 01831 1276 NtCreateEvent ... 404, ) == 0x0 01832 1956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01833 1736 NtAllocateVirtualMemory (-1, 43048960, 0, 8192, 4096, 4, ... 01834 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01832 1956 NtDuplicateObject ... 408, ) == 0x0 01833 1736 NtAllocateVirtualMemory ... 43048960, 8192, ) == 0x0 01834 784 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01835 1956 NtWaitForSingleObject (104, 0, {0, 0}, ... 01836 1736 NtProtectVirtualMemory (-1, (0x290e000), 4096, 260, ... 01837 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01835 1956 NtWaitForSingleObject ... ) == 0x102 01836 1736 NtProtectVirtualMemory ... (0x290e000), 4096, 4, ) == 0x0 01837 784 NtCreateKey ... -2147482564, 2, ) == 0x0 01838 1956 NtWaitForSingleObject (160, 0, 0x0, ... 01839 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01840 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "j`\16\250\322\277\313\202\2620\2051\344\237\22D\215\10\375\321\14\276\22\16\204\315c\342W\334)\202;0\24\215^\340\5L-\275(\343\q\245\231\217\361\200I\233\375\362\3772\36\2321n\330\4\343\223\225\202\217\262\347\333\30W\303\17\364T\10j\337", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "j`\16\250\322\277\313\202\2620\2051\344\237\22D\215\10\375\321\14\276\22\16\204\315c\342W\334)\202;0\24\215^\340\5L-\275(\343\q\245\231\217\361\200I\233\375\362\3772\36\2321n\330\4\343\223\225\202\217\262\347\333\30W\303\17\364T\10j\337", 80, ... , 80, ... 01841 1276 NtWaitForSingleObject (404, 0, 0x0, ... 01840 784 NtSetValueKey ... ) == 0x0 01839 1736 NtCreateThread ... 412, {1636, 1480}, ) == 0x0 01842 1736 NtQueryInformationThread (412, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1480,}, 0x0, ) == 0x0 01843 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0d\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0d\6\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0d\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0d\6\0\0\310\5\0\0" ) ) == 0x0 01844 1736 NtResumeThread (412, ... 1, ) == 0x0 01845 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 43057152, 1048576, ) == 0x0 01846 1736 NtAllocateVirtualMemory (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0 01847 784 NtClose (-2147482564, ... 01848 1480 NtTestAlert (... 01847 784 NtClose ... ) == 0x0 01848 1480 NtTestAlert ... ) == 0x0 01807 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "'3\204\25:(dB\331$\373#\236\350\265-\244\273\251\376\350\312l/\330\357\241\210\333\207\17\301Qzm\220>\300F\234\304\3\362\245t\220\332O\201\26\32\212\217\317\302\317\351\215\34\251!\352\235\257\3278\302\2322\322LD(\313\331al\376>\236\322\350~\321\10n`!H\307\313J\272\302D'\360)\207\304\252\224\246\254\304\340zD\323\363\37z\3761\13\264\330\3349\315\276\316\233\347\360\233\3557\356\320m\244W\317?|7N\200 G\3028\270\6/\35\215\25c\202%\345y\306\2417\352\214\254\357\244d(\373\336$2\275\330\244\13\274\247bz\340\341\346SI\343\363\302\237\331\364\252\32\262\276B\356\336\273\36\200K\237\177T[\272\235b\346\236\12\224Q\354\200[\346\30\5v\327\30\212\277x\224\241\324E\241\307X\221\32\225i\5G~\373\300g{\331*\246\36.\346\33r\343\375\177\#i%", ) , ) == 0x0 01849 1480 NtContinue (43056432, 1, ... 
01850 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16\14\340\220\356\207\3\244o\222d\273\2\241\6\354\316\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01851 1480 NtRegisterThreadTerminatePort (24, ... 01852 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01851 1480 NtRegisterThreadTerminatePort ... ) == 0x0 01852 784 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01853 1736 NtProtectVirtualMemory (-1, (0x2a0e000), 4096, 260, ... 01854 1480 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01853 1736 NtProtectVirtualMemory ... (0x2a0e000), 4096, 4, ) == 0x0 01854 1480 NtDuplicateObject ... 416, ) == 0x0 01855 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01856 1480 NtWaitForSingleObject (104, 0, {0, 0}, ... 01855 1736 NtCreateThread ... 420, {1636, 460}, ) == 0x0 01856 1480 NtWaitForSingleObject ... ) == 0x102 01857 1736 NtQueryInformationThread (420, Basic, 28, ... 01858 1480 NtWaitForSingleObject (160, 0, 0x0, ... 01857 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=460,}, 0x0, ) == 0x0 01859 784 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01860 784 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01861 784 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01862 784 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01863 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01864 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01865 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\314\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75573, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\314\1\0\0" ) ) == 0x0 01866 1736 NtResumeThread (420, ... 1, ) == 0x0 01867 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 44105728, 1048576, ) == 0x0 01868 1736 NtAllocateVirtualMemory (-1, 45146112, 0, 8192, 4096, 4, ... 45146112, 8192, ) == 0x0 01869 1736 NtProtectVirtualMemory (-1, (0x2b0e000), 4096, 260, ... (0x2b0e000), 4096, 4, ) == 0x0 01870 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01871 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01872 460 NtTestAlert (... 01871 784 NtCreateKey ... -2147482564, 2, ) == 0x0 01872 460 NtTestAlert ... ) == 0x0 01873 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, ">a\7\370,\204P\202$\6\13\217\35\10\207\358l\364'\217e\206\361x\307W\331\36\226\35i5\322\343\10&TyUw\251\20\254p?\345\221\234\351\262\253Q\204?*\326\257\32\3\354\244\247\234:\243\363\344sH\323\353\311\15\315\240\307\216\2315", 80, ... 
, 0, 3, (-2147482564, "Seed", 0, 3, ">a\7\370,\204P\202$\6\13\217\35\10\207\358l\364'\217e\206\361x\307W\331\36\226\35i5\322\343\10&TyUw\251\20\254p?\345\221\234\351\262\253Q\204?*\326\257\32\3\354\244\247\234:\243\363\344sH\323\353\311\15\315\240\307\216\2315", 80, ... , 80, ... 01874 460 NtContinue (44105008, 1, ... 01873 784 NtSetValueKey ... ) == 0x0 01875 460 NtRegisterThreadTerminatePort (24, ... 01876 784 NtClose (-2147482564, ... 01875 460 NtRegisterThreadTerminatePort ... ) == 0x0 01876 784 NtClose ... ) == 0x0 01870 1736 NtCreateThread ... 424, {1636, 1856}, ) == 0x0 01877 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01878 1736 NtQueryInformationThread (424, Basic, 28, ... 01877 460 NtDuplicateObject ... 428, ) == 0x0 01878 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=1856,}, 0x0, ) == 0x0 01879 460 NtWaitForSingleObject (104, 0, {0, 0}, ... 01880 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0@\7\0\0" ... ... 01879 460 NtWaitForSingleObject ... ) == 0x102 01880 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75574, 0} ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0@\7\0\0" ) ) == 0x0 01881 460 NtWaitForSingleObject (160, 0, 0x0, ... 01850 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\375\371_&\306\315\317\375\233\2C\316\30\332\334\25\370\261g\\4j\360\3760'U\26\343\17\363Fj\255 ?\363\1%\307h\242\7\227M\31\15\33L\:\207\232\27\307\356\346a\206\272WZ\313\13Z\312\315&e\21\13=\226\365\2317o\332\231^\344\2319\230\255g\372\1541>,\377\37\277\37\352\307Vo\305\244\272k\357\5\242\30\340\326\205u\327o\365\305\300#q\345rf\241\361\33\237\325\202\376\14\352\35\3449\247^?V\304\233\242mo\3541\\21H\2226\310\257\25\266\364Z\214\317\236\12[o\253n\344ax\367\24\373y\333\303\3504\25\236\2328\26\372\317\234\322,\317j\37\215\10\207*fzk\251\33X=\22E\251uqU\214\207<\354\330\112)\267_{)\346D\301\360c\263\214'#\227\32\222\213\201\332y)\274M\311?ZS#\257\23j\216Q\6`\316|\374\350sO$8", ) , ) == 0x0 01882 1736 NtResumeThread (424, ... 01883 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16\14\340\220\356\207\3\244, 256, 256, ... , 256, 256, ... 01882 1736 NtResumeThread ... 1, ) == 0x0 01884 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01885 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01884 784 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01885 1736 NtAllocateVirtualMemory ... 45154304, 1048576, ) == 0x0 01886 784 NtQuerySystemInformation (ProcessorTimes, 48, ... 01887 1736 NtAllocateVirtualMemory (-1, 46194688, 0, 8192, 4096, 4, ... 01886 784 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01887 1736 NtAllocateVirtualMemory ... 46194688, 8192, ) == 0x0 01888 1856 NtTestAlert (... 01889 784 NtQuerySystemInformation (Performance, 312, ... 01888 1856 NtTestAlert ... ) == 0x0 01889 784 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01890 1856 NtContinue (45153584, 1, ... 01891 784 NtQuerySystemInformation (Exception, 16, ... 01892 1856 NtRegisterThreadTerminatePort (24, ... 01891 784 NtQuerySystemInformation ... 
{system info, class 33, size 16}, 16, ) == 0x0 01892 1856 NtRegisterThreadTerminatePort ... ) == 0x0 01893 784 NtQuerySystemInformation (Lookaside, 32, ... 01894 1736 NtProtectVirtualMemory (-1, (0x2c0e000), 4096, 260, ... 01893 784 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01894 1736 NtProtectVirtualMemory ... (0x2c0e000), 4096, 4, ) == 0x0 01895 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01896 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01895 1856 NtDuplicateObject ... 432, ) == 0x0 01896 1736 NtCreateThread ... 436, {1636, 1572}, ) == 0x0 01897 1856 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 01898 1736 NtQueryInformationThread (436, Basic, 28, ... 01897 1856 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01898 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=1572,}, 0x0, ) == 0x0 01899 1856 NtWaitForSingleObject (104, 0, {0, 0}, ... 01900 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01901 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01902 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0 01903 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\6S\362\255\17\23\207\250\24\246\16\342\3523\232\350\261\25\37\3656\2\341\311\353T\271\ze3\212@\214\263\205\26\14\30\240yMT,\345\353^\277\240S\247N\3475\214\365\31\32\177\364\32\30\260\232X\323E\227\15\334\320\226\316\274\263\352\213r\354\31", 80, ... 
) , 0, 3, (-2147482564, "Seed", 0, 3, "\6S\362\255\17\23\207\250\24\246\16\342\3523\232\350\261\25\37\3656\2\341\311\353T\271\ze3\212@\214\263\205\26\14\30\240yMT,\345\353^\277\240S\247N\3475\214\365\31\32\177\364\32\30\260\232X\323E\227\15\334\320\226\316\274\263\352\213r\354\31", 80, ... ) , 80, ... ) == 0x0 01904 784 NtClose (-2147482564, ... ) == 0x0 01883 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\321\34C\225\331\252+\34\200\357SA\232\352m\365a\20IU<\203\204\37\301q}\257\211\201\346_\233\32\277\4\201\237\<\361\5:xN\311B\83\276EZ6\274G\7l=\323\3213+\314l]8t\334\200u\373\332q\326\313\2+\274 \16\234\245]\313\300kG{\344\34\225Q\231P\252\254C\31F\340\236\367\35wE\13\266\377'\223\10\301\235r\2115\235\7\213L\371\374\3221_\253NF0$\150g\322CI\346k7\6`W\214\306\341\236\362\272_f\220s\302\351\267;D\32\345\205\305<\373mdWI\255D\31\201\36$:\350k\11l\230\357\313\236VJ\243\245\243;\204\371A\331fk\22\2011\372\332W\305\327\2\311\347\273!\350\3u/D\3X\213\333\255\301\266\315\253|\377\37R\23\377\367", ) \350\3u/D\3X\213\333\255\301\266\315\253|\377\37R\23\377\367", ) == 0x0 01905 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16\14\340\220\356\207\3\244, 256, 256, ... , 256, 256, ... 01906 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0d\6\0\0$\6\0\0" ... ... 01899 1856 NtWaitForSingleObject ... ) == 0x102 01906 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75575, 0} ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0d\6\0\0$\6\0\0" ) ) == 0x0 01907 1856 NtWaitForSingleObject (160, 0, 0x0, ... 01908 1736 NtResumeThread (436, ... 1, ) == 0x0 01909 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
46202880, 1048576, ) == 0x0 01910 1736 NtAllocateVirtualMemory (-1, 47243264, 0, 8192, 4096, 4, ... 47243264, 8192, ) == 0x0 01911 1736 NtProtectVirtualMemory (-1, (0x2d0e000), 4096, 260, ... (0x2d0e000), 4096, 4, ) == 0x0 01912 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01913 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01914 1572 NtTestAlert (... 01913 784 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01914 1572 NtTestAlert ... ) == 0x0 01915 784 NtQuerySystemInformation (ProcessorTimes, 48, ... 01916 1572 NtContinue (46202160, 1, ... 01915 784 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01917 1572 NtRegisterThreadTerminatePort (24, ... 01918 784 NtQuerySystemInformation (Performance, 312, ... 01917 1572 NtRegisterThreadTerminatePort ... ) == 0x0 01918 784 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01912 1736 NtCreateThread ... 440, {1636, 1240}, ) == 0x0 01919 1572 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01920 1736 NtQueryInformationThread (440, Basic, 28, ... 01919 1572 NtDuplicateObject ... 444, ) == 0x0 01920 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=1240,}, 0x0, ) == 0x0 01921 1572 NtWaitForSingleObject (104, 0, {0, 0}, ... 01922 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\330\4\0\0" ... ... 01921 1572 NtWaitForSingleObject ... ) == 0x102 01922 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75576, 0} ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\330\4\0\0" ) ) == 0x0 01923 1572 NtWaitForSingleObject (160, 0, 0x0, ... 01924 784 NtQuerySystemInformation (Exception, 16, ... 01925 1736 NtResumeThread (440, ... 01924 784 NtQuerySystemInformation ... 
{system info, class 33, size 16}, 16, ) == 0x0 01925 1736 NtResumeThread ... 1, ) == 0x0 01926 784 NtQuerySystemInformation (Lookaside, 32, ... 01927 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01926 784 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01927 1736 NtAllocateVirtualMemory ... 47251456, 1048576, ) == 0x0 01928 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01929 1736 NtAllocateVirtualMemory (-1, 48291840, 0, 8192, 4096, 4, ... 01928 784 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01929 1736 NtAllocateVirtualMemory ... 48291840, 8192, ) == 0x0 01930 1240 NtTestAlert (... 01931 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01930 1240 NtTestAlert ... ) == 0x0 01931 784 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01932 1240 NtContinue (47250736, 1, ... 01933 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01934 1240 NtRegisterThreadTerminatePort (24, ... 01933 784 NtCreateKey ... -2147482564, 2, ) == 0x0 01934 1240 NtRegisterThreadTerminatePort ... ) == 0x0 01935 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\202F7\226x(\310zrO1\6\201NJV\211\210\303\277\312\360/\353\305\325F\356\34\264\225\350o,\14`\201\1\313\350\353\16%5\354@JI\265\244$\306Y^N|i\300+Z\\240,,\37\37?\141\353\11\0\13]\305\226\241\217^", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\202F7\226x(\310zrO1\6\201NJV\211\210\303\277\312\360/\353\305\325F\356\34\264\225\350o,\14`\201\1\313\350\353\16%5\354@JI\265\244$\306Y^N|i\300+Z\\240,,\37\37?\141\353\11\0\13]\305\226\241\217^", 80, ... , 80, ... 01936 1736 NtProtectVirtualMemory (-1, (0x2e0e000), 4096, 260, ... 01935 784 NtSetValueKey ... ) == 0x0 01936 1736 NtProtectVirtualMemory ... (0x2e0e000), 4096, 4, ) == 0x0 01937 1240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01938 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01937 1240 NtDuplicateObject ... 448, ) == 0x0 01938 1736 NtCreateThread ... 452, {1636, 1156}, ) == 0x0 01939 1240 NtWaitForSingleObject (104, 0, {0, 0}, ... 01940 1736 NtQueryInformationThread (452, Basic, 28, ... 01939 1240 NtWaitForSingleObject ... ) == 0x102 01940 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=1156,}, 0x0, ) == 0x0 01941 1240 NtWaitForSingleObject (160, 0, 0x0, ... 01942 784 NtClose (-2147482564, ... 01943 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\204\4\0\0" ... ... 01942 784 NtClose ... ) == 0x0 01943 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75577, 0} ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\204\4\0\0" ) ) == 0x0 01905 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "`O\202g\237\235;\320\270!AA;\267\210\222\13\3040\357\225\226_\2244~\2534\35\265\322\15\177>_\266\353\255s'\307J1\2WmF\246Z\2m\370x\201#\207\211\334TK5\215\32\320 \33\225\336e]m\4\375\330\337\312{'\221\360v'\351\356\32J\236\237E\325+\22\344)];c\11\373a\361\202B\237\310H`\357w\226\241\364N\15\347\211\260\27|\360\205\372\236L=F_\276\234<>\36\35<\4\315\277\362\373:\223\350d\25\225y8QH\212\223\231'\217\315}\26\244\352\245\272;\11\314\271\333U\224\201\3\255\5d+\222\235_\0\333\316\321\36\254\225\224Q1\225s\222D\0\314\272}J\273\322\231\364\207\15G{\231\211\342jF\330\200\3365\254\1\17\204I\221\336Q1M\237\177\231\2245\361j9k!{Z\306\256\310\255^\273\212"\6\2_\271\22\336\17_\33\216\260", ) \6\2_\271\22\336\17_\33\216\260", ) == 0x0 01944 1736 NtResumeThread (452, ... 01945 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16\14\340\220\356\207\3\244, 256, 256, ... 
, 256, 256, ... 01944 1736 NtResumeThread ... 1, ) == 0x0 01946 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01947 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01946 784 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01948 1156 NtTestAlert (... 01947 1736 NtAllocateVirtualMemory ... 48300032, 1048576, ) == 0x0 01948 1156 NtTestAlert ... ) == 0x0 01949 1736 NtAllocateVirtualMemory (-1, 49340416, 0, 8192, 4096, 4, ... 01950 1156 NtContinue (48299312, 1, ... 01949 1736 NtAllocateVirtualMemory ... 49340416, 8192, ) == 0x0 01951 1156 NtRegisterThreadTerminatePort (24, ... 01952 1736 NtProtectVirtualMemory (-1, (0x2f0e000), 4096, 260, ... 01951 1156 NtRegisterThreadTerminatePort ... ) == 0x0 01952 1736 NtProtectVirtualMemory ... (0x2f0e000), 4096, 4, ) == 0x0 01953 784 NtQuerySystemInformation (ProcessorTimes, 48, ... 01954 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01953 784 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01955 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01956 784 NtQuerySystemInformation (Performance, 312, ... 01955 1156 NtDuplicateObject ... 456, ) == 0x0 01956 784 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01957 1156 NtWaitForSingleObject (104, 0, {0, 0}, ... 01958 784 NtQuerySystemInformation (Exception, 16, ... 01957 1156 NtWaitForSingleObject ... ) == 0x102 01958 784 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01959 1156 NtWaitForSingleObject (160, 0, 0x0, ... 01954 1736 NtCreateThread ... 460, {1636, 712}, ) == 0x0 01960 784 NtQuerySystemInformation (Lookaside, 32, ... 01961 1736 NtQueryInformationThread (460, Basic, 28, ... 01960 784 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01961 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=712,}, 0x0, ) == 0x0 01962 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01963 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0\310\2\0\0" ... ... 01962 784 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01963 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75578, 0} ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0\310\2\0\0" ) ) == 0x0 01964 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01965 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0 01966 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\250\230\257\235#\327=\253\271\331\276\365xN\342\371S\257\371\273\32\37\36\360\0\377\33yr\315#\245\350g\301\271\320g*Y\36Dr\276!\13\3271x\22i\272&XxP\303\201\345u\3406\216\0\210\277\34\322\11n\335\232v\330\250b6\213\362\237", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "\250\230\257\235#\327=\253\271\331\276\365xN\342\371S\257\371\273\32\37\36\360\0\377\33yr\315#\245\350g\301\271\320g*Y\36Dr\276!\13\3271x\22i\272&XxP\303\201\345u\3406\216\0\210\277\34\322\11n\335\232v\330\250b6\213\362\237", 80, ... ) , 80, ... ) == 0x0 01967 784 NtClose (-2147482564, ... ) == 0x0 01968 1736 NtResumeThread (460, ... 1, ) == 0x0 01969 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 49348608, 1048576, ) == 0x0 01970 1736 NtAllocateVirtualMemory (-1, 50388992, 0, 8192, 4096, 4, ... 50388992, 8192, ) == 0x0 01971 1736 NtProtectVirtualMemory (-1, (0x300e000), 4096, 260, ... (0x300e000), 4096, 4, ) == 0x0 01972 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
464, {1636, 212}, ) == 0x0 01973 1736 NtQueryInformationThread (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=212,}, 0x0, ) == 0x0 01945 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "47\267\240\357#mY\201Q?^\273[\272N:\3\211\323\g\376}6\376\247\376\236j_X(\235\337\275\215\207\221\376\311\303\241\246\222\271\340\204\346\301\313\231&\240\337\274\1'`Wy\36\327\326\376W`\177\32 x\361\341k\376I\233\205\204\207\306\22\244[\345\250xB\253w'\245\2478\60\326\227B\27(QH\202s5K\322\255D4k", ) \326\376W`\177\32 x\361\341k\376I\233\205\204\207\306\22\244[\345\250xB\253w'\245\2478\60\326\227B\27(QH\202s5K\322\255D4k", ) == 0x0 01974 712 NtTestAlert (... 01975 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16\14\340\220\356\207\3\244, 256, 256, ... , 256, 256, ... 01974 712 NtTestAlert ... ) == 0x0 01976 784 NtQuerySystemInformation (TimeOfDay, 48, ... 01977 712 NtContinue (49347888, 1, ... 01976 784 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01978 712 NtRegisterThreadTerminatePort (24, ... 01979 784 NtQuerySystemInformation (ProcessorTimes, 48, ... 01978 712 NtRegisterThreadTerminatePort ... ) == 0x0 01979 784 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01980 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0\324\0\0\0" ... ... 01981 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01980 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75579, 0} ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0\324\0\0\0" ) ) == 0x0 01981 712 NtDuplicateObject ... 468, ) == 0x0 01982 1736 NtResumeThread (464, ... 01983 712 NtWaitForSingleObject (104, 0, {0, 0}, ... 01982 1736 NtResumeThread ... 
1, ) == 0x0 01983 712 NtWaitForSingleObject ... ) == 0x102 01984 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01985 712 NtWaitForSingleObject (160, 0, 0x0, ... 01986 784 NtQuerySystemInformation (Performance, 312, ... 01987 212 NtTestAlert (... 01984 1736 NtAllocateVirtualMemory ... 50397184, 1048576, ) == 0x0 01986 784 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01987 212 NtTestAlert ... ) == 0x0 01988 1736 NtAllocateVirtualMemory (-1, 51437568, 0, 8192, 4096, 4, ... 01989 784 NtQuerySystemInformation (Exception, 16, ... 01990 212 NtContinue (50396464, 1, ... 01988 1736 NtAllocateVirtualMemory ... 51437568, 8192, ) == 0x0 01989 784 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01991 212 NtRegisterThreadTerminatePort (24, ... 01992 1736 NtProtectVirtualMemory (-1, (0x310e000), 4096, 260, ... 01993 784 NtQuerySystemInformation (Lookaside, 32, ... 01991 212 NtRegisterThreadTerminatePort ... ) == 0x0 01992 1736 NtProtectVirtualMemory ... (0x310e000), 4096, 4, ) == 0x0 01993 784 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01994 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01995 212 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01996 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01995 212 NtDuplicateObject ... 472, ) == 0x0 01996 784 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01997 212 NtWaitForSingleObject (104, 0, {0, 0}, ... 01998 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01997 212 NtWaitForSingleObject ... ) == 0x102 01998 784 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01999 212 NtWaitForSingleObject (160, 0, 0x0, ... 02000 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01994 1736 NtCreateThread ... 
476, {1636, 1536}, ) == 0x0 02000 784 NtCreateKey ... -2147482564, 2, ) == 0x0 02001 1736 NtQueryInformationThread (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1536,}, 0x0, ) == 0x0 02002 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0\0\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75580, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0\0\6\0\0" ) ) == 0x0 02003 1736 NtResumeThread (476, ... 1, ) == 0x0 02004 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 51445760, 1048576, ) == 0x0 02005 1736 NtAllocateVirtualMemory (-1, 52486144, 0, 8192, 4096, 4, ... 52486144, 8192, ) == 0x0 02006 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\261\24\2\301]'\377\255\212e1\346G\10B\224\343g\306\317\10iC>:\336\207\20\3717\312\220\0kxx\227\331\20\27\351\200\344\4\35\345\337&\362%\214$'\24\15\337\334F\341v\213FF\201\242r\311N\11J\347\306K\160\6D2\321\5", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\261\24\2\301]'\377\255\212e1\346G\10B\224\343g\306\317\10iC>:\336\207\20\3717\312\220\0kxx\227\331\20\27\351\200\344\4\35\345\337&\362%\214$'\24\15\337\334F\341v\213FF\201\242r\311N\11J\347\306K\160\6D2\321\5", 80, ... , 80, ... 02007 1536 NtTestAlert (... 02006 784 NtSetValueKey ... ) == 0x0 02007 1536 NtTestAlert ... ) == 0x0 02008 784 NtClose (-2147482564, ... 02009 1536 NtContinue (51445040, 1, ... 02008 784 NtClose ... ) == 0x0 02010 1536 NtRegisterThreadTerminatePort (24, ... 01975 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "9\177'Xy\357<\210\346\244\312\352\226u\22A\251xH\217E\352\376\335\344\22\0\246A\27\3739\336Ht\247\333\34\215T\353\3636^\217;\376\3\2\307.\211Ko\371\363\256\272\263\245\230f\277_'Q\344#\334\223v\217\306\221%\231\31\27\315\351\246y\12\365]\325\343\371\14f\247r\330F\313\301`k\267\367\250\306\263\363\310\361\205\273\15\235\337\33O\233\240^]\337\lg_\374\342pf\225b\263\344GD,\306\364\255\344\31\323\246\263\3112>C.\222\337\212\261\320\301 X\322\215v\0\354\315(\327\324\213\322p\367IG\364\252\324\1\13|m\223o\207i\11\223\37\226\251w\376\322\316\324}.\352P>\10\256\317\350\376\341\1771\273`\202]\350\3\37d\256\335\3d\202\344\235\310\231m\373\350$\314\344\17\266\31\17k\345\246d\355O\330\336\34r9\333!\4\322\6.ch\372\324_\342c9", ) , ) == 0x0 02010 1536 NtRegisterThreadTerminatePort ... ) == 0x0 02011 784 NtDeviceIoControlFile (332, 0, 0x0, 0x0, 0x390008, (332, 0, 0x0, 0x0, 0x390008, "\204\356\21\252*H\1774\3421\350\223\35\16\14\340\220\356\207\3\244, 256, 256, ... , 256, 256, ... 02012 1736 NtProtectVirtualMemory (-1, (0x320e000), 4096, 260, ... 02013 1536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02012 1736 NtProtectVirtualMemory ... (0x320e000), 4096, 4, ) == 0x0 02013 1536 NtDuplicateObject ... 480, ) == 0x0 02014 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02015 1536 NtWaitForSingleObject (104, 0, {0, 0}, ... 02014 1736 NtCreateThread ... 484, {1636, 444}, ) == 0x0 02015 1536 NtWaitForSingleObject ... ) == 0x102 02016 1736 NtQueryInformationThread (484, Basic, 28, ... 02017 1536 NtWaitForSingleObject (160, 0, 0x0, ... 02016 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=444,}, 0x0, ) == 0x0 02018 784 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02019 784 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02020 784 NtQuerySystemInformation (Performance, 312, ... 
{system info, class 2, size 312}, 312, ) == 0x0 02021 784 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02022 784 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02023 784 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 02024 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\274\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\274\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75581, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\274\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\274\1\0\0" ) ) == 0x0 02025 1736 NtResumeThread (484, ... 1, ) == 0x0 02026 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 52494336, 1048576, ) == 0x0 02027 1736 NtAllocateVirtualMemory (-1, 53534720, 0, 8192, 4096, 4, ... 53534720, 8192, ) == 0x0 02028 1736 NtProtectVirtualMemory (-1, (0x330e000), 4096, 260, ... (0x330e000), 4096, 4, ) == 0x0 02029 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02030 784 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02031 444 NtTestAlert (... 02030 784 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02031 444 NtTestAlert ... ) == 0x0 02032 784 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02033 444 NtContinue (52493616, 1, ... 02032 784 NtCreateKey ... -2147482564, 2, ) == 0x0 02034 444 NtRegisterThreadTerminatePort (24, ... 
02035 784 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "s\377\274\213\333\370\6\1u\322\0-'\305b\2445\231\230\337vh\1\3?\353<"\222\20\27%Y\3B\346|\26,HW\321%\305V\333\216{\365\201K{\264\326\313\221\2\363\306\324\252\341\\340\313\36\363\206\207\336BiP\257\332t\6<\232", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "s\377\274\213\333\370\6\1u\322\0-'\305b\2445\231\230\337vh\1\3?\353<"\222\20\27%Y\3B\346|\26,HW\321%\305V\333\216{\365\201K{\264\326\313\221\2\363\306\324\252\341\\340\313\36\363\206\207\336BiP\257\332t\6<\232", 80, ... \222\20\27%Y\3B\346|\26,HW\321%\305V\333\216{\365\201K{\264\326\313\221\2\363\306\324\252\341\\340\313\36\363\206\207\336BiP\257\332t\6<\232", 80, ... 02034 444 NtRegisterThreadTerminatePort ... ) == 0x0 02035 784 NtSetValueKey ... ) == 0x0 02029 1736 NtCreateThread ... 488, {1636, 1904}, ) == 0x0 02036 444 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02037 1736 NtQueryInformationThread (488, Basic, 28, ... 02036 444 NtDuplicateObject ... 492, ) == 0x0 02037 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=1904,}, 0x0, ) == 0x0 02038 444 NtWaitForSingleObject (104, 0, {0, 0}, ... 02039 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0p\7\0\0" ... ... 02038 444 NtWaitForSingleObject ... ) == 0x102 02039 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75582, 0} ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0p\7\0\0" ) ) == 0x0 02040 444 NtWaitForSingleObject (160, 0, 0x0, ... 02041 784 NtClose (-2147482564, ... 02042 1736 NtResumeThread (488, ... 02041 784 NtClose ... ) == 0x0 02042 1736 NtResumeThread ... 1, ) == 0x0 02011 784 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, ">\356\303x\201\342*\124\256\301H\310\17\204.Tv\373hKD\375\365T(\264\277\221\2545>\321\326\223\26\210\3Y\320\206#\365]z\274\31Z\276\234\265\246|\330\217\266M\220\34\325j\242V0\303S\266\307\235\275\323\24\265*\272\276+\251\3044\27\\11\301\242\337\346\300\261\352\376\23/\365"N\2726\363\346\32\311\376\244\206\14pa*1\243\254\226Es>(F\350CE\244\341\247\261h\252\266X-o\233\272\240g\37\13KcrcO1\337\321\253\311\1 \312\245T\263X"o\331\3)g\35\6\31\7\322.+\353"\10\226\341\16\213\321\341\4\375\304\217\236M\354m\335\217\3\377\357\225\222\211\267k\337\312\273\34\376\204\361\332\261\264M\277\263\373M\25\26\240Q\325w\216/\27\37\4\11\34\6\367\276\363\273\325\3277\21\217\3353\257cD\20\221q\304\362\224x\302\21Q\264k\337S\1\204\11\374\245", ) N\2726\363\346\32\311\376\244\206\14pa*1\243\254\226Es>(F\350CE\244\341\247\261h\252\266X-o\233\272\240g\37\13KcrcO1\337\321\253\311\1 \312\245T\263X ... {status=0x0, info=256}, ">\356\303x\201\342*\124\256\301H\310\17\204.Tv\373hKD\375\365T(\264\277\221\2545>\321\326\223\26\210\3Y\320\206#\365]z\274\31Z\276\234\265\246|\330\217\266M\220\34\325j\242V0\303S\266\307\235\275\323\24\265*\272\276+\251\3044\27\\11\301\242\337\346\300\261\352\376\23/\365"N\2726\363\346\32\311\376\244\206\14pa*1\243\254\226Es>(F\350CE\244\341\247\261h\252\266X-o\233\272\240g\37\13KcrcO1\337\321\253\311\1 \312\245T\263X"o\331\3)g\35\6\31\7\322.+\353"\10\226\341\16\213\321\341\4\375\304\217\236M\354m\335\217\3\377\357\225\222\211\267k\337\312\273\34\376\204\361\332\261\264M\277\263\373M\25\26\240Q\325w\216/\27\37\4\11\34\6\367\276\363\273\325\3277\21\217\3353\257cD\20\221q\304\362\224x\302\21Q\264k\337S\1\204\11\374\245", ) \10\226\341\16\213\321\341\4\375\304\217\236M\354m\335\217\3\377\357\225\222\211\267k\337\312\273\34\376\204\361\332\261\264M\277\263\373M\25\26\240Q\325w\216/\27\37\4\11\34\6\367\276\363\273\325\3277\21\217\3353\257cD\20\221q\304\362\224x\302\21Q\264k\337S\1\204\11\374\245", ) == 0x0 02043 1736 NtAllocateVirtualMemory (-1, 0, 0, 
1048576, 8192, 4, ... 02044 784 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02043 1736 NtAllocateVirtualMemory ... 53542912, 1048576, ) == 0x0 02044 784 NtCreateEvent ... 496, ) == 0x0 02045 1736 NtAllocateVirtualMemory (-1, 54583296, 0, 8192, 4096, 4, ... 02046 784 NtSetEventBoostPriority (404, ... 02045 1736 NtAllocateVirtualMemory ... 54583296, 8192, ) == 0x0 02047 1904 NtTestAlert (... 01841 1276 NtWaitForSingleObject ... ) == 0x0 02046 784 NtSetEventBoostPriority ... ) == 0x0 02047 1904 NtTestAlert ... ) == 0x0 02048 1276 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 02049 784 NtWaitForSingleObject (324, 0, 0x0, ... 02050 1904 NtContinue (53542192, 1, ... 02048 1276 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 02051 1904 NtRegisterThreadTerminatePort (24, ... 02052 1276 NtSetEventBoostPriority (324, ... 02051 1904 NtRegisterThreadTerminatePort ... ) == 0x0 02053 1736 NtProtectVirtualMemory (-1, (0x340e000), 4096, 260, ... 02049 784 NtWaitForSingleObject ... ) == 0x0 02052 1276 NtSetEventBoostPriority ... ) == 0x0 02053 1736 NtProtectVirtualMemory ... (0x340e000), 4096, 4, ) == 0x0 02054 784 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789420, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789420, 188, ... 02055 1276 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 02056 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02055 1276 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 02056 1736 NtCreateThread ... 500, {1636, 1944}, ) == 0x0 02057 1276 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02058 1736 NtQueryInformationThread (500, Basic, 28, ... 02057 1276 NtCreateEvent ... 504, ) == 0x0 02058 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1944,}, 0x0, ) == 0x0 02059 1276 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... 02060 1904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02054 784 NtConnectPort ... 508, 0x0, 0x0, 0x0, 188, ) == 0x0 02061 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0\230\7\0\0" ... ... 02060 1904 NtDuplicateObject ... 512, ) == 0x0 02062 784 NtRequestWaitReplyPort (508, {200, 224, new_msg, 0, 1329576, 12, 2, 1310721} (508, {200, 224, new_msg, 0, 1329576, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\11\335$\215\303\310\343\317XG\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\310;\25\0O\37\340\275x\1\24\0PG\25\0h\1\24\0\0\0\0\0\0\0\0\0PG\25\0P\0\0\0XG\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\360\0\372\31\221|\200\363\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02061 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75584, 0} ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0\230\7\0\0" ) ) == 0x0 02063 1904 NtWaitForSingleObject (104, 0, {0, 0}, ... 02064 1736 NtResumeThread (500, ... 02063 1904 NtWaitForSingleObject ... ) == 0x102 02062 784 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 784, 75585, 0} ... {200, 224, reply, 0, 1636, 784, 75585, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\11\335$\215\303\310\343\317XG\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\310;\25\0O\37\340\275x\1\24\0PG\25\0h\1\24\0\0\0\0\0\0\0\0\0PG\25\0P\0\0\0XG\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\360\0\372\31\221|\200\363\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02064 1736 NtResumeThread ... 1, ) == 0x0 02065 1904 NtWaitForSingleObject (160, 0, 0x0, ... 
02066 784 NtRequestWaitReplyPort (508, {44, 68, new_msg, 0, 1636, 784, 75568, 0} (508, {44, 68, new_msg, 0, 1636, 784, 75568, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 02067 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02059 1276 NtConnectPort ... 516, 0x0, 0x0, 0x0, 188, ) == 0x0 02068 1944 NtTestAlert (... 02069 1276 NtRequestWaitReplyPort (516, {200, 224, new_msg, 0, 2883626, 1363432, 12, 2} (516, {200, 224, new_msg, 0, 2883626, 1363432, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\231\320\242\2069\6\324R\240R\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0xR\25\0\373\366/(x\1\24\0\230R\25\0h\1\24\0\0\0\0\0\0\0\0\0\230R\25\0P\0\0\0\240R\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 02068 1944 NtTestAlert ... ) == 0x0 02070 1944 NtContinue (54590768, 1, ... 02071 1944 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02069 1276 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 1276, 75588, 0} ... {200, 224, reply, 0, 1636, 1276, 75588, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\231\320\242\2069\6\324R\240R\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0xR\25\0\373\366/(x\1\24\0\230R\25\0h\1\24\0\0\0\0\0\0\0\0\0\230R\25\0P\0\0\0\240R\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 02067 1736 NtAllocateVirtualMemory ... 54591488, 1048576, ) == 0x0 02066 784 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 784, 75587, 0} ... 
{40, 64, reply, 0, 1636, 784, 75587, 0} "\2\332\243\201\4\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\320\1\0\0X-\12\0" ) ) == 0x0 02072 1276 NtRequestWaitReplyPort (516, {44, 68, new_msg, 56, 0, 0, 0, 0} (516, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\260W\25\0\322\0\0\0" ... ... 02073 1736 NtAllocateVirtualMemory (-1, 55631872, 0, 8192, 4096, 4, ... 02074 784 NtRequestWaitReplyPort (508, {64, 88, new_msg, 56, 1377848, 15789932, 15790032, 0} (508, {64, 88, new_msg, 56, 1377848, 15789932, 15790032, 0} "\10\357\360\0@\0\25\0\346\277\347w\320\357\360\0l\357\360\0\20\0\0\0\250.\362v\254\6\25\0\1\0\0\0\250X\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0(\347\24\0" ... ... 02075 1944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02073 1736 NtAllocateVirtualMemory ... 55631872, 8192, ) == 0x0 02075 1944 NtDuplicateObject ... 520, ) == 0x0 02076 1736 NtProtectVirtualMemory (-1, (0x350e000), 4096, 260, ... 02074 784 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 784, 75589, 0} ... {64, 88, reply, 56, 1636, 784, 75589, 0} "\10\357\360\0@\0\25\0\346\277\347w\320\357\360\0l\357\360\0\20\0\0\0\250.\362v\254\6\25\0\1\0\0\0\250X\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0(\347\24\0" ) ) == 0x0 02077 1944 NtWaitForSingleObject (104, 0, {0, 0}, ... 02076 1736 NtProtectVirtualMemory ... (0x350e000), 4096, 4, ) == 0x0 02078 784 NtClose (496, ... 02077 1944 NtWaitForSingleObject ... ) == 0x102 02079 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02078 784 NtClose ... ) == 0x0 02080 1944 NtWaitForSingleObject (160, 0, 0x0, ... 02072 1276 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 1276, 75590, 0} ... {40, 64, reply, 0, 1636, 1276, 75590, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200\323\1\0\0\350\370\14\0" ) ) == 0x0 02079 1736 NtCreateThread ... 
496, {1636, 1020}, ) == 0x0 02081 784 NtClose (508, ... 02082 1276 NtRequestWaitReplyPort (516, {64, 88, new_msg, 56, 1310720, 11596276, 1398696, 0} (516, {64, 88, new_msg, 56, 1310720, 11596276, 1398696, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\20^\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02083 1736 NtQueryInformationThread (496, Basic, 28, ... 02081 784 NtClose ... ) == 0x0 02083 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=1020,}, 0x0, ) == 0x0 02084 784 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 02082 1276 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 1276, 75592, 0} ... {64, 88, reply, 56, 1636, 1276, 75592, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\20^\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02085 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0\374\3\0\0" ... ... 02084 784 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 02086 1276 NtWaitForSingleObject (324, 0, 0x0, ... 02085 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75593, 0} ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0\374\3\0\0" ) ) == 0x0 02087 784 NtSetEventBoostPriority (324, ... 02086 1276 NtWaitForSingleObject ... ) == 0x0 02088 1276 NtRequestWaitReplyPort (516, {44, 68, new_msg, 56, 1636, 1276, 75590, 0} (516, {44, 68, new_msg, 56, 1636, 1276, 75590, 0} "\1\356\0\0B\2\3\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\260W\25\0\322\0\0\0" ... ... 02087 784 NtSetEventBoostPriority ... ) == 0x0 02088 1276 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 1276, 75594, 0} ... 
{40, 64, reply, 0, 1636, 1276, 75594, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" ) ) == 0x0 02089 1736 NtResumeThread (496, ... 02090 1276 NtRequestWaitReplyPort (516, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} (516, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\340i\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02089 1736 NtResumeThread ... 1, ) == 0x0 02091 784 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02092 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02091 784 NtCreateKey ... 508, 2, ) == 0x0 02092 1736 NtAllocateVirtualMemory ... 55640064, 1048576, ) == 0x0 02093 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02094 1736 NtAllocateVirtualMemory (-1, 56680448, 0, 8192, 4096, 4, ... 02093 784 NtOpenKey ... 524, ) == 0x0 02094 1736 NtAllocateVirtualMemory ... 56680448, 8192, ) == 0x0 02095 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02090 1276 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 1276, 75595, 0} ... {64, 88, reply, 56, 1636, 1276, 75595, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\340i\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02096 1020 NtTestAlert (... 02095 784 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02097 1276 NtRequestWaitReplyPort (516, {44, 68, new_msg, 56, 1636, 1276, 75594, 0} (516, {44, 68, new_msg, 56, 1636, 1276, 75594, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\260W\25\0\322\0\0\0" ... ... 02096 1020 NtTestAlert ... ) == 0x0 02098 1736 NtProtectVirtualMemory (-1, (0x360e000), 4096, 260, ... 02099 1020 NtContinue (55639344, 1, ... 02098 1736 NtProtectVirtualMemory ... (0x360e000), 4096, 4, ) == 0x0 02097 1276 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 1276, 75596, 0} ... {40, 64, reply, 0, 1636, 1276, 75596, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" ) ) == 0x0 02100 1020 NtRegisterThreadTerminatePort (24, ... 02101 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02102 1276 NtRequestWaitReplyPort (516, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} (516, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\200l\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02100 1020 NtRegisterThreadTerminatePort ... ) == 0x0 02101 1736 NtCreateThread ... 528, {1636, 1524}, ) == 0x0 02103 784 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 02102 1276 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 1276, 75597, 0} ... {64, 88, reply, 56, 1636, 1276, 75597, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\200l\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02104 1736 NtQueryInformationThread (528, Basic, 28, ... 02103 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02105 1276 NtClose (504, ... 02104 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1524,}, 0x0, ) == 0x0 02106 784 NtQueryValueKey (508, (508, "Domain", Partial, 144, ... , Partial, 144, ... 02105 1276 NtClose ... ) == 0x0 02107 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02106 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02108 1276 NtClose (516, ... 02107 1020 NtDuplicateObject ... 504, ) == 0x0 02109 784 NtQueryValueKey (508, (508, "Domain", Partial, 144, ... , Partial, 144, ... 02108 1276 NtClose ... ) == 0x0 02110 1020 NtWaitForSingleObject (104, 0, {0, 0}, ... 02109 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02111 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\364\5\0\0" ... ... 02110 1020 NtWaitForSingleObject ... ) == 0x102 02112 1276 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02111 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75599, 0} ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\364\5\0\0" ) ) == 0x0 02113 1020 NtWaitForSingleObject (160, 0, 0x0, ... 02112 1276 NtCreateEvent ... 516, ) == 0x0 02114 1736 NtResumeThread (528, ... 02115 784 NtClose (508, ... 02116 1276 NtOpenThreadToken (-2, 0xc, 1, ... 02114 1736 NtResumeThread ... 1, ) == 0x0 02115 784 NtClose ... ) == 0x0 02116 1276 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02117 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02118 784 NtClose (524, ... 02119 1276 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02120 1524 NtTestAlert (... 02118 784 NtClose ... ) == 0x0 02119 1276 NtCreateEvent ... 524, ) == 0x0 02120 1524 NtTestAlert ... ) == 0x0 02121 784 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 
02117 1736 NtAllocateVirtualMemory ... 56688640, 1048576, ) == 0x0 02122 1524 NtContinue (56687920, 1, ... 02121 784 NtOpenKey ... 508, ) == 0x0 02123 1736 NtAllocateVirtualMemory (-1, 57729024, 0, 8192, 4096, 4, ... 02124 1524 NtRegisterThreadTerminatePort (24, ... 02125 1276 NtOpenThreadToken (-2, 0xc, 1, ... 02123 1736 NtAllocateVirtualMemory ... 57729024, 8192, ) == 0x0 02124 1524 NtRegisterThreadTerminatePort ... ) == 0x0 02125 1276 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02126 1736 NtProtectVirtualMemory (-1, (0x370e000), 4096, 260, ... 02127 784 NtQueryValueKey (508, (508, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 02128 1276 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02126 1736 NtProtectVirtualMemory ... (0x370e000), 4096, 4, ) == 0x0 02127 784 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02128 1276 NtSetInformationThread ... ) == 0x0 02129 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02130 784 NtClose (508, ... 02131 1276 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 11595968, (0xc0100080, {24, 0, 0x40, 0, 11595968, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 02132 1524 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02130 784 NtClose ... ) == 0x0 02131 1276 NtCreateFile ... 508, {status=0x0, info=1}, ) == 0x0 02132 1524 NtDuplicateObject ... 532, ) == 0x0 02133 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15789008, ... }, 15789008, ... 02134 1524 NtWaitForSingleObject (104, 0, {0, 0}, ... 02133 784 NtQueryAttributesFile ... ) == 0x0 02134 1524 NtWaitForSingleObject ... ) == 0x102 02135 1276 NtSetInformationFile (508, 11596024, 8, Pipe, ... 02129 1736 NtCreateThread ... 536, {1636, 276}, ) == 0x0 02136 1524 NtWaitForSingleObject (160, 0, 0x0, ... 02135 1276 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02137 1736 NtQueryInformationThread (536, Basic, 28, ... 
02138 784 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02139 1276 NtSetInformationFile (508, 11596012, 8, Completion, ... 02137 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=276,}, 0x0, ) == 0x0 02138 784 NtOpenFile ... 540, {status=0x0, info=1}, ) == 0x0 02139 1276 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02140 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0d\6\0\0\24\1\0\0" ... ... 02141 784 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 540, ... 02142 1276 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02140 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75600, 0} ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0d\6\0\0\24\1\0\0" ) ) == 0x0 02141 784 NtCreateSection ... 544, ) == 0x0 02142 1276 NtSetInformationThread ... ) == 0x0 02143 784 NtClose (540, ... 02144 1736 NtResumeThread (536, ... 02143 784 NtClose ... ) == 0x0 02144 1736 NtResumeThread ... 1, ) == 0x0 02145 1276 NtWriteFile (508, 189, 0, 0, (508, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 02146 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02145 1276 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 02146 1736 NtAllocateVirtualMemory ... 57737216, 1048576, ) == 0x0 02147 1276 NtReadFile (508, 189, 0, 0, 1024, {0, 0}, 0, ... 02148 1736 NtAllocateVirtualMemory (-1, 58777600, 0, 8192, 4096, 4, ... 02147 1276 NtReadFile ... {status=0x0, info=68}, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02148 1736 NtAllocateVirtualMemory ... 58777600, 8192, ) == 0x0 02149 1276 NtFsControlFile (508, 189, 0x0, 0x0, 0x11c017, (508, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\260\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 02150 784 NtMapViewOfSection (544, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02151 276 NtWaitForSingleObject (128, 0, 0x0, ... 02149 1276 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02150 784 NtMapViewOfSection ... (0x360000), 0x0, 20480, ) == 0x0 02152 1736 NtProtectVirtualMemory (-1, (0x380e000), 4096, 260, ... 02153 784 NtClose (544, ... 02152 1736 NtProtectVirtualMemory ... (0x380e000), 4096, 4, ) == 0x0 02153 784 NtClose ... ) == 0x0 02154 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02155 784 NtUnmapViewOfSection (-1, 0x360000, ... 02154 1736 NtCreateThread ... 544, {1636, 1496}, ) == 0x0 02155 784 NtUnmapViewOfSection ... ) == 0x0 02156 1736 NtQueryInformationThread (544, Basic, 28, ... 02157 1276 NtFsControlFile (508, 189, 0x0, 0x0, 0x11c017, (508, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256\1\0\0\0\1\0\0\0&\0(\0\10n\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 02156 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=1496,}, 0x0, ) == 0x0 02157 1276 NtFsControlFile ... {status=0x103, info=48}, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256\0\0\0\0", ) , ) == 0x103 02158 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15789316, ... }, 15789316, ... 02159 1276 NtFsControlFile (508, 189, 0x0, 0x0, 0x11c017, (508, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256", 44, 1024, ... , 44, 1024, ... 02158 784 NtQueryAttributesFile ... ) == 0x0 02159 1276 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0XN\25\0\1\0\0\0dN\25\0 \0\0\0\1\0\0\0\30\0\32\0pN\25\0\214N\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\300N\25\0\1\0\0\0\5\0\15\0\320N\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02160 784 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02161 1276 NtClose (524, ... 02160 784 NtOpenFile ... 540, {status=0x0, info=1}, ) == 0x0 02161 1276 NtClose ... ) == 0x0 02162 784 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 540, ... 02163 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0\330\5\0\0" ... ... 02162 784 NtCreateSection ... 524, ) == 0x0 02163 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75601, 0} ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0\330\5\0\0" ) ) == 0x0 02164 1276 NtClose (508, ... 02165 1736 NtResumeThread (544, ... 02164 1276 NtClose ... ) == 0x0 02165 1736 NtResumeThread ... 1, ) == 0x0 02166 1276 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1329576, 0x0, 11597892, 188, ... 
, {12, 2, 1, 1}, 0x0, 1329576, 0x0, 11597892, 188, ... 02167 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02166 1276 NtSecureConnectPort ... 508, 0x0, 0x0, 0x0, 188, ) == 0x0 02168 784 NtQuerySection (524, Image, 48, ... 02169 1496 NtWaitForSingleObject (128, 0, 0x0, ... 02170 1276 NtOpenThreadToken (-2, 0xc, 1, ... 02168 784 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 02167 1736 NtAllocateVirtualMemory ... 58785792, 1048576, ) == 0x0 02171 784 NtClose (540, ... 02172 1736 NtAllocateVirtualMemory (-1, 59826176, 0, 8192, 4096, 4, ... 02170 1276 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02172 1736 NtAllocateVirtualMemory ... 59826176, 8192, ) == 0x0 02173 1276 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02174 1736 NtProtectVirtualMemory (-1, (0x390e000), 4096, 260, ... 02173 1276 NtSetInformationThread ... ) == 0x0 02174 1736 NtProtectVirtualMemory ... (0x390e000), 4096, 4, ) == 0x0 02175 1276 NtRequestWaitReplyPort (508, {200, 224, new_msg, 0, 1363432, 12, 2, 1310977} (508, {200, 224, new_msg, 0, 1363432, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\350\302\204@ \6\241&\37\14\243\215;&\2=\12\0\0\0yE7@\207\226\371\255\0\0\0\0\300'\25\0o\260x\214uN\321\246(\0\0\0\31\331\0C\0\0\24\0\240\366\260\0\23d\356\302\0\0\0\0\330>\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02176 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02171 784 NtClose ... ) == 0x0 02177 784 NtMapViewOfSection (524, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 32768, ) == 0x0 02178 784 NtClose (524, ... ) == 0x0 02179 784 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 
(0x76fb1000), 4096, 32, ) == 0x0 02180 784 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 02181 784 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 02182 784 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 02176 1736 NtCreateThread ... 524, {1636, 1500}, ) == 0x0 02175 1276 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 1276, 75603, 0} ... {200, 224, reply, 0, 1636, 1276, 75603, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\350\302\204@ \6\241&\37\14\243\215;&\2=\12\0\0\0yE7@\207\226\371\255\0\0\0\0\300'\25\0o\260x\214uN\321\246(\0\0\0\31\331\0C\0\0\24\0\240\366\260\0\23d\356\302\0\0\0\0\330>\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02183 1736 NtQueryInformationThread (524, Basic, 28, ... 02182 784 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 02183 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1500,}, 0x0, ) == 0x0 02184 784 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 02185 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\334\5\0\0" ... ... 02184 784 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 02185 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75604, 0} ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\334\5\0\0" ) ) == 0x0 02186 784 NtFlushInstructionCache (-1, 1996165120, 232, ... 02187 1276 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02186 784 NtFlushInstructionCache ... ) == 0x0 02187 1276 NtSetInformationThread ... 
) == 0x0 02188 784 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ... 02189 1276 NtRequestWaitReplyPort (508, {56, 80, new_msg, 0, 44, 3, 20, 0} (508, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0E*dK\202\302\222yAZ\332\256\1\0\0\0\0\0\0\0&\0(\0x\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 02190 1736 NtResumeThread (524, ... 1, ) == 0x0 02191 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 59834368, 1048576, ) == 0x0 02192 1736 NtAllocateVirtualMemory (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0 02188 784 NtOpenSection ... 540, ) == 0x0 02193 1500 NtWaitForSingleObject (128, 0, 0x0, ... 02194 784 NtMapViewOfSection (540, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02195 784 NtClose (540, ... ) == 0x0 02196 784 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02197 784 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02198 784 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 02199 784 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... 02200 1736 NtProtectVirtualMemory (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0 02201 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {1636, 932}, ) == 0x0 02202 1736 NtQueryInformationThread (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=932,}, 0x0, ) == 0x0 02203 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75606, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\244\3\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\244\3\0\0" ) ) == 0x0 02204 1736 NtResumeThread (540, ... 1, ) == 0x0 02205 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02199 784 NtProtectVirtualMemory ... (0x76f61000), 4096, 32, ) == 0x0 02206 932 NtWaitForSingleObject (128, 0, 0x0, ... 02207 784 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02208 784 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 02209 784 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0 02210 784 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 02211 784 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 02212 784 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ... 02205 1736 NtAllocateVirtualMemory ... 60882944, 1048576, ) == 0x0 02213 1736 NtAllocateVirtualMemory (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0 02214 1736 NtProtectVirtualMemory (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0 02215 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {1636, 1780}, ) == 0x0 02216 1736 NtQueryInformationThread (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=1780,}, 0x0, ) == 0x0 02217 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\364\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\364\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75607, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\364\6\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\364\6\0\0" ) ) == 0x0 02212 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02218 784 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 552, ) == 0x0 02219 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 556, ) }, ... 556, ) == 0x0 02220 784 NtQueryValueKey (556, (556, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (556, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02221 784 NtClose (556, ... ) == 0x0 02222 784 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02223 784 NtQueryPerformanceCounter (... 02224 1736 NtResumeThread (548, ... 1, ) == 0x0 02225 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 61931520, 1048576, ) == 0x0 02226 1736 NtAllocateVirtualMemory (-1, 62971904, 0, 8192, 4096, 4, ... 62971904, 8192, ) == 0x0 02227 1736 NtProtectVirtualMemory (-1, (0x3c0e000), 4096, 260, ... (0x3c0e000), 4096, 4, ) == 0x0 02228 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {1636, 1804}, ) == 0x0 02229 1736 NtQueryInformationThread (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1804,}, 0x0, ) == 0x0 02223 784 NtQueryPerformanceCounter ... {1110147649, 16}, {3579545, 0}, ) == 0x0 02230 1780 NtWaitForSingleObject (128, 0, 0x0, ... 02231 784 NtSetEventBoostPriority (128, ... 02151 276 NtWaitForSingleObject ... ) == 0x0 02232 276 NtSetEventBoostPriority (128, ... 02169 1496 NtWaitForSingleObject ... ) == 0x0 02233 1496 NtSetEventBoostPriority (128, ... 02193 1500 NtWaitForSingleObject ... 
) == 0x0 02234 1500 NtSetEventBoostPriority (128, ... 02206 932 NtWaitForSingleObject ... ) == 0x0 02235 932 NtSetEventBoostPriority (128, ... 02230 1780 NtWaitForSingleObject ... ) == 0x0 02236 1780 NtTestAlert (... ) == 0x0 02235 932 NtSetEventBoostPriority ... ) == 0x0 02234 1500 NtSetEventBoostPriority ... ) == 0x0 02233 1496 NtSetEventBoostPriority ... ) == 0x0 02232 276 NtSetEventBoostPriority ... ) == 0x0 02231 784 NtSetEventBoostPriority ... ) == 0x0 02237 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\14\7\0\0" ... ... 02238 1780 NtContinue (61930800, 1, ... 02239 932 NtTestAlert (... 02240 1500 NtTestAlert (... 02241 1496 NtTestAlert (... 02242 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15789008, ... }, 15789008, ... 02237 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75608, 0} ... {28, 56, reply, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\14\7\0\0" ) ) == 0x0 02243 1780 NtRegisterThreadTerminatePort (24, ... 02239 932 NtTestAlert ... ) == 0x0 02240 1500 NtTestAlert ... ) == 0x0 02241 1496 NtTestAlert ... ) == 0x0 02242 784 NtQueryAttributesFile ... ) == 0x0 02244 1736 NtResumeThread (556, ... 02243 1780 NtRegisterThreadTerminatePort ... ) == 0x0 02245 932 NtContinue (60882224, 1, ... 02246 1500 NtContinue (59833648, 1, ... 02247 1496 NtContinue (58785072, 1, ... 02248 784 NtQuerySystemInformation (Basic, 44, ... 02244 1736 NtResumeThread ... 1, ) == 0x0 02249 1780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02250 932 NtRegisterThreadTerminatePort (24, ... 02251 1500 NtRegisterThreadTerminatePort (24, ... 02252 1496 NtRegisterThreadTerminatePort (24, ... 02253 276 NtTestAlert (... 02254 1804 NtTestAlert (... 02255 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02249 1780 NtDuplicateObject ... 
560, ) == 0x0 02250 932 NtRegisterThreadTerminatePort ... ) == 0x0 02251 1500 NtRegisterThreadTerminatePort ... ) == 0x0 02252 1496 NtRegisterThreadTerminatePort ... ) == 0x0 02253 276 NtTestAlert ... ) == 0x0 02254 1804 NtTestAlert ... ) == 0x0 02248 784 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02256 1780 NtWaitForSingleObject (104, 0, {0, 0}, ... 02257 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02258 1500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02259 1496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02260 276 NtContinue (57736496, 1, ... 02261 1804 NtContinue (62979376, 1, ... 02262 784 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02255 1736 NtAllocateVirtualMemory ... 62980096, 1048576, ) == 0x0 02256 1780 NtWaitForSingleObject ... ) == 0x102 02257 932 NtDuplicateObject ... 564, ) == 0x0 02258 1500 NtDuplicateObject ... 568, ) == 0x0 02263 276 NtRegisterThreadTerminatePort (24, ... 02264 1804 NtRegisterThreadTerminatePort (24, ... 02262 784 NtAllocateVirtualMemory ... 3538944, 65536, ) == 0x0 02265 1736 NtAllocateVirtualMemory (-1, 64020480, 0, 8192, 4096, 4, ... 02266 1780 NtWaitForSingleObject (160, 0, 0x0, ... 02267 932 NtWaitForSingleObject (104, 0, {0, 0}, ... 02268 1500 NtWaitForSingleObject (104, 0, {0, 0}, ... 02263 276 NtRegisterThreadTerminatePort ... ) == 0x0 02264 1804 NtRegisterThreadTerminatePort ... ) == 0x0 02269 784 NtAllocateVirtualMemory (-1, 3538944, 0, 4096, 4096, 4, ... 02265 1736 NtAllocateVirtualMemory ... 64020480, 8192, ) == 0x0 02267 932 NtWaitForSingleObject ... ) == 0x102 02268 1500 NtWaitForSingleObject ... ) == 0x102 02270 276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02259 1496 NtDuplicateObject ... 
572, ) == 0x0 02269 784 NtAllocateVirtualMemory ... 3538944, 4096, ) == 0x0 02271 1736 NtProtectVirtualMemory (-1, (0x3d0e000), 4096, 260, ... 02272 932 NtWaitForSingleObject (160, 0, 0x0, ... 02273 1500 NtWaitForSingleObject (160, 0, 0x0, ... 02274 1804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02275 1496 NtWaitForSingleObject (104, 0, {0, 0}, ... 02276 784 NtAllocateVirtualMemory (-1, 3543040, 0, 8192, 4096, 4, ... 02271 1736 NtProtectVirtualMemory ... (0x3d0e000), 4096, 4, ) == 0x0 02274 1804 NtDuplicateObject ... 576, ) == 0x0 02275 1496 NtWaitForSingleObject ... ) == 0x102 02270 276 NtDuplicateObject ... 580, ) == 0x0 02277 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02278 1804 NtWaitForSingleObject (104, 0, {0, 0}, ... 02279 1496 NtWaitForSingleObject (160, 0, 0x0, ... 02280 276 NtWaitForSingleObject (104, 0, {0, 0}, ... 02276 784 NtAllocateVirtualMemory ... 3543040, 8192, ) == 0x0 02278 1804 NtWaitForSingleObject ... ) == 0x102 02280 276 NtWaitForSingleObject ... ) == 0x102 02281 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15789008, ... }, 15789008, ... 02282 1804 NtWaitForSingleObject (160, 0, 0x0, ... 02283 276 NtWaitForSingleObject (160, 0, 0x0, ... 02281 784 NtQueryAttributesFile ... ) == 0x0 02277 1736 NtCreateThread ... 584, {1636, 336}, ) == 0x0 02284 784 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ... 02285 1736 NtQueryInformationThread (584, Basic, 28, ... 02284 784 NtOpenFile ... 588, {status=0x0, info=1}, ) == 0x0 02285 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=336,}, 0x0, ) == 0x0 02286 784 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 588, ... 
02287 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0P\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75609, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0P\1\0\0" ) ) == 0x0 02288 1736 NtResumeThread (584, ... 1, ) == 0x0 02289 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0 02290 1736 NtAllocateVirtualMemory (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0 02286 784 NtCreateSection ... 592, ) == 0x0 02291 336 NtWaitForSingleObject (128, 0, 0x0, ... 02292 784 NtClose (588, ... ) == 0x0 02293 784 NtMapViewOfSection (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 110592, ) == 0x0 02294 784 NtClose (592, ... ) == 0x0 02295 784 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 02296 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15789316, ... ) }, 15789316, ... ) == 0x0 02297 784 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ... 02298 1736 NtProtectVirtualMemory (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0 02299 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1636, 504}, ) == 0x0 02300 1736 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=504,}, 0x0, ) == 0x0 02301 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\370\1\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\370\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75610, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\370\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\370\1\0\0" ) ) == 0x0 02302 1736 NtResumeThread (592, ... 1, ) == 0x0 02303 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02297 784 NtOpenFile ... 588, {status=0x0, info=1}, ) == 0x0 02304 504 NtWaitForSingleObject (128, 0, 0x0, ... 02305 784 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 588, ... 596, ) == 0x0 02306 784 NtQuerySection (596, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02307 784 NtClose (588, ... ) == 0x0 02308 784 NtMapViewOfSection (596, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0 02309 784 NtClose (596, ... ) == 0x0 02310 784 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... 02303 1736 NtAllocateVirtualMemory ... 65077248, 1048576, ) == 0x0 02189 1276 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1636, 1276, 75605, 0} ... {44, 68, reply, 0, 1636, 1276, 75605, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02311 1736 NtAllocateVirtualMemory (-1, 66117632, 0, 8192, 4096, 4, ... 02312 1276 NtRaiseException (11598352, 11597612, 1, ... 02311 1736 NtAllocateVirtualMemory ... 66117632, 8192, ) == 0x0 02310 784 NtProtectVirtualMemory ... (0x751d1000), 4096, 32, ) == 0x0 02313 1736 NtProtectVirtualMemory (-1, (0x3f0e000), 4096, 260, ... 02314 784 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... 02313 1736 NtProtectVirtualMemory ... (0x3f0e000), 4096, 4, ) == 0x0 02314 784 NtProtectVirtualMemory ... (0x751d1000), 4096, 4, ) == 0x0 02315 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02316 784 NtFlushInstructionCache (-1, 1964838912, 224, ... 
02317 1276 NtQueryVirtualMemory (-1, 0x77ea0470, BasicVlm, 16, ... 02316 784 NtFlushInstructionCache ... ) == 0x0 02317 1276 NtQueryVirtualMemory ... {memory info, class 3, size 16}, 0x0, ) == 0x0 02318 784 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... 02319 1276 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 02315 1736 NtCreateThread ... 596, {1636, 988}, ) == 0x0 02319 1276 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 02320 1736 NtQueryInformationThread (596, Basic, 28, ... 02321 1276 NtContinue (11596580, 0, ... 02320 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=988,}, 0x0, ) == 0x0 02322 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75610, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\334\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\334\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75611, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\334\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\334\3\0\0" ) ) == 0x0 02323 1736 NtResumeThread (596, ... 1, ) == 0x0 02324 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0 02325 1736 NtAllocateVirtualMemory (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0 02318 784 NtProtectVirtualMemory ... (0x751d1000), 4096, 32, ) == 0x0 02326 988 NtWaitForSingleObject (128, 0, 0x0, ... 02327 784 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02328 784 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02329 784 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02330 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15788492, ... }, 15788492, ... 02331 1736 NtProtectVirtualMemory (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0 02332 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1636, 1692}, ) == 0x0 02333 1736 NtQueryInformationThread (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=1692,}, 0x0, ) == 0x0 02334 1276 NtDeviceIoControlFile (376, 136, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103 02335 1276 NtWaitForSingleObject (136, 1, {-5000000, -1}, ... 02336 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75611, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0d\6\0\0\234\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0d\6\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75612, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0d\6\0\0\234\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0d\6\0\0\234\6\0\0" ) ) == 0x0 02337 1736 NtResumeThread (588, ... 1, ) == 0x0 02338 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02339 1692 NtWaitForSingleObject (128, 0, 0x0, ... 02338 1736 NtAllocateVirtualMemory ... 67174400, 1048576, ) == 0x0 02340 1736 NtAllocateVirtualMemory (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0 02341 1736 NtProtectVirtualMemory (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0 02342 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02330 784 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02343 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15788492, ... ) }, 15788492, ... 
) == 0x0 02344 784 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 600, {status=0x0, info=1}, ) }, 5, 96, ... 600, {status=0x0, info=1}, ) == 0x0 02345 784 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 600, ... 604, ) == 0x0 02346 784 NtQuerySection (604, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02342 1736 NtCreateThread ... 608, {1636, 1808}, ) == 0x0 02347 1736 NtQueryInformationThread (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=1808,}, 0x0, ) == 0x0 02348 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75612, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\20\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\20\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75613, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\20\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\20\7\0\0" ) ) == 0x0 02349 1736 NtResumeThread (608, ... 1, ) == 0x0 02350 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0 02351 1736 NtAllocateVirtualMemory (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0 02352 784 NtClose (600, ... 02353 1808 NtWaitForSingleObject (128, 0, 0x0, ... 02352 784 NtClose ... ) == 0x0 02354 784 NtMapViewOfSection (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0 02355 784 NtClose (604, ... ) == 0x0 02356 784 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02357 784 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02358 784 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02359 1736 NtProtectVirtualMemory (-1, (0x420e000), 4096, 260, ... 
(0x420e000), 4096, 4, ) == 0x0 02360 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1636, 1800}, ) == 0x0 02361 1736 NtQueryInformationThread (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=1800,}, 0x0, ) == 0x0 02362 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75613, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\10\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75614, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\10\7\0\0" ) ) == 0x0 02363 1736 NtResumeThread (604, ... 1, ) == 0x0 02364 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02365 784 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... 02366 1800 NtWaitForSingleObject (128, 0, 0x0, ... 02365 784 NtProtectVirtualMemory ... (0x77921000), 4096, 32, ) == 0x0 02367 784 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02368 784 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02369 784 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02370 784 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02371 784 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02364 1736 NtAllocateVirtualMemory ... 69271552, 1048576, ) == 0x0 02372 1736 NtAllocateVirtualMemory (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0 02373 1736 NtProtectVirtualMemory (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0 02374 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1636, 1348}, ) == 0x0 02375 1736 NtQueryInformationThread (600, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1348,}, 0x0, ) == 0x0 02376 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75614, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0D\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0D\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75615, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0D\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0D\5\0\0" ) ) == 0x0 02377 784 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02378 784 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02379 784 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02380 784 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02381 784 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02382 784 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02383 1736 NtResumeThread (600, ... 1, ) == 0x0 02384 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0 02385 1736 NtAllocateVirtualMemory (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0 02386 1736 NtProtectVirtualMemory (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0 02387 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1636, 1396}, ) == 0x0 02388 1736 NtQueryInformationThread (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=1396,}, 0x0, ) == 0x0 02389 784 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... 02390 1348 NtWaitForSingleObject (128, 0, 0x0, ... 02389 784 NtProtectVirtualMemory ... (0x751d1000), 4096, 32, ) == 0x0 02391 784 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... 
(0x751d1000), 4096, 4, ) == 0x0 02392 784 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02393 784 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02394 784 NtAllocateVirtualMemory (-1, 3629056, 0, 4096, 4096, 4, ... 3629056, 4096, ) == 0x0 02395 784 NtQueryDefaultUILanguage (2090319928, ... 02396 784 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 02397 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75615, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0t\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0t\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75616, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0t\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0t\5\0\0" ) ) == 0x0 02398 1736 NtResumeThread (612, ... 1, ) == 0x0 02399 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71368704, 1048576, ) == 0x0 02400 1736 NtAllocateVirtualMemory (-1, 72409088, 0, 8192, 4096, 4, ... 72409088, 8192, ) == 0x0 02401 1736 NtProtectVirtualMemory (-1, (0x450e000), 4096, 260, ... (0x450e000), 4096, 4, ) == 0x0 02402 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02396 784 NtOpenThreadTokenEx ... ) == STATUS_NO_TOKEN 02403 1396 NtWaitForSingleObject (128, 0, 0x0, ... 02404 784 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482564, ) == 0x0 02405 784 NtQueryInformationToken (-2147482564, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02406 784 NtClose (-2147482564, ... ) == 0x0 02407 784 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... 
-2147482564, ) == 0x0 02408 784 NtOpenKey (0x80000000, {24, -2147482564, 0x240, 0, 0, (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02409 784 NtOpenKey (0x80000000, {24, -2147482564, 0x640, 0, 0, (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... }, ... 02402 1736 NtCreateThread ... 616, {1636, 1176}, ) == 0x0 02410 1736 NtQueryInformationThread (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=1176,}, 0x0, ) == 0x0 02411 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75616, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\230\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\230\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75617, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\230\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\230\4\0\0" ) ) == 0x0 02412 1736 NtResumeThread (616, ... 1, ) == 0x0 02413 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0 02414 1736 NtAllocateVirtualMemory (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0 02409 784 NtOpenKey ... -2147481440, ) == 0x0 02415 1176 NtWaitForSingleObject (128, 0, 0x0, ... 02416 784 NtQueryValueKey (-2147481440, (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02417 784 NtClose (-2147481440, ... ) == 0x0 02418 784 NtClose (-2147482564, ... ) == 0x0 02395 784 NtQueryDefaultUILanguage ... ) == 0x0 02419 784 NtAllocateVirtualMemory (-1, 15777792, 0, 4096, 4096, 260, ... 15777792, 4096, ) == 0x0 02420 784 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 02421 1736 NtProtectVirtualMemory (-1, (0x460e000), 4096, 260, ... 
(0x460e000), 4096, 4, ) == 0x0 02422 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1636, 1852}, ) == 0x0 02423 1736 NtQueryInformationThread (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=1852,}, 0x0, ) == 0x0 02424 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75617, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0<\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0<\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75618, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0<\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0<\7\0\0" ) ) == 0x0 02425 1736 NtResumeThread (620, ... 1, ) == 0x0 02426 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02427 784 NtQueryDefaultLocale (1, 15789212, ... 02428 1852 NtWaitForSingleObject (128, 0, 0x0, ... 02427 784 NtQueryDefaultLocale ... ) == 0x0 02429 784 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02430 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 624, ) }, ... 624, ) == 0x0 02431 784 NtQueryValueKey (624, (624, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (624, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02432 784 NtClose (624, ... ) == 0x0 02433 784 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 624, ) == 0x0 02426 1736 NtAllocateVirtualMemory ... 73465856, 1048576, ) == 0x0 02434 1736 NtAllocateVirtualMemory (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0 02435 1736 NtProtectVirtualMemory (-1, (0x470e000), 4096, 260, ... 
(0x470e000), 4096, 4, ) == 0x0 02436 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1636, 1420}, ) == 0x0 02437 1736 NtQueryInformationThread (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=1420,}, 0x0, ) == 0x0 02438 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75618, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\214\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\214\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75619, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\214\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\214\5\0\0" ) ) == 0x0 02439 784 NtCallbackReturn (0, 0, 0, ... 02440 784 NtUserGetProcessWindowStation (... ) == 0x1c 02441 784 NtUserGetObjectInformation (28, 1, 15788808, 12, 15788820, ... ) == 0x1 02442 784 NtOpenKey (0xf003f, {24, 36, 0x40, 0, 0, (0xf003f, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02443 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\WPA\PnP"}, ... 632, ) }, ... 632, ) == 0x0 02444 784 NtQueryValueKey (632, (632, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (632, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 02445 784 NtClose (632, ... 02446 1736 NtResumeThread (628, ... 1, ) == 0x0 02447 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0 02448 1736 NtAllocateVirtualMemory (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0 02449 1736 NtProtectVirtualMemory (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0 02450 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
636, {1636, 824}, ) == 0x0 02451 1736 NtQueryInformationThread (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=824,}, 0x0, ) == 0x0 02445 784 NtClose ... ) == 0x0 02452 1420 NtWaitForSingleObject (128, 0, 0x0, ... 02453 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 632, ) }, ... 632, ) == 0x0 02454 784 NtQueryValueKey (632, (632, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02455 784 NtQueryValueKey (632, (632, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02456 784 NtClose (632, ... ) == 0x0 02457 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 632, ) }, ... 632, ) == 0x0 02458 784 NtQueryValueKey (632, (632, "SystemPartition", Partial, 144, ... , Partial, 144, ... 02459 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75619, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\08\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\08\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75620, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\08\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\08\3\0\0" ) ) == 0x0 02460 1736 NtResumeThread (636, ... 1, ) == 0x0 02461 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0 02462 1736 NtAllocateVirtualMemory (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0 02463 1736 NtProtectVirtualMemory (-1, (0x490e000), 4096, 260, ... 
(0x490e000), 4096, 4, ) == 0x0 02464 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02458 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02465 824 NtWaitForSingleObject (128, 0, 0x0, ... 02466 784 NtQueryValueKey (632, (632, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02467 784 NtClose (632, ... ) == 0x0 02468 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0 02469 784 NtQueryValueKey (632, (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02470 784 NtQueryValueKey (632, (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02471 784 NtClose (632, ... 02464 1736 NtCreateThread ... 640, {1636, 868}, ) == 0x0 02472 1736 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=868,}, 0x0, ) == 0x0 02473 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75620, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0d\3\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75621, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0d\3\0\0" ) ) == 0x0 02474 1736 NtResumeThread (640, ... 1, ) == 0x0 02475 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0 02476 1736 NtAllocateVirtualMemory (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0 02471 784 NtClose ... ) == 0x0 02477 868 NtWaitForSingleObject (128, 0, 0x0, ... 02478 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0 02479 784 NtQueryValueKey (632, (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02480 784 NtQueryValueKey (632, (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02481 784 NtClose (632, ... ) == 0x0 02482 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0 02483 784 NtQueryValueKey (632, (632, "ServicePackCachePath", Partial, 144, ... , Partial, 144, ... 02484 1736 NtProtectVirtualMemory (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0 02485 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1636, 896}, ) == 0x0 02486 1736 NtQueryInformationThread (644, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=896,}, 0x0, ) == 0x0 02487 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75621, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75622, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\200\3\0\0" ) ) == 0x0 02488 1736 NtResumeThread (644, ... 1, ) == 0x0 02489 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02483 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02490 896 NtWaitForSingleObject (128, 0, 0x0, ... 02491 784 NtQueryValueKey (632, (632, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02492 784 NtClose (632, ... ) == 0x0 02493 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0 02494 784 NtQueryValueKey (632, (632, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02495 784 NtQueryValueKey (632, (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02496 784 NtClose (632, ... 02489 1736 NtAllocateVirtualMemory ... 77660160, 1048576, ) == 0x0 02497 1736 NtAllocateVirtualMemory (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0 02498 1736 NtProtectVirtualMemory (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0 02499 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1636, 168}, ) == 0x0 02500 1736 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=168,}, 0x0, ) == 0x0 02501 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75622, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\250\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\250\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75623, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\250\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\250\0\0\0" ) ) == 0x0 02496 784 NtClose ... ) == 0x0 02502 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 
632, ) }, ... 632, ) == 0x0 02503 784 NtQueryValueKey (632, (632, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02504 784 NtQueryValueKey (632, (632, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (632, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 02505 784 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 02506 784 NtClose (632, ... ) == 0x0 02507 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02508 1736 NtResumeThread (648, ... 1, ) == 0x0 02509 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0 02510 1736 NtAllocateVirtualMemory (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0 02511 1736 NtProtectVirtualMemory (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0 02512 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
632, {1636, 2012}, ) == 0x0 02513 1736 NtQueryInformationThread (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0 02507 784 NtCreateEvent ... 652, ) == 0x0 02514 168 NtWaitForSingleObject (128, 0, 0x0, ... 02515 784 NtCreateMutant (0x1f0001, 0x0, 0, ... 656, ) == 0x0 02516 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 660, ) == 0x0 02517 784 NtCreateMutant (0x1f0001, 0x0, 0, ... 664, ) == 0x0 02518 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 668, ) == 0x0 02519 784 NtCreateMutant (0x1f0001, 0x0, 0, ... 672, ) == 0x0 02520 784 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ... 02521 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75623, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\334\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75624, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\334\7\0\0" ) ) == 0x0 02522 1736 NtResumeThread (632, ... 1, ) == 0x0 02523 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0 02524 1736 NtAllocateVirtualMemory (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0 02525 1736 NtProtectVirtualMemory (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0 02526 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02520 784 NtOpenKey ... 676, ) == 0x0 02527 2012 NtWaitForSingleObject (128, 0, 0x0, ... 02528 784 NtQueryValueKey (676, (676, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (676, "LogLevel", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02529 784 NtQueryValueKey (676, (676, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (676, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02530 784 NtQueryValueKey (676, (676, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02531 784 NtOpenKey (0x1, {24, 676, 0x40, 0, 0, (0x1, {24, 676, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02532 784 NtClose (676, ... ) == 0x0 02533 784 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15788724, ... }, 15788724, ... 02526 1736 NtCreateThread ... 676, {1636, 1252}, ) == 0x0 02534 1736 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0 02535 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75624, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\344\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75625, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\344\4\0\0" ) ) == 0x0 02536 1736 NtResumeThread (676, ... 1, ) == 0x0 02537 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0 02538 1736 NtAllocateVirtualMemory (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0 02533 784 NtQueryAttributesFile ... ) == 0x0 02539 1252 NtWaitForSingleObject (128, 0, 0x0, ... 02540 784 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 
680, ) }, ... 680, ) == 0x0 02541 784 NtQueryValueKey (680, (680, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (680, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (680, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02542 784 NtClose (680, ... ) == 0x0 02543 784 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 680, ) }, ... 680, ) == 0x0 02544 784 NtQueryValueKey (680, (680, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (680, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (680, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 02545 784 NtClose (680, ... 02546 1736 NtProtectVirtualMemory (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0 02547 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 1028}, ) == 0x0 02548 1736 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0 02549 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75625, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\4\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75626, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\4\4\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\4\4\0\0" ) ) == 0x0 02550 1736 NtResumeThread (684, ... 1, ) == 0x0 02551 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02545 784 NtClose ... ) == 0x0 02552 1028 NtWaitForSingleObject (128, 0, 0x0, ... 02553 784 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02554 784 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 680, ) }, ... 680, ) == 0x0 02555 784 NtQueryValueKey (680, (680, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (680, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (680, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02556 784 NtClose (680, ... ) == 0x0 02557 784 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02558 784 NtSetEventBoostPriority (128, ... 02551 1736 NtAllocateVirtualMemory ... 81854464, 1048576, ) == 0x0 02559 1736 NtAllocateVirtualMemory (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0 02560 1736 NtProtectVirtualMemory (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0 02561 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 1180}, ) == 0x0 02562 1736 NtQueryInformationThread (680, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0 02563 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75626, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\234\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75627, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\234\4\0\0" ) ) == 0x0 02291 336 NtWaitForSingleObject ... ) == 0x0 02558 784 NtSetEventBoostPriority ... ) == 0x0 02564 336 NtSetEventBoostPriority (128, ... 02565 784 NtWaitForSingleObject (128, 0, 0x0, ... 02304 504 NtWaitForSingleObject ... ) == 0x0 02564 336 NtSetEventBoostPriority ... ) == 0x0 02566 504 NtSetEventBoostPriority (128, ... 02567 1736 NtResumeThread (680, ... 02326 988 NtWaitForSingleObject ... ) == 0x0 02566 504 NtSetEventBoostPriority ... ) == 0x0 02568 988 NtSetEventBoostPriority (128, ... 02567 1736 NtResumeThread ... 1, ) == 0x0 02569 336 NtTestAlert (... 02339 1692 NtWaitForSingleObject ... ) == 0x0 02568 988 NtSetEventBoostPriority ... ) == 0x0 02570 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02571 1692 NtSetEventBoostPriority (128, ... 02569 336 NtTestAlert ... ) == 0x0 02572 504 NtTestAlert (... 02573 1180 NtWaitForSingleObject (128, 0, 0x0, ... 02353 1808 NtWaitForSingleObject ... ) == 0x0 02571 1692 NtSetEventBoostPriority ... ) == 0x0 02570 1736 NtAllocateVirtualMemory ... 82903040, 1048576, ) == 0x0 02574 336 NtContinue (64027952, 1, ... 02572 504 NtTestAlert ... ) == 0x0 02575 1808 NtSetEventBoostPriority (128, ... 02576 988 NtTestAlert (... 02577 1736 NtAllocateVirtualMemory (-1, 83943424, 0, 8192, 4096, 4, ... 02578 336 NtRegisterThreadTerminatePort (24, ... 02366 1800 NtWaitForSingleObject ... 
) == 0x0 02575 1808 NtSetEventBoostPriority ... ) == 0x0 02579 504 NtContinue (65076528, 1, ... 02576 988 NtTestAlert ... ) == 0x0 02577 1736 NtAllocateVirtualMemory ... 83943424, 8192, ) == 0x0 02580 1800 NtSetEventBoostPriority (128, ... 02578 336 NtRegisterThreadTerminatePort ... ) == 0x0 02581 1692 NtTestAlert (... 02582 504 NtRegisterThreadTerminatePort (24, ... 02583 988 NtContinue (66125104, 1, ... 02584 1808 NtTestAlert (... 02390 1348 NtWaitForSingleObject ... ) == 0x0 02580 1800 NtSetEventBoostPriority ... ) == 0x0 02585 336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02581 1692 NtTestAlert ... ) == 0x0 02582 504 NtRegisterThreadTerminatePort ... ) == 0x0 02586 988 NtRegisterThreadTerminatePort (24, ... 02587 1348 NtSetEventBoostPriority (128, ... 02584 1808 NtTestAlert ... ) == 0x0 02588 1736 NtProtectVirtualMemory (-1, (0x500e000), 4096, 260, ... 02589 1800 NtTestAlert (... 02590 1692 NtContinue (67173680, 1, ... 02591 504 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02403 1396 NtWaitForSingleObject ... ) == 0x0 02587 1348 NtSetEventBoostPriority ... ) == 0x0 02586 988 NtRegisterThreadTerminatePort ... ) == 0x0 02592 1808 NtContinue (68222256, 1, ... 02588 1736 NtProtectVirtualMemory ... (0x500e000), 4096, 4, ) == 0x0 02589 1800 NtTestAlert ... ) == 0x0 02593 1692 NtRegisterThreadTerminatePort (24, ... 02585 336 NtDuplicateObject ... 688, ) == 0x0 02594 1396 NtSetEventBoostPriority (128, ... 02591 504 NtDuplicateObject ... 692, ) == 0x0 02595 988 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02596 1808 NtRegisterThreadTerminatePort (24, ... 02597 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02598 1800 NtContinue (69270832, 1, ... 02593 1692 NtRegisterThreadTerminatePort ... ) == 0x0 02415 1176 NtWaitForSingleObject ... ) == 0x0 02594 1396 NtSetEventBoostPriority ... ) == 0x0 02599 336 NtWaitForSingleObject (104, 0, {0, 0}, ... 02600 504 NtWaitForSingleObject (104, 0, {0, 0}, ... 02601 1348 NtTestAlert (... 
02596 1808 NtRegisterThreadTerminatePort ... ) == 0x0 02597 1736 NtCreateThread ... 696, {1636, 596}, ) == 0x0 02602 1800 NtRegisterThreadTerminatePort (24, ... 02603 1176 NtSetEventBoostPriority (128, ... 02604 1692 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02595 988 NtDuplicateObject ... 700, ) == 0x0 02599 336 NtWaitForSingleObject ... ) == 0x102 02600 504 NtWaitForSingleObject ... ) == 0x102 02601 1348 NtTestAlert ... ) == 0x0 02605 1808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02606 1736 NtQueryInformationThread (696, Basic, 28, ... 02428 1852 NtWaitForSingleObject ... ) == 0x0 02603 1176 NtSetEventBoostPriority ... ) == 0x0 02602 1800 NtRegisterThreadTerminatePort ... ) == 0x0 02607 1396 NtTestAlert (... 02608 988 NtWaitForSingleObject (104, 0, {0, 0}, ... 02609 336 NtWaitForSingleObject (160, 0, 0x0, ... 02610 504 NtWaitForSingleObject (160, 0, 0x0, ... 02611 1348 NtContinue (70319408, 1, ... 02604 1692 NtDuplicateObject ... 704, ) == 0x0 02612 1852 NtSetEventBoostPriority (128, ... 02606 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=596,}, 0x0, ) == 0x0 02605 1808 NtDuplicateObject ... 708, ) == 0x0 02613 1800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02607 1396 NtTestAlert ... ) == 0x0 02608 988 NtWaitForSingleObject ... ) == 0x102 02614 1348 NtRegisterThreadTerminatePort (24, ... 02452 1420 NtWaitForSingleObject ... ) == 0x0 02612 1852 NtSetEventBoostPriority ... ) == 0x0 02615 1692 NtWaitForSingleObject (104, 0, {0, 0}, ... 02616 1176 NtTestAlert (... 02617 1808 NtWaitForSingleObject (104, 0, {0, 0}, ... 02618 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75627, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0T\2\0\0" ... ... 02619 1396 NtContinue (71367984, 1, ... 02620 988 NtWaitForSingleObject (160, 0, 0x0, ... 02621 1420 NtSetEventBoostPriority (128, ... 02614 1348 NtRegisterThreadTerminatePort ... 
) == 0x0 02613 1800 NtDuplicateObject ... 712, ) == 0x0 02615 1692 NtWaitForSingleObject ... ) == 0x102 02616 1176 NtTestAlert ... ) == 0x0 02617 1808 NtWaitForSingleObject ... ) == 0x102 02618 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75628, 0} ... {28, 56, reply, 0, 1636, 1736, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0T\2\0\0" ) ) == 0x0 02622 1396 NtRegisterThreadTerminatePort (24, ... 02465 824 NtWaitForSingleObject ... ) == 0x0 02621 1420 NtSetEventBoostPriority ... ) == 0x0 02623 1348 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02624 1800 NtWaitForSingleObject (104, 0, {0, 0}, ... 02625 1692 NtWaitForSingleObject (160, 0, 0x0, ... 02626 1176 NtContinue (72416560, 1, ... 02627 1808 NtWaitForSingleObject (160, 0, 0x0, ... 02628 1736 NtResumeThread (696, ... 02629 824 NtSetEventBoostPriority (128, ... 02622 1396 NtRegisterThreadTerminatePort ... ) == 0x0 02630 1852 NtTestAlert (... 02631 1420 NtTestAlert (... 02624 1800 NtWaitForSingleObject ... ) == 0x102 02632 1176 NtRegisterThreadTerminatePort (24, ... 02477 868 NtWaitForSingleObject ... ) == 0x0 02629 824 NtSetEventBoostPriority ... ) == 0x0 02628 1736 NtResumeThread ... 1, ) == 0x0 02633 1396 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02630 1852 NtTestAlert ... ) == 0x0 02631 1420 NtTestAlert ... ) == 0x0 02634 1800 NtWaitForSingleObject (160, 0, 0x0, ... 02635 868 NtSetEventBoostPriority (128, ... 02632 1176 NtRegisterThreadTerminatePort ... ) == 0x0 02623 1348 NtDuplicateObject ... 716, ) == 0x0 02636 596 NtWaitForSingleObject (128, 0, 0x0, ... 02637 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02638 824 NtTestAlert (... 02639 1852 NtContinue (73465136, 1, ... 02640 1420 NtContinue (74513712, 1, ... 02490 896 NtWaitForSingleObject ... ) == 0x0 02635 868 NtSetEventBoostPriority ... ) == 0x0 02641 1176 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02642 1348 NtWaitForSingleObject (104, 0, {0, 0}, ... 02633 1396 NtDuplicateObject ... 
720, ) == 0x0 02638 824 NtTestAlert ... ) == 0x0 02643 1852 NtRegisterThreadTerminatePort (24, ... 02644 896 NtSetEventBoostPriority (128, ... 02645 1420 NtRegisterThreadTerminatePort (24, ... 02637 1736 NtAllocateVirtualMemory ... 83951616, 1048576, ) == 0x0 02646 868 NtTestAlert (... 02642 1348 NtWaitForSingleObject ... ) == 0x102 02647 1396 NtWaitForSingleObject (104, 0, {0, 0}, ... 02648 824 NtContinue (75562288, 1, ... 02514 168 NtWaitForSingleObject ... ) == 0x0 02644 896 NtSetEventBoostPriority ... ) == 0x0 02643 1852 NtRegisterThreadTerminatePort ... ) == 0x0 02645 1420 NtRegisterThreadTerminatePort ... ) == 0x0 02649 1736 NtAllocateVirtualMemory (-1, 84992000, 0, 8192, 4096, 4, ... 02646 868 NtTestAlert ... ) == 0x0 02650 1348 NtWaitForSingleObject (160, 0, 0x0, ... 02647 1396 NtWaitForSingleObject ... ) == 0x102 02651 168 NtSetEventBoostPriority (128, ... 02652 824 NtRegisterThreadTerminatePort (24, ... 02641 1176 NtDuplicateObject ... 724, ) == 0x0 02653 1852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02654 1420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02649 1736 NtAllocateVirtualMemory ... 84992000, 8192, ) == 0x0 02655 868 NtContinue (76610864, 1, ... 02527 2012 NtWaitForSingleObject ... ) == 0x0 02651 168 NtSetEventBoostPriority ... ) == 0x0 02656 1396 NtWaitForSingleObject (160, 0, 0x0, ... 02652 824 NtRegisterThreadTerminatePort ... ) == 0x0 02657 1176 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 02658 896 NtTestAlert (... 02653 1852 NtDuplicateObject ... 728, ) == 0x0 02659 1736 NtProtectVirtualMemory (-1, (0x510e000), 4096, 260, ... 02660 2012 NtWaitForSingleObject (324, 0, 0x0, ... 02661 868 NtRegisterThreadTerminatePort (24, ... 02654 1420 NtDuplicateObject ... 732, ) == 0x0 02662 824 NtWaitForSingleObject (324, 0, 0x0, ... 02657 1176 NtAllocateVirtualMemory ... 1409024, 4096, ) == 0x0 02658 896 NtTestAlert ... ) == 0x0 02663 1852 NtWaitForSingleObject (324, 0, 0x0, ... 02659 1736 NtProtectVirtualMemory ... 
(0x510e000), 4096, 4, ) == 0x0 02661 868 NtRegisterThreadTerminatePort ... ) == 0x0 02664 1420 NtWaitForSingleObject (324, 0, 0x0, ... 02665 168 NtTestAlert (... 02666 1176 NtSetEventBoostPriority (324, ... 02667 896 NtContinue (77659440, 1, ... 02668 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02669 868 NtWaitForSingleObject (324, 0, 0x0, ... 02665 168 NtTestAlert ... ) == 0x0 02660 2012 NtWaitForSingleObject ... ) == 0x0 02666 1176 NtSetEventBoostPriority ... ) == 0x0 02670 896 NtRegisterThreadTerminatePort (24, ... 02668 1736 NtCreateThread ... 736, {1636, 1168}, ) == 0x0 02671 2012 NtSetEventBoostPriority (324, ... 02672 168 NtContinue (78708016, 1, ... 02673 1176 NtWaitForSingleObject (324, 0, 0x0, ... 02670 896 NtRegisterThreadTerminatePort ... ) == 0x0 02663 1852 NtWaitForSingleObject ... ) == 0x0 02671 2012 NtSetEventBoostPriority ... ) == 0x0 02674 1736 NtQueryInformationThread (736, Basic, 28, ... 02675 168 NtRegisterThreadTerminatePort (24, ... 02676 1852 NtSetEventBoostPriority (324, ... 02677 896 NtWaitForSingleObject (324, 0, 0x0, ... 02674 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0 02664 1420 NtWaitForSingleObject ... ) == 0x0 02676 1852 NtSetEventBoostPriority ... ) == 0x0 02675 168 NtRegisterThreadTerminatePort ... ) == 0x0 02678 2012 NtSetEventBoostPriority (128, ... 02679 1420 NtSetEventBoostPriority (324, ... 02680 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75628, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\220\4\0\0" ... ... 02681 168 NtWaitForSingleObject (324, 0, 0x0, ... 02662 824 NtWaitForSingleObject ... ) == 0x0 02679 1420 NtSetEventBoostPriority ... ) == 0x0 02539 1252 NtWaitForSingleObject ... ) == 0x0 02678 2012 NtSetEventBoostPriority ... ) == 0x0 02680 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75629, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\220\4\0\0" ) ) == 0x0 02682 1852 NtWaitForSingleObject (324, 0, 0x0, ... 02683 824 NtSetEventBoostPriority (324, ... 02684 1252 NtWaitForSingleObject (324, 0, 0x0, ... 02685 2012 NtTestAlert (... 02686 1420 NtWaitForSingleObject (324, 0, 0x0, ... 02669 868 NtWaitForSingleObject ... ) == 0x0 02685 2012 NtTestAlert ... ) == 0x0 02687 868 NtSetEventBoostPriority (324, ... 02688 2012 NtContinue (79756592, 1, ... 02673 1176 NtWaitForSingleObject ... ) == 0x0 02689 2012 NtRegisterThreadTerminatePort (24, ... 02690 1176 NtSetEventBoostPriority (324, ... 02687 868 NtSetEventBoostPriority ... ) == 0x0 02683 824 NtSetEventBoostPriority ... ) == 0x0 02691 1736 NtResumeThread (736, ... 02677 896 NtWaitForSingleObject ... ) == 0x0 02692 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02693 824 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02691 1736 NtResumeThread ... 1, ) == 0x0 02694 896 NtSetEventBoostPriority (324, ... 02692 868 NtDuplicateObject ... 740, ) == 0x0 02693 824 NtDuplicateObject ... 744, ) == 0x0 02695 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02681 168 NtWaitForSingleObject ... ) == 0x0 02694 896 NtSetEventBoostPriority ... ) == 0x0 02690 1176 NtSetEventBoostPriority ... ) == 0x0 02689 2012 NtRegisterThreadTerminatePort ... ) == 0x0 02696 1168 NtWaitForSingleObject (128, 0, 0x0, ... 02697 868 NtWaitForSingleObject (324, 0, 0x0, ... 02695 1736 NtAllocateVirtualMemory ... 85000192, 1048576, ) == 0x0 02698 168 NtSetEventBoostPriority (324, ... 02699 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02700 1176 NtWaitForSingleObject (104, 0, {0, 0}, ... 02701 2012 NtWaitForSingleObject (324, 0, 0x0, ... 02702 1736 NtAllocateVirtualMemory (-1, 86040576, 0, 8192, 4096, 4, ... 02684 1252 NtWaitForSingleObject ... ) == 0x0 02699 896 NtDuplicateObject ... 748, ) == 0x0 02703 1252 NtSetEventBoostPriority (324, ... 02702 1736 NtAllocateVirtualMemory ... 
86040576, 8192, ) == 0x0 02698 168 NtSetEventBoostPriority ... ) == 0x0 02704 824 NtWaitForSingleObject (324, 0, 0x0, ... 02700 1176 NtWaitForSingleObject ... ) == 0x102 02682 1852 NtWaitForSingleObject ... ) == 0x0 02703 1252 NtSetEventBoostPriority ... ) == 0x0 02705 896 NtWaitForSingleObject (324, 0, 0x0, ... 02706 168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02707 1852 NtSetEventBoostPriority (324, ... 02708 1176 NtWaitForSingleObject (324, 0, 0x0, ... 02709 1736 NtProtectVirtualMemory (-1, (0x520e000), 4096, 260, ... 02686 1420 NtWaitForSingleObject ... ) == 0x0 02707 1852 NtSetEventBoostPriority ... ) == 0x0 02706 168 NtDuplicateObject ... 752, ) == 0x0 02710 1420 NtSetEventBoostPriority (324, ... 02709 1736 NtProtectVirtualMemory ... (0x520e000), 4096, 4, ) == 0x0 02711 1852 NtWaitForSingleObject (324, 0, 0x0, ... 02712 1252 NtSetEventBoostPriority (128, ... 02697 868 NtWaitForSingleObject ... ) == 0x0 02710 1420 NtSetEventBoostPriority ... ) == 0x0 02713 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02714 168 NtWaitForSingleObject (324, 0, 0x0, ... 02715 868 NtSetEventBoostPriority (324, ... 02552 1028 NtWaitForSingleObject ... ) == 0x0 02712 1252 NtSetEventBoostPriority ... ) == 0x0 02716 1420 NtWaitForSingleObject (324, 0, 0x0, ... 02713 1736 NtCreateThread ... 756, {1636, 120}, ) == 0x0 02701 2012 NtWaitForSingleObject ... ) == 0x0 02717 1028 NtWaitForSingleObject (324, 0, 0x0, ... 02715 868 NtSetEventBoostPriority ... ) == 0x0 02718 1252 NtTestAlert (... 02719 2012 NtSetEventBoostPriority (324, ... 02720 1736 NtQueryInformationThread (756, Basic, 28, ... 02721 868 NtWaitForSingleObject (324, 0, 0x0, ... 02704 824 NtWaitForSingleObject ... ) == 0x0 02719 2012 NtSetEventBoostPriority ... ) == 0x0 02718 1252 NtTestAlert ... ) == 0x0 02720 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=120,}, 0x0, ) == 0x0 02722 824 NtSetEventBoostPriority (324, ... 02723 1252 NtContinue (80805168, 1, ... 
02724 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02705 896 NtWaitForSingleObject ... ) == 0x0 02722 824 NtSetEventBoostPriority ... ) == 0x0 02725 1252 NtRegisterThreadTerminatePort (24, ... 02726 896 NtSetEventBoostPriority (324, ... 02724 2012 NtDuplicateObject ... 760, ) == 0x0 02727 824 NtWaitForSingleObject (324, 0, 0x0, ... 02728 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75629, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0x\0\0\0" ... ... 02708 1176 NtWaitForSingleObject ... ) == 0x0 02726 896 NtSetEventBoostPriority ... ) == 0x0 02729 2012 NtWaitForSingleObject (324, 0, 0x0, ... 02725 1252 NtRegisterThreadTerminatePort ... ) == 0x0 02730 1176 NtSetEventBoostPriority (324, ... 02728 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75630, 0} ... {28, 56, reply, 0, 1636, 1736, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0x\0\0\0" ) ) == 0x0 02731 896 NtWaitForSingleObject (324, 0, 0x0, ... 02714 168 NtWaitForSingleObject ... ) == 0x0 02730 1176 NtSetEventBoostPriority ... ) == 0x0 02732 1252 NtWaitForSingleObject (324, 0, 0x0, ... 02733 1736 NtResumeThread (756, ... 02734 168 NtSetEventBoostPriority (324, ... 02711 1852 NtWaitForSingleObject ... ) == 0x0 02735 1852 NtSetEventBoostPriority (324, ... 02717 1028 NtWaitForSingleObject ... ) == 0x0 02736 1028 NtSetEventBoostPriority (324, ... 02716 1420 NtWaitForSingleObject ... ) == 0x0 02737 1420 NtSetEventBoostPriority (324, ... 02721 868 NtWaitForSingleObject ... ) == 0x0 02738 868 NtSetEventBoostPriority (324, ... 02729 2012 NtWaitForSingleObject ... ) == 0x0 02739 2012 NtSetEventBoostPriority (324, ... 02727 824 NtWaitForSingleObject ... ) == 0x0 02740 824 NtSetEventBoostPriority (324, ... 02731 896 NtWaitForSingleObject ... ) == 0x0 02741 896 NtSetEventBoostPriority (324, ... 02732 1252 NtWaitForSingleObject ... ) == 0x0 02742 1252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
764, ) == 0x0 02739 2012 NtSetEventBoostPriority ... ) == 0x0 02736 1028 NtSetEventBoostPriority ... ) == 0x0 02734 168 NtSetEventBoostPriority ... ) == 0x0 02733 1736 NtResumeThread ... 1, ) == 0x0 02741 896 NtSetEventBoostPriority ... ) == 0x0 02740 824 NtSetEventBoostPriority ... ) == 0x0 02738 868 NtSetEventBoostPriority ... ) == 0x0 02737 1420 NtSetEventBoostPriority ... ) == 0x0 02735 1852 NtSetEventBoostPriority ... ) == 0x0 02743 1176 NtWaitForSingleObject (160, 0, 0x0, ... 02744 1252 NtWaitForSingleObject (104, 0, {0, 0}, ... 02745 120 NtWaitForSingleObject (128, 0, 0x0, ... 02746 2012 NtWaitForSingleObject (104, 0, {0, 0}, ... 02747 168 NtWaitForSingleObject (104, 0, {0, 0}, ... 02748 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02749 896 NtWaitForSingleObject (104, 0, {0, 0}, ... 02750 824 NtWaitForSingleObject (104, 0, {0, 0}, ... 02751 868 NtWaitForSingleObject (104, 0, {0, 0}, ... 02752 1420 NtWaitForSingleObject (104, 0, {0, 0}, ... 02753 1852 NtWaitForSingleObject (104, 0, {0, 0}, ... 02744 1252 NtWaitForSingleObject ... ) == 0x102 02746 2012 NtWaitForSingleObject ... ) == 0x102 02754 1028 NtSetEventBoostPriority (128, ... 02747 168 NtWaitForSingleObject ... ) == 0x102 02755 1252 NtWaitForSingleObject (160, 0, 0x0, ... 02756 2012 NtWaitForSingleObject (160, 0, 0x0, ... 02565 784 NtWaitForSingleObject ... ) == 0x0 02754 1028 NtSetEventBoostPriority ... ) == 0x0 02757 168 NtWaitForSingleObject (160, 0, 0x0, ... 02758 784 NtSetEventBoostPriority (128, ... 02759 1028 NtTestAlert (... 02573 1180 NtWaitForSingleObject ... ) == 0x0 02758 784 NtSetEventBoostPriority ... ) == 0x0 02760 1180 NtSetEventBoostPriority (128, ... 02759 1028 NtTestAlert ... ) == 0x0 02748 1736 NtAllocateVirtualMemory ... 86048768, 1048576, ) == 0x0 02749 896 NtWaitForSingleObject ... ) == 0x102 02750 824 NtWaitForSingleObject ... ) == 0x102 02751 868 NtWaitForSingleObject ... ) == 0x102 02752 1420 NtWaitForSingleObject ... 
) == 0x102 02753 1852 NtWaitForSingleObject ... ) == 0x102 02636 596 NtWaitForSingleObject ... ) == 0x0 02760 1180 NtSetEventBoostPriority ... ) == 0x0 02761 1028 NtContinue (81853744, 1, ... 02762 1736 NtAllocateVirtualMemory (-1, 87089152, 0, 8192, 4096, 4, ... 02763 896 NtWaitForSingleObject (160, 0, 0x0, ... 02764 824 NtWaitForSingleObject (160, 0, 0x0, ... 02765 868 NtWaitForSingleObject (160, 0, 0x0, ... 02766 1420 NtWaitForSingleObject (160, 0, 0x0, ... 02767 596 NtSetEventBoostPriority (128, ... 02768 1852 NtWaitForSingleObject (160, 0, 0x0, ... 02769 784 NtSetEventBoostPriority (160, ... 02770 1028 NtRegisterThreadTerminatePort (24, ... 02762 1736 NtAllocateVirtualMemory ... 87089152, 8192, ) == 0x0 02696 1168 NtWaitForSingleObject ... ) == 0x0 02767 596 NtSetEventBoostPriority ... ) == 0x0 01177 1104 NtWaitForSingleObject ... ) == 0x0 02769 784 NtSetEventBoostPriority ... ) == 0x0 02771 1180 NtTestAlert (... 02772 1168 NtSetEventBoostPriority (128, ... 02773 1736 NtProtectVirtualMemory (-1, (0x530e000), 4096, 260, ... 02770 1028 NtRegisterThreadTerminatePort ... ) == 0x0 02774 1104 NtSetEventBoostPriority (160, ... 02775 784 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02745 120 NtWaitForSingleObject ... ) == 0x0 02772 1168 NtSetEventBoostPriority ... ) == 0x0 02771 1180 NtTestAlert ... ) == 0x0 02773 1736 NtProtectVirtualMemory ... (0x530e000), 4096, 4, ) == 0x0 01181 1568 NtWaitForSingleObject ... ) == 0x0 02774 1104 NtSetEventBoostPriority ... ) == 0x0 02776 1028 NtWaitForSingleObject (324, 0, 0x0, ... 02777 120 NtWaitForSingleObject (324, 0, 0x0, ... 02775 784 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02778 596 NtTestAlert (... 02779 1180 NtContinue (82902320, 1, ... 02780 1568 NtWaitForSingleObject (324, 0, 0x0, ... 02781 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02782 1104 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02783 784 NtSetEventBoostPriority (324, ... 02778 596 NtTestAlert ... 
) == 0x0 02784 1180 NtRegisterThreadTerminatePort (24, ... 02785 1168 NtTestAlert (... 02781 1736 NtCreateThread ... 768, {1636, 1732}, ) == 0x0 02777 120 NtWaitForSingleObject ... ) == 0x0 02783 784 NtSetEventBoostPriority ... ) == 0x0 02786 596 NtContinue (83950896, 1, ... 02784 1180 NtRegisterThreadTerminatePort ... ) == 0x0 02785 1168 NtTestAlert ... ) == 0x0 02787 120 NtSetEventBoostPriority (324, ... 02788 1736 NtQueryInformationThread (768, Basic, 28, ... 02782 1104 NtCreateEvent ... 772, ) == 0x0 02789 596 NtRegisterThreadTerminatePort (24, ... 02790 1180 NtWaitForSingleObject (324, 0, 0x0, ... 02776 1028 NtWaitForSingleObject ... ) == 0x0 02787 120 NtSetEventBoostPriority ... ) == 0x0 02791 1168 NtContinue (84999472, 1, ... 02788 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0 02792 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02789 596 NtRegisterThreadTerminatePort ... ) == 0x0 02793 784 NtWaitForSingleObject (324, 0, 0x0, ... 02794 1028 NtSetEventBoostPriority (324, ... 02795 1168 NtRegisterThreadTerminatePort (24, ... 02796 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75630, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\304\6\0\0" ... ... 02797 596 NtWaitForSingleObject (324, 0, 0x0, ... 02780 1568 NtWaitForSingleObject ... ) == 0x0 02794 1028 NtSetEventBoostPriority ... ) == 0x0 02795 1168 NtRegisterThreadTerminatePort ... ) == 0x0 02796 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75631, 0} ... {28, 56, reply, 0, 1636, 1736, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\304\6\0\0" ) ) == 0x0 02798 120 NtTestAlert (... 02799 1568 NtSetEventBoostPriority (324, ... 02800 1168 NtWaitForSingleObject (324, 0, 0x0, ... 02801 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02790 1180 NtWaitForSingleObject ... ) == 0x0 02799 1568 NtSetEventBoostPriority ... ) == 0x0 02798 120 NtTestAlert ... 
) == 0x0 02802 1736 NtResumeThread (768, ... 02803 1180 NtSetEventBoostPriority (324, ... 02801 1028 NtDuplicateObject ... 776, ) == 0x0 02804 120 NtContinue (86048048, 1, ... 02792 1104 NtWaitForSingleObject ... ) == 0x0 02802 1736 NtResumeThread ... 1, ) == 0x0 02805 1028 NtWaitForSingleObject (324, 0, 0x0, ... 02806 120 NtRegisterThreadTerminatePort (24, ... 02807 1104 NtSetEventBoostPriority (324, ... 02808 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02806 120 NtRegisterThreadTerminatePort ... ) == 0x0 02793 784 NtWaitForSingleObject ... ) == 0x0 02807 1104 NtSetEventBoostPriority ... ) == 0x0 02808 1736 NtAllocateVirtualMemory ... 87097344, 1048576, ) == 0x0 02809 784 NtSetEventBoostPriority (324, ... 02810 120 NtWaitForSingleObject (324, 0, 0x0, ... 02803 1180 NtSetEventBoostPriority ... ) == 0x0 02811 1568 NtWaitForSingleObject (324, 0, 0x0, ... 02812 1732 NtWaitForSingleObject (324, 0, 0x0, ... 02797 596 NtWaitForSingleObject ... ) == 0x0 02809 784 NtSetEventBoostPriority ... ) == 0x0 02813 1736 NtAllocateVirtualMemory (-1, 88137728, 0, 8192, 4096, 4, ... 02814 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02815 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02816 596 NtSetEventBoostPriority (324, ... 02817 784 NtWaitForSingleObject (324, 0, 0x0, ... 02813 1736 NtAllocateVirtualMemory ... 88137728, 8192, ) == 0x0 02800 1168 NtWaitForSingleObject ... ) == 0x0 02815 1180 NtDuplicateObject ... 780, ) == 0x0 02816 596 NtSetEventBoostPriority ... ) == 0x0 02818 1168 NtSetEventBoostPriority (324, ... 02819 1736 NtProtectVirtualMemory (-1, (0x540e000), 4096, 260, ... 02820 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02805 1028 NtWaitForSingleObject ... ) == 0x0 02819 1736 NtProtectVirtualMemory ... (0x540e000), 4096, 4, ) == 0x0 02820 596 NtDuplicateObject ... 784, ) == 0x0 02821 1028 NtSetEventBoostPriority (324, ... 02822 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02818 1168 NtSetEventBoostPriority ... 
) == 0x0 02823 1180 NtWaitForSingleObject (324, 0, 0x0, ... 02811 1568 NtWaitForSingleObject ... ) == 0x0 02821 1028 NtSetEventBoostPriority ... ) == 0x0 02822 1736 NtCreateThread ... 788, {1636, 748}, ) == 0x0 02824 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02825 1568 NtSetEventBoostPriority (324, ... 02826 596 NtWaitForSingleObject (324, 0, 0x0, ... 02827 1736 NtQueryInformationThread (788, Basic, 28, ... 02812 1732 NtWaitForSingleObject ... ) == 0x0 02825 1568 NtSetEventBoostPriority ... ) == 0x0 02824 1168 NtDuplicateObject ... 792, ) == 0x0 02828 1732 NtSetEventBoostPriority (324, ... 02827 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=748,}, 0x0, ) == 0x0 02829 1568 NtSetEventBoostPriority (160, ... 02830 1028 NtWaitForSingleObject (324, 0, 0x0, ... 02814 1104 NtWaitForSingleObject ... ) == 0x0 02828 1732 NtSetEventBoostPriority ... ) == 0x0 02831 1168 NtWaitForSingleObject (324, 0, 0x0, ... 02832 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75631, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0d\6\0\0\354\2\0\0" ... ... 02833 1104 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 01186 704 NtWaitForSingleObject ... ) == 0x0 02829 1568 NtSetEventBoostPriority ... ) == 0x0 02833 1104 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02832 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75632, 0} ... {28, 56, reply, 0, 1636, 1736, 75632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0d\6\0\0\354\2\0\0" ) ) == 0x0 02834 704 NtWaitForSingleObject (324, 0, 0x0, ... 02835 1104 NtSetEventBoostPriority (324, ... 02836 1568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02837 1736 NtResumeThread (788, ... 02838 1732 NtTestAlert (... 02836 1568 NtCreateEvent ... 796, ) == 0x0 02837 1736 NtResumeThread ... 1, ) == 0x0 02838 1732 NtTestAlert ... ) == 0x0 02839 1568 NtWaitForSingleObject (324, 0, 0x0, ... 
02840 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02841 1732 NtContinue (87096624, 1, ... 02810 120 NtWaitForSingleObject ... ) == 0x0 02835 1104 NtSetEventBoostPriority ... ) == 0x0 02842 748 NtWaitForSingleObject (324, 0, 0x0, ... 02843 1732 NtRegisterThreadTerminatePort (24, ... 02844 120 NtSetEventBoostPriority (324, ... 02845 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02843 1732 NtRegisterThreadTerminatePort ... ) == 0x0 02817 784 NtWaitForSingleObject ... ) == 0x0 02846 1732 NtWaitForSingleObject (324, 0, 0x0, ... 02847 784 NtSetEventBoostPriority (324, ... 02844 120 NtSetEventBoostPriority ... ) == 0x0 02840 1736 NtAllocateVirtualMemory ... 88145920, 1048576, ) == 0x0 02823 1180 NtWaitForSingleObject ... ) == 0x0 02848 120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02849 1736 NtAllocateVirtualMemory (-1, 89186304, 0, 8192, 4096, 4, ... 02850 1180 NtSetEventBoostPriority (324, ... 02848 120 NtDuplicateObject ... 800, ) == 0x0 02849 1736 NtAllocateVirtualMemory ... 89186304, 8192, ) == 0x0 02826 596 NtWaitForSingleObject ... ) == 0x0 02850 1180 NtSetEventBoostPriority ... ) == 0x0 02847 784 NtSetEventBoostPriority ... ) == 0x0 02851 596 NtSetEventBoostPriority (324, ... 02852 1736 NtProtectVirtualMemory (-1, (0x550e000), 4096, 260, ... 02853 1180 NtWaitForSingleObject (324, 0, 0x0, ... 02830 1028 NtWaitForSingleObject ... ) == 0x0 02851 596 NtSetEventBoostPriority ... ) == 0x0 02854 784 NtWaitForSingleObject (324, 0, 0x0, ... 02852 1736 NtProtectVirtualMemory ... (0x550e000), 4096, 4, ) == 0x0 02855 120 NtWaitForSingleObject (324, 0, 0x0, ... 02856 1028 NtSetEventBoostPriority (324, ... 02857 596 NtWaitForSingleObject (324, 0, 0x0, ... 02858 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02831 1168 NtWaitForSingleObject ... ) == 0x0 02856 1028 NtSetEventBoostPriority ... ) == 0x0 02859 1168 NtSetEventBoostPriority (324, ... 02834 704 NtWaitForSingleObject ... ) == 0x0 02860 704 NtSetEventBoostPriority (324, ... 
02839 1568 NtWaitForSingleObject ... ) == 0x0 02861 1568 NtSetEventBoostPriority (324, ... 02842 748 NtWaitForSingleObject ... ) == 0x0 02862 748 NtSetEventBoostPriority (324, ... 02845 1104 NtWaitForSingleObject ... ) == 0x0 02863 1104 NtSetEventBoostPriority (324, ... 02846 1732 NtWaitForSingleObject ... ) == 0x0 02864 1732 NtSetEventBoostPriority (324, ... 02854 784 NtWaitForSingleObject ... ) == 0x0 02865 784 NtSetEventBoostPriority (324, ... 02855 120 NtWaitForSingleObject ... ) == 0x0 02866 120 NtSetEventBoostPriority (324, ... 02853 1180 NtWaitForSingleObject ... ) == 0x0 02867 1180 NtSetEventBoostPriority (324, ... 02857 596 NtWaitForSingleObject ... ) == 0x0 02868 596 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 02869 596 NtWaitForSingleObject (160, 0, 0x0, ... 02866 120 NtSetEventBoostPriority ... ) == 0x0 02865 784 NtSetEventBoostPriority ... ) == 0x0 02863 1104 NtSetEventBoostPriority ... ) == 0x0 02862 748 NtSetEventBoostPriority ... ) == 0x0 02861 1568 NtSetEventBoostPriority ... ) == 0x0 02860 704 NtSetEventBoostPriority ... ) == 0x0 02859 1168 NtSetEventBoostPriority ... ) == 0x0 02870 1028 NtWaitForSingleObject (104, 0, {0, 0}, ... 02867 1180 NtSetEventBoostPriority ... ) == 0x0 02864 1732 NtSetEventBoostPriority ... ) == 0x0 02858 1736 NtCreateThread ... 804, {1636, 1300}, ) == 0x0 02871 120 NtWaitForSingleObject (104, 0, {0, 0}, ... 02872 784 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02873 1104 NtAllocateVirtualMemory (-1, 14733312, 0, 4096, 4096, 260, ... 02874 748 NtTestAlert (... 02875 1568 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 02876 1168 NtWaitForSingleObject (324, 0, 0x0, ... 02877 704 NtSetEventBoostPriority (160, ... 02878 1180 NtWaitForSingleObject (324, 0, 0x0, ... 02879 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02880 1736 NtQueryInformationThread (804, Basic, 28, ... 02870 1028 NtWaitForSingleObject ... ) == 0x102 02872 784 NtCreateEvent ... 808, ) == 0x0 02873 1104 NtAllocateVirtualMemory ... 
14733312, 4096, ) == 0x0 02874 748 NtTestAlert ... ) == 0x0 02875 1568 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 02871 120 NtWaitForSingleObject ... ) == 0x102 01254 876 NtWaitForSingleObject ... ) == 0x0 02877 704 NtSetEventBoostPriority ... ) == 0x0 02879 1732 NtDuplicateObject ... 812, ) == 0x0 02880 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0 02881 1028 NtWaitForSingleObject (160, 0, 0x0, ... 02882 784 NtWaitForSingleObject (336, 0, 0x0, ... 02883 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02884 748 NtContinue (88145200, 1, ... 02885 1568 NtSetEventBoostPriority (324, ... 02886 876 NtWaitForSingleObject (324, 0, 0x0, ... 02887 120 NtWaitForSingleObject (160, 0, 0x0, ... 02888 704 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02889 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75632, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0d\6\0\0\24\5\0\0" ... ... 02890 748 NtRegisterThreadTerminatePort (24, ... 02878 1180 NtWaitForSingleObject ... ) == 0x0 02885 1568 NtSetEventBoostPriority ... ) == 0x0 02888 704 NtCreateEvent ... 816, ) == 0x0 02889 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75633, 0} ... {28, 56, reply, 0, 1636, 1736, 75633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0d\6\0\0\24\5\0\0" ) ) == 0x0 02891 1180 NtSetEventBoostPriority (324, ... 02890 748 NtRegisterThreadTerminatePort ... ) == 0x0 02892 1568 NtWaitForSingleObject (324, 0, 0x0, ... 02893 704 NtWaitForSingleObject (324, 0, 0x0, ... 02894 1732 NtWaitForSingleObject (324, 0, 0x0, ... 02876 1168 NtWaitForSingleObject ... ) == 0x0 02891 1180 NtSetEventBoostPriority ... ) == 0x0 02895 748 NtWaitForSingleObject (324, 0, 0x0, ... 02896 1168 NtSetEventBoostPriority (324, ... 02897 1736 NtResumeThread (804, ... 02898 1180 NtSetEventBoostPriority (336, ... 02883 1104 NtWaitForSingleObject ... ) == 0x0 02897 1736 NtResumeThread ... 
1, ) == 0x0 02882 784 NtWaitForSingleObject ... ) == 0x0 02898 1180 NtSetEventBoostPriority ... ) == 0x0 02899 1104 NtSetEventBoostPriority (324, ... 02900 784 NtWaitForSingleObject (324, 0, 0x0, ... 02901 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02902 1180 NtWaitForSingleObject (104, 0, {0, 0}, ... 02886 876 NtWaitForSingleObject ... ) == 0x0 02899 1104 NtSetEventBoostPriority ... ) == 0x0 02901 1736 NtAllocateVirtualMemory ... 89194496, 1048576, ) == 0x0 02903 876 NtSetEventBoostPriority (324, ... 02902 1180 NtWaitForSingleObject ... ) == 0x102 02896 1168 NtSetEventBoostPriority ... ) == 0x0 02904 1300 NtWaitForSingleObject (324, 0, 0x0, ... 02892 1568 NtWaitForSingleObject ... ) == 0x0 02903 876 NtSetEventBoostPriority ... ) == 0x0 02905 1736 NtAllocateVirtualMemory (-1, 90234880, 0, 8192, 4096, 4, ... 02906 1180 NtWaitForSingleObject (324, 0, 0x0, ... 02907 1168 NtWaitForSingleObject (336, 0, 0x0, ... 02908 1568 NtSetEventBoostPriority (324, ... 02909 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02905 1736 NtAllocateVirtualMemory ... 90234880, 8192, ) == 0x0 02910 876 NtWaitForSingleObject (324, 0, 0x0, ... 02893 704 NtWaitForSingleObject ... ) == 0x0 02908 1568 NtSetEventBoostPriority ... ) == 0x0 02911 704 NtSetEventBoostPriority (324, ... 02912 1736 NtProtectVirtualMemory (-1, (0x560e000), 4096, 260, ... 02894 1732 NtWaitForSingleObject ... ) == 0x0 02911 704 NtSetEventBoostPriority ... ) == 0x0 02913 1732 NtSetEventBoostPriority (324, ... 02912 1736 NtProtectVirtualMemory ... (0x560e000), 4096, 4, ) == 0x0 02914 1568 NtWaitForSingleObject (324, 0, 0x0, ... 02900 784 NtWaitForSingleObject ... ) == 0x0 02913 1732 NtSetEventBoostPriority ... ) == 0x0 02915 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02916 784 NtSetEventBoostPriority (324, ... 02917 1732 NtWaitForSingleObject (324, 0, 0x0, ... 02895 748 NtWaitForSingleObject ... ) == 0x0 02916 784 NtSetEventBoostPriority ... ) == 0x0 02915 1736 NtCreateThread ... 
820, {1636, 500}, ) == 0x0 02918 704 NtWaitForSingleObject (324, 0, 0x0, ... 02919 748 NtSetEventBoostPriority (324, ... 02920 1736 NtQueryInformationThread (820, Basic, 28, ... 02904 1300 NtWaitForSingleObject ... ) == 0x0 02920 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=500,}, 0x0, ) == 0x0 02921 1300 NtSetEventBoostPriority (324, ... 02919 748 NtSetEventBoostPriority ... ) == 0x0 02922 784 NtSetEventBoostPriority (336, ... 02909 1104 NtWaitForSingleObject ... ) == 0x0 02921 1300 NtSetEventBoostPriority ... ) == 0x0 02923 748 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02924 1104 NtSetEventBoostPriority (324, ... 02907 1168 NtWaitForSingleObject ... ) == 0x0 02922 784 NtSetEventBoostPriority ... ) == 0x0 02925 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75633, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0d\6\0\0\364\1\0\0" ... ... 02906 1180 NtWaitForSingleObject ... ) == 0x0 02926 1168 NtWaitForSingleObject (324, 0, 0x0, ... 02924 1104 NtSetEventBoostPriority ... ) == 0x0 02923 748 NtDuplicateObject ... 824, ) == 0x0 02927 784 NtWaitForSingleObject (324, 0, 0x0, ... 02928 1180 NtSetEventBoostPriority (324, ... 02925 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75634, 0} ... {28, 56, reply, 0, 1636, 1736, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0d\6\0\0\364\1\0\0" ) ) == 0x0 02929 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02930 1300 NtTestAlert (... 02910 876 NtWaitForSingleObject ... ) == 0x0 02931 1736 NtResumeThread (820, ... 02928 1180 NtSetEventBoostPriority ... ) == 0x0 02932 748 NtWaitForSingleObject (324, 0, 0x0, ... 02930 1300 NtTestAlert ... ) == 0x0 02933 876 NtSetEventBoostPriority (324, ... 02931 1736 NtResumeThread ... 1, ) == 0x0 02934 1180 NtWaitForSingleObject (160, 0, 0x0, ... 02935 1300 NtContinue (89193776, 1, ... 02914 1568 NtWaitForSingleObject ... ) == 0x0 02933 876 NtSetEventBoostPriority ... 
) == 0x0 02936 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02937 1568 NtSetEventBoostPriority (324, ... 02938 1300 NtRegisterThreadTerminatePort (24, ... 02939 876 NtWaitForSingleObject (324, 0, 0x0, ... 02940 500 NtWaitForSingleObject (324, 0, 0x0, ... 02917 1732 NtWaitForSingleObject ... ) == 0x0 02937 1568 NtSetEventBoostPriority ... ) == 0x0 02938 1300 NtRegisterThreadTerminatePort ... ) == 0x0 02936 1736 NtAllocateVirtualMemory ... 90243072, 1048576, ) == 0x0 02941 1732 NtSetEventBoostPriority (324, ... 02942 1568 NtWaitForSingleObject (324, 0, 0x0, ... 02943 1300 NtWaitForSingleObject (324, 0, 0x0, ... 02918 704 NtWaitForSingleObject ... ) == 0x0 02944 1736 NtAllocateVirtualMemory (-1, 91283456, 0, 8192, 4096, 4, ... 02941 1732 NtSetEventBoostPriority ... ) == 0x0 02945 704 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 02944 1736 NtAllocateVirtualMemory ... 91283456, 8192, ) == 0x0 02946 1732 NtWaitForSingleObject (336, 0, 0x0, ... 02945 704 NtAllocateVirtualMemory ... 1425408, 4096, ) == 0x0 02947 1736 NtProtectVirtualMemory (-1, (0x570e000), 4096, 260, ... 02948 704 NtSetEventBoostPriority (324, ... 02947 1736 NtProtectVirtualMemory ... (0x570e000), 4096, 4, ) == 0x0 02949 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 828, {1636, 1132}, ) == 0x0 02950 1736 NtQueryInformationThread (828, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0 02951 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75634, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0d\6\0\0l\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75635, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0d\6\0\0l\4\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0d\6\0\0l\4\0\0" ) ) == 0x0 02926 1168 NtWaitForSingleObject ... ) == 0x0 02948 704 NtSetEventBoostPriority ... ) == 0x0 02952 1168 NtSetEventBoostPriority (324, ... 02927 784 NtWaitForSingleObject ... ) == 0x0 02953 784 NtSetEventBoostPriority (324, ... 02932 748 NtWaitForSingleObject ... ) == 0x0 02954 748 NtSetEventBoostPriority (324, ... 02929 1104 NtWaitForSingleObject ... ) == 0x0 02955 1104 NtSetEventBoostPriority (324, ... 02940 500 NtWaitForSingleObject ... ) == 0x0 02956 500 NtSetEventBoostPriority (324, ... 02939 876 NtWaitForSingleObject ... ) == 0x0 02957 876 NtSetEventBoostPriority (324, ... 02942 1568 NtWaitForSingleObject ... ) == 0x0 02958 1568 NtSetEventBoostPriority (324, ... 02943 1300 NtWaitForSingleObject ... ) == 0x0 02959 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 832, ) == 0x0 02960 1300 NtWaitForSingleObject (336, 0, 0x0, ... 02956 500 NtSetEventBoostPriority ... ) == 0x0 02954 748 NtSetEventBoostPriority ... ) == 0x0 02953 784 NtSetEventBoostPriority ... ) == 0x0 02952 1168 NtSetEventBoostPriority ... ) == 0x0 02961 704 NtAllocateVirtualMemory (-1, 12636160, 0, 4096, 4096, 260, ... 02958 1568 NtSetEventBoostPriority ... ) == 0x0 02957 876 NtSetEventBoostPriority ... ) == 0x0 02955 1104 NtSetEventBoostPriority ... ) == 0x0 02962 1736 NtResumeThread (828, ... 02963 748 NtWaitForSingleObject (336, 0, 0x0, ... 02964 500 NtTestAlert (... 02965 784 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789236, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789236, 188, ... 02961 704 NtAllocateVirtualMemory ... 12636160, 4096, ) == 0x0 02966 1568 NtAllocateVirtualMemory (-1, 13684736, 0, 4096, 4096, 260, ... 02967 876 NtSetEventBoostPriority (160, ... 02968 1104 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02962 1736 NtResumeThread ... 1, ) == 0x0 02969 1168 NtSetEventBoostPriority (336, ... 02964 500 NtTestAlert ... 
) == 0x0 02970 704 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02966 1568 NtAllocateVirtualMemory ... 13684736, 4096, ) == 0x0 02965 784 NtConnectPort ... 836, 0x0, 0x0, 0x0, 188, ) == 0x0 01261 1612 NtWaitForSingleObject ... ) == 0x0 02967 876 NtSetEventBoostPriority ... ) == 0x0 02968 1104 NtCreateEvent ... 840, ) == 0x0 02971 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02946 1732 NtWaitForSingleObject ... ) == 0x0 02969 1168 NtSetEventBoostPriority ... ) == 0x0 02972 500 NtContinue (90242352, 1, ... 02970 704 NtCreateEvent ... 844, ) == 0x0 02973 1132 NtTestAlert (... 02974 1612 NtSetEventBoostPriority (160, ... 02975 784 NtRequestWaitReplyPort (836, {200, 224, new_msg, 0, 1379240, 12, 2, 1310721} (836, {200, 224, new_msg, 0, 1379240, 12, 2, 1310721} "\0\5\24\0\274\0\0\0\354<\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\244\36\25\0\4\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\203\32N\213\247\366\263\237P\241\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0x\274\25\0@\250\25\0\10\5\24\0H\241\25\0h\1\24\0\0\0\0\0\0\0\0\0H\241\25\0P\0\0\0P\241\25\0(\356\360\0x\1\24\0P\0\0\0\200\300\0\0\0\0\24\04\353\360\0\372\31\221|\310\362\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02976 1568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02977 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02978 1732 NtSetEventBoostPriority (336, ... 02971 1736 NtAllocateVirtualMemory ... 91291648, 1048576, ) == 0x0 02979 1168 NtWaitForSingleObject (104, 0, {0, 0}, ... 02980 500 NtRegisterThreadTerminatePort (24, ... 02981 704 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01263 1484 NtWaitForSingleObject ... ) == 0x0 02974 1612 NtSetEventBoostPriority ... ) == 0x0 02973 1132 NtTestAlert ... ) == 0x0 02976 1568 NtCreateEvent ... 848, ) == 0x0 02960 1300 NtWaitForSingleObject ... ) == 0x0 02978 1732 NtSetEventBoostPriority ... ) == 0x0 02977 876 NtCreateEvent ... 852, ) == 0x0 02975 784 NtRequestWaitReplyPort ... 
{200, 224, reply, 0, 1636, 784, 75637, 0} ... {200, 224, reply, 0, 1636, 784, 75637, 0} "\7\5\24\0\274\0\0\0\354<\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\203\32N\213\247\366\263\237P\241\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0x\274\25\0@\250\25\0\10\5\24\0H\241\25\0h\1\24\0\0\0\0\0\0\0\0\0H\241\25\0P\0\0\0P\241\25\0(\356\360\0x\1\24\0P\0\0\0\200\300\0\0\0\0\24\04\353\360\0\372\31\221|\310\362\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02982 1736 NtAllocateVirtualMemory (-1, 92332032, 0, 8192, 4096, 4, ... 02979 1168 NtWaitForSingleObject ... ) == 0x102 02980 500 NtRegisterThreadTerminatePort ... ) == 0x0 02983 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02984 1484 NtSetEventBoostPriority (160, ... 02981 704 NtDuplicateObject ... 856, ) == 0x0 02985 1132 NtContinue (91290928, 1, ... 02986 1300 NtSetEventBoostPriority (336, ... 02987 1568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02988 1612 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02989 876 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 02990 1732 NtWaitForSingleObject (104, 0, {0, 0}, ... 02982 1736 NtAllocateVirtualMemory ... 92332032, 8192, ) == 0x0 02991 1168 NtWaitForSingleObject (160, 0, 0x0, ... 02992 500 NtWaitForSingleObject (324, 0, 0x0, ... 01520 1664 NtWaitForSingleObject ... ) == 0x0 02984 1484 NtSetEventBoostPriority ... ) == 0x0 02983 1104 NtDuplicateObject ... 860, ) == 0x0 02993 704 NtWaitForSingleObject (324, 0, 0x0, ... 02963 748 NtWaitForSingleObject ... ) == 0x0 02994 1132 NtRegisterThreadTerminatePort (24, ... 02987 1568 NtDuplicateObject ... 864, ) == 0x0 02988 1612 NtCreateEvent ... 868, ) == 0x0 02989 876 NtAllocateVirtualMemory ... 1429504, 4096, ) == 0x0 02990 1732 NtWaitForSingleObject ... ) == 0x102 02986 1300 NtSetEventBoostPriority ... 
) == 0x0 02995 784 NtRequestWaitReplyPort (836, {64, 88, new_msg, 0, 1636, 784, 75587, 0} (836, {64, 88, new_msg, 0, 1636, 784, 75587, 0} "\1\332\0\0A\2\10\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02996 1736 NtProtectVirtualMemory (-1, (0x580e000), 4096, 260, ... 02997 1664 NtWaitForSingleObject (324, 0, 0x0, ... 02998 1104 NtWaitForSingleObject (324, 0, 0x0, ... 02999 748 NtWaitForSingleObject (324, 0, 0x0, ... 02994 1132 NtRegisterThreadTerminatePort ... ) == 0x0 03000 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03001 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03002 876 NtSetEventBoostPriority (324, ... 03003 1732 NtWaitForSingleObject (160, 0, 0x0, ... 03004 1484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02996 1736 NtProtectVirtualMemory ... (0x580e000), 4096, 4, ) == 0x0 03005 1300 NtWaitForSingleObject (104, 0, {0, 0}, ... 02995 784 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 784, 75638, 0} ... {52, 76, reply, 0, 1636, 784, 75638, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\2000/\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 02992 500 NtWaitForSingleObject ... ) == 0x0 03002 876 NtSetEventBoostPriority ... ) == 0x0 03004 1484 NtCreateEvent ... 872, ) == 0x0 03006 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03005 1300 NtWaitForSingleObject ... ) == 0x102 03007 500 NtSetEventBoostPriority (324, ... 03008 784 NtWaitForSingleObject (324, 0, 0x0, ... 03009 1132 NtWaitForSingleObject (324, 0, 0x0, ... 03010 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03006 1736 NtCreateThread ... 876, {1636, 948}, ) == 0x0 02993 704 NtWaitForSingleObject ... ) == 0x0 03011 1300 NtWaitForSingleObject (160, 0, 0x0, ... 03012 1736 NtQueryInformationThread (876, Basic, 28, ... 03013 704 NtSetEventBoostPriority (324, ... 03012 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=948,}, 0x0, ) == 0x0 02997 1664 NtWaitForSingleObject ... ) == 0x0 03013 704 NtSetEventBoostPriority ... ) == 0x0 03007 500 NtSetEventBoostPriority ... ) == 0x0 03014 876 NtWaitForSingleObject (324, 0, 0x0, ... 03015 1664 NtSetEventBoostPriority (324, ... 03016 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75635, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0d\6\0\0\264\3\0\0" ... ... 03017 500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02998 1104 NtWaitForSingleObject ... ) == 0x0 03015 1664 NtSetEventBoostPriority ... ) == 0x0 03016 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75639, 0} ... {28, 56, reply, 0, 1636, 1736, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0d\6\0\0\264\3\0\0" ) ) == 0x0 03018 1104 NtSetEventBoostPriority (324, ... 03017 500 NtDuplicateObject ... 880, ) == 0x0 03019 704 NtWaitForSingleObject (324, 0, 0x0, ... 02999 748 NtWaitForSingleObject ... ) == 0x0 03018 1104 NtSetEventBoostPriority ... ) == 0x0 03020 1736 NtResumeThread (876, ... 03021 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03022 748 NtSetEventBoostPriority (324, ... 03023 500 NtWaitForSingleObject (324, 0, 0x0, ... 03020 1736 NtResumeThread ... 1, ) == 0x0 03000 1568 NtWaitForSingleObject ... ) == 0x0 03024 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03025 1568 NtSetEventBoostPriority (324, ... 03022 748 NtSetEventBoostPriority ... ) == 0x0 03026 1104 NtWaitForSingleObject (324, 0, 0x0, ... 03027 948 NtWaitForSingleObject (324, 0, 0x0, ... 03001 1612 NtWaitForSingleObject ... ) == 0x0 03025 1568 NtSetEventBoostPriority ... ) == 0x0 03024 1736 NtAllocateVirtualMemory ... 92340224, 1048576, ) == 0x0 03028 1612 NtSetEventBoostPriority (324, ... 03029 748 NtWaitForSingleObject (104, 0, {0, 0}, ... 03008 784 NtWaitForSingleObject ... ) == 0x0 03028 1612 NtSetEventBoostPriority ... 
) == 0x0 03030 1736 NtAllocateVirtualMemory (-1, 93380608, 0, 8192, 4096, 4, ... 03031 784 NtSetEventBoostPriority (324, ... 03029 748 NtWaitForSingleObject ... ) == 0x102 03032 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03009 1132 NtWaitForSingleObject ... ) == 0x0 03031 784 NtSetEventBoostPriority ... ) == 0x0 03030 1736 NtAllocateVirtualMemory ... 93380608, 8192, ) == 0x0 03033 748 NtWaitForSingleObject (324, 0, 0x0, ... 03034 1132 NtSetEventBoostPriority (324, ... 03035 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03036 1736 NtProtectVirtualMemory (-1, (0x590e000), 4096, 260, ... 03010 1484 NtWaitForSingleObject ... ) == 0x0 03034 1132 NtSetEventBoostPriority ... ) == 0x0 03037 1484 NtSetEventBoostPriority (324, ... 03036 1736 NtProtectVirtualMemory ... (0x590e000), 4096, 4, ) == 0x0 03014 876 NtWaitForSingleObject ... ) == 0x0 03037 1484 NtSetEventBoostPriority ... ) == 0x0 03038 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03039 876 NtSetEventBoostPriority (324, ... 03040 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03041 784 NtClose (808, ... 03042 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03019 704 NtWaitForSingleObject ... ) == 0x0 03039 876 NtSetEventBoostPriority ... ) == 0x0 03038 1132 NtDuplicateObject ... 884, ) == 0x0 03041 784 NtClose ... ) == 0x0 03043 704 NtSetEventBoostPriority (324, ... 03044 876 NtWaitForSingleObject (324, 0, 0x0, ... 03045 1132 NtWaitForSingleObject (324, 0, 0x0, ... 03021 1664 NtWaitForSingleObject ... ) == 0x0 03043 704 NtSetEventBoostPriority ... ) == 0x0 03046 784 NtClose (836, ... 03040 1736 NtCreateThread ... 808, {1636, 188}, ) == 0x0 03047 1664 NtSetEventBoostPriority (324, ... 03048 704 NtWaitForSingleObject (324, 0, 0x0, ... 03046 784 NtClose ... ) == 0x0 03023 500 NtWaitForSingleObject ... ) == 0x0 03047 1664 NtSetEventBoostPriority ... ) == 0x0 03049 1736 NtQueryInformationThread (808, Basic, 28, ... 03050 500 NtSetEventBoostPriority (324, ... 
03051 784 NtWaitForSingleObject (324, 0, 0x0, ... 03052 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03026 1104 NtWaitForSingleObject ... ) == 0x0 03050 500 NtSetEventBoostPriority ... ) == 0x0 03049 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=188,}, 0x0, ) == 0x0 03053 1104 NtSetEventBoostPriority (324, ... 03054 500 NtWaitForSingleObject (104, 0, {0, 0}, ... 03027 948 NtWaitForSingleObject ... ) == 0x0 03053 1104 NtSetEventBoostPriority ... ) == 0x0 03055 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75639, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0d\6\0\0\274\0\0\0" ... ... 03056 948 NtSetEventBoostPriority (324, ... 03057 1104 NtWaitForSingleObject (324, 0, 0x0, ... 03032 1568 NtWaitForSingleObject ... ) == 0x0 03056 948 NtSetEventBoostPriority ... ) == 0x0 03055 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75641, 0} ... {28, 56, reply, 0, 1636, 1736, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0d\6\0\0\274\0\0\0" ) ) == 0x0 03054 500 NtWaitForSingleObject ... ) == 0x102 03058 1568 NtSetEventBoostPriority (324, ... 03059 948 NtTestAlert (... 03033 748 NtWaitForSingleObject ... ) == 0x0 03058 1568 NtSetEventBoostPriority ... ) == 0x0 03060 500 NtWaitForSingleObject (160, 0, 0x0, ... 03061 748 NtSetEventBoostPriority (324, ... 03059 948 NtTestAlert ... ) == 0x0 03062 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03035 1612 NtWaitForSingleObject ... ) == 0x0 03061 748 NtSetEventBoostPriority ... ) == 0x0 03063 948 NtContinue (92339504, 1, ... 03064 1736 NtResumeThread (808, ... 03065 1612 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 03066 948 NtRegisterThreadTerminatePort (24, ... 03065 1612 NtAllocateVirtualMemory ... 1433600, 4096, ) == 0x0 03064 1736 NtResumeThread ... 1, ) == 0x0 03067 1612 NtSetEventBoostPriority (324, ... 03066 948 NtRegisterThreadTerminatePort ... 
) == 0x0 03068 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03069 748 NtWaitForSingleObject (160, 0, 0x0, ... 03070 188 NtAllocateVirtualMemory (-1, 3633152, 0, 4096, 4096, 4, ... 03071 948 NtWaitForSingleObject (324, 0, 0x0, ... 03068 1736 NtAllocateVirtualMemory ... 93388800, 1048576, ) == 0x0 03070 188 NtAllocateVirtualMemory ... 3633152, 4096, ) == 0x0 03042 1484 NtWaitForSingleObject ... ) == 0x0 03067 1612 NtSetEventBoostPriority ... ) == 0x0 03072 1736 NtAllocateVirtualMemory (-1, 94429184, 0, 8192, 4096, 4, ... 03073 188 NtTestAlert (... 03074 1484 NtSetEventBoostPriority (324, ... 03075 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03072 1736 NtAllocateVirtualMemory ... 94429184, 8192, ) == 0x0 03073 188 NtTestAlert ... ) == 0x0 03045 1132 NtWaitForSingleObject ... ) == 0x0 03074 1484 NtSetEventBoostPriority ... ) == 0x0 03076 1132 NtSetEventBoostPriority (324, ... 03077 188 NtContinue (93388080, 1, ... 03044 876 NtWaitForSingleObject ... ) == 0x0 03076 1132 NtSetEventBoostPriority ... ) == 0x0 03078 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03079 1736 NtProtectVirtualMemory (-1, (0x5a0e000), 4096, 260, ... 03080 876 NtSetEventBoostPriority (324, ... 03081 188 NtRegisterThreadTerminatePort (24, ... 03082 1132 NtWaitForSingleObject (324, 0, 0x0, ... 03051 784 NtWaitForSingleObject ... ) == 0x0 03079 1736 NtProtectVirtualMemory ... (0x5a0e000), 4096, 4, ) == 0x0 03081 188 NtRegisterThreadTerminatePort ... ) == 0x0 03083 784 NtSetEventBoostPriority (324, ... 03084 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03085 188 NtWaitForSingleObject (324, 0, 0x0, ... 03048 704 NtWaitForSingleObject ... ) == 0x0 03083 784 NtSetEventBoostPriority ... ) == 0x0 03084 1736 NtCreateThread ... 836, {1636, 1372}, ) == 0x0 03086 704 NtSetEventBoostPriority (324, ... 03080 876 NtSetEventBoostPriority ... ) == 0x0 03052 1664 NtWaitForSingleObject ... ) == 0x0 03087 1736 NtQueryInformationThread (836, Basic, 28, ... 
03088 876 NtWaitForSingleObject (324, 0, 0x0, ... 03089 1664 NtSetEventBoostPriority (324, ... 03087 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0 03057 1104 NtWaitForSingleObject ... ) == 0x0 03089 1664 NtSetEventBoostPriority ... ) == 0x0 03086 704 NtSetEventBoostPriority ... ) == 0x0 03090 784 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03091 1104 NtSetEventBoostPriority (324, ... 03092 1664 NtSetEventBoostPriority (160, ... 03093 704 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03090 784 NtCreateKey ... 888, 2, ) == 0x0 03062 1568 NtWaitForSingleObject ... ) == 0x0 01534 1516 NtWaitForSingleObject ... ) == 0x0 03092 1664 NtSetEventBoostPriority ... ) == 0x0 03093 704 NtCreateEvent ... 892, ) == 0x0 03094 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03095 1516 NtWaitForSingleObject (324, 0, 0x0, ... 03096 1568 NtSetEventBoostPriority (324, ... 03091 1104 NtSetEventBoostPriority ... ) == 0x0 03097 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75641, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0d\6\0\0\\5\0\0" ... ... 03098 1664 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03094 784 NtOpenKey ... 896, ) == 0x0 03075 1612 NtWaitForSingleObject ... ) == 0x0 03099 1104 NtWaitForSingleObject (404, 0, 0x0, ... 03097 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75642, 0} ... {28, 56, reply, 0, 1636, 1736, 75642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0d\6\0\0\\5\0\0" ) ) == 0x0 03098 1664 NtCreateEvent ... 
900, ) == 0x0 03100 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03101 1612 NtSetEventBoostPriority (324, ... 03102 1736 NtResumeThread (836, ... 03103 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03100 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03071 948 NtWaitForSingleObject ... ) == 0x0 03101 1612 NtSetEventBoostPriority ... ) == 0x0 03102 1736 NtResumeThread ... 1, ) == 0x0 03096 1568 NtSetEventBoostPriority ... ) == 0x0 03104 704 NtWaitForSingleObject (324, 0, 0x0, ... 03105 1372 NtWaitForSingleObject (324, 0, 0x0, ... 03106 948 NtSetEventBoostPriority (324, ... 03107 784 NtQueryValueKey (888, (888, "Hostname", Partial, 144, ... , Partial, 144, ... 03108 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03109 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03082 1132 NtWaitForSingleObject ... ) == 0x0 03107 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 03106 948 NtSetEventBoostPriority ... ) == 0x0 03110 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03111 1132 NtSetEventBoostPriority (324, ... 03112 784 NtWaitForSingleObject (324, 0, 0x0, ... 03113 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03085 188 NtWaitForSingleObject ... ) == 0x0 03111 1132 NtSetEventBoostPriority ... ) == 0x0 03114 188 NtSetEventBoostPriority (324, ... 03113 948 NtDuplicateObject ... 904, ) == 0x0 03078 1484 NtWaitForSingleObject ... ) == 0x0 03114 188 NtSetEventBoostPriority ... ) == 0x0 03115 1132 NtWaitForSingleObject (324, 0, 0x0, ... 03108 1736 NtAllocateVirtualMemory ... 94437376, 1048576, ) == 0x0 03116 1484 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 03117 948 NtWaitForSingleObject (324, 0, 0x0, ... 03118 188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03116 1484 NtAllocateVirtualMemory ... 
1437696, 4096, ) == 0x0 03119 1736 NtAllocateVirtualMemory (-1, 95477760, 0, 8192, 4096, 4, ... 03120 1484 NtSetEventBoostPriority (324, ... 03118 188 NtDuplicateObject ... 908, ) == 0x0 03088 876 NtWaitForSingleObject ... ) == 0x0 03119 1736 NtAllocateVirtualMemory ... 95477760, 8192, ) == 0x0 03121 188 NtWaitForSingleObject (324, 0, 0x0, ... 03122 876 NtSetEventBoostPriority (324, ... 03123 1736 NtProtectVirtualMemory (-1, (0x5b0e000), 4096, 260, ... 03095 1516 NtWaitForSingleObject ... ) == 0x0 03122 876 NtSetEventBoostPriority ... ) == 0x0 03124 1516 NtSetEventBoostPriority (324, ... 03123 1736 NtProtectVirtualMemory ... (0x5b0e000), 4096, 4, ) == 0x0 03120 1484 NtSetEventBoostPriority ... ) == 0x0 03103 1664 NtWaitForSingleObject ... ) == 0x0 03124 1516 NtSetEventBoostPriority ... ) == 0x0 03125 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03126 876 NtWaitForSingleObject (324, 0, 0x0, ... 03127 1664 NtSetEventBoostPriority (324, ... 03128 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03129 1516 NtSetEventBoostPriority (160, ... 03104 704 NtWaitForSingleObject ... ) == 0x0 03127 1664 NtSetEventBoostPriority ... ) == 0x0 03130 704 NtSetEventBoostPriority (324, ... 01535 1440 NtWaitForSingleObject ... ) == 0x0 03129 1516 NtSetEventBoostPriority ... ) == 0x0 03125 1736 NtCreateThread ... 912, {1636, 900}, ) == 0x0 03105 1372 NtWaitForSingleObject ... ) == 0x0 03131 1440 NtWaitForSingleObject (324, 0, 0x0, ... 03130 704 NtSetEventBoostPriority ... ) == 0x0 03132 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03133 1372 NtSetEventBoostPriority (324, ... 03134 1736 NtQueryInformationThread (912, Basic, 28, ... 03135 704 NtSetEventBoostPriority (404, ... 03109 1568 NtWaitForSingleObject ... ) == 0x0 03133 1372 NtSetEventBoostPriority ... ) == 0x0 03132 1516 NtCreateEvent ... 916, ) == 0x0 03134 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=900,}, 0x0, ) == 0x0 03136 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03137 1568 NtSetEventBoostPriority (324, ... 03099 1104 NtWaitForSingleObject ... ) == 0x0 03135 704 NtSetEventBoostPriority ... ) == 0x0 03138 1516 NtWaitForSingleObject (324, 0, 0x0, ... 03139 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75642, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0d\6\0\0\204\3\0\0" ... ... 03110 1612 NtWaitForSingleObject ... ) == 0x0 03137 1568 NtSetEventBoostPriority ... ) == 0x0 03140 1104 NtWaitForSingleObject (324, 0, 0x0, ... 03141 704 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03142 1612 NtSetEventBoostPriority (324, ... 03139 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75643, 0} ... {28, 56, reply, 0, 1636, 1736, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0d\6\0\0\204\3\0\0" ) ) == 0x0 03143 1372 NtTestAlert (... 03112 784 NtWaitForSingleObject ... ) == 0x0 03142 1612 NtSetEventBoostPriority ... ) == 0x0 03141 704 NtCreateEvent ... 920, ) == 0x0 03144 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03145 784 NtSetEventBoostPriority (324, ... 03143 1372 NtTestAlert ... ) == 0x0 03146 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03147 704 NtWaitForSingleObject (920, 0, 0x0, ... 03117 948 NtWaitForSingleObject ... ) == 0x0 03145 784 NtSetEventBoostPriority ... ) == 0x0 03148 1372 NtContinue (94436656, 1, ... 03149 1736 NtResumeThread (912, ... 03150 948 NtSetEventBoostPriority (324, ... 03151 1372 NtRegisterThreadTerminatePort (24, ... 03121 188 NtWaitForSingleObject ... ) == 0x0 03150 948 NtSetEventBoostPriority ... ) == 0x0 03149 1736 NtResumeThread ... 1, ) == 0x0 03152 188 NtSetEventBoostPriority (324, ... 03151 1372 NtRegisterThreadTerminatePort ... ) == 0x0 03153 948 NtWaitForSingleObject (104, 0, {0, 0}, ... 03115 1132 NtWaitForSingleObject ... ) == 0x0 03152 188 NtSetEventBoostPriority ... 
) == 0x0 03154 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03155 1372 NtWaitForSingleObject (324, 0, 0x0, ... 03156 784 NtQueryValueKey (888, (888, "Hostname", Partial, 144, ... , Partial, 144, ... 03157 900 NtWaitForSingleObject (324, 0, 0x0, ... 03158 1132 NtSetEventBoostPriority (324, ... 03153 948 NtWaitForSingleObject ... ) == 0x102 03154 1736 NtAllocateVirtualMemory ... 95485952, 1048576, ) == 0x0 03159 188 NtWaitForSingleObject (324, 0, 0x0, ... 03156 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 03126 876 NtWaitForSingleObject ... ) == 0x0 03160 948 NtWaitForSingleObject (160, 0, 0x0, ... 03161 1736 NtAllocateVirtualMemory (-1, 96526336, 0, 8192, 4096, 4, ... 03162 784 NtWaitForSingleObject (324, 0, 0x0, ... 03163 876 NtSetEventBoostPriority (324, ... 03161 1736 NtAllocateVirtualMemory ... 96526336, 8192, ) == 0x0 03128 1484 NtWaitForSingleObject ... ) == 0x0 03163 876 NtSetEventBoostPriority ... ) == 0x0 03158 1132 NtSetEventBoostPriority ... ) == 0x0 03164 1484 NtSetEventBoostPriority (324, ... 03165 876 NtAllocateVirtualMemory (-1, 18927616, 0, 4096, 4096, 260, ... 03131 1440 NtWaitForSingleObject ... ) == 0x0 03164 1484 NtSetEventBoostPriority ... ) == 0x0 03166 1132 NtWaitForSingleObject (324, 0, 0x0, ... 03167 1736 NtProtectVirtualMemory (-1, (0x5c0e000), 4096, 260, ... 03168 1440 NtSetEventBoostPriority (324, ... 03169 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03136 1664 NtWaitForSingleObject ... ) == 0x0 03168 1440 NtSetEventBoostPriority ... ) == 0x0 03167 1736 NtProtectVirtualMemory ... (0x5c0e000), 4096, 4, ) == 0x0 03165 876 NtAllocateVirtualMemory ... 18927616, 4096, ) == 0x0 03170 1664 NtSetEventBoostPriority (324, ... 03171 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03138 1516 NtWaitForSingleObject ... ) == 0x0 03170 1664 NtSetEventBoostPriority ... ) == 0x0 03172 876 NtWaitForSingleObject (324, 0, 0x0, ... 
03173 1516 NtSetEventBoostPriority (324, ... 03171 1736 NtCreateThread ... 924, {1636, 1708}, ) == 0x0 03174 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03140 1104 NtWaitForSingleObject ... ) == 0x0 03173 1516 NtSetEventBoostPriority ... ) == 0x0 03175 1736 NtQueryInformationThread (924, Basic, 28, ... 03176 1440 NtSetEventBoostPriority (160, ... 03177 1104 NtSetEventBoostPriority (324, ... 03175 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0 03144 1568 NtWaitForSingleObject ... ) == 0x0 03177 1104 NtSetEventBoostPriority ... ) == 0x0 01536 1624 NtWaitForSingleObject ... ) == 0x0 03176 1440 NtSetEventBoostPriority ... ) == 0x0 03178 1516 NtWaitForSingleObject (324, 0, 0x0, ... 03179 1568 NtSetEventBoostPriority (324, ... 03180 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75643, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0d\6\0\0\254\6\0\0" ... ... 03181 1624 NtWaitForSingleObject (324, 0, 0x0, ... 03182 1440 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03146 1612 NtWaitForSingleObject ... ) == 0x0 03179 1568 NtSetEventBoostPriority ... ) == 0x0 03180 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75644, 0} ... {28, 56, reply, 0, 1636, 1736, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0d\6\0\0\254\6\0\0" ) ) == 0x0 03183 1612 NtSetEventBoostPriority (324, ... 03182 1440 NtCreateEvent ... 928, ) == 0x0 03184 1568 NtWaitForSingleObject (336, 0, 0x0, ... 03157 900 NtWaitForSingleObject ... ) == 0x0 03185 1736 NtResumeThread (924, ... 03186 1440 NtWaitForSingleObject (324, 0, 0x0, ... 03183 1612 NtSetEventBoostPriority ... ) == 0x0 03187 1104 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 14740660, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 14740660, 188, ... 03188 900 NtSetEventBoostPriority (324, ... 03185 1736 NtResumeThread ... 1, ) == 0x0 03189 1612 NtWaitForSingleObject (324, 0, 0x0, ... 
03159 188 NtWaitForSingleObject ... ) == 0x0 03188 900 NtSetEventBoostPriority ... ) == 0x0 03190 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03187 1104 NtConnectPort ... 932, 0x0, 0x0, 0x0, 188, ) == 0x0 03191 188 NtSetEventBoostPriority (324, ... 03192 1708 NtWaitForSingleObject (128, 0, 0x0, ... 03193 900 NtSetEventBoostPriority (128, ... 03162 784 NtWaitForSingleObject ... ) == 0x0 03191 188 NtSetEventBoostPriority ... ) == 0x0 03194 1104 NtRequestWaitReplyPort (932, {200, 224, new_msg, 0, 1379240, 12, 2, 1} (932, {200, 224, new_msg, 0, 1379240, 12, 2, 1} "\0\0\0\0\274\0\0\0@\307\25\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\20\3\24\0\4\0\0\0\0\0\0\0\230\1\24\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\25\0 \0\0\0@\307\25\0(\0\0\0\30\250\0\0\374\354\340\0\12\0\0\0\310\5\221|\0\0\10\0\310\355\340\0\20\355\340\0\0\0\0\0\310\5\221|h\376\25\0`\1\24\0\0\0\0\0\0\0\0\0h\376\25\0P\0\0\0p\376\25\0\0\0\0\0\20\3\24\0P\0\0\0\210\354\0\0\0\0\24\04\353\340\0\30\356\220|\310\362\340\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 03195 784 NtSetEventBoostPriority (324, ... 03192 1708 NtWaitForSingleObject ... ) == 0x0 03193 900 NtSetEventBoostPriority ... ) == 0x0 03196 188 NtWaitForSingleObject (336, 0, 0x0, ... 03155 1372 NtWaitForSingleObject ... ) == 0x0 03197 1708 NtWaitForSingleObject (324, 0, 0x0, ... 03195 784 NtSetEventBoostPriority ... ) == 0x0 03198 900 NtTestAlert (... 03194 1104 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 1104, 75646, 0} ... 
{200, 224, reply, 0, 1636, 1104, 75646, 0} "\7\0\0\0\274\0\0\0@\307\25\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\17\0\0\0\0\0\0\0\0\0\25\0 \0\0\0@\307\25\0(\0\0\0\30\250\0\0\374\354\340\0\12\0\0\0\310\5\221|\0\0\10\0\310\355\340\0\20\355\340\0\0\0\0\0\310\5\221|h\376\25\0`\1\24\0\0\0\0\0\0\0\0\0h\376\25\0P\0\0\0p\376\25\0\0\0\0\0\20\3\24\0P\0\0\0\210\354\0\0\0\0\24\04\353\340\0\30\356\220|\310\362\340\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 03190 1736 NtAllocateVirtualMemory ... 96534528, 1048576, ) == 0x0 03199 1372 NtSetEventBoostPriority (324, ... 03198 900 NtTestAlert ... ) == 0x0 03200 784 NtClose (888, ... 03166 1132 NtWaitForSingleObject ... ) == 0x0 03201 1736 NtAllocateVirtualMemory (-1, 97574912, 0, 8192, 4096, 4, ... 03202 900 NtContinue (95485232, 1, ... 03200 784 NtClose ... ) == 0x0 03203 1132 NtSetEventBoostPriority (324, ... 03201 1736 NtAllocateVirtualMemory ... 97574912, 8192, ) == 0x0 03204 900 NtRegisterThreadTerminatePort (24, ... 03205 784 NtClose (896, ... 03169 1484 NtWaitForSingleObject ... ) == 0x0 03203 1132 NtSetEventBoostPriority ... ) == 0x0 03206 1736 NtProtectVirtualMemory (-1, (0x5d0e000), 4096, 260, ... 03199 1372 NtSetEventBoostPriority ... ) == 0x0 03207 1104 NtSetEventBoostPriority (920, ... 03208 1484 NtSetEventBoostPriority (324, ... 03205 784 NtClose ... ) == 0x0 03204 900 NtRegisterThreadTerminatePort ... ) == 0x0 03206 1736 NtProtectVirtualMemory ... (0x5d0e000), 4096, 4, ) == 0x0 03209 1372 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03172 876 NtWaitForSingleObject ... ) == 0x0 03147 704 NtWaitForSingleObject ... ) == 0x0 03207 1104 NtSetEventBoostPriority ... ) == 0x0 03210 784 NtWaitForSingleObject (324, 0, 0x0, ... 03211 900 NtWaitForSingleObject (324, 0, 0x0, ... 03212 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03209 1372 NtDuplicateObject ... 896, ) == 0x0 03213 704 NtWaitForSingleObject (324, 0, 0x0, ... 
03214 876 NtSetEventBoostPriority (324, ... 03215 1104 NtWaitForSingleObject (324, 0, 0x0, ... 03208 1484 NtSetEventBoostPriority ... ) == 0x0 03216 1132 NtSetEventBoostPriority (336, ... 03212 1736 NtCreateThread ... 888, {1636, 1884}, ) == 0x0 03174 1664 NtWaitForSingleObject ... ) == 0x0 03214 876 NtSetEventBoostPriority ... ) == 0x0 03217 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03184 1568 NtWaitForSingleObject ... ) == 0x0 03216 1132 NtSetEventBoostPriority ... ) == 0x0 03218 1664 NtSetEventBoostPriority (324, ... 03219 1736 NtQueryInformationThread (888, Basic, 28, ... 03220 1372 NtWaitForSingleObject (324, 0, 0x0, ... 03221 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03178 1516 NtWaitForSingleObject ... ) == 0x0 03222 1132 NtWaitForSingleObject (104, 0, {0, 0}, ... 03219 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0 03223 1516 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 03222 1132 NtWaitForSingleObject ... ) == 0x102 03224 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75644, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0d\6\0\0\\7\0\0" ... ... 03223 1516 NtAllocateVirtualMemory ... 1441792, 4096, ) == 0x0 03225 1132 NtWaitForSingleObject (160, 0, 0x0, ... 03224 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75647, 0} ... {28, 56, reply, 0, 1636, 1736, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0d\6\0\0\\7\0\0" ) ) == 0x0 03226 1516 NtSetEventBoostPriority (324, ... 03218 1664 NtSetEventBoostPriority ... ) == 0x0 03227 876 NtWaitForSingleObject (324, 0, 0x0, ... 03228 1736 NtResumeThread (888, ... 03229 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03228 1736 NtResumeThread ... 1, ) == 0x0 03230 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0 03231 1736 NtAllocateVirtualMemory (-1, 98623488, 0, 8192, 4096, 4, ... 
98623488, 8192, ) == 0x0 03232 1736 NtProtectVirtualMemory (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0 03233 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 936, {1636, 1652}, ) == 0x0 03234 1736 NtQueryInformationThread (936, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0 03181 1624 NtWaitForSingleObject ... ) == 0x0 03226 1516 NtSetEventBoostPriority ... ) == 0x0 03235 1884 NtWaitForSingleObject (128, 0, 0x0, ... 03236 1624 NtSetEventBoostPriority (324, ... 03237 1516 NtWaitForSingleObject (324, 0, 0x0, ... 03186 1440 NtWaitForSingleObject ... ) == 0x0 03236 1624 NtSetEventBoostPriority ... ) == 0x0 03238 1440 NtSetEventBoostPriority (324, ... 03239 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75647, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0d\6\0\0t\6\0\0" ... ... 03189 1612 NtWaitForSingleObject ... ) == 0x0 03238 1440 NtSetEventBoostPriority ... ) == 0x0 03240 1612 NtSetEventBoostPriority (324, ... 03239 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75648, 0} ... {28, 56, reply, 0, 1636, 1736, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0d\6\0\0t\6\0\0" ) ) == 0x0 03241 1624 NtWaitForSingleObject (324, 0, 0x0, ... 03197 1708 NtWaitForSingleObject ... ) == 0x0 03240 1612 NtSetEventBoostPriority ... ) == 0x0 03242 1736 NtResumeThread (936, ... 03243 1708 NtSetEventBoostPriority (324, ... 03244 1440 NtWaitForSingleObject (324, 0, 0x0, ... 03210 784 NtWaitForSingleObject ... ) == 0x0 03243 1708 NtSetEventBoostPriority ... ) == 0x0 03242 1736 NtResumeThread ... 1, ) == 0x0 03245 784 NtSetEventBoostPriority (324, ... 03246 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03247 1652 NtWaitForSingleObject (128, 0, 0x0, ... 03211 900 NtWaitForSingleObject ... ) == 0x0 03245 784 NtSetEventBoostPriority ... ) == 0x0 03248 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
03249 900 NtSetEventBoostPriority (324, ... 03250 1708 NtSetEventBoostPriority (128, ... 03251 784 NtWaitForSingleObject (324, 0, 0x0, ... 03213 704 NtWaitForSingleObject ... ) == 0x0 03249 900 NtSetEventBoostPriority ... ) == 0x0 03235 1884 NtWaitForSingleObject ... ) == 0x0 03250 1708 NtSetEventBoostPriority ... ) == 0x0 03252 704 NtSetEventBoostPriority (324, ... 03248 1736 NtAllocateVirtualMemory ... 98631680, 1048576, ) == 0x0 03253 1884 NtWaitForSingleObject (324, 0, 0x0, ... 03215 1104 NtWaitForSingleObject ... ) == 0x0 03252 704 NtSetEventBoostPriority ... ) == 0x0 03254 1708 NtTestAlert (... 03255 1104 NtSetEventBoostPriority (324, ... 03256 1736 NtAllocateVirtualMemory (-1, 99672064, 0, 8192, 4096, 4, ... 03257 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03217 1484 NtWaitForSingleObject ... ) == 0x0 03255 1104 NtSetEventBoostPriority ... ) == 0x0 03254 1708 NtTestAlert ... ) == 0x0 03256 1736 NtAllocateVirtualMemory ... 99672064, 8192, ) == 0x0 03258 1484 NtSetEventBoostPriority (324, ... 03257 900 NtDuplicateObject ... 940, ) == 0x0 03259 704 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03260 1708 NtContinue (96533808, 1, ... 03221 1568 NtWaitForSingleObject ... ) == 0x0 03258 1484 NtSetEventBoostPriority ... ) == 0x0 03261 1736 NtProtectVirtualMemory (-1, (0x5f0e000), 4096, 260, ... 03262 900 NtWaitForSingleObject (324, 0, 0x0, ... 03259 704 NtCreateEvent ... 944, ) == 0x0 03263 1568 NtSetEventBoostPriority (324, ... 03264 1708 NtRegisterThreadTerminatePort (24, ... 03265 1104 NtRequestWaitReplyPort (932, {64, 88, new_msg, 0, 0, 0, 0, 0} (932, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03261 1736 NtProtectVirtualMemory ... (0x5f0e000), 4096, 4, ) == 0x0 03220 1372 NtWaitForSingleObject ... ) == 0x0 03266 704 NtWaitForSingleObject (336, 0, 0x0, ... 03263 1568 NtSetEventBoostPriority ... 
) == 0x0 03267 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03268 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03269 1372 NtSetEventBoostPriority (324, ... 03265 1104 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 1104, 75649, 0} ... {52, 76, reply, 0, 1636, 1104, 75649, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\230\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 03264 1708 NtRegisterThreadTerminatePort ... ) == 0x0 03270 1568 NtSetEventBoostPriority (336, ... 03227 876 NtWaitForSingleObject ... ) == 0x0 03269 1372 NtSetEventBoostPriority ... ) == 0x0 03271 1104 NtWaitForSingleObject (324, 0, 0x0, ... 03272 1708 NtWaitForSingleObject (324, 0, 0x0, ... 03273 876 NtSetEventBoostPriority (324, ... 03196 188 NtWaitForSingleObject ... ) == 0x0 03270 1568 NtSetEventBoostPriority ... ) == 0x0 03274 1372 NtWaitForSingleObject (336, 0, 0x0, ... 03229 1664 NtWaitForSingleObject ... ) == 0x0 03275 188 NtWaitForSingleObject (324, 0, 0x0, ... 03273 876 NtSetEventBoostPriority ... ) == 0x0 03276 1568 NtWaitForSingleObject (920, 0, 0x0, ... 03268 1736 NtCreateThread ... 948, {1636, 1588}, ) == 0x0 03277 1664 NtSetEventBoostPriority (324, ... 03278 876 NtWaitForSingleObject (324, 0, 0x0, ... 03237 1516 NtWaitForSingleObject ... ) == 0x0 03277 1664 NtSetEventBoostPriority ... ) == 0x0 03279 1736 NtQueryInformationThread (948, Basic, 28, ... 03280 1516 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0 03279 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0 03281 1664 NtWaitForSingleObject (324, 0, 0x0, ... 03282 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75648, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\04\6\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\04\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75650, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\04\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\04\6\0\0" ) ) == 0x0 03283 1736 NtResumeThread (948, ... 1, ) == 0x0 03284 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 99680256, 1048576, ) == 0x0 03285 1736 NtAllocateVirtualMemory (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0 03286 1516 NtSetEventBoostPriority (324, ... 03287 1588 NtWaitForSingleObject (128, 0, 0x0, ... 03241 1624 NtWaitForSingleObject ... ) == 0x0 03286 1516 NtSetEventBoostPriority ... ) == 0x0 03288 1624 NtSetEventBoostPriority (324, ... 03244 1440 NtWaitForSingleObject ... ) == 0x0 03289 1440 NtSetEventBoostPriority (324, ... 03246 1612 NtWaitForSingleObject ... ) == 0x0 03290 1612 NtSetEventBoostPriority (324, ... 03251 784 NtWaitForSingleObject ... ) == 0x0 03291 784 NtSetEventBoostPriority (324, ... 03253 1884 NtWaitForSingleObject ... ) == 0x0 03292 1884 NtSetEventBoostPriority (324, ... 03262 900 NtWaitForSingleObject ... ) == 0x0 03293 900 NtSetEventBoostPriority (324, ... 03267 1484 NtWaitForSingleObject ... ) == 0x0 03294 1484 NtSetEventBoostPriority (324, ... 03271 1104 NtWaitForSingleObject ... ) == 0x0 03295 1104 NtSetEventBoostPriority (324, ... 03272 1708 NtWaitForSingleObject ... ) == 0x0 03296 1708 NtSetEventBoostPriority (324, ... 03275 188 NtWaitForSingleObject ... ) == 0x0 03297 188 NtSetEventBoostPriority (324, ... 03278 876 NtWaitForSingleObject ... ) == 0x0 03298 876 NtSetEventBoostPriority (324, ... 03281 1664 NtWaitForSingleObject ... ) == 0x0 03299 1664 NtAllocateVirtualMemory (-1, 32559104, 0, 4096, 4096, 260, ... 32559104, 4096, ) == 0x0 03300 1664 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03296 1708 NtSetEventBoostPriority ... 
) == 0x0 03295 1104 NtSetEventBoostPriority ... ) == 0x0 03294 1484 NtSetEventBoostPriority ... ) == 0x0 03293 900 NtSetEventBoostPriority ... ) == 0x0 03292 1884 NtSetEventBoostPriority ... ) == 0x0 03291 784 NtSetEventBoostPriority ... ) == 0x0 03290 1612 NtSetEventBoostPriority ... ) == 0x0 03289 1440 NtSetEventBoostPriority ... ) == 0x0 03288 1624 NtSetEventBoostPriority ... ) == 0x0 03301 1516 NtAllocateVirtualMemory (-1, 31510528, 0, 4096, 4096, 260, ... 03298 876 NtSetEventBoostPriority ... ) == 0x0 03297 188 NtSetEventBoostPriority ... ) == 0x0 03302 1736 NtProtectVirtualMemory (-1, (0x600e000), 4096, 260, ... 03300 1664 NtCreateEvent ... 952, ) == 0x0 03303 1708 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03304 1484 NtAllocateVirtualMemory (-1, 16830464, 0, 4096, 4096, 260, ... 03305 1104 NtWaitForSingleObject (336, 0, 0x0, ... 03306 900 NtWaitForSingleObject (336, 0, 0x0, ... 03307 784 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03308 1612 NtAllocateVirtualMemory (-1, 17879040, 0, 4096, 4096, 260, ... 03309 1440 NtAllocateVirtualMemory (-1, 30461952, 0, 4096, 4096, 260, ... 03310 1624 NtSetEventBoostPriority (160, ... 03301 1516 NtAllocateVirtualMemory ... 31510528, 4096, ) == 0x0 03311 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03312 1884 NtSetEventBoostPriority (128, ... 03302 1736 NtProtectVirtualMemory ... (0x600e000), 4096, 4, ) == 0x0 03313 1664 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03303 1708 NtDuplicateObject ... 956, ) == 0x0 03314 188 NtSetEventBoostPriority (336, ... 03304 1484 NtAllocateVirtualMemory ... 16830464, 4096, ) == 0x0 03307 784 NtCreateKey ... 960, 2, ) == 0x0 03308 1612 NtAllocateVirtualMemory ... 17879040, 4096, ) == 0x0 03309 1440 NtAllocateVirtualMemory ... 
30461952, 4096, ) == 0x0 03315 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03311 876 NtCreateEvent ... 964, ) == 0x0 03247 1652 NtWaitForSingleObject ... ) == 0x0 03312 1884 NtSetEventBoostPriority ... ) == 0x0 03316 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03313 1664 NtDuplicateObject ... 968, ) == 0x0 03317 1708 NtWaitForSingleObject (336, 0, 0x0, ... 03266 704 NtWaitForSingleObject ... ) == 0x0 03314 188 NtSetEventBoostPriority ... ) == 0x0 03318 1484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03319 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03320 1612 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03321 1440 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03315 1516 NtCreateEvent ... 972, ) == 0x0 01583 1404 NtWaitForSingleObject ... ) == 0x0 03310 1624 NtSetEventBoostPriority ... ) == 0x0 03322 1652 NtSetEventBoostPriority (128, ... 03323 1884 NtTestAlert (... 03316 1736 NtCreateThread ... 976, {1636, 1620}, ) == 0x0 03324 1664 NtWaitForSingleObject (336, 0, 0x0, ... 03325 704 NtSetEventBoostPriority (336, ... 03326 188 NtWaitForSingleObject (104, 0, {0, 0}, ... 03318 1484 NtCreateEvent ... 980, ) == 0x0 03319 784 NtOpenKey ... 984, ) == 0x0 03320 1612 NtCreateEvent ... 988, ) == 0x0 03321 1440 NtCreateEvent ... 992, ) == 0x0 03327 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03328 1404 NtSetEventBoostPriority (160, ... 03287 1588 NtWaitForSingleObject ... ) == 0x0 03322 1652 NtSetEventBoostPriority ... ) == 0x0 03329 1624 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03323 1884 NtTestAlert ... ) == 0x0 03330 1736 NtQueryInformationThread (976, Basic, 28, ... 03274 1372 NtWaitForSingleObject ... ) == 0x0 03325 704 NtSetEventBoostPriority ... ) == 0x0 03326 188 NtWaitForSingleObject ... ) == 0x102 03331 1484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
03332 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03333 1612 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03334 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03327 876 NtDuplicateObject ... 996, ) == 0x0 03335 1588 NtTestAlert (... 01584 476 NtWaitForSingleObject ... ) == 0x0 03328 1404 NtSetEventBoostPriority ... ) == 0x0 03336 1516 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03329 1624 NtCreateEvent ... 1000, ) == 0x0 03337 1884 NtContinue (97582384, 1, ... 03338 1372 NtSetEventBoostPriority (336, ... 03330 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0 03339 1652 NtTestAlert (... 03340 188 NtWaitForSingleObject (160, 0, 0x0, ... 03331 1484 NtDuplicateObject ... 1004, ) == 0x0 03332 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03333 1612 NtDuplicateObject ... 1008, ) == 0x0 03334 1440 NtDuplicateObject ... 1012, ) == 0x0 03335 1588 NtTestAlert ... ) == 0x0 03341 876 NtWaitForSingleObject (336, 0, 0x0, ... 03342 476 NtSetEventBoostPriority (160, ... 03343 1404 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03336 1516 NtDuplicateObject ... 1016, ) == 0x0 03344 1624 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 03305 1104 NtWaitForSingleObject ... ) == 0x0 03345 1884 NtRegisterThreadTerminatePort (24, ... 03338 1372 NtSetEventBoostPriority ... ) == 0x0 03346 704 NtSetEventBoostPriority (920, ... 03339 1652 NtTestAlert ... ) == 0x0 03347 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75650, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0d\6\0\0T\6\0\0" ... ... 03348 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03349 784 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 03350 1612 NtWaitForSingleObject (324, 0, 0x0, ... 
03351 1440 NtWaitForSingleObject (324, 0, 0x0, ... 01588 312 NtWaitForSingleObject ... ) == 0x0 03342 476 NtSetEventBoostPriority ... ) == 0x0 03343 1404 NtCreateEvent ... 1020, ) == 0x0 03352 1516 NtWaitForSingleObject (324, 0, 0x0, ... 03344 1624 NtAllocateVirtualMemory ... 1449984, 4096, ) == 0x0 03353 1104 NtSetEventBoostPriority (336, ... 03354 1588 NtContinue (99679536, 1, ... 03355 1372 NtWaitForSingleObject (104, 0, {0, 0}, ... 03276 1568 NtWaitForSingleObject ... ) == 0x0 03346 704 NtSetEventBoostPriority ... ) == 0x0 03356 1652 NtContinue (98630960, 1, ... 03347 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75651, 0} ... {28, 56, reply, 0, 1636, 1736, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0d\6\0\0T\6\0\0" ) ) == 0x0 03345 1884 NtRegisterThreadTerminatePort ... ) == 0x0 03349 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03357 312 NtWaitForSingleObject (324, 0, 0x0, ... 03358 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03359 1624 NtSetEventBoostPriority (324, ... 03306 900 NtWaitForSingleObject ... ) == 0x0 03353 1104 NtSetEventBoostPriority ... ) == 0x0 03360 1588 NtRegisterThreadTerminatePort (24, ... 03361 1568 NtRequestWaitReplyPort (932, {64, 88, new_msg, 0, 1636, 1104, 75649, 0} (932, {64, 88, new_msg, 0, 1636, 1104, 75649, 0} "\1\356\0\0A\2\10\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03362 704 NtWaitForSingleObject (324, 0, 0x0, ... 03363 1652 NtRegisterThreadTerminatePort (24, ... 03364 1736 NtResumeThread (976, ... 03365 1884 NtWaitForSingleObject (324, 0, 0x0, ... 03366 784 NtQueryValueKey (960, (960, "Domain", Partial, 144, ... , Partial, 144, ... 03367 1404 NtWaitForSingleObject (324, 0, 0x0, ... 03355 1372 NtWaitForSingleObject ... ) == 0x102 03358 476 NtCreateEvent ... 1024, ) == 0x0 03368 900 NtSetEventBoostPriority (336, ... 03369 1104 NtWaitForSingleObject (324, 0, 0x0, ... 
03360 1588 NtRegisterThreadTerminatePort ... ) == 0x0 03363 1652 NtRegisterThreadTerminatePort ... ) == 0x0 03364 1736 NtResumeThread ... 1, ) == 0x0 03366 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03370 1372 NtWaitForSingleObject (160, 0, 0x0, ... 03317 1708 NtWaitForSingleObject ... ) == 0x0 03368 900 NtSetEventBoostPriority ... ) == 0x0 03371 476 NtWaitForSingleObject (324, 0, 0x0, ... 03348 1484 NtWaitForSingleObject ... ) == 0x0 03359 1624 NtSetEventBoostPriority ... ) == 0x0 03361 1568 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 1568, 75652, 0} ... {52, 76, reply, 0, 1636, 1568, 75652, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 03372 1620 NtWaitForSingleObject (324, 0, 0x0, ... 03373 1588 NtWaitForSingleObject (324, 0, 0x0, ... 03374 1652 NtWaitForSingleObject (324, 0, 0x0, ... 03375 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03376 784 NtWaitForSingleObject (324, 0, 0x0, ... 03377 1708 NtWaitForSingleObject (324, 0, 0x0, ... 03378 900 NtWaitForSingleObject (104, 0, {0, 0}, ... 03379 1484 NtSetEventBoostPriority (324, ... 03380 1624 NtWaitForSingleObject (324, 0, 0x0, ... 03381 1568 NtWaitForSingleObject (324, 0, 0x0, ... 03375 1736 NtAllocateVirtualMemory ... 100728832, 1048576, ) == 0x0 03350 1612 NtWaitForSingleObject ... ) == 0x0 03382 1736 NtAllocateVirtualMemory (-1, 101769216, 0, 8192, 4096, 4, ... 03383 1612 NtSetEventBoostPriority (324, ... 03382 1736 NtAllocateVirtualMemory ... 101769216, 8192, ) == 0x0 03351 1440 NtWaitForSingleObject ... ) == 0x0 03384 1736 NtProtectVirtualMemory (-1, (0x610e000), 4096, 260, ... 03385 1440 NtSetEventBoostPriority (324, ... 03384 1736 NtProtectVirtualMemory ... (0x610e000), 4096, 4, ) == 0x0 03352 1516 NtWaitForSingleObject ... 
) == 0x0 03386 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03387 1516 NtSetEventBoostPriority (324, ... 03385 1440 NtSetEventBoostPriority ... ) == 0x0 03383 1612 NtSetEventBoostPriority ... ) == 0x0 03379 1484 NtSetEventBoostPriority ... ) == 0x0 03378 900 NtWaitForSingleObject ... ) == 0x102 03357 312 NtWaitForSingleObject ... ) == 0x0 03387 1516 NtSetEventBoostPriority ... ) == 0x0 03388 1440 NtWaitForSingleObject (324, 0, 0x0, ... 03389 1612 NtWaitForSingleObject (324, 0, 0x0, ... 03390 1484 NtWaitForSingleObject (324, 0, 0x0, ... 03391 312 NtSetEventBoostPriority (324, ... 03392 900 NtWaitForSingleObject (324, 0, 0x0, ... 03386 1736 NtCreateThread ... 1028, {1636, 1376}, ) == 0x0 03362 704 NtWaitForSingleObject ... ) == 0x0 03391 312 NtSetEventBoostPriority ... ) == 0x0 03393 704 NtSetEventBoostPriority (324, ... 03394 1736 NtQueryInformationThread (1028, Basic, 28, ... 03395 1516 NtWaitForSingleObject (324, 0, 0x0, ... 03365 1884 NtWaitForSingleObject ... ) == 0x0 03393 704 NtSetEventBoostPriority ... ) == 0x0 03394 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0 03396 1884 NtSetEventBoostPriority (324, ... 03397 312 NtWaitForSingleObject (324, 0, 0x0, ... 03367 1404 NtWaitForSingleObject ... ) == 0x0 03396 1884 NtSetEventBoostPriority ... ) == 0x0 03398 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75651, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0d\6\0\0`\5\0\0" ... ... 03399 1404 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 03400 704 NtRequestWaitReplyPort (932, {64, 88, new_msg, 0, 0, 0, 0, 0} (932, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03399 1404 NtAllocateVirtualMemory ... 1454080, 4096, ) == 0x0 03398 1736 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1636, 1736, 75653, 0} ... {28, 56, reply, 0, 1636, 1736, 75653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0d\6\0\0`\5\0\0" ) ) == 0x0 03401 1404 NtSetEventBoostPriority (324, ... 03400 704 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 704, 75654, 0} ... {52, 76, reply, 0, 1636, 704, 75654, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\2000/\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 03402 1884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03403 1736 NtResumeThread (1028, ... 03404 704 NtWaitForSingleObject (324, 0, 0x0, ... 03402 1884 NtDuplicateObject ... 1032, ) == 0x0 03403 1736 NtResumeThread ... 1, ) == 0x0 03405 1884 NtWaitForSingleObject (324, 0, 0x0, ... 03406 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 101777408, 1048576, ) == 0x0 03407 1736 NtAllocateVirtualMemory (-1, 102817792, 0, 8192, 4096, 4, ... 102817792, 8192, ) == 0x0 03408 1736 NtProtectVirtualMemory (-1, (0x620e000), 4096, 260, ... (0x620e000), 4096, 4, ) == 0x0 03409 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1036, {1636, 1368}, ) == 0x0 03410 1736 NtQueryInformationThread (1036, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0 03371 476 NtWaitForSingleObject ... ) == 0x0 03401 1404 NtSetEventBoostPriority ... ) == 0x0
