Summary:


NtGdiCreateBitmap(>) 
 1 
NtQueryDefaultUILanguage(>) 
 2 
NtFsControlFile(>) 
 7 
NtQueryAttributesFile(>) 
 39 

NtGdiInit(>) 
 1 
NtQueryPerformanceCounter(>) 
 2 
NtQueryInformationFile(>) 
 7 
NtFlushInstructionCache(>) 
 53 

NtGdiQueryFontAssocInfo(>) 
 1 
NtQuerySystemTime(>) 
 2 
NtConnectPort(>) 
 8 
NtContinue(>) 
 92 

NtGdiSelectBitmap(>) 
 1 
NtSetInformationObject(>) 
 2 
NtOpenThreadToken(>) 
 8 
NtQuerySystemInformation(>) 
 116 

NtOpenKeyedEvent(>) 
 1 
NtUserGetProcessWindowStation(>) 
 2 
NtQueryVirtualMemory(>) 
 9 
NtCreateEvent(>) 
 123 

NtOpenSymbolicLinkObject(>) 
 1 
NtFreeVirtualMemory(>) 
 3 
NtSetInformationFile(>) 
 9 
NtQueryInformationThread(>) 
 133 

NtQueryInstallUILanguage(>) 
 1 
NtGdiCreateCompatibleDC(>) 
 3 
NtSetInformationThread(>) 
 9 
NtResumeThread(>) 
 135 

NtQueryObject(>) 
 1 
NtOpenThreadTokenEx(>) 
 3 
NtUnmapViewOfSection(>) 
 9 
NtOpenKey(>) 
 142 

NtQuerySymbolicLinkObject(>) 
 1 
NtQueryDefaultLocale(>) 
 3 
NtUserFindExistingCursorIcon(>) 
 9 
NtCreateThread(>) 
 144 

NtRaiseException(>) 
 1 
NtQueryVolumeInformationFile(>) 
 3 
NtQueryInformationProcess(>) 
 10 
NtRequestWaitReplyPort(>) 
 168 

NtSetInformationProcess(>) 
 1 
NtSecureConnectPort(>) 
 3 
NtQuerySection(>) 
 14 
NtTestAlert(>) 
 174 

NtUserCallNoParam(>) 
 1 
NtWriteFile(>) 
 3 
NtUserRegisterClassExWOW(>) 
 14 
NtRegisterThreadTerminatePort(>) 
 177 

NtUserGetObjectInformation(>) 
 1 
NtCreateIoCompletion(>) 
 4 
NtSetValueKey(>) 
 15 
NtDuplicateObject(>) 
 205 

NtUserGetThreadDesktop(>) 
 1 
NtOpenProcessTokenEx(>) 
 4 
NtOpenSection(>) 
 21 
NtClose(>) 
 215 

NtCallbackReturn(>) 
 2 
NtCreateMutant(>) 
 5 
NtCreateKey(>) 
 22 
NtProtectVirtualMemory(>) 
 249 

NtGdiCreateSolidBrush(>) 
 2 
NtGdiGetStockObject(>) 
 5 
NtCreateSection(>) 
 22 
NtQueryValueKey(>) 
 263 

NtNotifyChangeKey(>) 
 2 
NtReadFile(>) 
 5 
NtOpenFile(>) 
 26 
NtAllocateVirtualMemory(>) 
 399 

NtOpenDirectoryObject(>) 
 2 
NtQueryInformationToken(>) 
 6 
NtMapViewOfSection(>) 
 35 
NtSetEventBoostPriority(>) 
 773 

NtOpenProcessToken(>) 
 2 
NtCreateFile(>) 
 7 
NtDeviceIoControlFile(>) 
 36 
NtWaitForSingleObject(>) 
 1019 


Trace:
 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 4231168, 65552, ... ) == 0x0
 00064  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00066  1736   NtReadFile  (16, 0, 0, 0, 4, {25596, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {25596, 0}, 0, ... {status=0x0, info=4}, "\0\0\0\0", ) , ) == 0x0
 00067  1736   NtReadFile  (16, 0, 0, 0, 8, {25588, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {25588, 0}, 0, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00068  1736   NtReadFile  (16, 0, 0, 0, 4, {0, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {0, 0}, 0, ... {status=0x0, info=4}, "MZ\220\0", ) , ) == 0x0
 00069  1736   NtClose  (16, ... ) == 0x0
 00070  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00071  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00072  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00073  1736   NtClose  (16, ... ) == 0x0
 00074  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00075  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00076  1736   NtClose  (16, ... ) == 0x0
 00077  1736   NtTestAlert  (... ) == 0x0
 00078  1736   NtContinue  (1244464, 1, ...
 00079  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00080  1736   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00081  1736   NtContinue  (1244400, 0, ...
 00082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00083  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00084  1736   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085  1736   NtClose  (16, ... ) == 0x0
 00086  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00087  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00088  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00089  1736   NtClose  (16, ... ) == 0x0
 00090  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00091  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00092  1736   NtClose  (16, ... ) == 0x0
 00093  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00094  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00095  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00096  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00097  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00098  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00099  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00100  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00101  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00102  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00103  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00104  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00105  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00106  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00107  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00108  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00109  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00110  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00111  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00113  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00114  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00115  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00116  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00117  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00118  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00119  1736   NtClose  (16, ... ) == 0x0
 00120  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00121  1736   NtClose  (28, ... ) == 0x0
 00122  1736   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00123  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00124  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00125  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00126  1736   NtClose  (28, ... ) == 0x0
 00127  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00128  1736   NtClose  (16, ... ) == 0x0
 00129  1736   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00130  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00131  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00132  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00133  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134  1736   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00135  1736   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00136  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00137  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00138  1736   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00139  1736   NtClose  (36, ... ) == 0x0
 00140  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00141  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00142  1736   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00143  1736   NtClose  (36, ... ) == 0x0
 00144  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00145  1736   NtClose  (32, ... ) == 0x0
 00146  1736   NtClose  (16, ... ) == 0x0
 00147  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00148  1736   NtClose  (28, ... ) == 0x0
 00149  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00150  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00151  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00152  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00153  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00154  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00155  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00156  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00157  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00158  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00159  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00160  1736   NtClose  (28, ... ) == 0x0
 00161  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00162  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00163  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00164  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00165  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00166  1736   NtClose  (28, ... ) == 0x0
 00167  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00168  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00169  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00170  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00171  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00172  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00173  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00174  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00175  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00176  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00177  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00178  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00179  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00180  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00182  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00183  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00184  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00185  1736   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00186  1736   NtClose  (28, ... ) == 0x0
 00187  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00188  1736   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189  1736   NtClose  (28, ... ) == 0x0
 00190  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00191  1736   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00192  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00195  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00196  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00198  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00199  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00200  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00201  1736   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00202  1736   NtClose  (16, ... ) == 0x0
 00203  1736   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00204  1736   NtClose  (-2147482576, ... ) == 0x0
 00205  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00206  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00207  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00208  1736   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00209  1736   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00210  1736   NtClose  (-2147482576, ... ) == 0x0
 00211  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0
 00212  1736   NtFreeVirtualMemory  (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0
 00213  1736   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00214  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00215  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216  1736   NtClose  (-2147482576, ... ) == 0x0
 00217  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00218  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00219  1736   NtClose  (-2147482576, ... ) == 0x0
 00220  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00221  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00222  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00223  1736   NtGdiCreateCompatibleDC  (0, ...
 00224  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0
 00223  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00225  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00226  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00227  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00228  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00229  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0
 00228  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00230  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00231  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00232  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00233  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00234  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00235  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00236  1736   NtClose  (44, ... ) == 0x0
 00237  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00238  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017
 00239  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00240  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c
 00241  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00242  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e
 00243  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00244  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002
 00245  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00246  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018
 00247  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00248  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a
 00249  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00250  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d
 00251  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00252  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026
 00253  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00254  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019
 00255  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020
 00256  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022
 00257  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023
 00258  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024
 00259  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025
 00260  1736   NtCallbackReturn  (0, 0, 0, ...
 00261  1736   NtGdiInit  (... ) == 0x1
 00262  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00263  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00264  1736   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0
 00265  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00268  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00269  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00270  1736   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00271  1736   NtClose  (44, ... ) == 0x0
 00272  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00273  1736   NtClose  (48, ... ) == 0x0
 00274  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00275  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00276  1736   NtClose  (48, ... ) == 0x0
 00277  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00278  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00279  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00280  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00281  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00282  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00283  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00285  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00286  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00287  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00288  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00289  1736   NtClose  (48, ... ) == 0x0
 00290  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00291  1736   NtClose  (44, ... ) == 0x0
 00292  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00293  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00294  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00295  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00296  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00297  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00298  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00300  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00301  1736   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00302  1736   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00303  1736   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00304  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00305  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00306  1736   NtClose  (44, ... ) == 0x0
 00307  1736   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 00308  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00309  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00310  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00311  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00312  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00315  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00316  1736   NtFreeVirtualMemory  (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0
 00317  1736   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00318  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00319  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00320  1736   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00321  1736   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00322  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0
 00323  1736   NtAllocateVirtualMemory  (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0
 00324  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00325  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00326  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00327  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00328  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00329  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00330  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00331  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00332  1736   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00333  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00334  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335  1736   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00336  1736   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00337  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00338  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00339  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00340  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00341  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00342  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00343  1736   NtClose  (68, ... ) == 0x0
 00344  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00345  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00346  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00347  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00348  1736   NtClose  (68, ... ) == 0x0
 00349  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00350  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00351  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00352  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0a\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0a\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0b\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0a\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0a\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0b\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0a\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0a\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0b\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00353  1736   NtClose  (68, ... ) == 0x0
 00354  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00355  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00356  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00357  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00358  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00359  1736   NtClose  (68, ... ) == 0x0
 00360  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00361  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00362  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00363  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00364  1736   NtClose  (68, ... ) == 0x0
 00365  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00366  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00367  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00368  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00369  1736   NtClose  (68, ... ) == 0x0
 00370  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00371  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00372  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00373  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0v\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0v\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0w\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0v\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0v\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0w\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0v\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0v\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0w\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00374  1736   NtClose  (68, ... ) == 0x0
 00375  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00376  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00377  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00378  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00379  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00380  1736   NtClose  (68, ... ) == 0x0
 00381  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00382  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00383  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00384  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00385  1736   NtClose  (68, ... ) == 0x0
 00386  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00387  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00388  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00389  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00390  1736   NtClose  (68, ... ) == 0x0
 00391  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00392  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00393  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00394  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00395  1736   NtClose  (68, ... ) == 0x0
 00396  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00397  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00398  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00399  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\220\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\221\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\220\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\221\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\220\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\221\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00400  1736   NtClose  (68, ... ) == 0x0
 00401  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00402  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00403  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00404  1736   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00405  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00406  1736   NtClose  (68, ... ) == 0x0
 00407  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00408  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00409  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00410  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00411  1736   NtClose  (68, ... ) == 0x0
 00412  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00413  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00414  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00415  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00416  1736   NtClose  (68, ... ) == 0x0
 00417  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00418  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00419  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00420  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\245\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\246\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\245\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\246\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\245\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\246\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00421  1736   NtClose  (68, ... ) == 0x0
 00422  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00423  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00424  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00425  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00426  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00427  1736   NtClose  (68, ... ) == 0x0
 00428  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00429  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00430  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00431  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00432  1736   NtClose  (68, ... ) == 0x0
 00433  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00434  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00435  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00436  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00437  1736   NtClose  (68, ... ) == 0x0
 00438  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00439  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00440  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00441  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00442  1736   NtClose  (68, ... ) == 0x0
 00443  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00444  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00445  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00446  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\277\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\300\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\277\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\300\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\277\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\300\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00447  1736   NtClose  (68, ... ) == 0x0
 00448  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00449  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00450  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00451  1736   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00452  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\306\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\311\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\306\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\311\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\306\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\311\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00453  1736   NtClose  (68, ... ) == 0x0
 00454  1736   NtClose  (64, ... ) == 0x0
 00455  1736   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00456  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00457  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00458  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00459  1736   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00460  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00461  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462  1736   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00463  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00464  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00465  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00466  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00467  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00468  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00469  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00470  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00471  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00472  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00473  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00474  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00475  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00476  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00477  1736   NtClose  (76, ... ) == 0x0
 00478  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00479  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00480  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00481  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00482  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00483  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00484  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00485  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00486  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00487  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00488  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00489  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00490  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00491  1736   NtClose  (76, ... ) == 0x0
 00492  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00493  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00494  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00495  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00496  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00497  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00498  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00499  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00500  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00501  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00502  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00503  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00504  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505  1736   NtClose  (76, ... ) == 0x0
 00506  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00507  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00508  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00509  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00510  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00511  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00512  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00513  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00514  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00516  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00517  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00518  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00519  1736   NtClose  (76, ... ) == 0x0
 00520  1736   NtClose  (72, ... ) == 0x0
 00521  1736   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00522  1736   NtClose  (52, ... ) == 0x0
 00523  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00524  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00525  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00526  1736   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00527  1736   NtClose  (52, ... ) == 0x0
 00528  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00529  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00530  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00531  1736   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00532  1736   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00533  1736   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00534  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00535  1736   NtQueryInformationFile  (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00536  1736   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00537  1736   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00538  1736   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00539  1736   NtClose  (-2147482576, ... ) == 0x0
 00538  1736   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00540  1736   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00541  1736   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00542  1736   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00543  1736   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00544  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00545  1736   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 28672, ) == 0x0
 00546  1736   NtClose  (80, ... ) == 0x0
 00547  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 00548  1736   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 00549  1736   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00550  1736   NtClose  (72, ... ) == 0x0
 00551  1736   NtClose  (76, ... ) == 0x0
 00552  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00553  1736   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00554  1736   NtSetInformationFile  (-2147482448, -139348176, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00555  1736   NtSetInformationFile  (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00556  1736   NtSetInformationFile  (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00553  1736   NtSetValueKey  ... ) == 0x0
 00557  1736   NtClose  (76, ... ) == 0x0
 00558  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00559  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0
 00560  1736   NtAllocateVirtualMemory  (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0
 00561  1736   NtProtectVirtualMemory  (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0
 00562  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 1356}, ) == 0x0
 00563  1736   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 00564  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75480, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 00565  1736   NtResumeThread  (72, ... 1, ) == 0x0
 00566  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0
 00567  1736   NtAllocateVirtualMemory  (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0
 00568  1736   NtProtectVirtualMemory  (-1, (0xb7e000), 4096, 260, ...
 00569  1356   NtTestAlert  (... ) == 0x0
 00570  1356   NtContinue  (11009328, 1, ...
 00571  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00572  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00573  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00574  1356   NtAllocateVirtualMemory  (-1, 10997760, 0, 4096, 4096, 260, ...
 00568  1736   NtProtectVirtualMemory  ... (0xb7e000), 4096, 4, ) == 0x0
 00575  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 868}, ) == 0x0
 00576  1736   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 00577  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75481, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 00578  1736   NtResumeThread  (84, ... 1, ) == 0x0
 00579  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12058624, 1048576, ) == 0x0
 00574  1356   NtAllocateVirtualMemory  ... 10997760, 4096, ) == 0x0
 00580   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00581  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... }, 11006452, ...
 00580   868   NtCreateEvent  ... 88, ) == 0x0
 00581  1356   NtQueryAttributesFile  ... ) == 0x0
 00582   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00583  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00584  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00585  1356   NtClose  (92, ... ) == 0x0
 00586  1356   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 245760, ) == 0x0
 00587  1356   NtClose  (96, ...
 00588  1736   NtAllocateVirtualMemory  (-1, 13099008, 0, 8192, 4096, 4, ... 13099008, 8192, ) == 0x0
 00589  1736   NtProtectVirtualMemory  (-1, (0xc7e000), 4096, 260, ... (0xc7e000), 4096, 4, ) == 0x0
 00590  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 808}, ) == 0x0
 00591  1736   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 00592  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75482, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 00593  1736   NtResumeThread  (92, ...
 00587  1356   NtClose  ... ) == 0x0
 00593  1736   NtResumeThread  ... 1, ) == 0x0
 00594  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13369344, 1048576, ) == 0x0
 00595  1736   NtAllocateVirtualMemory  (-1, 14409728, 0, 8192, 4096, 4, ... 14409728, 8192, ) == 0x0
 00596  1736   NtProtectVirtualMemory  (-1, (0xdbe000), 4096, 260, ...
 00597   808   NtWaitForSingleObject  (88, 0, 0x0, ...
 00596  1736   NtProtectVirtualMemory  ... (0xdbe000), 4096, 4, ) == 0x0
 00598  1356   NtUnmapViewOfSection  (-1, 0xc80000, ... ) == 0x0
 00599  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0
 00600  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00601  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0
 00602  1356   NtQuerySection  (100, Image, 48, ...
 00603  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1636, 2020}, ) == 0x0
 00604  1736   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 00605  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75483, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 00606  1736   NtResumeThread  (104, ... 1, ) == 0x0
 00607  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14417920, 1048576, ) == 0x0
 00602  1356   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00608  2020   NtWaitForSingleObject  (88, 0, 0x0, ...
 00609  1356   NtClose  (96, ... ) == 0x0
 00610  1356   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00611  1356   NtClose  (100, ... ) == 0x0
 00612  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00613  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00614  1736   NtAllocateVirtualMemory  (-1, 15458304, 0, 8192, 4096, 4, ... 15458304, 8192, ) == 0x0
 00615  1736   NtProtectVirtualMemory  (-1, (0xebe000), 4096, 260, ... (0xebe000), 4096, 4, ) == 0x0
 00616  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1636, 896}, ) == 0x0
 00617  1736   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 00618  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75484, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 00619  1736   NtResumeThread  (100, ...
 00613  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00620  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00621  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00622  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00623  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00624  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00625  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00619  1736   NtResumeThread  ... 1, ) == 0x0
 00626  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15466496, 1048576, ) == 0x0
 00627  1736   NtAllocateVirtualMemory  (-1, 16506880, 0, 8192, 4096, 4, ... 16506880, 8192, ) == 0x0
 00628  1736   NtProtectVirtualMemory  (-1, (0xfbe000), 4096, 260, ... (0xfbe000), 4096, 4, ) == 0x0
 00629  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 1252}, ) == 0x0
 00630  1736   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 00631  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\4\0\0" ...  ...
 00625  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00632   896   NtWaitForSingleObject  (88, 0, 0x0, ...
 00633  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00634  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00635  1356   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00636  1356   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00637  1356   NtSetEventBoostPriority  (88, ...
 00631  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75485, 0}  ... {28, 56, reply, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 00638  1736   NtResumeThread  (96, ... 1, ) == 0x0
 00639  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16515072, 1048576, ) == 0x0
 00640  1736   NtAllocateVirtualMemory  (-1, 17555456, 0, 8192, 4096, 4, ... 17555456, 8192, ) == 0x0
 00641  1736   NtProtectVirtualMemory  (-1, (0x10be000), 4096, 260, ... (0x10be000), 4096, 4, ) == 0x0
 00642  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 108, {1636, 2016}, ) == 0x0
 00582   868   NtWaitForSingleObject  ... ) == 0x0
 00637  1356   NtSetEventBoostPriority  ... ) == 0x0
 00643  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00644   868   NtSetEventBoostPriority  (88, ...
 00645  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00597   808   NtWaitForSingleObject  ... ) == 0x0
 00644   868   NtSetEventBoostPriority  ... ) == 0x0
 00646   808   NtSetEventBoostPriority  (88, ...
 00647  1736   NtQueryInformationThread  (108, Basic, 28, ...
 00608  2020   NtWaitForSingleObject  ... ) == 0x0
 00646   808   NtSetEventBoostPriority  ... ) == 0x0
 00648  2020   NtSetEventBoostPriority  (88, ...
 00647  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 00649   868   NtTestAlert  (...
 00632   896   NtWaitForSingleObject  ... ) == 0x0
 00648  2020   NtSetEventBoostPriority  ... ) == 0x0
 00650  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" ...  ...
 00651   896   NtSetEventBoostPriority  (88, ...
 00649   868   NtTestAlert  ... ) == 0x0
 00652   808   NtTestAlert  (...
 00643  1252   NtWaitForSingleObject  ... ) == 0x0
 00651   896   NtSetEventBoostPriority  ... ) == 0x0
 00650  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75486, 0}  ... {28, 56, reply, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 00653   868   NtContinue  (12057904, 1, ...
 00654  1252   NtSetEventBoostPriority  (88, ...
 00652   808   NtTestAlert  ... ) == 0x0
 00655  2020   NtTestAlert  (...
 00656  1736   NtResumeThread  (108, ...
 00645  1356   NtWaitForSingleObject  ... ) == 0x0
 00654  1252   NtSetEventBoostPriority  ... ) == 0x0
 00657   868   NtRegisterThreadTerminatePort  (24, ...
 00658   808   NtContinue  (13106480, 1, ...
 00655  2020   NtTestAlert  ... ) == 0x0
 00659   896   NtTestAlert  (...
 00660  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00656  1736   NtResumeThread  ... 1, ) == 0x0
 00657   868   NtRegisterThreadTerminatePort  ... ) == 0x0
 00661   808   NtRegisterThreadTerminatePort  (24, ...
 00662  2020   NtContinue  (14417200, 1, ...
 00660  1356   NtCreateEvent  ... 112, ) == 0x0
 00659   896   NtTestAlert  ... ) == 0x0
 00663  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00664   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00661   808   NtRegisterThreadTerminatePort  ... ) == 0x0
 00665  2020   NtRegisterThreadTerminatePort  (24, ...
 00666  1252   NtTestAlert  (...
 00667  2016   NtTestAlert  (...
 00668   896   NtContinue  (15465776, 1, ...
 00663  1736   NtAllocateVirtualMemory  ... 17563648, 1048576, ) == 0x0
 00669  1356   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00670   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00665  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 00666  1252   NtTestAlert  ... ) == 0x0
 00667  2016   NtTestAlert  ... ) == 0x0
 00671   896   NtRegisterThreadTerminatePort  (24, ...
 00672  1736   NtAllocateVirtualMemory  (-1, 18604032, 0, 8192, 4096, 4, ...
 00669  1356   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   868   NtDuplicateObject  ... 116, ) == 0x0
 00673  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00674  1252   NtContinue  (16514352, 1, ...
 00675  2016   NtContinue  (17562928, 1, ...
 00671   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 00672  1736   NtAllocateVirtualMemory  ... 18604032, 8192, ) == 0x0
 00676  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00677   868   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00670   808   NtDuplicateObject  ... 120, ) == 0x0
 00678  1252   NtRegisterThreadTerminatePort  (24, ...
 00679  2016   NtRegisterThreadTerminatePort  (24, ...
 00680   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00681  1736   NtProtectVirtualMemory  (-1, (0x11be000), 4096, 260, ...
 00677   868   NtWaitForSingleObject  ... ) == 0x102
 00682   808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00678  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 00679  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 00673  2020   NtDuplicateObject  ... 124, ) == 0x0
 00680   896   NtDuplicateObject  ... 128, ) == 0x0
 00682   808   NtWaitForSingleObject  ... ) == 0x102
 00683  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00681  1736   NtProtectVirtualMemory  ... (0x11be000), 4096, 4, ) == 0x0
 00684   868   NtAllocateVirtualMemory  (-1, 12046336, 0, 4096, 4096, 260, ...
 00685  2020   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00686   896   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00687   808   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00688  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00689  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00684   868   NtAllocateVirtualMemory  ... 12046336, 4096, ) == 0x0
 00685  2020   NtWaitForSingleObject  ... ) == 0x102
 00686   896   NtWaitForSingleObject  ... ) == 0x102
 00687   808   NtCreateEvent  ... 132, ) == 0x0
 00688  2016   NtDuplicateObject  ... 136, ) == 0x0
 00689  1736   NtCreateThread  ... 140, {1636, 2012}, ) == 0x0
 00690   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00691  2020   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00692   896   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00683  1252   NtDuplicateObject  ... 144, ) == 0x0
 00693  2016   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00694  1736   NtQueryInformationThread  (140, Basic, 28, ...
 00691  2020   NtCreateEvent  ... 148, ) == 0x0
 00692   896   NtCreateEvent  ... 152, ) == 0x0
 00695  1252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00693  2016   NtWaitForSingleObject  ... ) == 0x102
 00694  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 00696   808   NtWaitForSingleObject  (132, 0, 0x0, ...
 00697  2020   NtClose  (148, ...
 00676  1356   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695  1252   NtWaitForSingleObject  ... ) == 0x102
 00698  2016   NtWaitForSingleObject  (132, 0, 0x0, ...
 00699   896   NtClose  (152, ...
 00697  2020   NtClose  ... ) == 0x0
 00700  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00701  1252   NtWaitForSingleObject  (132, 0, 0x0, ...
 00702  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\334\7\0\0" ...  ...
 00699   896   NtClose  ... ) == 0x0
 00703  2020   NtWaitForSingleObject  (132, 0, 0x0, ...
 00700  1356   NtQueryAttributesFile  ... ) == 0x0
 00702  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75487, 0}  ... {28, 56, reply, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 00704   896   NtWaitForSingleObject  (132, 0, 0x0, ...
 00705  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 00706  1736   NtResumeThread  (140, ...
 00705  1356   NtOpenFile  ... 152, {status=0x0, info=1}, ) == 0x0
 00706  1736   NtResumeThread  ... 1, ) == 0x0
 00707  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 152, ...
 00708  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00709  2012   NtWaitForSingleObject  (88, 0, 0x0, ...
 00707  1356   NtCreateSection  ... 148, ) == 0x0
 00710  1356   NtQuerySection  (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00711  1356   NtClose  (152, ... ) == 0x0
 00712  1356   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 00713  1356   NtClose  (148, ... ) == 0x0
 00714  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00715  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00708  1736   NtAllocateVirtualMemory  ... 18612224, 1048576, ) == 0x0
 00716  1736   NtAllocateVirtualMemory  (-1, 19652608, 0, 8192, 4096, 4, ... 19652608, 8192, ) == 0x0
 00717  1736   NtProtectVirtualMemory  (-1, (0x12be000), 4096, 260, ... (0x12be000), 4096, 4, ) == 0x0
 00718  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1636, 1028}, ) == 0x0
 00719  1736   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 00720  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75488, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 00715  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00721  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00722  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00723  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00724  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00725  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00726  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00727  1736   NtResumeThread  (148, ... 1, ) == 0x0
 00728  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19660800, 1048576, ) == 0x0
 00729  1736   NtAllocateVirtualMemory  (-1, 20701184, 0, 8192, 4096, 4, ... 20701184, 8192, ) == 0x0
 00730  1736   NtProtectVirtualMemory  (-1, (0x13be000), 4096, 260, ... (0x13be000), 4096, 4, ) == 0x0
 00731  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1636, 384}, ) == 0x0
 00732  1736   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 00726  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00733  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00734  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00735  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00736  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00737  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00738  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00739  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00740  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75489, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 00741  1736   NtResumeThread  (152, ... 1, ) == 0x0
 00742  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20709376, 1048576, ) == 0x0
 00743  1736   NtAllocateVirtualMemory  (-1, 21749760, 0, 8192, 4096, 4, ... 21749760, 8192, ) == 0x0
 00744  1736   NtProtectVirtualMemory  (-1, (0x14be000), 4096, 260, ... (0x14be000), 4096, 4, ) == 0x0
 00745  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00739  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00746   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00747  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00748  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00749  1356   NtSetEventBoostPriority  (88, ...
 00690   868   NtWaitForSingleObject  ... ) == 0x0
 00750   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12053456, ... ) }, 12053456, ... ) == 0x0
 00751   868   NtSetEventBoostPriority  (88, ...
 00709  2012   NtWaitForSingleObject  ... ) == 0x0
 00752  2012   NtSetEventBoostPriority  (88, ...
 00733  1028   NtWaitForSingleObject  ... ) == 0x0
 00753  1028   NtSetEventBoostPriority  (88, ...
 00746   384   NtWaitForSingleObject  ... ) == 0x0
 00754   384   NtTestAlert  (... ) == 0x0
 00753  1028   NtSetEventBoostPriority  ... ) == 0x0
 00752  2012   NtSetEventBoostPriority  ... ) == 0x0
 00751   868   NtSetEventBoostPriority  ... ) == 0x0
 00749  1356   NtSetEventBoostPriority  ... ) == 0x0
 00745  1736   NtCreateThread  ... 156, {1636, 1180}, ) == 0x0
 00755   384   NtContinue  (20708656, 1, ...
 00756  1028   NtTestAlert  (...
 00757   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00758  1356   NtQuerySystemInformation  (Basic, 44, ...
 00759  1736   NtQueryInformationThread  (156, Basic, 28, ...
 00760   384   NtRegisterThreadTerminatePort  (24, ...
 00756  1028   NtTestAlert  ... ) == 0x0
 00757   868   NtCreateEvent  ... 160, ) == 0x0
 00758  1356   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00759  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 00760   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00761  1028   NtContinue  (19660080, 1, ...
 00762   868   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00763  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00764  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ...  ...
 00765   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00766  1028   NtRegisterThreadTerminatePort  (24, ...
 00762   868   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75490, 0}  ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 00765   384   NtDuplicateObject  ... 164, ) == 0x0
 00766  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00767  2012   NtTestAlert  (...
 00768  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00769   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12053560, ... }, 12053560, ...
 00770   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00771  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00767  2012   NtTestAlert  ... ) == 0x0
 00772  1736   NtResumeThread  (156, ...
 00768  1356   NtOpenKey  ... 168, ) == 0x0
 00770   384   NtWaitForSingleObject  ... ) == 0x102
 00773  2012   NtContinue  (18611504, 1, ...
 00772  1736   NtResumeThread  ... 1, ) == 0x0
 00774  1356   NtQueryValueKey  (168,  (168, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00775   384   NtWaitForSingleObject  (132, 0, 0x0, ...
 00776  2012   NtRegisterThreadTerminatePort  (24, ...
 00777  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00774  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00777  1736   NtAllocateVirtualMemory  ... 21757952, 1048576, ) == 0x0
 00778  1356   NtClose  (168, ...
 00779  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00780  1736   NtAllocateVirtualMemory  (-1, 22798336, 0, 8192, 4096, 4, ...
 00778  1356   NtClose  ... ) == 0x0
 00771  1028   NtDuplicateObject  ... 168, ) == 0x0
 00781  1180   NtWaitForSingleObject  (88, 0, 0x0, ...
 00780  1736   NtAllocateVirtualMemory  ... 22798336, 8192, ) == 0x0
 00782  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 00783  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00779  2012   NtDuplicateObject  ... 172, ) == 0x0
 00784  1736   NtProtectVirtualMemory  (-1, (0x15be000), 4096, 260, ...
 00783  1028   NtWaitForSingleObject  ... ) == 0x102
 00785  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00784  1736   NtProtectVirtualMemory  ... (0x15be000), 4096, 4, ) == 0x0
 00786  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 00785  2012   NtWaitForSingleObject  ... ) == 0x102
 00787  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00788  2012   NtWaitForSingleObject  (132, 0, 0x0, ...
 00787  1736   NtCreateThread  ... 176, {1636, 420}, ) == 0x0
 00789  1736   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 00790  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 00791  1736   NtResumeThread  (176, ... 1, ) == 0x0
 00792  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00782  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00769   868   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00793   420   NtWaitForSingleObject  (88, 0, 0x0, ...
 00794  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00795   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12053560, ... }, 12053560, ...
 00794  1356   NtCreateEvent  ... 180, ) == 0x0
 00792  1736   NtAllocateVirtualMemory  ... 22806528, 1048576, ) == 0x0
 00796  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00797  1736   NtAllocateVirtualMemory  (-1, 23846912, 0, 8192, 4096, 4, ...
 00796  1356   NtCreateEvent  ... 184, ) == 0x0
 00797  1736   NtAllocateVirtualMemory  ... 23846912, 8192, ) == 0x0
 00798  1356   NtQuerySystemTime  (...
 00799  1736   NtProtectVirtualMemory  (-1, (0x16be000), 4096, 260, ...
 00795   868   NtQueryAttributesFile  ... ) == 0x0
 00799  1736   NtProtectVirtualMemory  ... (0x16be000), 4096, 4, ) == 0x0
 00800   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 00801  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00800   868   NtOpenFile  ... 188, {status=0x0, info=1}, ) == 0x0
 00798  1356   NtQuerySystemTime  ... {-1506051738, 29923477}, ) == 0x0
 00802   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 188, ...
 00803  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00802   868   NtCreateSection  ... 192, ) == 0x0
 00803  1356   NtCreateEvent  ... 196, ) == 0x0
 00804   868   NtQuerySection  (192, Image, 48, ...
 00805  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 00801  1736   NtCreateThread  ... 200, {1636, 596}, ) == 0x0
 00805  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00806  1736   NtQueryInformationThread  (200, Basic, 28, ...
 00807  1356   NtQuerySystemInformation  (Performance, 312, ...
 00806  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 00804   868   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00808  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0T\2\0\0" ...  ...
 00809   868   NtClose  (188, ...
 00808  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 00809   868   NtClose  ... ) == 0x0
 00807  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00810   868   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00811  1356   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 00810   868   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 00811  1356   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00812   868   NtClose  (192, ...
 00813  1356   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 00814  1736   NtResumeThread  (200, ...
 00813  1356   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00814  1736   NtResumeThread  ... 1, ) == 0x0
 00815  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00816  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00812   868   NtClose  ... ) == 0x0
 00817   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00816  1736   NtAllocateVirtualMemory  ... 23855104, 1048576, ) == 0x0
 00818   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00819  1736   NtAllocateVirtualMemory  (-1, 24895488, 0, 8192, 4096, 4, ...
 00818   868   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00819  1736   NtAllocateVirtualMemory  ... 24895488, 8192, ) == 0x0
 00820   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00821   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00822   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00823   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00824   868   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00825  1736   NtProtectVirtualMemory  (-1, (0x17be000), 4096, 260, ... (0x17be000), 4096, 4, ) == 0x0
 00826  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {1636, 376}, ) == 0x0
 00827  1736   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 00828  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 00829  1736   NtResumeThread  (192, ... 1, ) == 0x0
 00830  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00824   868   NtFlushInstructionCache  ... ) == 0x0
 00831   376   NtWaitForSingleObject  (88, 0, 0x0, ...
 00832   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00833   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00834   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00835   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00836   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00837   868   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00830  1736   NtAllocateVirtualMemory  ... 24903680, 1048576, ) == 0x0
 00838  1736   NtAllocateVirtualMemory  (-1, 25944064, 0, 8192, 4096, 4, ... 25944064, 8192, ) == 0x0
 00839  1736   NtProtectVirtualMemory  (-1, (0x18be000), 4096, 260, ... (0x18be000), 4096, 4, ) == 0x0
 00840  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {1636, 1168}, ) == 0x0
 00841  1736   NtQueryInformationThread  (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 00842  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 00837   868   NtFlushInstructionCache  ... ) == 0x0
 00843   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00844   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00845   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00846   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00847   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00848   868   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00849  1736   NtResumeThread  (188, ... 1, ) == 0x0
 00850  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25952256, 1048576, ) == 0x0
 00851  1736   NtAllocateVirtualMemory  (-1, 26992640, 0, 8192, 4096, 4, ... 26992640, 8192, ) == 0x0
 00852  1736   NtProtectVirtualMemory  (-1, (0x19be000), 4096, 260, ... (0x19be000), 4096, 4, ) == 0x0
 00853  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1636, 120}, ) == 0x0
 00854  1736   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 00848   868   NtFlushInstructionCache  ... ) == 0x0
 00855  1168   NtWaitForSingleObject  (88, 0, 0x0, ...
 00856   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00857   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 00858   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 00859   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00860   868   NtQueryValueKey  (212,  (212, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00861   868   NtQueryValueKey  (208,  (208, "DisableAdapterDomainName", Partial, 144, ... , Partial, 144, ...
 00862  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 00863  1736   NtResumeThread  (204, ... 1, ) == 0x0
 00864  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27000832, 1048576, ) == 0x0
 00865  1736   NtAllocateVirtualMemory  (-1, 28041216, 0, 8192, 4096, 4, ... 28041216, 8192, ) == 0x0
 00866  1736   NtProtectVirtualMemory  (-1, (0x1abe000), 4096, 260, ... (0x1abe000), 4096, 4, ) == 0x0
 00867  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00861   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868   120   NtWaitForSingleObject  (88, 0, 0x0, ...
 00869   868   NtQueryValueKey  (212,  (212, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00870   868   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00871   868   NtQueryValueKey  (212,  (212, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   868   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   868   NtQueryValueKey  (212,  (212, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   868   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ...
 00867  1736   NtCreateThread  ... 216, {1636, 928}, ) == 0x0
 00875  1736   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 00876  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 00877  1736   NtResumeThread  (216, ... 1, ) == 0x0
 00878  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28049408, 1048576, ) == 0x0
 00879  1736   NtAllocateVirtualMemory  (-1, 29089792, 0, 8192, 4096, 4, ... 29089792, 8192, ) == 0x0
 00874   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   928   NtWaitForSingleObject  (88, 0, 0x0, ...
 00881   868   NtQueryValueKey  (212,  (212, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   868   NtQueryValueKey  (212,  (212, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00883   868   NtQueryValueKey  (212,  (212, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   868   NtQueryValueKey  (212,  (212, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   868   NtQueryValueKey  (212,  (212, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00886   868   NtQueryValueKey  (212,  (212, "UseEdns", Partial, 144, ... , Partial, 144, ...
 00887  1736   NtProtectVirtualMemory  (-1, (0x1bbe000), 4096, 260, ... (0x1bbe000), 4096, 4, ) == 0x0
 00888  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1636, 1732}, ) == 0x0
 00889  1736   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 00890  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 00891  1736   NtResumeThread  (220, ... 1, ) == 0x0
 00892  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00886   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893  1732   NtWaitForSingleObject  (88, 0, 0x0, ...
 00894   868   NtQueryValueKey  (212,  (212, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   868   NtQueryValueKey  (212,  (212, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   868   NtQueryValueKey  (212,  (212, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   868   NtQueryValueKey  (208,  (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   868   NtQueryValueKey  (212,  (212, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   868   NtQueryValueKey  (212,  (212, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ...
 00892  1736   NtAllocateVirtualMemory  ... 29097984, 1048576, ) == 0x0
 00900  1736   NtAllocateVirtualMemory  (-1, 30138368, 0, 8192, 4096, 4, ... 30138368, 8192, ) == 0x0
 00901  1736   NtProtectVirtualMemory  (-1, (0x1cbe000), 4096, 260, ... (0x1cbe000), 4096, 4, ) == 0x0
 00902  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1636, 428}, ) == 0x0
 00903  1736   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 00904  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 00899   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   868   NtQueryValueKey  (208,  (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00906   868   NtQueryValueKey  (212,  (212, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00907   868   NtQueryValueKey  (208,  (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   868   NtQueryValueKey  (212,  (212, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00909   868   NtQueryValueKey  (208,  (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   868   NtQueryValueKey  (212,  (212, "RegistrationTtl", Partial, 144, ... , Partial, 144, ...
 00911  1736   NtResumeThread  (224, ... 1, ) == 0x0
 00912  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30146560, 1048576, ) == 0x0
 00913  1736   NtAllocateVirtualMemory  (-1, 31186944, 0, 8192, 4096, 4, ... 31186944, 8192, ) == 0x0
 00914  1736   NtProtectVirtualMemory  (-1, (0x1dbe000), 4096, 260, ... (0x1dbe000), 4096, 4, ) == 0x0
 00915  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 748}, ) == 0x0
 00916  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 00910   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   428   NtWaitForSingleObject  (88, 0, 0x0, ...
 00918   868   NtQueryValueKey  (208,  (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   868   NtQueryValueKey  (212,  (212, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920   868   NtQueryValueKey  (208,  (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   868   NtQueryValueKey  (212,  (212, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922   868   NtQueryValueKey  (208,  (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   868   NtQueryValueKey  (212,  (212, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ...
 00924  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 00925  1736   NtResumeThread  (228, ... 1, ) == 0x0
 00926  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31195136, 1048576, ) == 0x0
 00927  1736   NtAllocateVirtualMemory  (-1, 32235520, 0, 8192, 4096, 4, ... 32235520, 8192, ) == 0x0
 00928  1736   NtProtectVirtualMemory  (-1, (0x1ebe000), 4096, 260, ... (0x1ebe000), 4096, 4, ) == 0x0
 00929  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00923   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00930   748   NtWaitForSingleObject  (88, 0, 0x0, ...
 00931   868   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932   868   NtQueryValueKey  (212,  (212, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   868   NtQueryValueKey  (212,  (212, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934   868   NtQueryValueKey  (212,  (212, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00935   868   NtQueryValueKey  (212,  (212, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00936   868   NtQueryValueKey  (212,  (212, "MaxCacheTtl", Partial, 144, ... , Partial, 144, ...
 00929  1736   NtCreateThread  ... 232, {1636, 1300}, ) == 0x0
 00937  1736   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 00938  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 00939  1736   NtResumeThread  (232, ... 1, ) == 0x0
 00940  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32243712, 1048576, ) == 0x0
 00941  1736   NtAllocateVirtualMemory  (-1, 33284096, 0, 8192, 4096, 4, ... 33284096, 8192, ) == 0x0
 00936   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00942  1300   NtWaitForSingleObject  (88, 0, 0x0, ...
 00943   868   NtQueryValueKey  (212,  (212, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944   868   NtQueryValueKey  (212,  (212, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945   868   NtQueryValueKey  (212,  (212, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   868   NtQueryValueKey  (212,  (212, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   868   NtQueryValueKey  (212,  (212, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   868   NtQueryValueKey  (212,  (212, "MulticastSendLevel", Partial, 144, ... , Partial, 144, ...
 00949  1736   NtProtectVirtualMemory  (-1, (0x1fbe000), 4096, 260, ... (0x1fbe000), 4096, 4, ) == 0x0
 00950  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 1096}, ) == 0x0
 00951  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 00952  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 00953  1736   NtResumeThread  (236, ... 1, ) == 0x0
 00954  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00948   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955  1096   NtWaitForSingleObject  (88, 0, 0x0, ...
 00956   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 240, ) }, ... 240, ) == 0x0
 00957   868   NtQueryValueKey  (240,  (240, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00958   868   NtClose  (240, ... ) == 0x0
 00959   868   NtClose  (208, ... ) == 0x0
 00960   868   NtClose  (212, ... ) == 0x0
 00961   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 00954  1736   NtAllocateVirtualMemory  ... 33292288, 1048576, ) == 0x0
 00962  1736   NtAllocateVirtualMemory  (-1, 34332672, 0, 8192, 4096, 4, ... 34332672, 8192, ) == 0x0
 00963  1736   NtProtectVirtualMemory  (-1, (0x20be000), 4096, 260, ... (0x20be000), 4096, 4, ) == 0x0
 00964  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 252}, ) == 0x0
 00965  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 00966  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 00961   868   NtOpenKey  ... 208, ) == 0x0
 00967   868   NtQueryValueKey  (208,  (208, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968   868   NtQueryValueKey  (208,  (208, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   868   NtQueryValueKey  (208,  (208, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   868   NtClose  (208, ... ) == 0x0
 00971   868   NtSetEventBoostPriority  (88, ...
 00781  1180   NtWaitForSingleObject  ... ) == 0x0
 00972  1180   NtSetEventBoostPriority  (88, ...
 00793   420   NtWaitForSingleObject  ... ) == 0x0
 00973   420   NtSetEventBoostPriority  (88, ...
 00817   596   NtWaitForSingleObject  ... ) == 0x0
 00974   596   NtSetEventBoostPriority  (88, ...
 00815  1356   NtWaitForSingleObject  ... ) == 0x0
 00975  1356   NtSetEventBoostPriority  (88, ...
 00831   376   NtWaitForSingleObject  ... ) == 0x0
 00976   376   NtSetEventBoostPriority  (88, ...
 00855  1168   NtWaitForSingleObject  ... ) == 0x0
 00977  1168   NtSetEventBoostPriority  (88, ...
 00868   120   NtWaitForSingleObject  ... ) == 0x0
 00978   120   NtSetEventBoostPriority  (88, ...
 00880   928   NtWaitForSingleObject  ... ) == 0x0
 00979   928   NtSetEventBoostPriority  (88, ...
 00893  1732   NtWaitForSingleObject  ... ) == 0x0
 00980  1732   NtSetEventBoostPriority  (88, ...
 00917   428   NtWaitForSingleObject  ... ) == 0x0
 00981   428   NtSetEventBoostPriority  (88, ...
 00930   748   NtWaitForSingleObject  ... ) == 0x0
 00982   748   NtSetEventBoostPriority  (88, ...
 00942  1300   NtWaitForSingleObject  ... ) == 0x0
 00983  1300   NtSetEventBoostPriority  (88, ...
 00955  1096   NtWaitForSingleObject  ... ) == 0x0
 00984  1096   NtTestAlert  (... ) == 0x0
 00983  1300   NtSetEventBoostPriority  ... ) == 0x0
 00982   748   NtSetEventBoostPriority  ... ) == 0x0
 00981   428   NtSetEventBoostPriority  ... ) == 0x0
 00980  1732   NtSetEventBoostPriority  ... ) == 0x0
 00979   928   NtSetEventBoostPriority  ... ) == 0x0
 00978   120   NtSetEventBoostPriority  ... ) == 0x0
 00977  1168   NtSetEventBoostPriority  ... ) == 0x0
 00976   376   NtSetEventBoostPriority  ... ) == 0x0
 00974   596   NtSetEventBoostPriority  ... ) == 0x0
 00973   420   NtSetEventBoostPriority  ... ) == 0x0
 00972  1180   NtSetEventBoostPriority  ... ) == 0x0
 00975  1356   NtSetEventBoostPriority  ... ) == 0x0
 00971   868   NtSetEventBoostPriority  ... ) == 0x0
 00985  1736   NtResumeThread  (212, ...
 00986  1096   NtContinue  (33291568, 1, ...
 00987  1300   NtTestAlert  (...
 00988   748   NtTestAlert  (...
 00989   428   NtTestAlert  (...
 00990  1732   NtTestAlert  (...
 00991   928   NtTestAlert  (...
 00992   120   NtTestAlert  (...
 00993  1168   NtTestAlert  (...
 00994   376   NtTestAlert  (...
 00995   596   NtTestAlert  (...
 00996   420   NtTestAlert  (...
 00997  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00998   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00985  1736   NtResumeThread  ... 1, ) == 0x0
 00999  1096   NtRegisterThreadTerminatePort  (24, ...
 00987  1300   NtTestAlert  ... ) == 0x0
 00988   748   NtTestAlert  ... ) == 0x0
 00989   428   NtTestAlert  ... ) == 0x0
 00990  1732   NtTestAlert  ... ) == 0x0
 00991   928   NtTestAlert  ... ) == 0x0
 00992   120   NtTestAlert  ... ) == 0x0
 00993  1168   NtTestAlert  ... ) == 0x0
 00994   376   NtTestAlert  ... ) == 0x0
 00995   596   NtTestAlert  ... ) == 0x0
 00996   420   NtTestAlert  ... ) == 0x0
 00997  1356   NtCreateEvent  ... 208, ) == 0x0
 01000  1180   NtTestAlert  (...
 01001   252   NtTestAlert  (...
 01002  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00999  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01003  1300   NtContinue  (32242992, 1, ...
 01004   748   NtContinue  (31194416, 1, ...
 01005   428   NtContinue  (30145840, 1, ...
 01006  1732   NtContinue  (29097264, 1, ...
 01007   928   NtContinue  (28048688, 1, ...
 01008   120   NtContinue  (27000112, 1, ...
 01009  1168   NtContinue  (25951536, 1, ...
 01010   376   NtContinue  (24902960, 1, ...
 01011   596   NtContinue  (23854384, 1, ...
 01012   420   NtContinue  (22805808, 1, ...
 00998   868   NtCreateEvent  ... 240, ) == 0x0
 01000  1180   NtTestAlert  ... ) == 0x0
 01001   252   NtTestAlert  ... ) == 0x0
 01002  1736   NtAllocateVirtualMemory  ... 34340864, 1048576, ) == 0x0
 01013  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01014  1300   NtRegisterThreadTerminatePort  (24, ...
 01015   748   NtRegisterThreadTerminatePort  (24, ...
 01016   428   NtRegisterThreadTerminatePort  (24, ...
 01017  1732   NtRegisterThreadTerminatePort  (24, ...
 01018   928   NtRegisterThreadTerminatePort  (24, ...
 01019   120   NtRegisterThreadTerminatePort  (24, ...
 01020  1168   NtRegisterThreadTerminatePort  (24, ...
 01021   376   NtRegisterThreadTerminatePort  (24, ...
 01022   596   NtRegisterThreadTerminatePort  (24, ...
 01023   420   NtRegisterThreadTerminatePort  (24, ...
 01024   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01025  1180   NtContinue  (21757232, 1, ...
 01026  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01027  1736   NtAllocateVirtualMemory  (-1, 35381248, 0, 8192, 4096, 4, ...
 01013  1096   NtDuplicateObject  ... 244, ) == 0x0
 01014  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01015   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01016   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 01017  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01018   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01019   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 01020  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 01021   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01022   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01023   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01024   868   NtDuplicateObject  ... 248, ) == 0x0
 01028  1180   NtRegisterThreadTerminatePort  (24, ...
 01026  1356   NtDuplicateObject  ... 252, ) == 0x0
 01027  1736   NtAllocateVirtualMemory  ... 35381248, 8192, ) == 0x0
 01029  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01030  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01031   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01032   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01033  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01034   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01035   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01036  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01037   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01038   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01039   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01040   868   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01028  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 01041  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01042   252   NtContinue  (34340144, 1, ...
 01043  1736   NtProtectVirtualMemory  (-1, (0x21be000), 4096, 260, ...
 01029  1096   NtWaitForSingleObject  ... ) == 0x102
 01030  1300   NtDuplicateObject  ... 256, ) == 0x0
 01031   748   NtDuplicateObject  ... 260, ) == 0x0
 01032   428   NtDuplicateObject  ... 264, ) == 0x0
 01033  1732   NtDuplicateObject  ... 268, ) == 0x0
 01034   928   NtDuplicateObject  ... 272, ) == 0x0
 01035   120   NtDuplicateObject  ... 276, ) == 0x0
 01036  1168   NtDuplicateObject  ... 280, ) == 0x0
 01037   376   NtDuplicateObject  ... 284, ) == 0x0
 01038   596   NtDuplicateObject  ... 288, ) == 0x0
 01040   868   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01044  1180   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01041  1356   NtCreateEvent  ... 292, ) == 0x0
 01045   252   NtRegisterThreadTerminatePort  (24, ...
 01043  1736   NtProtectVirtualMemory  ... (0x21be000), 4096, 4, ) == 0x0
 01046  1096   NtWaitForSingleObject  (132, 0, 0x0, ...
 01047  1300   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01048   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01049   428   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01050  1732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01051   928   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01052   120   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01053  1168   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01054   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01055   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01056   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01039   420   NtDuplicateObject  ... 296, ) == 0x0
 01057  1356   NtWaitForSingleObject  (292, 0, 0x0, ...
 01045   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01058  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01047  1300   NtCreateEvent  ... 300, ) == 0x0
 01048   748   NtCreateEvent  ... 304, ) == 0x0
 01049   428   NtCreateEvent  ... 308, ) == 0x0
 01050  1732   NtCreateEvent  ... 312, ) == 0x0
 01051   928   NtCreateEvent  ... 316, ) == 0x0
 01052   120   NtCreateEvent  ... 320, ) == 0x0
 01053  1168   NtCreateEvent  ... 324, ) == 0x0
 01054   376   NtCreateEvent  ... 328, ) == 0x0
 01055   596   NtCreateEvent  ... 332, ) == 0x0
 01044  1180   NtCreateEvent  ... 336, ) == 0x0
 01059   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 01060   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 01058  1736   NtCreateThread  ... 340, {1636, 500}, ) == 0x0
 01061  1300   NtClose  (300, ...
 01062   748   NtClose  (304, ...
 01063   428   NtClose  (308, ...
 01064  1732   NtClose  (312, ...
 01065   928   NtClose  (316, ...
 01066   120   NtClose  (320, ...
 01067  1168   NtClose  (324, ...
 01068   376   NtClose  (328, ...
 01069   596   NtClose  (332, ...
 01070  1180   NtClose  (336, ...
 01071  1736   NtQueryInformationThread  (340, Basic, 28, ...
 01061  1300   NtClose  ... ) == 0x0
 01062   748   NtClose  ... ) == 0x0
 01063   428   NtClose  ... ) == 0x0
 01064  1732   NtClose  ... ) == 0x0
 01065   928   NtClose  ... ) == 0x0
 01066   120   NtClose  ... ) == 0x0
 01067  1168   NtClose  ... ) == 0x0
 01068   376   NtClose  ... ) == 0x0
 01069   596   NtClose  ... ) == 0x0
 01070  1180   NtClose  ... ) == 0x0
 01071  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 01072  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 01073   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 01074   428   NtWaitForSingleObject  (292, 0, 0x0, ...
 01075  1732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01076   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 01077   120   NtWaitForSingleObject  (292, 0, 0x0, ...
 01078  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 01079   376   NtWaitForSingleObject  (292, 0, 0x0, ...
 01080   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 01081  1180   NtWaitForSingleObject  (292, 0, 0x0, ...
 01056   868   NtCreateEvent  ... 336, ) == 0x0
 01082  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0d\6\0\0\364\1\0\0" ...  ...
 01083   868   NtClose  (336, ...
 01082  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 01083   868   NtClose  ... ) == 0x0
 01084  1736   NtResumeThread  (340, ...
 01085   868   NtSetEventBoostPriority  (292, ...
 01084  1736   NtResumeThread  ... 1, ) == 0x0
 01057  1356   NtWaitForSingleObject  ... ) == 0x0
 01085   868   NtSetEventBoostPriority  ... ) == 0x0
 01086  1356   NtSetEventBoostPriority  (292, ...
 01087  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01059   420   NtWaitForSingleObject  ... ) == 0x0
 01086  1356   NtSetEventBoostPriority  ... ) == 0x0
 01088   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01089   500   NtTestAlert  (...
 01090   420   NtSetEventBoostPriority  (292, ...
 01087  1736   NtAllocateVirtualMemory  ... 35389440, 1048576, ) == 0x0
 01091  1356   NtWaitForSingleObject  (292, 0, 0x0, ...
 01060   252   NtWaitForSingleObject  ... ) == 0x0
 01090   420   NtSetEventBoostPriority  ... ) == 0x0
 01089   500   NtTestAlert  ... ) == 0x0
 01092  1736   NtAllocateVirtualMemory  (-1, 36429824, 0, 8192, 4096, 4, ...
 01093   252   NtSetEventBoostPriority  (292, ...
 01094   500   NtContinue  (35388720, 1, ...
 01072  1300   NtWaitForSingleObject  ... ) == 0x0
 01093   252   NtSetEventBoostPriority  ... ) == 0x0
 01092  1736   NtAllocateVirtualMemory  ... 36429824, 8192, ) == 0x0
 01095  1300   NtSetEventBoostPriority  (292, ...
 01096   500   NtRegisterThreadTerminatePort  (24, ...
 01097   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 01073   748   NtWaitForSingleObject  ... ) == 0x0
 01098  1736   NtProtectVirtualMemory  (-1, (0x22be000), 4096, 260, ...
 01096   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01099   748   NtSetEventBoostPriority  (292, ...
 01098  1736   NtProtectVirtualMemory  ... (0x22be000), 4096, 4, ) == 0x0
 01095  1300   NtSetEventBoostPriority  ... ) == 0x0
 01100   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01074   428   NtWaitForSingleObject  ... ) == 0x0
 01101  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01102  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 01100   252   NtDuplicateObject  ... 336, ) == 0x0
 01103   428   NtSetEventBoostPriority  (292, ...
 01099   748   NtSetEventBoostPriority  ... ) == 0x0
 01104   500   NtWaitForSingleObject  (292, 0, 0x0, ...
 01105   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 01075  1732   NtWaitForSingleObject  ... ) == 0x0
 01106   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 01107  1732   NtSetEventBoostPriority  (292, ...
 01076   928   NtWaitForSingleObject  ... ) == 0x0
 01108   928   NtSetEventBoostPriority  (292, ...
 01077   120   NtWaitForSingleObject  ... ) == 0x0
 01109   120   NtSetEventBoostPriority  (292, ...
 01078  1168   NtWaitForSingleObject  ... ) == 0x0
 01110  1168   NtSetEventBoostPriority  (292, ...
 01079   376   NtWaitForSingleObject  ... ) == 0x0
 01111   376   NtSetEventBoostPriority  (292, ...
 01081  1180   NtWaitForSingleObject  ... ) == 0x0
 01112  1180   NtSetEventBoostPriority  (292, ...
 01080   596   NtWaitForSingleObject  ... ) == 0x0
 01113   596   NtSetEventBoostPriority  (292, ...
 01091  1356   NtWaitForSingleObject  ... ) == 0x0
 01114  1356   NtSetEventBoostPriority  (292, ...
 01088   868   NtWaitForSingleObject  ... ) == 0x0
 01115   868   NtSetEventBoostPriority  (292, ...
 01097   420   NtWaitForSingleObject  ... ) == 0x0
 01116   420   NtSetEventBoostPriority  (292, ...
 01102  1300   NtWaitForSingleObject  ... ) == 0x0
 01117  1300   NtSetEventBoostPriority  (292, ...
 01104   500   NtWaitForSingleObject  ... ) == 0x0
 01118   500   NtSetEventBoostPriority  (292, ...
 01105   252   NtWaitForSingleObject  ... ) == 0x0
 01119   252   NtSetEventBoostPriority  (292, ...
 01106   748   NtWaitForSingleObject  ... ) == 0x0
 01120   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 332, ) == 0x0
 01119   252   NtSetEventBoostPriority  ... ) == 0x0
 01118   500   NtSetEventBoostPriority  ... ) == 0x0
 01117  1300   NtSetEventBoostPriority  ... ) == 0x0
 01116   420   NtSetEventBoostPriority  ... ) == 0x0
 01114  1356   NtSetEventBoostPriority  ... ) == 0x0
 01112  1180   NtSetEventBoostPriority  ... ) == 0x0
 01115   868   NtSetEventBoostPriority  ... ) == 0x0
 01113   596   NtSetEventBoostPriority  ... ) == 0x0
 01111   376   NtSetEventBoostPriority  ... ) == 0x0
 01110  1168   NtSetEventBoostPriority  ... ) == 0x0
 01109   120   NtSetEventBoostPriority  ... ) == 0x0
 01108   928   NtSetEventBoostPriority  ... ) == 0x0
 01107  1732   NtSetEventBoostPriority  ... ) == 0x0
 01103   428   NtSetEventBoostPriority  ... ) == 0x0
 01101  1736   NtCreateThread  ... 328, {1636, 1132}, ) == 0x0
 01121   748   NtWaitForSingleObject  (332, 0, 0x0, ...
 01122   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01123   252   NtWaitForSingleObject  (332, 0, 0x0, ...
 01124   420   NtWaitForSingleObject  (332, 0, 0x0, ...
 01125  1356   NtWaitForSingleObject  (332, 0, 0x0, ...
 01126  1300   NtWaitForSingleObject  (332, 0, 0x0, ...
 01127   868   NtSetEventBoostPriority  (332, ...
 01128   596   NtWaitForSingleObject  (332, 0, 0x0, ...
 01129   376   NtWaitForSingleObject  (332, 0, 0x0, ...
 01130  1168   NtWaitForSingleObject  (332, 0, 0x0, ...
 01131   120   NtWaitForSingleObject  (332, 0, 0x0, ...
 01132   928   NtWaitForSingleObject  (332, 0, 0x0, ...
 01133  1732   NtWaitForSingleObject  (332, 0, 0x0, ...
 01134   428   NtWaitForSingleObject  (332, 0, 0x0, ...
 01135  1736   NtQueryInformationThread  (328, Basic, 28, ...
 01136  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01122   500   NtDuplicateObject  ... 324, ) == 0x0
 01121   748   NtWaitForSingleObject  ... ) == 0x0
 01127   868   NtSetEventBoostPriority  ... ) == 0x0
 01135  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0
 01136  1180   NtDuplicateObject  ... 320, ) == 0x0
 01137   748   NtSetEventBoostPriority  (332, ...
 01138   500   NtWaitForSingleObject  (332, 0, 0x0, ...
 01139  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0l\4\0\0" ...  ...
 01123   252   NtWaitForSingleObject  ... ) == 0x0
 01137   748   NtSetEventBoostPriority  ... ) == 0x0
 01140  1180   NtWaitForSingleObject  (332, 0, 0x0, ...
 01141   252   NtSetEventBoostPriority  (332, ...
 01139  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0l\4\0\0" )  ) == 0x0
 01142   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01124   420   NtWaitForSingleObject  ... ) == 0x0
 01141   252   NtSetEventBoostPriority  ... ) == 0x0
 01143   868   NtWaitForSingleObject  (332, 0, 0x0, ...
 01144  1736   NtResumeThread  (328, ...
 01145   420   NtSetEventBoostPriority  (332, ...
 01146   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01126  1300   NtWaitForSingleObject  ... ) == 0x0
 01144  1736   NtResumeThread  ... 1, ) == 0x0
 01145   420   NtSetEventBoostPriority  ... ) == 0x0
 01142   748   NtWaitForSingleObject  ... ) == 0x102
 01147  1300   NtSetEventBoostPriority  (332, ...
 01148  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01149   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01150   748   NtWaitForSingleObject  (132, 0, 0x0, ...
 01128   596   NtWaitForSingleObject  ... ) == 0x0
 01147  1300   NtSetEventBoostPriority  ... ) == 0x0
 01148  1736   NtAllocateVirtualMemory  ... 36438016, 1048576, ) == 0x0
 01151   596   NtSetEventBoostPriority  (332, ...
 01152  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01129   376   NtWaitForSingleObject  ... ) == 0x0
 01151   596   NtSetEventBoostPriority  ... ) == 0x0
 01153  1736   NtAllocateVirtualMemory  (-1, 37478400, 0, 8192, 4096, 4, ...
 01146   252   NtWaitForSingleObject  ... ) == 0x102
 01154  1132   NtAllocateVirtualMemory  (-1, 8802304, 0, 4096, 4096, 4, ...
 01149   420   NtWaitForSingleObject  ... ) == 0x102
 01155   376   NtSetEventBoostPriority  (332, ...
 01152  1300   NtWaitForSingleObject  ... ) == 0x102
 01153  1736   NtAllocateVirtualMemory  ... 37478400, 8192, ) == 0x0
 01156   252   NtWaitForSingleObject  (132, 0, 0x0, ...
 01154  1132   NtAllocateVirtualMemory  ... 8802304, 4096, ) == 0x0
 01130  1168   NtWaitForSingleObject  ... ) == 0x0
 01155   376   NtSetEventBoostPriority  ... ) == 0x0
 01157   420   NtWaitForSingleObject  (132, 0, 0x0, ...
 01158  1300   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01159   596   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01160  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 01161  1132   NtTestAlert  (...
 01162  1736   NtProtectVirtualMemory  (-1, (0x23be000), 4096, 260, ...
 01158  1300   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01159   596   NtWaitForSingleObject  ... ) == 0x102
 01161  1132   NtTestAlert  ... ) == 0x0
 01162  1736   NtProtectVirtualMemory  ... (0x23be000), 4096, 4, ) == 0x0
 01163  1300   NtSetEventBoostPriority  (292, ...
 01164   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 01165  1132   NtContinue  (36437296, 1, ...
 01166  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01160  1168   NtWaitForSingleObject  ... ) == 0x0
 01163  1300   NtSetEventBoostPriority  ... ) == 0x0
 01167   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01168  1168   NtSetEventBoostPriority  (292, ...
 01166  1736   NtCreateThread  ... 316, {1636, 1024}, ) == 0x0
 01169  1132   NtRegisterThreadTerminatePort  (24, ...
 01164   596   NtWaitForSingleObject  ... ) == 0x0
 01168  1168   NtSetEventBoostPriority  ... ) == 0x0
 01167   376   NtWaitForSingleObject  ... ) == 0x102
 01170  1736   NtQueryInformationThread  (316, Basic, 28, ...
 01171   596   NtWaitForSingleObject  (132, 0, 0x0, ...
 01169  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 01172  1300   NtWaitForSingleObject  (132, 0, 0x0, ...
 01173   376   NtWaitForSingleObject  (132, 0, 0x0, ...
 01170  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1024,}, 0x0, ) == 0x0
 01174  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01175  1168   NtSetEventBoostPriority  (332, ...
 01174  1132   NtDuplicateObject  ... 312, ) == 0x0
 01131   120   NtWaitForSingleObject  ... ) == 0x0
 01175  1168   NtSetEventBoostPriority  ... ) == 0x0
 01176   120   NtSetEventBoostPriority  (332, ...
 01177  1132   NtWaitForSingleObject  (332, 0, 0x0, ...
 01132   928   NtWaitForSingleObject  ... ) == 0x0
 01176   120   NtSetEventBoostPriority  ... ) == 0x0
 01178  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01179   928   NtSetEventBoostPriority  (332, ...
 01180  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0d\6\0\0\0\4\0\0" ...  ...
 01133  1732   NtWaitForSingleObject  ... ) == 0x0
 01179   928   NtSetEventBoostPriority  ... ) == 0x0
 01178  1168   NtWaitForSingleObject  ... ) == 0x102
 01181  1732   NtSetEventBoostPriority  (332, ...
 01180  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0d\6\0\0\0\4\0\0" )  ) == 0x0
 01182   120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01134   428   NtWaitForSingleObject  ... ) == 0x0
 01181  1732   NtSetEventBoostPriority  ... ) == 0x0
 01183  1168   NtWaitForSingleObject  (132, 0, 0x0, ...
 01184  1736   NtResumeThread  (316, ...
 01185   428   NtSetEventBoostPriority  (332, ...
 01182   120   NtWaitForSingleObject  ... ) == 0x102
 01186   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01187  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01125  1356   NtWaitForSingleObject  ... ) == 0x0
 01185   428   NtSetEventBoostPriority  ... ) == 0x0
 01184  1736   NtResumeThread  ... 1, ) == 0x0
 01188   120   NtWaitForSingleObject  (132, 0, 0x0, ...
 01186   928   NtWaitForSingleObject  ... ) == 0x102
 01189  1356   NtSetEventBoostPriority  (332, ...
 01187  1732   NtWaitForSingleObject  ... ) == 0x102
 01190  1024   NtTestAlert  (...
 01191  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01138   500   NtWaitForSingleObject  ... ) == 0x0
 01192   928   NtWaitForSingleObject  (132, 0, 0x0, ...
 01193  1732   NtWaitForSingleObject  (132, 0, 0x0, ...
 01190  1024   NtTestAlert  ... ) == 0x0
 01189  1356   NtSetEventBoostPriority  ... ) == 0x0
 01194   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01195   500   NtSetEventBoostPriority  (332, ...
 01196  1024   NtContinue  (37485872, 1, ...
 01197  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01194   428   NtWaitForSingleObject  ... ) == 0x102
 01140  1180   NtWaitForSingleObject  ... ) == 0x0
 01195   500   NtSetEventBoostPriority  ... ) == 0x0
 01198  1024   NtRegisterThreadTerminatePort  (24, ...
 01197  1356   NtOpenKey  ... 308, ) == 0x0
 01199  1180   NtSetEventBoostPriority  (332, ...
 01200   428   NtWaitForSingleObject  (132, 0, 0x0, ...
 01191  1736   NtAllocateVirtualMemory  ... 37486592, 1048576, ) == 0x0
 01198  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01201   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01143   868   NtWaitForSingleObject  ... ) == 0x0
 01199  1180   NtSetEventBoostPriority  ... ) == 0x0
 01202  1736   NtAllocateVirtualMemory  (-1, 38526976, 0, 8192, 4096, 4, ...
 01203  1356   NtQueryValueKey  (308,  (308, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01204   868   NtSetEventBoostPriority  (332, ...
 01201   500   NtWaitForSingleObject  ... ) == 0x102
 01205  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01202  1736   NtAllocateVirtualMemory  ... 38526976, 8192, ) == 0x0
 01177  1132   NtWaitForSingleObject  ... ) == 0x0
 01204   868   NtSetEventBoostPriority  ... ) == 0x0
 01203  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01206   500   NtWaitForSingleObject  (132, 0, 0x0, ...
 01205  1024   NtDuplicateObject  ... 304, ) == 0x0
 01207  1132   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01208  1736   NtProtectVirtualMemory  (-1, (0x24be000), 4096, 260, ...
 01209   868   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01210  1356   NtClose  (308, ...
 01211  1024   NtWaitForSingleObject  (292, 0, 0x0, ...
 01208  1736   NtProtectVirtualMemory  ... (0x24be000), 4096, 4, ) == 0x0
 01212  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01207  1132   NtWaitForSingleObject  ... ) == 0x102
 01210  1356   NtClose  ... ) == 0x0
 01213  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01212  1180   NtWaitForSingleObject  ... ) == 0x102
 01214  1132   NtWaitForSingleObject  (292, 0, 0x0, ...
 01215  1356   NtWaitForSingleObject  (292, 0, 0x0, ...
 01209   868   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01216  1180   NtWaitForSingleObject  (292, 0, 0x0, ...
 01217   868   NtSetEventBoostPriority  (292, ...
 01211  1024   NtWaitForSingleObject  ... ) == 0x0
 01218  1024   NtSetEventBoostPriority  (292, ...
 01214  1132   NtWaitForSingleObject  ... ) == 0x0
 01219  1132   NtSetEventBoostPriority  (292, ...
 01215  1356   NtWaitForSingleObject  ... ) == 0x0
 01220  1356   NtSetEventBoostPriority  (292, ...
 01216  1180   NtWaitForSingleObject  ... ) == 0x0
 01221  1180   NtWaitForSingleObject  (132, 0, 0x0, ...
 01220  1356   NtSetEventBoostPriority  ... ) == 0x0
 01219  1132   NtSetEventBoostPriority  ... ) == 0x0
 01218  1024   NtSetEventBoostPriority  ... ) == 0x0
 01217   868   NtSetEventBoostPriority  ... ) == 0x0
 01213  1736   NtCreateThread  ... 308, {1636, 948}, ) == 0x0
 01222  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01223  1132   NtWaitForSingleObject  (132, 0, 0x0, ...
 01224   868   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01225  1736   NtQueryInformationThread  (308, Basic, 28, ...
 01222  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01224   868   NtOpenFile  ... 300, {status=0x0, info=0}, ) == 0x0
 01225  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=948,}, 0x0, ) == 0x0
 01226  1356   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01227   868   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252b\363w\273\354\11\334oe\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01228  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0d\6\0\0\264\3\0\0" ...  ...
 01226  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01229  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01228  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0d\6\0\0\264\3\0\0" )  ) == 0x0
 01230  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ...
 01229  1024   NtWaitForSingleObject  ... ) == 0x102
 01231   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01230  1356   NtQueryAttributesFile  ... ) == 0x0
 01232  1024   NtWaitForSingleObject  (132, 0, 0x0, ...
 01231   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01233  1736   NtResumeThread  (308, ...
 01234   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01233  1736   NtResumeThread  ... 1, ) == 0x0
 01234   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01235  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01236   868   NtQuerySystemInformation  (Performance, 312, ...
 01235  1736   NtAllocateVirtualMemory  ... 38535168, 1048576, ) == 0x0
 01236   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01237  1736   NtAllocateVirtualMemory  (-1, 39575552, 0, 8192, 4096, 4, ...
 01238  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01239   948   NtTestAlert  (...
 01237  1736   NtAllocateVirtualMemory  ... 39575552, 8192, ) == 0x0
 01238  1356   NtOpenKey  ... 344, ) == 0x0
 01239   948   NtTestAlert  ... ) == 0x0
 01240   868   NtQuerySystemInformation  (Exception, 16, ...
 01241  1356   NtQueryValueKey  (344,  (344, "Transports", Partial, 144, ... , Partial, 144, ...
 01242   948   NtContinue  (38534448, 1, ...
 01240   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01241  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01243   948   NtRegisterThreadTerminatePort  (24, ...
 01244   868   NtQuerySystemInformation  (Lookaside, 32, ...
 01245  1356   NtQueryValueKey  (344,  (344, "Transports", Partial, 144, ... , Partial, 144, ...
 01243   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01244   868   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01245  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01246  1736   NtProtectVirtualMemory  (-1, (0x25be000), 4096, 260, ...
 01247   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01248   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01246  1736   NtProtectVirtualMemory  ... (0x25be000), 4096, 4, ) == 0x0
 01247   868   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01248   948   NtDuplicateObject  ... 348, ) == 0x0
 01249  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01250  1356   NtClose  (344, ...
 01251   948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01249  1736   NtCreateThread  ... 352, {1636, 1064}, ) == 0x0
 01250  1356   NtClose  ... ) == 0x0
 01251   948   NtWaitForSingleObject  ... ) == 0x102
 01252  1736   NtQueryInformationThread  (352, Basic, 28, ...
 01253  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01254   948   NtWaitForSingleObject  (132, 0, 0x0, ...
 01252  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0
 01253  1356   NtOpenKey  ... 344, ) == 0x0
 01255   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01256  1356   NtQueryValueKey  (344,  (344, "Mapping", Partial, 144, ... , Partial, 144, ...
 01255   868   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01256  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01257   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01258  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0(\4\0\0" ...  ...
 01259  1356   NtQueryValueKey  (344,  (344, "Mapping", Partial, 144, ... , Partial, 144, ...
 01258  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0(\4\0\0" )  ) == 0x0
 01259  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01260  1736   NtResumeThread  (352, ...
 01261  1356   NtQueryValueKey  (344,  (344, "Mapping", Partial, 152, ... , Partial, 152, ...
 01260  1736   NtResumeThread  ... 1, ) == 0x0
 01261  1356   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01262  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01263  1356   NtClose  (344, ...
 01257   868   NtCreateKey  ... -2147482576, 2, ) == 0x0
 01264  1064   NtTestAlert  (...
 01263  1356   NtClose  ... ) == 0x0
 01265   868   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\300\250\254\363\24\315p\274q\266\365\315\26\13\363\340\215\237\220\1e\203\11\351$\225\211x\323\257\374\253p2\327v\301\216b\373_\242\315\34\10d\217b\6j\2100Q\273x\223\365\16$#\14\341w\376\366^\266D\251)\0b\334\321\265MkC\236\31", 80, ... , 0, 3,  (-2147482576, "Seed", 0, 3, "\300\250\254\363\24\315p\274q\266\365\315\26\13\363\340\215\237\220\1e\203\11\351$\225\211x\323\257\374\253p2\327v\301\216b\373_\242\315\34\10d\217b\6j\2100Q\273x\223\365\16$#\14\341w\376\366^\266D\251)\0b\334\321\265MkC\236\31", 80, ... , 80, ...
 01264  1064   NtTestAlert  ... ) == 0x0
 01262  1736   NtAllocateVirtualMemory  ... 39583744, 1048576, ) == 0x0
 01265   868   NtSetValueKey  ... ) == 0x0
 01266  1064   NtContinue  (39583024, 1, ...
 01267  1736   NtAllocateVirtualMemory  (-1, 40624128, 0, 8192, 4096, 4, ...
 01268   868   NtClose  (-2147482576, ...
 01269  1064   NtRegisterThreadTerminatePort  (24, ...
 01267  1736   NtAllocateVirtualMemory  ... 40624128, 8192, ) == 0x0
 01268   868   NtClose  ... ) == 0x0
 01269  1064   NtRegisterThreadTerminatePort  ... ) == 0x0
 01270  1736   NtProtectVirtualMemory  (-1, (0x26be000), 4096, 260, ...
 01227   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "PIQ\223\240\4\27\227\230FpZ\3516I>'\265\21\35\204\360v\254`b\33\26\324\21[V@\207I\37?\35\262}\22\331&L\350\344U\204\325#\240\244$\265L\301\343\321\276F[\252\3\263\212\260[v@\373\212\347:\354\32\3553\330j\263\256C\224S\322\\242\276\303\277\37\214\275\347\2228\316r\3637\373'\375\265s|\271\341\356\343\40\266\346!\276f(h\370r\233\211\314A\236\200\357\332\222*h}4f3$\322\202\223\324\20^$\25\363\302l\216H\256\1775\325\30b\254\16\11\235\311\346} i\344U\355FQ\2350ZV\240\275\324\332k\20\37\370", ) '\375\265s|\271\341\356\343\40\266\346!\276f(h\370r\233\211\314A\236\200\357\332\222*h}4f3$\322\202\223\324\20^$\25\363\302l\216H\256\1775\325\30b\254\16\11\235\311\346} i\344U\355FQ\2350ZV\240\275\324\332k\20\37\370", ) == 0x0
 01271  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01270  1736   NtProtectVirtualMemory  ... (0x26be000), 4096, 4, ) == 0x0
 01272  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01271  1356   NtOpenKey  ... 344, ) == 0x0
 01273  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01272  1064   NtDuplicateObject  ... 356, ) == 0x0
 01274  1356   NtQueryValueKey  (344,  (344, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01275   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01276  1064   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01274  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01275   868   NtCreateEvent  ... 360, ) == 0x0
 01276  1064   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01277  1356   NtQueryValueKey  (344,  (344, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01278   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01279  1064   NtSetEventBoostPriority  (292, ...
 01277  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01278   868   NtWaitForSingleObject  ... ) == 0x0
 01279  1064   NtSetEventBoostPriority  ... ) == 0x0
 01273  1736   NtCreateThread  ... 364, {1636, 1384}, ) == 0x0
 01280   868   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12054020, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12054020, 188, ...
 01281  1356   NtQueryValueKey  (344,  (344, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01282  1736   NtQueryInformationThread  (364, Basic, 28, ...
 01281  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01282  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0
 01283  1356   NtQueryValueKey  (344,  (344, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01284  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0h\5\0\0" ...  ...
 01283  1356   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01284  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0h\5\0\0" )  ) == 0x0
 01285  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ...
 01286  1064   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01280   868   NtConnectPort  ... 368, 0x0, 0x0, 0x0, 188, ) == 0x0
 01285  1356   NtQueryAttributesFile  ... ) == 0x0
 01286  1064   NtWaitForSingleObject  ... ) == 0x102
 01287   868   NtRequestWaitReplyPort  (368, {200, 224, new_msg, 0, 1380504, 12, 2, 1310721}  (368, {200, 224, new_msg, 0, 1380504, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\337\222\25\271X\205\7\310H\20\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \20\25\0\362\327\213\222x\1\24\0@\20\25\0h\1\24\0\0\0\0\0\0\0\0\0@\20\25\0P\0\0\0H\20\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\267\0\372\31\221|\30\364\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01288  1736   NtResumeThread  (364, ...
 01289  1064   NtWaitForSingleObject  (132, 0, 0x0, ...
 01288  1736   NtResumeThread  ... 1, ) == 0x0
 01287   868   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 868, 75510, 0}  ... {200, 224, reply, 0, 1636, 868, 75510, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\337\222\25\271X\205\7\310H\20\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \20\25\0\362\327\213\222x\1\24\0@\20\25\0h\1\24\0\0\0\0\0\0\0\0\0@\20\25\0P\0\0\0H\20\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\267\0\372\31\221|\30\364\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01290  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01291   868   NtRequestWaitReplyPort  (368, {64, 88, new_msg, 0, 0, 0, 0, 0}  (368, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01290  1736   NtAllocateVirtualMemory  ... 40632320, 1048576, ) == 0x0
 01292  1736   NtAllocateVirtualMemory  (-1, 41672704, 0, 8192, 4096, 4, ... 41672704, 8192, ) == 0x0
 01293  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01294  1384   NtWaitForSingleObject  (88, 0, 0x0, ...
 01293  1356   NtOpenFile  ... 372, {status=0x0, info=1}, ) == 0x0
 01295  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 372, ... 376, ) == 0x0
 01296  1356   NtClose  (372, ... ) == 0x0
 01297  1356   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0
 01298  1356   NtClose  (376, ... ) == 0x0
 01299  1736   NtProtectVirtualMemory  (-1, (0x27be000), 4096, 260, ... (0x27be000), 4096, 4, ) == 0x0
 01300  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 376, {1636, 188}, ) == 0x0
 01301  1736   NtQueryInformationThread  (376, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=188,}, 0x0, ) == 0x0
 01302  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\274\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\274\0\0\0" )  ) == 0x0
 01303  1736   NtResumeThread  (376, ... 1, ) == 0x0
 01304  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01305  1356   NtUnmapViewOfSection  (-1, 0x850000, ...
 01306   188   NtWaitForSingleObject  (88, 0, 0x0, ...
 01305  1356   NtUnmapViewOfSection  ... ) == 0x0
 01307  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... ) == 0x0
 01308  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 372, {status=0x0, info=1}, ) }, 5, 96, ... 372, {status=0x0, info=1}, ) == 0x0
 01309  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 372, ... 380, ) == 0x0
 01310  1356   NtQuerySection  (380, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01311  1356   NtClose  (372, ... ) == 0x0
 01304  1736   NtAllocateVirtualMemory  ... 41680896, 1048576, ) == 0x0
 01312  1736   NtAllocateVirtualMemory  (-1, 42721280, 0, 8192, 4096, 4, ... 42721280, 8192, ) == 0x0
 01313  1736   NtProtectVirtualMemory  (-1, (0x28be000), 4096, 260, ... (0x28be000), 4096, 4, ) == 0x0
 01314  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 372, {1636, 2040}, ) == 0x0
 01315  1736   NtQueryInformationThread  (372, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0
 01316  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0\370\7\0\0" )  ) == 0x0
 01317  1356   NtMapViewOfSection  (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01318  1356   NtClose  (380, ... ) == 0x0
 01319  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01320  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 01321  1356   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 01322  1736   NtResumeThread  (372, ...
 01291   868   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 868, 75511, 0}  ... {52, 76, reply, 0, 1636, 868, 75511, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01322  1736   NtResumeThread  ... 1, ) == 0x0
 01323   868   NtClose  (360, ...
 01324  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01323   868   NtClose  ... ) == 0x0
 01324  1736   NtAllocateVirtualMemory  ... 42729472, 1048576, ) == 0x0
 01325   868   NtClose  (368, ...
 01326  1736   NtAllocateVirtualMemory  (-1, 43769856, 0, 8192, 4096, 4, ...
 01325   868   NtClose  ... ) == 0x0
 01326  1736   NtAllocateVirtualMemory  ... 43769856, 8192, ) == 0x0
 01327   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 01328  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 01329  2040   NtWaitForSingleObject  (88, 0, 0x0, ...
 01330  1736   NtProtectVirtualMemory  (-1, (0x29be000), 4096, 260, ...
 01328  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01330  1736   NtProtectVirtualMemory  ... (0x29be000), 4096, 4, ) == 0x0
 01331  1356   NtSetEventBoostPriority  (88, ...
 01332  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01294  1384   NtWaitForSingleObject  ... ) == 0x0
 01331  1356   NtSetEventBoostPriority  ... ) == 0x0
 01333  1384   NtSetEventBoostPriority  (88, ...
 01332  1736   NtCreateThread  ... 368, {1636, 216}, ) == 0x0
 01306   188   NtWaitForSingleObject  ... ) == 0x0
 01333  1384   NtSetEventBoostPriority  ... ) == 0x0
 01334   188   NtSetEventBoostPriority  (88, ...
 01335  1736   NtQueryInformationThread  (368, Basic, 28, ...
 01336  1356   NtClose  (344, ...
 01329  2040   NtWaitForSingleObject  ... ) == 0x0
 01334   188   NtSetEventBoostPriority  ... ) == 0x0
 01335  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=216,}, 0x0, ) == 0x0
 01337  2040   NtSetEventBoostPriority  (88, ...
 01336  1356   NtClose  ... ) == 0x0
 01338  1384   NtTestAlert  (...
 01339   188   NtTestAlert  (...
 01327   868   NtWaitForSingleObject  ... ) == 0x0
 01337  2040   NtSetEventBoostPriority  ... ) == 0x0
 01340  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 01338  1384   NtTestAlert  ... ) == 0x0
 01341   868   NtSetEventBoostPriority  (88, ...
 01339   188   NtTestAlert  ... ) == 0x0
 01342  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0d\6\0\0\330\0\0\0" ...  ...
 01340  1356   NtWaitForSingleObject  ... ) == 0x0
 01343  1384   NtContinue  (40631600, 1, ...
 01344   188   NtContinue  (41680176, 1, ...
 01342  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75515, 0}  ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0d\6\0\0\330\0\0\0" )  ) == 0x0
 01345  1356   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ...
 01346  1384   NtRegisterThreadTerminatePort  (24, ...
 01347   188   NtRegisterThreadTerminatePort  (24, ...
 01348  1736   NtResumeThread  (368, ...
 01345  1356   NtCreateFile  ... 344, {status=0x0, info=0}, ) == 0x0
 01346  1384   NtRegisterThreadTerminatePort  ... ) == 0x0
 01347   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 01348  1736   NtResumeThread  ... 1, ) == 0x0
 01341   868   NtSetEventBoostPriority  ... ) == 0x0
 01349  2040   NtTestAlert  (...
 01350  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01351   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01352  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01353   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01349  2040   NtTestAlert  ... ) == 0x0
 01354  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x1207b,  (344, 112, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01355   216   NtTestAlert  (...
 01350  1384   NtDuplicateObject  ... 360, ) == 0x0
 01351   188   NtDuplicateObject  ... 380, ) == 0x0
 01353   868   NtCreateKey  ... 384, 2, ) == 0x0
 01356  2040   NtContinue  (42728752, 1, ...
 01354  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01355   216   NtTestAlert  ... ) == 0x0
 01357  1384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01358   188   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01352  1736   NtAllocateVirtualMemory  ... 43778048, 1048576, ) == 0x0
 01359  2040   NtRegisterThreadTerminatePort  (24, ...
 01360  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x1207b,  (344, 112, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ...
 01361   216   NtContinue  (43777328, 1, ...
 01357  1384   NtWaitForSingleObject  ... ) == 0x102
 01358   188   NtWaitForSingleObject  ... ) == 0x102
 01362  1736   NtAllocateVirtualMemory  (-1, 44818432, 0, 8192, 4096, 4, ...
 01359  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 01360  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01363   216   NtRegisterThreadTerminatePort  (24, ...
 01364  1384   NtWaitForSingleObject  (132, 0, 0x0, ...
 01365   188   NtWaitForSingleObject  (132, 0, 0x0, ...
 01362  1736   NtAllocateVirtualMemory  ... 44818432, 8192, ) == 0x0
 01366  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01367  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x12047,  (344, 112, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\260\1\5\0\0\20\0\0x\1\24\0x\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01363   216   NtRegisterThreadTerminatePort  ... ) == 0x0
 01368  1736   NtProtectVirtualMemory  (-1, (0x2abe000), 4096, 260, ...
 01369   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01367  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01366  2040   NtDuplicateObject  ... 388, ) == 0x0
 01368  1736   NtProtectVirtualMemory  ... (0x2abe000), 4096, 4, ) == 0x0
 01369   868   NtOpenKey  ... 392, ) == 0x0
 01370   216   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01371  2040   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01372  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01373   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01370   216   NtDuplicateObject  ... 396, ) == 0x0
 01371  2040   NtWaitForSingleObject  ... ) == 0x102
 01374  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01373   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01375   216   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01376  2040   NtWaitForSingleObject  (132, 0, 0x0, ...
 01374  1356   NtWaitForSingleObject  ... ) == 0x102
 01377   868   NtQueryValueKey  (384,  (384, "Hostname", Partial, 144, ... , Partial, 144, ...
 01375   216   NtWaitForSingleObject  ... ) == 0x102
 01378  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x12003,  (344, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01377   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01379   216   NtWaitForSingleObject  (132, 0, 0x0, ...
 01378  1356   NtDeviceIoControlFile  ... {status=0x0, info=400},  ... {status=0x0, info=400}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01372  1736   NtCreateThread  ... 404, {1636, 152}, ) == 0x0
 01380   868   NtQueryValueKey  (384,  (384, "Hostname", Partial, 144, ... , Partial, 144, ...
 01381  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x12047,  (344, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\260\1\5\0\0\20\0\0x\1\24\0x\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01382  1736   NtQueryInformationThread  (404, Basic, 28, ...
 01380   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01381  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01382  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=152,}, 0x0, ) == 0x0
 01383   868   NtClose  (384, ...
 01384  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x12037,  (344, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01385  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0\230\0\0\0" ...  ...
 01383   868   NtClose  ... ) == 0x0
 01384  1356   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01385  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75516, 0}  ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0\230\0\0\0" )  ) == 0x0
 01386   868   NtClose  (392, ...
 01387  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x1200b,  (344, 112, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\256\24\0", 12, 0, ... , 12, 0, ...
 01386   868   NtClose  ... ) == 0x0
 01388  1736   NtResumeThread  (404, ...
 01387  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01388  1736   NtResumeThread  ... 1, ) == 0x0
 01389  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x12047,  (344, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\260\1\5\0\0\20\0\0x\1\24\0x\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01390  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01389  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01390  1736   NtAllocateVirtualMemory  ... 44826624, 1048576, ) == 0x0
 01391  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01392  1736   NtAllocateVirtualMemory  (-1, 45867008, 0, 8192, 4096, 4, ...
 01391  1356   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01392  1736   NtAllocateVirtualMemory  ... 45867008, 8192, ) == 0x0
 01393  1356   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01394   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01395   152   NtTestAlert  (...
 01396  1736   NtProtectVirtualMemory  (-1, (0x2bbe000), 4096, 260, ...
 01395   152   NtTestAlert  ... ) == 0x0
 01396  1736   NtProtectVirtualMemory  ... (0x2bbe000), 4096, 4, ) == 0x0
 01397   152   NtContinue  (44825904, 1, ...
 01398  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01399   152   NtRegisterThreadTerminatePort  (24, ...
 01398  1736   NtCreateThread  ... 392, {1636, 900}, ) == 0x0
 01399   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01400  1736   NtQueryInformationThread  (392, Basic, 28, ...
 01393  1356   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01400  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=900,}, 0x0, ) == 0x0
 01401  1356   NtSetEventBoostPriority  (292, ...
 01402   152   NtWaitForSingleObject  (292, 0, 0x0, ...
 01394   868   NtWaitForSingleObject  ... ) == 0x0
 01401  1356   NtSetEventBoostPriority  ... ) == 0x0
 01403   868   NtSetEventBoostPriority  (292, ...
 01402   152   NtWaitForSingleObject  ... ) == 0x0
 01404   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 384, ) == 0x0
 01405   152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01403   868   NtSetEventBoostPriority  ... ) == 0x0
 01406  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7$\260s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01407  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0\204\3\0\0" ...  ...
 01408   868   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01409  1356   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01407  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75517, 0}  ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0\204\3\0\0" )  ) == 0x0
 01405   152   NtWaitForSingleObject  ... ) == 0x102
 01409  1356   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01410  1736   NtResumeThread  (392, ...
 01411   152   NtWaitForSingleObject  (132, 0, 0x0, ...
 01408   868   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01410  1736   NtResumeThread  ... 1, ) == 0x0
 01412   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01413  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01412   868   NtCreateEvent  ... 408, ) == 0x0
 01414  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01415   900   NtTestAlert  (...
 01416   868   NtWaitForSingleObject  (408, 0, 0x0, ...
 01414  1356   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01415   900   NtTestAlert  ... ) == 0x0
 01417  1356   NtQuerySystemInformation  (Performance, 312, ...
 01418   900   NtContinue  (45874480, 1, ...
 01417  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01419   900   NtRegisterThreadTerminatePort  (24, ...
 01420  1356   NtQuerySystemInformation  (Exception, 16, ...
 01419   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 01420  1356   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01413  1736   NtAllocateVirtualMemory  ... 45875200, 1048576, ) == 0x0
 01421   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01422  1736   NtAllocateVirtualMemory  (-1, 46915584, 0, 8192, 4096, 4, ...
 01421   900   NtDuplicateObject  ... 412, ) == 0x0
 01422  1736   NtAllocateVirtualMemory  ... 46915584, 8192, ) == 0x0
 01423   900   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01424  1736   NtProtectVirtualMemory  (-1, (0x2cbe000), 4096, 260, ...
 01423   900   NtWaitForSingleObject  ... ) == 0x102
 01424  1736   NtProtectVirtualMemory  ... (0x2cbe000), 4096, 4, ) == 0x0
 01425   900   NtWaitForSingleObject  (132, 0, 0x0, ...
 01426  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01427  1356   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01428  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01429  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01430  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01431  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\331*\200\315\266Ee\16\235fiS\332\375\30\245\370\23]\352eVw\247\H\264\344\325l\245\265\16\254\227$\326\277\305#|\267\2766:\201\11\254\367\373\367,L}\312\307\312\324mj\251\326\304d\3523\314\221\26\224\316\321Bg-\376\22\3163\317", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\331*\200\315\266Ee\16\235fiS\332\375\30\245\370\23]\352eVw\247\H\264\344\325l\245\265\16\254\227$\326\277\305#|\267\2766:\201\11\254\367\373\367,L}\312\307\312\324mj\251\326\304d\3523\314\221\26\224\316\321Bg-\376\22\3163\317", 80, ... ) , 80, ... ) == 0x0
 01432  1356   NtClose  (-2147482564, ... ) == 0x0
 01426  1736   NtCreateThread  ... 416, {1636, 1388}, ) == 0x0
 01433  1736   NtQueryInformationThread  (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0
 01434  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75518, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0l\5\0\0" )  ) == 0x0
 01435  1736   NtResumeThread  (416, ... 1, ) == 0x0
 01436  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 46923776, 1048576, ) == 0x0
 01437  1736   NtAllocateVirtualMemory  (-1, 47964160, 0, 8192, 4096, 4, ... 47964160, 8192, ) == 0x0
 01406  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\323\30\254\230\340\343X\313\324O0sB)\336s4)\22\33Arh\2475\365\"m\377\251&\11t\31\312\204x\246\215\306\16\305j\5s\275\313}\376;\204\360%\355(\222\306MR\302\314Bs\370\361eB\3507\31}G\240\231\5\15\261\34\345H\267@\330\364S||N\0q\311\31W\353\260<\374\3707\316!\366\352\345\4xG\34\202\337\303\372\364\10\36\242C\307m\211\323\2\220\360\275\317Pe\371+\337\12\212\23\25_5\275l\36tq\345a4MaN\266\232\302\315\357\233\306\331\201\13\231O\242\231\3\377\24\233\4\235\24\265\7\205\30x\177\265H\301M\370\15\177/\243\227\266hQ,\245\357\11\257D0\17\260\30\242\217\323\222Ul\26\207", ) m\377\251&\11t\31\312\204x\246305\325\7\322\322.\13g\322\2505\317^\353F\0\266(g\364\12^\342\4\277\16\326\374\347 \370\277R\261\203\24\234\0S\31a\245\0\233h>\215\306\16\305j\5s\275\313}\376;\204\360%\355(\222\306MR\302\314Bs\370\361eB\3507\31}G\240\231\5\15\261\34\345H\267@\330\364S||N\0q\311\31W\353\260<\374\3707\316!\366\352\345\4xG\34\202\337\303\372\364\10\36\242C\307m\211\323\2\220\360\275\317Pe\371+\337\12\212\23\25_5\275l\36tq\345a4MaN\266\232\302\315\357\233\306\331\201\13\231O\242\231\3\377\24\233\4\235\24\265\7\205\30x\177\265H\301M\370\15\177/\243\227\266hQ,\245\357\11\257D0\17\260\30\242\217\323\222Ul\26\207", ) == 0x0
 01438  1388   NtTestAlert  (...
 01439  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7)\250\307\225\2736\202U\200s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01438  1388   NtTestAlert  ... ) == 0x0
 01440  1356   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01441  1388   NtContinue  (46923056, 1, ...
 01440  1356   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01442  1388   NtRegisterThreadTerminatePort  (24, ...
 01443  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01442  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01443  1356   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01444  1736   NtProtectVirtualMemory  (-1, (0x2dbe000), 4096, 260, ...
 01445  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01444  1736   NtProtectVirtualMemory  ... (0x2dbe000), 4096, 4, ) == 0x0
 01445  1388   NtDuplicateObject  ... 420, ) == 0x0
 01446  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01447  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01446  1736   NtCreateThread  ... 424, {1636, 2036}, ) == 0x0
 01447  1388   NtWaitForSingleObject  ... ) == 0x102
 01448  1736   NtQueryInformationThread  (424, Basic, 28, ...
 01449  1388   NtWaitForSingleObject  (132, 0, 0x0, ...
 01448  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=2036,}, 0x0, ) == 0x0
 01450  1356   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01451  1356   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01452  1356   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01453  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01454  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01455  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01456  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75519, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0\364\7\0\0" )  ) == 0x0
 01457  1736   NtResumeThread  (424, ... 1, ) == 0x0
 01458  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 47972352, 1048576, ) == 0x0
 01459  1736   NtAllocateVirtualMemory  (-1, 49012736, 0, 8192, 4096, 4, ... 49012736, 8192, ) == 0x0
 01460  1736   NtProtectVirtualMemory  (-1, (0x2ebe000), 4096, 260, ... (0x2ebe000), 4096, 4, ) == 0x0
 01461  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01462  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "_\266C\323\257w\303q\253\323F\376\32728\347\315 \7?N\267h\353\370\201\214HMay\256\27TE\373\264\232\31\266K\373+\225\371\24\347W\245\374O\245\32\344\250\310\11\246%\33\341q\3x\222\245O\23\21\236 Z\246\324\231\334\1V)\346", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "_\266C\323\257w\303q\253\323F\376\32728\347\315 \7?N\267h\353\370\201\214HMay\256\27TE\373\264\232\31\266K\373+\225\371\24\347W\245\374O\245\32\344\250\310\11\246%\33\341q\3x\222\245O\23\21\236 Z\246\324\231\334\1V)\346", 80, ... , 80, ...
 01463  2036   NtTestAlert  (...
 01462  1356   NtSetValueKey  ... ) == 0x0
 01463  2036   NtTestAlert  ... ) == 0x0
 01464  1356   NtClose  (-2147482564, ...
 01465  2036   NtContinue  (47971632, 1, ...
 01464  1356   NtClose  ... ) == 0x0
 01466  2036   NtRegisterThreadTerminatePort  (24, ...
 01439  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\6\217G\205\236\273\276\230\361\204\15\34Q\242\354\347\13\250V\376M\\340blpW\276Z\215\341\231\371e\243T\241\241\374f\236vu1E\214\220\317x\375\265\22\237\243y\304\357\311\210\253\361\20\366\363\314\314b0\203\313\220q1\251\5\345L\336\30\276;#M\241&\311\271g\372\3T\m\33\351$=\357F ?\360\307\224\310\363\371\244\355U\333\277i\315\327\20\5P\353\2271\224\361\335T\16f\347{\251\306\255\330\12\237\222\241\32\244B\20\315\267\E\3741\367\233=\207\363\364\307\10\34\331\352\230\17o\320\315\4\251\223\325\14\237\226P`\33\3\35471v\210\226\334\25R\17\\210?\327f\313a\353\207Ko%\345\332{9I~r\3320[\376R!J01\322\324\22\3677\333#\235\314aL{\377q\330\323\314\20"6i~y-o\20\355\306\34\274\247\275\16\257\363\23\31\\352\6u\310\244", ) 6i~y-o\20\355\306\34\274\247\275\16\257\363\23\31\\352\6u\310\244", ) == 0x0
 01466  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01467  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7)\250\307\225\2736\202X\230\307\225\2736\202U\200s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01461  1736   NtCreateThread  ... 428, {1636, 1708}, ) == 0x0
 01468  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01469  1736   NtQueryInformationThread  (428, Basic, 28, ...
 01468  2036   NtDuplicateObject  ... 432, ) == 0x0
 01469  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0
 01470  2036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01471  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0\254\6\0\0" ...  ...
 01470  2036   NtWaitForSingleObject  ... ) == 0x102
 01471  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75520, 0}  ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0\254\6\0\0" )  ) == 0x0
 01472  2036   NtWaitForSingleObject  (132, 0, 0x0, ...
 01473  1356   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01474  1736   NtResumeThread  (428, ...
 01473  1356   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01474  1736   NtResumeThread  ... 1, ) == 0x0
 01475  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01476  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01475  1356   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01476  1736   NtAllocateVirtualMemory  ... 49020928, 1048576, ) == 0x0
 01477  1356   NtQuerySystemInformation  (Performance, 312, ...
 01478  1736   NtAllocateVirtualMemory  (-1, 50061312, 0, 8192, 4096, 4, ...
 01477  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01478  1736   NtAllocateVirtualMemory  ... 50061312, 8192, ) == 0x0
 01479  1708   NtTestAlert  (...
 01480  1356   NtQuerySystemInformation  (Exception, 16, ...
 01479  1708   NtTestAlert  ... ) == 0x0
 01480  1356   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01481  1708   NtContinue  (49020208, 1, ...
 01482  1356   NtQuerySystemInformation  (Lookaside, 32, ...
 01483  1708   NtRegisterThreadTerminatePort  (24, ...
 01482  1356   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01483  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01484  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01485  1736   NtProtectVirtualMemory  (-1, (0x2fbe000), 4096, 260, ...
 01484  1356   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01485  1736   NtProtectVirtualMemory  ... (0x2fbe000), 4096, 4, ) == 0x0
 01486  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01487  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01486  1708   NtDuplicateObject  ... 436, ) == 0x0
 01487  1736   NtCreateThread  ... 440, {1636, 1776}, ) == 0x0
 01488  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01489  1736   NtQueryInformationThread  (440, Basic, 28, ...
 01488  1708   NtWaitForSingleObject  ... ) == 0x102
 01489  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1776,}, 0x0, ) == 0x0
 01490  1708   NtWaitForSingleObject  (132, 0, 0x0, ...
 01491  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01492  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\360\6\0\0" ...  ...
 01491  1356   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01492  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75521, 0}  ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\360\6\0\0" )  ) == 0x0
 01493  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01494  1736   NtResumeThread  (440, ...
 01493  1356   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01494  1736   NtResumeThread  ... 1, ) == 0x0
 01495  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\331E\210j\206\276HK \246\233i7d*\362C\2718\0\307\274\241\230x\254\10S&u\23\267\14\203\21\300W|\15\214<\366\314\214\247\317'|\330@\365\367\266\313\262\213\27\215\10h\24\234\13\202\177\233$j\363l$\366M\374',DT%J", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\331E\210j\206\276HK \246\233i7d*\362C\2718\0\307\274\241\230x\254\10S&u\23\267\14\203\21\300W|\15\214<\366\314\214\247\317'|\330@\365\367\266\313\262\213\27\215\10h\24\234\13\202\177\233$j\363l$\366M\374',DT%J", 80, ... , 80, ...
 01496  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01495  1356   NtSetValueKey  ... ) == 0x0
 01497  1776   NtTestAlert  (...
 01496  1736   NtAllocateVirtualMemory  ... 50069504, 1048576, ) == 0x0
 01497  1776   NtTestAlert  ... ) == 0x0
 01498  1736   NtAllocateVirtualMemory  (-1, 51109888, 0, 8192, 4096, 4, ...
 01499  1776   NtContinue  (50068784, 1, ...
 01498  1736   NtAllocateVirtualMemory  ... 51109888, 8192, ) == 0x0
 01500  1776   NtRegisterThreadTerminatePort  (24, ...
 01501  1736   NtProtectVirtualMemory  (-1, (0x30be000), 4096, 260, ...
 01500  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01501  1736   NtProtectVirtualMemory  ... (0x30be000), 4096, 4, ) == 0x0
 01502  1356   NtClose  (-2147482564, ...
 01503  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01502  1356   NtClose  ... ) == 0x0
 01504  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01467  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "6\237F=\31'\360\301@\27\313i\262\325q\231g\346\244l\344\206\12F\15v\376\2334z\351Z\22\177f\37\306~\303\350\232;\352\2703\377\357@\355D6\205\216W:G\302\346\302\2toy28\217-E\274)\305\22\301\2315\340\27t\324\36\352\364\302\200\330\23\21?'\20\241 w:\375\266\20K\223\250\357\335\2N\323;\250\350q\254\232\262j,\31\224F\212\24\235F\261n\315\252\272\233\233\367%\257n\356P\336\220D\247\300\312k\226\300 \353\330\311\0\252\B\214\17imvm\241H\7\346\200\324:\375B>f\246%J\336\270\356\206\264\251\11T\203\267\212\271=\327\1rP{\307\272\210\265\37\326\341\340\243>\11\330\311\341\204F~\232\217\27:G\350\346\20\311\307kS\362\206^}\177\3732\366\37\357\337\304\330\235\211\230f\247\200&\365s)\26\2569=L\312:|W\270\15\325\372\315", ) , ) == 0x0
 01504  1776   NtDuplicateObject  ... 444, ) == 0x0
 01505  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7)\250\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202U\200s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01506  1776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01507  1356   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01506  1776   NtWaitForSingleObject  ... ) == 0x102
 01507  1356   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01508  1776   NtWaitForSingleObject  (132, 0, 0x0, ...
 01503  1736   NtCreateThread  ... 448, {1636, 1324}, ) == 0x0
 01509  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01510  1736   NtQueryInformationThread  (448, Basic, 28, ...
 01509  1356   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01510  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1324,}, 0x0, ) == 0x0
 01511  1356   NtQuerySystemInformation  (Performance, 312, ...
 01512  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0,\5\0\0" ...  ...
 01511  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01512  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75522, 0}  ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0,\5\0\0" )  ) == 0x0
 01513  1356   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01514  1356   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01515  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01516  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01517  1736   NtResumeThread  (448, ... 1, ) == 0x0
 01518  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 51118080, 1048576, ) == 0x0
 01519  1736   NtAllocateVirtualMemory  (-1, 52158464, 0, 8192, 4096, 4, ... 52158464, 8192, ) == 0x0
 01520  1736   NtProtectVirtualMemory  (-1, (0x31be000), 4096, 260, ... (0x31be000), 4096, 4, ) == 0x0
 01521  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {1636, 1884}, ) == 0x0
 01522  1736   NtQueryInformationThread  (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0
 01523  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01524  1324   NtTestAlert  (...
 01523  1356   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01524  1324   NtTestAlert  ... ) == 0x0
 01525  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\324J\233\216\255\256\266Z\310\30\3703V\267\363KW\271\307"\344\267\364\351\w\wZVQ,\233\5\17p\251n\211z~\264\200\205E^\316hX\244\350\360N\323\3100\35\254\37X\13b\205LY\345\6\311'\350\226I\337U8\327\205`\24G", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\324J\233\216\255\256\266Z\310\30\3703V\267\363KW\271\307"\344\267\364\351\w\wZVQ,\233\5\17p\251n\211z~\264\200\205E^\316hX\244\350\360N\323\3100\35\254\37X\13b\205LY\345\6\311'\350\226I\337U8\327\205`\24G", 80, ... \344\267\364\351\w\wZVQ,\233\5\17p\251n\211z~\264\200\205E^\316hX\244\350\360N\323\3100\35\254\37X\13b\205LY\345\6\311'\350\226I\337U8\327\205`\24G", 80, ...
 01526  1324   NtContinue  (51117360, 1, ...
 01525  1356   NtSetValueKey  ... ) == 0x0
 01527  1324   NtRegisterThreadTerminatePort  (24, ...
 01528  1356   NtClose  (-2147482564, ...
 01527  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01528  1356   NtClose  ... ) == 0x0
 01529  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\\7\0\0" ...  ...
 01530  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01529  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75523, 0}  ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\\7\0\0" )  ) == 0x0
 01530  1324   NtDuplicateObject  ... 456, ) == 0x0
 01531  1736   NtResumeThread  (452, ...
 01532  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01531  1736   NtResumeThread  ... 1, ) == 0x0
 01532  1324   NtWaitForSingleObject  ... ) == 0x102
 01533  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01534  1324   NtWaitForSingleObject  (132, 0, 0x0, ...
 01505  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3 \316\273>\16\346\326\331\2523\344\202\263\271-\326U5\362B\366\303\225\3449\210\373\34\7\360\6\333\327\341\237\367\316\315f\201\212\4\326KU\325IJ\314\2241\11\322/5\233\343\244\25\243\225p_\227\305\332\346\3506\32\210x\200\240~\273\255\2736U\237\24\367L"\0z\22+>]l\354\33\327j\260^\207K\220\311\371\1[E\304\326\317\377\312\227\227Bp%\2072|\7\354\272\264\216X\331\354DE\25\11\337\366\27\205\344\347\270\324\177+!\35\13\20\22\275\232\300\222\306\10\351\2342v\372\261u\327\261Q\221\233-\204\1\372\220\336Dz\353S\214\302\312\374\31u\247\231\207z\15\230\343\304\245\370Q\371LOK\263\367\357\321\254\247s\254\10\37\255\235\24\227#\306b.\277\314\23L\371F?f.\375\34]\230\227\305*\6\237\337D\326MS\205\220\2726\252\343\2439\203E5\275\\14\300E\26n", ) \0z\22+>]l\354\33\327j\260^\207K\220\311\371\1[E\304\326\317\377\312\227\227Bp%\2072|\7\354\272\264\216X\331\354DE\25\11\337\366\27\205\344\347\270\324\177+!\35\13\20\22\275\232\300\222\306\10\351\2342v\372\261u\327\261Q\221\233-\204\1\372\220\336Dz\353S\214\302\312\374\31u\247\231\207z\15\230\343\304\245\370Q\371LOK\263\367\357\321\254\247s\254\10\37\255\235\24\227#\306b.\277\314\23L\371F?f.\375\34]\230\227\305*\6\237\337D\326MS\205\220\2726\252\343\2439\203E5\275\\14\300E\26n", ) == 0x0
 01535  1884   NtTestAlert  (...
 01533  1736   NtAllocateVirtualMemory  ... 52166656, 1048576, ) == 0x0
 01536  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7)\250\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202U\200s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01535  1884   NtTestAlert  ... ) == 0x0
 01537  1736   NtAllocateVirtualMemory  (-1, 53207040, 0, 8192, 4096, 4, ...
 01538  1356   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01539  1884   NtContinue  (52165936, 1, ...
 01537  1736   NtAllocateVirtualMemory  ... 53207040, 8192, ) == 0x0
 01538  1356   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01540  1884   NtRegisterThreadTerminatePort  (24, ...
 01541  1736   NtProtectVirtualMemory  (-1, (0x32be000), 4096, 260, ...
 01542  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01540  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01541  1736   NtProtectVirtualMemory  ... (0x32be000), 4096, 4, ) == 0x0
 01542  1356   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01543  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01544  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01545  1356   NtQuerySystemInformation  (Performance, 312, ...
 01544  1884   NtDuplicateObject  ... 460, ) == 0x0
 01545  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01546  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01547  1356   NtQuerySystemInformation  (Exception, 16, ...
 01546  1884   NtWaitForSingleObject  ... ) == 0x102
 01547  1356   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01548  1884   NtWaitForSingleObject  (132, 0, 0x0, ...
 01549  1356   NtQuerySystemInformation  (Lookaside, 32, ...
 01543  1736   NtCreateThread  ... 464, {1636, 248}, ) == 0x0
 01549  1356   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01550  1736   NtQueryInformationThread  (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=248,}, 0x0, ) == 0x0
 01551  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0\370\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75524, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0\370\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0\370\0\0\0" )  ) == 0x0
 01552  1736   NtResumeThread  (464, ... 1, ) == 0x0
 01553  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53215232, 1048576, ) == 0x0
 01554  1736   NtAllocateVirtualMemory  (-1, 54255616, 0, 8192, 4096, 4, ... 54255616, 8192, ) == 0x0
 01555  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01556   248   NtTestAlert  (...
 01555  1356   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01556   248   NtTestAlert  ... ) == 0x0
 01557  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01558   248   NtContinue  (53214512, 1, ...
 01557  1356   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01559   248   NtRegisterThreadTerminatePort  (24, ...
 01560  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01559   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01560  1356   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01561  1736   NtProtectVirtualMemory  (-1, (0x33be000), 4096, 260, ...
 01562   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01561  1736   NtProtectVirtualMemory  ... (0x33be000), 4096, 4, ) == 0x0
 01562   248   NtDuplicateObject  ... 468, ) == 0x0
 01563  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01564   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01563  1736   NtCreateThread  ... 472, {1636, 1652}, ) == 0x0
 01564   248   NtWaitForSingleObject  ... ) == 0x102
 01565  1736   NtQueryInformationThread  (472, Basic, 28, ...
 01566   248   NtWaitForSingleObject  (132, 0, 0x0, ...
 01565  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0
 01567  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\312M\253T\235y\266, 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\312M\253T\235y\266, 80, ... ) , 80, ... ) == 0x0
 01568  1356   NtClose  (-2147482564, ... ) == 0x0
 01536  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\24C=\372/\12\236\206I\357\2Q\3\322.\261\211\27\23\217\235\362\305\333=\251\305\366\362\20xRr\240\235*\233z\241\37\32\305J\207H\3008\304]NIF\235\370o\370\330\263\277Mr\354\342\334\371|e\263}\247%\242\330*\313\311\223\306 \367 \331(\205\277PU%\265.E\232\353\2\342\200i\202\310q\370\32\16\312^j9\367\311gl6Q\2g\320-\361Z\327e\2B/\370i\221i\223\221\327\312\341Q\22\364\340D\33\12"\2720P\214\17\2239\303\30\325u\206\23C\267\353\336\12\236^\22\305\224\31\260.\2034S.Df>a\276g\14F\243,\12\345\333\225k\23\342\2610ek(\232^\226\266t\203(\360\274\267n\4\373\323\347\227}hl>\302s%\5\17\37358(\253E|\310bY\2676\264PWu\265j\235Y8\374\150\362\327\215\255=\361\31g\277\230\3654A\307", ) \2720P\214\17\2239\303\30\325u\206\23C\267\353\336\12\236^\22\305\224\31\260.\2034S.Df>a\276g\14F\243,\12\345\333\225k\23\342\2610ek(\232^\226\266t\203(\360\274\267n\4\373\323\347\227}hl>\302s%\5\17\37358(\253E|\310bY\2676\264PWu\265j\235Y8\374\150\362\327\215\255=\361\31g\277\230\3654A\307", ) == 0x0
 01569  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7)\250\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202U\200s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01570  1356   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01571  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01572  1356   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01573  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75525, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" )  ) == 0x0
 01574  1736   NtResumeThread  (472, ... 1, ) == 0x0
 01575  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54263808, 1048576, ) == 0x0
 01576  1736   NtAllocateVirtualMemory  (-1, 55304192, 0, 8192, 4096, 4, ... 55304192, 8192, ) == 0x0
 01577  1736   NtProtectVirtualMemory  (-1, (0x34be000), 4096, 260, ... (0x34be000), 4096, 4, ) == 0x0
 01578  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01579  1356   NtQuerySystemInformation  (Exception, 16, ...
 01580  1652   NtTestAlert  (...
 01579  1356   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01580  1652   NtTestAlert  ... ) == 0x0
 01581  1356   NtQuerySystemInformation  (Lookaside, 32, ...
 01582  1652   NtContinue  (54263088, 1, ...
 01581  1356   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01583  1652   NtRegisterThreadTerminatePort  (24, ...
 01584  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01583  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01584  1356   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01578  1736   NtCreateThread  ... 476, {1636, 588}, ) == 0x0
 01585  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01586  1736   NtQueryInformationThread  (476, Basic, 28, ...
 01585  1652   NtDuplicateObject  ... 480, ) == 0x0
 01586  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=588,}, 0x0, ) == 0x0
 01587  1652   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 01588  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0L\2\0\0" ...  ...
 01587  1652   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 01588  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75526, 0}  ... {28, 56, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0L\2\0\0" )  ) == 0x0
 01589  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01590  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01591  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01592  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\340C\321Q\353\251\367\224\1\234E\377`\323\361\266{L\32\206\254=\231\\234\324\366\235\341\365tDz\312\35\21\210\207\336Q\200/?B\311\10\233\274\11\306^\221i\216\25\332H\5\275`\11R"\202\236oC\366\33\0[@v\311\5|y;_\377", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\340C\321Q\353\251\367\224\1\234E\377`\323\361\266{L\32\206\254=\231\\234\324\366\235\341\365tDz\312\35\21\210\207\336Q\200/?B\311\10\233\274\11\306^\221i\216\25\332H\5\275`\11R"\202\236oC\366\33\0[@v\311\5|y;_\377", 80, ... ) \202\236oC\366\33\0[@v\311\5|y;_\377", 80, ... ) == 0x0
 01593  1356   NtClose  (-2147482564, ... ) == 0x0
 01569  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Cs)?\356[]\352?\327&\32\11Y\33$\34\320\306rAjb\255\201 \212\354l\233\4\3256,\335\373\3732\242S\254#(\342\337@@\20\2117\254\226\202\27lVlU\227k<\274\321_\34\345N\211\346\354\251\356\325\14S\22\242\347\243\2713\263\374\273\27B:v\4\253\16T\321-g\367\350\27\237\266w\247J\343O#\206Bf\330\274\332vi\352\362\363\2048a\33\330\33\312\312\331\334s\304\26~\243\13\257\262B@r\35\203e\314\334\266n\303\213V\177\315\314l \365"o\214\366\367\372;\20\337\307\241+\351\32 IN8\245r\311\272\324\17\24-\346\227\364r]B\246\342\34\354;\244\203?\6k\265\210\17\32q", ) o\214\366\367\372;\20\337\307\241+\351\32 IN8\245r\311\272\324\17\24-\346\227\364r]B\246\342\34\354;\244\203?\6k\265\210\17\32q", ) == 0x0
 01594  1356   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "%@\362\246\0\205\252o\353\303\351\343\341\7)\250\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202X\230\307\225\2736\202U\200s\307\264\336Y\36U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01595  1356   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01596  1736   NtResumeThread  (476, ...
 01589  1652   NtWaitForSingleObject  ... ) == 0x102
 01596  1736   NtResumeThread  ... 1, ) == 0x0
 01597  1652   NtWaitForSingleObject  (132, 0, 0x0, ...
 01598  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55312384, 1048576, ) == 0x0
 01599  1736   NtAllocateVirtualMemory  (-1, 56352768, 0, 8192, 4096, 4, ... 56352768, 8192, ) == 0x0
 01600  1736   NtProtectVirtualMemory  (-1, (0x35be000), 4096, 260, ... (0x35be000), 4096, 4, ) == 0x0
 01601  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {1636, 440}, ) == 0x0
 01602  1736   NtQueryInformationThread  (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=440,}, 0x0, ) == 0x0
 01603  1356   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01604   588   NtTestAlert  (...
 01603  1356   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01604   588   NtTestAlert  ... ) == 0x0
 01605  1356   NtQuerySystemInformation  (Performance, 312, ...
 01606   588   NtContinue  (55311664, 1, ...
 01605  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01607   588   NtRegisterThreadTerminatePort  (24, ...
 01608  1356   NtQuerySystemInformation  (Exception, 16, ...
 01607   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01609  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\270\1\0\0" )  ) == 0x0
 01610  1736   NtResumeThread  (484, ... 1, ) == 0x0
 01611  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56360960, 1048576, ) == 0x0
 01612  1736   NtAllocateVirtualMemory  (-1, 57401344, 0, 8192, 4096, 4, ... 57401344, 8192, ) == 0x0
 01613  1736   NtProtectVirtualMemory  (-1, (0x36be000), 4096, 260, ... (0x36be000), 4096, 4, ) == 0x0
 01614  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01615   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01608  1356   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01616   440   NtTestAlert  (...
 01615   588   NtDuplicateObject  ... 488, ) == 0x0
 01617  1356   NtQuerySystemInformation  (Lookaside, 32, ...
 01616   440   NtTestAlert  ... ) == 0x0
 01618   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01617  1356   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01619   440   NtContinue  (56360240, 1, ...
 01618   588   NtWaitForSingleObject  ... ) == 0x102
 01620  1356   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01621   440   NtRegisterThreadTerminatePort  (24, ...
 01622   588   NtWaitForSingleObject  (132, 0, 0x0, ...
 01620  1356   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01621   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01614  1736   NtCreateThread  ... 492, {1636, 1296}, ) == 0x0
 01623  1356   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01624  1736   NtQueryInformationThread  (492, Basic, 28, ...
 01625   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01624  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=1296,}, 0x0, ) == 0x0
 01625   440   NtDuplicateObject  ... 496, ) == 0x0
 01626  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\20\5\0\0" ...  ...
 01627   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01626  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75528, 0}  ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\20\5\0\0" )  ) == 0x0
 01627   440   NtWaitForSingleObject  ... ) == 0x102
 01623  1356   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01628   440   NtWaitForSingleObject  (132, 0, 0x0, ...
 01629  1356   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01630  1736   NtResumeThread  (492, ...
 01629  1356   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01630  1736   NtResumeThread  ... 1, ) == 0x0
 01631  1356   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\327j\350/ZQ\271\23;\206\246W\265\266t\262WE\277\323\227\377\250\3\252\357\226\260\215\315\260\334\323[\363V\a\220f\340CVgP\251\233\231\274e\360t\2213\305\222\304BY\232\26T\22\3103\260\343Y.O\275\15\362:\34P\207+\265\203", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\327j\350/ZQ\271\23;\206\246W\265\266t\262WE\277\323\227\377\250\3\252\357\226\260\215\315\260\334\323[\363V\a\220f\340CVgP\251\233\231\274e\360t\2213\305\222\304BY\232\26T\22\3103\260\343Y.O\275\15\362:\34P\207+\265\203", 80, ... , 80, ...
 01632  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01631  1356   NtSetValueKey  ... ) == 0x0
 01632  1736   NtAllocateVirtualMemory  ... 57409536, 1048576, ) == 0x0
 01633  1356   NtClose  (-2147482564, ...
 01634  1736   NtAllocateVirtualMemory  (-1, 58449920, 0, 8192, 4096, 4, ...
 01635  1296   NtTestAlert  (...
 01634  1736   NtAllocateVirtualMemory  ... 58449920, 8192, ) == 0x0
 01635  1296   NtTestAlert  ... ) == 0x0
 01633  1356   NtClose  ... ) == 0x0
 01636  1296   NtContinue  (57408816, 1, ...
 01594  1356   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\236l\222)\17\200#\251\274r\316\3379\37\367Q\336\252Ls\207^\370R\323<\220\340\307j\302\214\200TM\346\304rl\211\250\11\323Rz\361\24\375\265Q`'\354\37\334d\10MJ\230r\366\277.\367S\32i\273\330t\352\220\273kJ:h\210\222\274\360\11\366\353\354\260\373Z\17\366r\264mI\16\352\158\354)/@\245\325>\251T\206\17R\256\205.\367\370\346\341\334b\237b\264\225z\11C\252k\27\265\331\251\367#\252U\242BV\207\13\345g,T\205@\252\277R=\347-<\237\177\26\255\25y?[\177x3^\254\205z\234\33\2728\277\31{Y\332\322$\326\317\3663+\253\34\\310$%\277\1`j\32\333\30\261?\330\333\244\242\17\303\277\252\204\25\302\375\344\252\342=|\236\327\247\177\361\246\346\21\312h?\244\330\37\215\343\47"\231\304D\356\36\5\272\245.\7\235\210;\2\275\333\355C\344", ) \231\304D\356\36\5\272\245.\7\235\210;\2\275\333\355C\344", ) == 0x0
 01637  1296   NtRegisterThreadTerminatePort  (24, ...
 01638  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01637  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01638  1356   NtCreateEvent  ... 500, ) == 0x0
 01639  1736   NtProtectVirtualMemory  (-1, (0x37be000), 4096, 260, ...
 01640  1356   NtSetEventBoostPriority  (408, ...
 01639  1736   NtProtectVirtualMemory  ... (0x37be000), 4096, 4, ) == 0x0
 01416   868   NtWaitForSingleObject  ... ) == 0x0
 01640  1356   NtSetEventBoostPriority  ... ) == 0x0
 01641   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01642  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01643  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01641   868   NtCreateEvent  ... 504, ) == 0x0
 01642  1736   NtCreateThread  ... 508, {1636, 1620}, ) == 0x0
 01643  1296   NtDuplicateObject  ... 512, ) == 0x0
 01644  1356   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ...
 01645  1736   NtQueryInformationThread  (508, Basic, 28, ...
 01646  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01645  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0
 01646  1296   NtWaitForSingleObject  ... ) == 0x102
 01647   868   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12053868, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12053868, 188, ...
 01644  1356   NtConnectPort  ... 516, 0x0, 0x0, 0x0, 188, ) == 0x0
 01648  1296   NtWaitForSingleObject  (132, 0, 0x0, ...
 01649  1356   NtRequestWaitReplyPort  (516, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2}  (516, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\3\0\4\0\0\0\240<\24\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0l\220\341|0\24\227\23\330G\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\240D\25\0\200\251\327\234x\1\24\0\320G\25\0h\1\24\0\0\0\0\0\0\0\0\0\320G\25\0P\0\0\0\330G\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 01647   868   NtConnectPort  ... 520, 0x0, 0x0, 0x0, 188, ) == 0x0
 01650  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0T\6\0\0" ...  ...
 01651   868   NtRequestWaitReplyPort  (520, {200, 224, new_msg, 0, 1380504, 12, 2, 1310721}  (520, {200, 224, new_msg, 0, 1380504, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0 F\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\227\316*\37\200\202\326\352\230I\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0pI\25\0\13j\274kx\1\24\0\220I\25\0h\1\24\0\0\0\0\0\0\0\0\0\220I\25\0P\0\0\0\230I\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\267\0\372\31\221|\200\363\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01650  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75532, 0}  ... {28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0T\6\0\0" )  ) == 0x0
 01649  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75531, 0}  ... {200, 224, reply, 0, 1636, 1356, 75531, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0l\220\341|0\24\227\23\330G\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\240D\25\0\200\251\327\234x\1\24\0\320G\25\0h\1\24\0\0\0\0\0\0\0\0\0\320G\25\0P\0\0\0\330G\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 01652  1736   NtResumeThread  (508, ...
 01651   868   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 868, 75533, 0}  ... {200, 224, reply, 0, 1636, 868, 75533, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\227\316*\37\200\202\326\352\230I\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0pI\25\0\13j\274kx\1\24\0\220I\25\0h\1\24\0\0\0\0\0\0\0\0\0\220I\25\0P\0\0\0\230I\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\267\0\372\31\221|\200\363\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01652  1736   NtResumeThread  ... 1, ) == 0x0
 01653  1356   NtRequestWaitReplyPort  (516, {44, 68, new_msg, 56, 0, 0, 0, 0}  (516, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\370J\25\0\322\0\0\0" ...  ...
 01654  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01653  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75534, 0}  ... {40, 64, reply, 0, 1636, 1356, 75534, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 01655   868   NtRequestWaitReplyPort  (520, {44, 68, new_msg, 0, 1636, 868, 75511, 0}  (520, {44, 68, new_msg, 0, 1636, 868, 75511, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 01656  1620   NtTestAlert  (...
 01657  1356   NtRequestWaitReplyPort  (516, {64, 88, new_msg, 56, 1310720, 11006452, 1395440, 0}  (516, {64, 88, new_msg, 56, 1310720, 11006452, 1395440, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\360K\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01656  1620   NtTestAlert  ... ) == 0x0
 01658  1620   NtContinue  (58457392, 1, ...
 01659  1620   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01657  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75536, 0}  ... {64, 88, reply, 56, 1636, 1356, 75536, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\360K\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01654  1736   NtAllocateVirtualMemory  ... 58458112, 1048576, ) == 0x0
 01655   868   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 868, 75535, 0}  ... {40, 64, reply, 0, 1636, 868, 75535, 0} "\2\332\243\201\4\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\320\1\0\0X-\12\0" )  ) == 0x0
 01660  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01661  1736   NtAllocateVirtualMemory  (-1, 59498496, 0, 8192, 4096, 4, ...
 01662   868   NtRequestWaitReplyPort  (520, {64, 88, new_msg, 56, 1388352, 12054380, 12054480, 0}  (520, {64, 88, new_msg, 56, 1388352, 12054380, 12054480, 0} "\10\357\267\0@\0\25\0\346\277\347w\320\357\267\0l\357\267\0\20\0\0\0\250.\362v\264/\25\0\1\0\0\00N\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\20\331\24\0" ...  ...
 01660  1620   NtDuplicateObject  ... 524, ) == 0x0
 01661  1736   NtAllocateVirtualMemory  ... 59498496, 8192, ) == 0x0
 01663  1620   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 01664  1736   NtProtectVirtualMemory  (-1, (0x38be000), 4096, 260, ...
 01662   868   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 868, 75537, 0}  ... {64, 88, reply, 56, 1636, 868, 75537, 0} "\10\357\267\0@\0\25\0\346\277\347w\320\357\267\0l\357\267\0\20\0\0\0\250.\362v\264/\25\0\1\0\0\00N\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\20\331\24\0" )  ) == 0x0
 01663  1620   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 01664  1736   NtProtectVirtualMemory  ... (0x38be000), 4096, 4, ) == 0x0
 01665  1356   NtWaitForSingleObject  (292, 0, 0x0, ...
 01666  1620   NtSetEventBoostPriority  (292, ...
 01667  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01665  1356   NtWaitForSingleObject  ... ) == 0x0
 01666  1620   NtSetEventBoostPriority  ... ) == 0x0
 01668   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01669  1356   NtSetEventBoostPriority  (292, ...
 01667  1736   NtCreateThread  ... 528, {1636, 1588}, ) == 0x0
 01669  1356   NtSetEventBoostPriority  ... ) == 0x0
 01668   868   NtWaitForSingleObject  ... ) == 0x0
 01670  1356   NtWaitForSingleObject  (292, 0, 0x0, ...
 01671  1736   NtQueryInformationThread  (528, Basic, 28, ...
 01672   868   NtSetEventBoostPriority  (292, ...
 01673  1620   NtWaitForSingleObject  (292, 0, 0x0, ...
 01671  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0
 01672   868   NtSetEventBoostPriority  ... ) == 0x0
 01673  1620   NtWaitForSingleObject  ... ) == 0x0
 01674  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\04\6\0\0" ...  ...
 01675   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01676  1620   NtSetEventBoostPriority  (292, ...
 01674  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75538, 0}  ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\04\6\0\0" )  ) == 0x0
 01670  1356   NtWaitForSingleObject  ... ) == 0x0
 01676  1620   NtSetEventBoostPriority  ... ) == 0x0
 01677  1356   NtSetEventBoostPriority  (292, ...
 01675   868   NtWaitForSingleObject  ... ) == 0x0
 01678   868   NtClose  (504, ... ) == 0x0
 01679   868   NtClose  (520, ... ) == 0x0
 01680  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01677  1356   NtSetEventBoostPriority  ... ) == 0x0
 01681  1736   NtResumeThread  (528, ...
 01682   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01683  1356   NtRequestWaitReplyPort  (516, {44, 68, new_msg, 56, 1636, 1356, 75534, 0}  (516, {44, 68, new_msg, 56, 1636, 1356, 75534, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\370J\25\0\322\0\0\0" ...  ...
 01681  1736   NtResumeThread  ... 1, ) == 0x0
 01682   868   NtCreateKey  ... 520, 2, ) == 0x0
 01684  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01685   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01684  1736   NtAllocateVirtualMemory  ... 59506688, 1048576, ) == 0x0
 01685   868   NtOpenKey  ... 504, ) == 0x0
 01686  1736   NtAllocateVirtualMemory  (-1, 60547072, 0, 8192, 4096, 4, ...
 01687   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01686  1736   NtAllocateVirtualMemory  ... 60547072, 8192, ) == 0x0
 01687   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680  1620   NtWaitForSingleObject  ... ) == 0x102
 01688  1588   NtTestAlert  (...
 01683  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75540, 0}  ... {40, 64, reply, 0, 1636, 1356, 75540, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" )  ) == 0x0
 01689  1736   NtProtectVirtualMemory  (-1, (0x39be000), 4096, 260, ...
 01690  1620   NtWaitForSingleObject  (132, 0, 0x0, ...
 01688  1588   NtTestAlert  ... ) == 0x0
 01691  1356   NtRequestWaitReplyPort  (516, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (516, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\370]\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01689  1736   NtProtectVirtualMemory  ... (0x39be000), 4096, 4, ) == 0x0
 01692  1588   NtContinue  (59505968, 1, ...
 01693  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01694  1588   NtRegisterThreadTerminatePort  (24, ...
 01691  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75541, 0}  ... {64, 88, reply, 56, 1636, 1356, 75541, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\370]\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01693  1736   NtCreateThread  ... 532, {1636, 2044}, ) == 0x0
 01694  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01695  1356   NtRequestWaitReplyPort  (516, {44, 68, new_msg, 56, 1636, 1356, 75540, 0}  (516, {44, 68, new_msg, 56, 1636, 1356, 75540, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\370J\25\0\322\0\0\0" ...  ...
 01696  1736   NtQueryInformationThread  (532, Basic, 28, ...
 01697   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 01696  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0
 01697   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01698  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01695  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75542, 0}  ... {40, 64, reply, 0, 1636, 1356, 75542, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 01699   868   NtQueryValueKey  (520,  (520, "Domain", Partial, 144, ... , Partial, 144, ...
 01698  1588   NtDuplicateObject  ... 536, ) == 0x0
 01700  1356   NtRequestWaitReplyPort  (516, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (516, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\30'\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01699   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01701  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01702   868   NtQueryValueKey  (520,  (520, "Domain", Partial, 144, ... , Partial, 144, ...
 01701  1588   NtWaitForSingleObject  ... ) == 0x102
 01700  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75543, 0}  ... {64, 88, reply, 56, 1636, 1356, 75543, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\30'\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01702   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01703  1588   NtWaitForSingleObject  (132, 0, 0x0, ...
 01704  1356   NtClose  (500, ...
 01705  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\374\7\0\0" ...  ...
 01706   868   NtClose  (520, ...
 01704  1356   NtClose  ... ) == 0x0
 01705  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75544, 0}  ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\374\7\0\0" )  ) == 0x0
 01706   868   NtClose  ... ) == 0x0
 01707  1736   NtResumeThread  (532, ...
 01708   868   NtClose  (504, ...
 01707  1736   NtResumeThread  ... 1, ) == 0x0
 01708   868   NtClose  ... ) == 0x0
 01709  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01710   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 01711  1356   NtClose  (516, ...
 01712  2044   NtTestAlert  (...
 01710   868   NtOpenKey  ... 504, ) == 0x0
 01711  1356   NtClose  ... ) == 0x0
 01712  2044   NtTestAlert  ... ) == 0x0
 01709  1736   NtAllocateVirtualMemory  ... 60555264, 1048576, ) == 0x0
 01713  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01714  2044   NtContinue  (60554544, 1, ...
 01715  1736   NtAllocateVirtualMemory  (-1, 61595648, 0, 8192, 4096, 4, ...
 01713  1356   NtCreateEvent  ... 516, ) == 0x0
 01716  2044   NtRegisterThreadTerminatePort  (24, ...
 01715  1736   NtAllocateVirtualMemory  ... 61595648, 8192, ) == 0x0
 01717  1356   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 01716  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01718  1736   NtProtectVirtualMemory  (-1, (0x3abe000), 4096, 260, ...
 01717  1356   NtOpenKey  ... 520, ) == 0x0
 01719   868   NtQueryValueKey  (504,  (504, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 01718  1736   NtProtectVirtualMemory  ... (0x3abe000), 4096, 4, ) == 0x0
 01720  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01719   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01721  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01720  2044   NtDuplicateObject  ... 500, ) == 0x0
 01722   868   NtClose  (504, ...
 01723  1356   NtOpenKey  (0x20019, {24, 520, 0x40, 0, 0,  (0x20019, {24, 520, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 01724  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01722   868   NtClose  ... ) == 0x0
 01723  1356   NtOpenKey  ... 504, ) == 0x0
 01724  2044   NtWaitForSingleObject  ... ) == 0x102
 01725   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12053456, ... }, 12053456, ...
 01726  1356   NtQueryValueKey  (504,  (504, "ComputerName", Full, 108, ... , Full, 108, ...
 01727  2044   NtWaitForSingleObject  (132, 0, 0x0, ...
 01725   868   NtQueryAttributesFile  ... ) == 0x0
 01726  1356   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01721  1736   NtCreateThread  ... 540, {1636, 1308}, ) == 0x0
 01728  1356   NtClose  (504, ...
 01729  1736   NtQueryInformationThread  (540, Basic, 28, ...
 01728  1356   NtClose  ... ) == 0x0
 01729  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0
 01730   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 01731  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\34\5\0\0" ...  ...
 01730   868   NtOpenFile  ... 504, {status=0x0, info=1}, ) == 0x0
 01731  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75546, 0}  ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\34\5\0\0" )  ) == 0x0
 01732   868   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 504, ...
 01733  1356   NtClose  (520, ...
 01732   868   NtCreateSection  ... 544, ) == 0x0
 01733  1356   NtClose  ... ) == 0x0
 01734   868   NtClose  (504, ...
 01735  1356   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 01734   868   NtClose  ... ) == 0x0
 01735  1356   NtCreateIoCompletion  ... 504, ) == 0x0
 01736  1736   NtResumeThread  (540, ...
 01737  1356   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 01736  1736   NtResumeThread  ... 1, ) == 0x0
 01737  1356   NtCreateIoCompletion  ... 520, ) == 0x0
 01738  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01739   868   NtMapViewOfSection  (544, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01740  1308   NtWaitForSingleObject  (88, 0, 0x0, ...
 01738  1736   NtAllocateVirtualMemory  ... 61603840, 1048576, ) == 0x0
 01739   868   NtMapViewOfSection  ... (0x850000), 0x0, 20480, ) == 0x0
 01741  1736   NtAllocateVirtualMemory  (-1, 62644224, 0, 8192, 4096, 4, ...
 01742   868   NtClose  (544, ...
 01741  1736   NtAllocateVirtualMemory  ... 62644224, 8192, ) == 0x0
 01742   868   NtClose  ... ) == 0x0
 01743  1356   NtDuplicateObject  (-1, 504, -1, 0x0, 0, 2, ... 544, ) == 0x0
 01744  1356   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01745  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 548, ) == 0x0
 01746  1356   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01748   868   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01749   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12053764, ... ) }, 12053764, ... ) == 0x0
 01750   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 552, {status=0x0, info=1}, ) }, 5, 96, ... 552, {status=0x0, info=1}, ) == 0x0
 01747  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01751  1736   NtProtectVirtualMemory  (-1, (0x3bbe000), 4096, 260, ...
 01747  1356   NtSetInformationThread  ... ) == 0x0
 01751  1736   NtProtectVirtualMemory  ... (0x3bbe000), 4096, 4, ) == 0x0
 01752  1356   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11006144,  (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 01753  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01752  1356   NtCreateFile  ... 556, {status=0x0, info=1}, ) == 0x0
 01753  1736   NtCreateThread  ... 560, {1636, 1676}, ) == 0x0
 01754  1736   NtQueryInformationThread  (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1676,}, 0x0, ) == 0x0
 01755  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75547, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0\214\6\0\0" )  ) == 0x0
 01756  1736   NtResumeThread  (560, ... 1, ) == 0x0
 01757  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01758  1356   NtSetInformationFile  (556, 11006200, 8, Pipe, ...
 01759   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 552, ...
 01760  1676   NtWaitForSingleObject  (88, 0, 0x0, ...
 01758  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01759   868   NtCreateSection  ... 564, ) == 0x0
 01761  1356   NtSetInformationFile  (556, 11006188, 8, Completion, ...
 01762   868   NtQuerySection  (564, Image, 48, ...
 01761  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01762   868   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01763  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01764   868   NtClose  (552, ...
 01763  1356   NtSetInformationThread  ... ) == 0x0
 01764   868   NtClose  ... ) == 0x0
 01757  1736   NtAllocateVirtualMemory  ... 62652416, 1048576, ) == 0x0
 01765  1356   NtWriteFile  (556, 209, 0, 0,  (556, 209, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 01766  1736   NtAllocateVirtualMemory  (-1, 63692800, 0, 8192, 4096, 4, ...
 01765  1356   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 01766  1736   NtAllocateVirtualMemory  ... 63692800, 8192, ) == 0x0
 01767  1356   NtReadFile  (556, 209, 0, 0, 1024, {0, 0}, 0, ...
 01768  1736   NtProtectVirtualMemory  (-1, (0x3cbe000), 4096, 260, ...
 01767  1356   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01768  1736   NtProtectVirtualMemory  ... (0x3cbe000), 4096, 4, ) == 0x0
 01769  1356   NtFsControlFile  (556, 209, 0x0, 0x0, 0x11c017,  (556, 209, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 01770  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01769  1356   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01771   868   NtMapViewOfSection  (564, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01770  1736   NtCreateThread  ... 552, {1636, 1376}, ) == 0x0
 01771   868   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 01772  1736   NtQueryInformationThread  (552, Basic, 28, ...
 01773   868   NtClose  (564, ...
 01772  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0
 01773   868   NtClose  ... ) == 0x0
 01774  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0`\5\0\0" ...  ...
 01775   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01774  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75556, 0}  ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0`\5\0\0" )  ) == 0x0
 01775   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01776  1356   NtFsControlFile  (556, 209, 0x0, 0x0, 0x11c017,  (556, 209, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0`*\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 01777  1736   NtResumeThread  (552, ...
 01776  1356   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 01777  1736   NtResumeThread  ... 1, ) == 0x0
 01778  1356   NtFsControlFile  (556, 209, 0x0, 0x0, 0x11c017,  (556, 209, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... , 44, 1024, ...
 01779  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01778  1356   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\360T\25\0\1\0\0\0\374T\25\0 \0\0\0\1\0\0\0\30\0\32\0\10U\25\0$U\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\240$\25\0\1\0\0\0\5\0\15\0\260$\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01779  1736   NtAllocateVirtualMemory  ... 63700992, 1048576, ) == 0x0
 01780  1356   NtClose  (548, ...
 01781  1736   NtAllocateVirtualMemory  (-1, 64741376, 0, 8192, 4096, 4, ...
 01780  1356   NtClose  ... ) == 0x0
 01781  1736   NtAllocateVirtualMemory  ... 64741376, 8192, ) == 0x0
 01782   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 01783  1376   NtWaitForSingleObject  (88, 0, 0x0, ...
 01784  1356   NtClose  (556, ...
 01782   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 01784  1356   NtClose  ... ) == 0x0
 01785   868   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01786  1356   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1380504, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1380504, 0x0, 11008068, 188, ...
 01785   868   NtFlushInstructionCache  ... ) == 0x0
 01786  1356   NtSecureConnectPort  ... 556, 0x0, 0x0, 0x0, 188, ) == 0x0
 01787  1736   NtProtectVirtualMemory  (-1, (0x3dbe000), 4096, 260, ...
 01788  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01787  1736   NtProtectVirtualMemory  ... (0x3dbe000), 4096, 4, ) == 0x0
 01789   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01790  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01789   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01791   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 01792   868   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 01793   868   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 548, ) }, ... 548, ) == 0x0
 01794   868   NtMapViewOfSection  (548, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01795   868   NtClose  (548, ... ) == 0x0
 01788  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01790  1736   NtCreateThread  ... 548, {1636, 1436}, ) == 0x0
 01796  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01797  1736   NtQueryInformationThread  (548, Basic, 28, ...
 01796  1356   NtSetInformationThread  ... ) == 0x0
 01797  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1436,}, 0x0, ) == 0x0
 01798  1356   NtRequestWaitReplyPort  (556, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977}  (556, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0k\326\314Y\225pR\341\337\347e\363e\272\323U\12\0\0\0\226B\361(\347q\3030\0\0\0\0pP\25\0d\344\234\276i\304\306\375(\0\0\0M\307\0\324\0\0\24\0\240\366\247\0U$\350k\0\0\0\0\330G\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01799  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\234\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75559, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\234\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\234\5\0\0" )  ) == 0x0
 01798  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75558, 0}  ... {200, 224, reply, 0, 1636, 1356, 75558, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0k\326\314Y\225pR\341\337\347e\363e\272\323U\12\0\0\0\226B\361(\347q\3030\0\0\0\0pP\25\0d\344\234\276i\304\306\375(\0\0\0M\307\0\324\0\0\24\0\240\366\247\0U$\350k\0\0\0\0\330G\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01800   868   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 01801  1736   NtResumeThread  (548, ...
 01800   868   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 01801  1736   NtResumeThread  ... 1, ) == 0x0
 01802   868   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 01803  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01802   868   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 01803  1736   NtAllocateVirtualMemory  ... 64749568, 1048576, ) == 0x0
 01804   868   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 01805  1736   NtAllocateVirtualMemory  (-1, 65789952, 0, 8192, 4096, 4, ...
 01804   868   NtFlushInstructionCache  ... ) == 0x0
 01805  1736   NtAllocateVirtualMemory  ... 65789952, 8192, ) == 0x0
 01806  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01807  1436   NtWaitForSingleObject  (88, 0, 0x0, ...
 01808   868   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 01806  1356   NtSetInformationThread  ... ) == 0x0
 01808   868   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 01809  1356   NtRequestWaitReplyPort  (556, {56, 80, new_msg, 0, 44, 3, 20, 0}  (556, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0X\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 01810   868   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 01811   868   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 01812  1736   NtProtectVirtualMemory  (-1, (0x3ebe000), 4096, 260, ... (0x3ebe000), 4096, 4, ) == 0x0
 01813  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 564, {1636, 724}, ) == 0x0
 01814  1736   NtQueryInformationThread  (564, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=724,}, 0x0, ) == 0x0
 01815  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75561, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" )  ) == 0x0
 01816  1736   NtResumeThread  (564, ... 1, ) == 0x0
 01817  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01818   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01819   724   NtWaitForSingleObject  (88, 0, 0x0, ...
 01818   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01820   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 01821   868   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 01822   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 568, ) == 0x0
 01824   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 572, ) }, ... 572, ) == 0x0
 01817  1736   NtAllocateVirtualMemory  ... 65798144, 1048576, ) == 0x0
 01809  1356   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1636, 1356, 75560, 0}  ... {44, 68, reply, 0, 1636, 1356, 75560, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01825  1736   NtAllocateVirtualMemory  (-1, 66838528, 0, 8192, 4096, 4, ...
 01826  1356   NtRaiseException  (11008528, 11007788, 1, ...
 01825  1736   NtAllocateVirtualMemory  ... 66838528, 8192, ) == 0x0
 01827   868   NtQueryValueKey  (572,  (572, "LdapClientIntegrity", Partial, 144, ... , Partial, 144, ...
 01828  1736   NtProtectVirtualMemory  (-1, (0x3fbe000), 4096, 260, ...
 01827   868   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01828  1736   NtProtectVirtualMemory  ... (0x3fbe000), 4096, 4, ) == 0x0
 01829   868   NtClose  (572, ...
 01830  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01829   868   NtClose  ... ) == 0x0
 01831  1356   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 01832   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ...
 01831  1356   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 01832   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833  1356   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 01830  1736   NtCreateThread  ... 572, {1636, 1276}, ) == 0x0
 01833  1356   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01834  1736   NtQueryInformationThread  (572, Basic, 28, ...
 01835  1356   NtContinue  (11006756, 0, ...
 01834  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=1276,}, 0x0, ) == 0x0
 01836  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\374\4\0\0" )  ) == 0x0
 01837  1736   NtResumeThread  (572, ... 1, ) == 0x0
 01838  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66846720, 1048576, ) == 0x0
 01839  1736   NtAllocateVirtualMemory  (-1, 67887104, 0, 8192, 4096, 4, ... 67887104, 8192, ) == 0x0
 01840   868   NtQueryPerformanceCounter  (...
 01841  1276   NtWaitForSingleObject  (88, 0, 0x0, ...
 01840   868   NtQueryPerformanceCounter  ... {1106736155, 16}, {3579545, 0}, ) == 0x0
 01842   868   NtSetEventBoostPriority  (88, ...
 01740  1308   NtWaitForSingleObject  ... ) == 0x0
 01843  1308   NtSetEventBoostPriority  (88, ...
 01760  1676   NtWaitForSingleObject  ... ) == 0x0
 01844  1676   NtSetEventBoostPriority  (88, ...
 01783  1376   NtWaitForSingleObject  ... ) == 0x0
 01845  1376   NtAllocateVirtualMemory  (-1, 8806400, 0, 4096, 4096, 4, ... 8806400, 4096, ) == 0x0
 01844  1676   NtSetEventBoostPriority  ... ) == 0x0
 01843  1308   NtSetEventBoostPriority  ... ) == 0x0
 01842   868   NtSetEventBoostPriority  ... ) == 0x0
 01846  1736   NtProtectVirtualMemory  (-1, (0x40be000), 4096, 260, ...
 01847  1356   NtDeviceIoControlFile  (344, 112, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 01848  1376   NtSetEventBoostPriority  (88, ...
 01849  1676   NtTestAlert  (...
 01850  1308   NtTestAlert  (...
 01846  1736   NtProtectVirtualMemory  ... (0x40be000), 4096, 4, ) == 0x0
 01847  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 01807  1436   NtWaitForSingleObject  ... ) == 0x0
 01848  1376   NtSetEventBoostPriority  ... ) == 0x0
 01849  1676   NtTestAlert  ... ) == 0x0
 01850  1308   NtTestAlert  ... ) == 0x0
 01851  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01852  1436   NtSetEventBoostPriority  (88, ...
 01853  1356   NtWaitForSingleObject  (112, 1, {-5000000, -1}, ...
 01854  1376   NtTestAlert  (...
 01855  1676   NtContinue  (62651696, 1, ...
 01856  1308   NtContinue  (61603120, 1, ...
 01819   724   NtWaitForSingleObject  ... ) == 0x0
 01852  1436   NtSetEventBoostPriority  ... ) == 0x0
 01851  1736   NtCreateThread  ... 576, {1636, 1368}, ) == 0x0
 01857   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 01854  1376   NtTestAlert  ... ) == 0x0
 01858  1676   NtRegisterThreadTerminatePort  (24, ...
 01859   724   NtSetEventBoostPriority  (88, ...
 01860  1308   NtRegisterThreadTerminatePort  (24, ...
 01861  1736   NtQueryInformationThread  (576, Basic, 28, ...
 01862  1376   NtContinue  (63700272, 1, ...
 01841  1276   NtWaitForSingleObject  ... ) == 0x0
 01859   724   NtSetEventBoostPriority  ... ) == 0x0
 01858  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01860  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01861  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0
 01863  1276   NtSetEventBoostPriority  (88, ...
 01864  1376   NtRegisterThreadTerminatePort  (24, ...
 01865  1436   NtTestAlert  (...
 01866  1676   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 01867  1308   NtWaitForSingleObject  (292, 0, 0x0, ...
 01868   724   NtTestAlert  (...
 01857   868   NtWaitForSingleObject  ... ) == 0x0
 01863  1276   NtSetEventBoostPriority  ... ) == 0x0
 01869  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0X\5\0\0" ...  ...
 01865  1436   NtTestAlert  ... ) == 0x0
 01864  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01866  1676   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 01870   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01868   724   NtTestAlert  ... ) == 0x0
 01869  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75563, 0}  ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0X\5\0\0" )  ) == 0x0
 01871  1436   NtContinue  (64748848, 1, ...
 01872  1376   NtWaitForSingleObject  (292, 0, 0x0, ...
 01873  1676   NtSetEventBoostPriority  (292, ...
 01874   724   NtContinue  (65797424, 1, ...
 01875  1736   NtResumeThread  (576, ...
 01876  1436   NtRegisterThreadTerminatePort  (24, ...
 01867  1308   NtWaitForSingleObject  ... ) == 0x0
 01873  1676   NtSetEventBoostPriority  ... ) == 0x0
 01877   724   NtRegisterThreadTerminatePort  (24, ...
 01875  1736   NtResumeThread  ... 1, ) == 0x0
 01878  1308   NtSetEventBoostPriority  (292, ...
 01876  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01879  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01877   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 01870   868   NtWaitForSingleObject  ... ) == 0x0
 01880  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01881  1436   NtWaitForSingleObject  (292, 0, 0x0, ...
 01879  1676   NtDuplicateObject  ... 580, ) == 0x0
 01882   868   NtSetEventBoostPriority  (292, ...
 01883   724   NtWaitForSingleObject  (292, 0, 0x0, ...
 01878  1308   NtSetEventBoostPriority  ... ) == 0x0
 01884  1276   NtTestAlert  (...
 01885  1368   NtWaitForSingleObject  (292, 0, 0x0, ...
 01880  1736   NtAllocateVirtualMemory  ... 67895296, 1048576, ) == 0x0
 01872  1376   NtWaitForSingleObject  ... ) == 0x0
 01882   868   NtSetEventBoostPriority  ... ) == 0x0
 01886  1676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01887  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01884  1276   NtTestAlert  ... ) == 0x0
 01888  1376   NtSetEventBoostPriority  (292, ...
 01889  1736   NtAllocateVirtualMemory  (-1, 68935680, 0, 8192, 4096, 4, ...
 01890   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 01887  1308   NtDuplicateObject  ... 584, ) == 0x0
 01881  1436   NtWaitForSingleObject  ... ) == 0x0
 01888  1376   NtSetEventBoostPriority  ... ) == 0x0
 01891  1276   NtContinue  (66846000, 1, ...
 01889  1736   NtAllocateVirtualMemory  ... 68935680, 8192, ) == 0x0
 01892  1436   NtSetEventBoostPriority  (292, ...
 01893  1308   NtWaitForSingleObject  (292, 0, 0x0, ...
 01894  1276   NtRegisterThreadTerminatePort  (24, ...
 01885  1368   NtWaitForSingleObject  ... ) == 0x0
 01895  1736   NtProtectVirtualMemory  (-1, (0x41be000), 4096, 260, ...
 01894  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 01896  1368   NtSetEventBoostPriority  (292, ...
 01895  1736   NtProtectVirtualMemory  ... (0x41be000), 4096, 4, ) == 0x0
 01897  1276   NtWaitForSingleObject  (292, 0, 0x0, ...
 01883   724   NtWaitForSingleObject  ... ) == 0x0
 01896  1368   NtSetEventBoostPriority  ... ) == 0x0
 01898  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01892  1436   NtSetEventBoostPriority  ... ) == 0x0
 01899  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01900   724   NtSetEventBoostPriority  (292, ...
 01901  1368   NtSetEventBoostPriority  (88, ...
 01902  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01886  1676   NtWaitForSingleObject  ... ) == 0x0
 01899  1376   NtDuplicateObject  ... 588, ) == 0x0
 01890   868   NtWaitForSingleObject  ... ) == 0x0
 01901  1368   NtSetEventBoostPriority  ... ) == 0x0
 01902  1436   NtDuplicateObject  ... 592, ) == 0x0
 01903  1676   NtSetEventBoostPriority  (292, ...
 01904   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12053456, ... }, 12053456, ...
 01905  1376   NtWaitForSingleObject  (292, 0, 0x0, ...
 01906  1368   NtTestAlert  (...
 01900   724   NtSetEventBoostPriority  ... ) == 0x0
 01898  1736   NtCreateThread  ... 596, {1636, 704}, ) == 0x0
 01904   868   NtQueryAttributesFile  ... ) == 0x0
 01893  1308   NtWaitForSingleObject  ... ) == 0x0
 01906  1368   NtTestAlert  ... ) == 0x0
 01907   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01908   868   NtQuerySystemInformation  (Basic, 44, ...
 01909  1736   NtQueryInformationThread  (596, Basic, 28, ...
 01910  1308   NtSetEventBoostPriority  (292, ...
 01911  1368   NtContinue  (67894576, 1, ...
 01907   724   NtDuplicateObject  ... 600, ) == 0x0
 01903  1676   NtSetEventBoostPriority  ... ) == 0x0
 01912  1436   NtWaitForSingleObject  (292, 0, 0x0, ...
 01909  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=704,}, 0x0, ) == 0x0
 01897  1276   NtWaitForSingleObject  ... ) == 0x0
 01910  1308   NtSetEventBoostPriority  ... ) == 0x0
 01913  1368   NtRegisterThreadTerminatePort  (24, ...
 01908   868   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01914  1676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01915  1276   NtSetEventBoostPriority  (292, ...
 01916  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\300\2\0\0" ...  ...
 01917  1308   NtWaitForSingleObject  (292, 0, 0x0, ...
 01918   724   NtWaitForSingleObject  (292, 0, 0x0, ...
 01919   868   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 01905  1376   NtWaitForSingleObject  ... ) == 0x0
 01916  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75564, 0}  ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\300\2\0\0" )  ) == 0x0
 01915  1276   NtSetEventBoostPriority  ... ) == 0x0
 01913  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 01919   868   NtAllocateVirtualMemory  ... 8716288, 65536, ) == 0x0
 01920  1376   NtSetEventBoostPriority  (292, ...
 01921  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01922  1368   NtWaitForSingleObject  (292, 0, 0x0, ...
 01923   868   NtAllocateVirtualMemory  (-1, 8716288, 0, 4096, 4096, 4, ...
 01912  1436   NtWaitForSingleObject  ... ) == 0x0
 01920  1376   NtSetEventBoostPriority  ... ) == 0x0
 01921  1276   NtDuplicateObject  ... 604, ) == 0x0
 01924  1436   NtSetEventBoostPriority  (292, ...
 01923   868   NtAllocateVirtualMemory  ... 8716288, 4096, ) == 0x0
 01925  1736   NtResumeThread  (596, ...
 01926  1376   NtWaitForSingleObject  (292, 0, 0x0, ...
 01914  1676   NtWaitForSingleObject  ... ) == 0x0
 01924  1436   NtSetEventBoostPriority  ... ) == 0x0
 01927   868   NtWaitForSingleObject  (332, 0, 0x0, ...
 01925  1736   NtResumeThread  ... 1, ) == 0x0
 01928  1676   NtSetEventBoostPriority  (292, ...
 01929  1436   NtWaitForSingleObject  (292, 0, 0x0, ...
 01930  1276   NtWaitForSingleObject  (292, 0, 0x0, ...
 01931   704   NtWaitForSingleObject  (292, 0, 0x0, ...
 01918   724   NtWaitForSingleObject  ... ) == 0x0
 01928  1676   NtSetEventBoostPriority  ... ) == 0x0
 01932  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01933   724   NtSetEventBoostPriority  (292, ...
 01917  1308   NtWaitForSingleObject  ... ) == 0x0
 01934  1308   NtSetEventBoostPriority  (292, ...
 01922  1368   NtWaitForSingleObject  ... ) == 0x0
 01935  1368   NtSetEventBoostPriority  (292, ...
 01926  1376   NtWaitForSingleObject  ... ) == 0x0
 01936  1376   NtSetEventBoostPriority  (292, ...
 01930  1276   NtWaitForSingleObject  ... ) == 0x0
 01937  1276   NtSetEventBoostPriority  (292, ...
 01931   704   NtWaitForSingleObject  ... ) == 0x0
 01938   704   NtSetEventBoostPriority  (292, ...
 01929  1436   NtWaitForSingleObject  ... ) == 0x0
 01939  1436   NtWaitForSingleObject  (332, 0, 0x0, ...
 01938   704   NtSetEventBoostPriority  ... ) == 0x0
 01937  1276   NtSetEventBoostPriority  ... ) == 0x0
 01936  1376   NtSetEventBoostPriority  ... ) == 0x0
 01935  1368   NtSetEventBoostPriority  ... ) == 0x0
 01933   724   NtSetEventBoostPriority  ... ) == 0x0
 01932  1736   NtAllocateVirtualMemory  ... 68943872, 1048576, ) == 0x0
 01934  1308   NtSetEventBoostPriority  ... ) == 0x0
 01940  1676   NtSetEventBoostPriority  (332, ...
 01941  1276   NtWaitForSingleObject  (332, 0, 0x0, ...
 01942  1376   NtWaitForSingleObject  (332, 0, 0x0, ...
 01943   704   NtTestAlert  (...
 01944   724   NtWaitForSingleObject  (332, 0, 0x0, ...
 01945  1736   NtAllocateVirtualMemory  (-1, 69984256, 0, 8192, 4096, 4, ...
 01946  1308   NtWaitForSingleObject  (332, 0, 0x0, ...
 01927   868   NtWaitForSingleObject  ... ) == 0x0
 01940  1676   NtSetEventBoostPriority  ... ) == 0x0
 01947  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01943   704   NtTestAlert  ... ) == 0x0
 01945  1736   NtAllocateVirtualMemory  ... 69984256, 8192, ) == 0x0
 01948   868   NtSetEventBoostPriority  (332, ...
 01949  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01947  1368   NtDuplicateObject  ... 608, ) == 0x0
 01950   704   NtContinue  (68943152, 1, ...
 01939  1436   NtWaitForSingleObject  ... ) == 0x0
 01949  1676   NtWaitForSingleObject  ... ) == 0x102
 01951  1368   NtWaitForSingleObject  (332, 0, 0x0, ...
 01952  1436   NtSetEventBoostPriority  (332, ...
 01953   704   NtRegisterThreadTerminatePort  (24, ...
 01954  1676   NtWaitForSingleObject  (132, 0, 0x0, ...
 01941  1276   NtWaitForSingleObject  ... ) == 0x0
 01953   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 01952  1436   NtSetEventBoostPriority  ... ) == 0x0
 01948   868   NtSetEventBoostPriority  ... ) == 0x0
 01955  1736   NtProtectVirtualMemory  (-1, (0x42be000), 4096, 260, ...
 01956  1276   NtSetEventBoostPriority  (332, ...
 01957   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01958   868   NtAllocateVirtualMemory  (-1, 8720384, 0, 8192, 4096, 4, ...
 01955  1736   NtProtectVirtualMemory  ... (0x42be000), 4096, 4, ) == 0x0
 01942  1376   NtWaitForSingleObject  ... ) == 0x0
 01956  1276   NtSetEventBoostPriority  ... ) == 0x0
 01959  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01958   868   NtAllocateVirtualMemory  ... 8720384, 8192, ) == 0x0
 01960  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01961  1376   NtSetEventBoostPriority  (332, ...
 01962  1276   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01959  1436   NtWaitForSingleObject  ... ) == 0x102
 01957   704   NtDuplicateObject  ... 612, ) == 0x0
 01960  1736   NtCreateThread  ... 616, {1636, 1568}, ) == 0x0
 01946  1308   NtWaitForSingleObject  ... ) == 0x0
 01963  1436   NtWaitForSingleObject  (132, 0, 0x0, ...
 01964   704   NtWaitForSingleObject  (332, 0, 0x0, ...
 01965  1736   NtQueryInformationThread  (616, Basic, 28, ...
 01966  1308   NtSetEventBoostPriority  (332, ...
 01965  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0
 01944   724   NtWaitForSingleObject  ... ) == 0x0
 01966  1308   NtSetEventBoostPriority  ... ) == 0x0
 01961  1376   NtSetEventBoostPriority  ... ) == 0x0
 01967   868   NtWaitForSingleObject  (332, 0, 0x0, ...
 01962  1276   NtWaitForSingleObject  ... ) == 0x102
 01968   724   NtSetEventBoostPriority  (332, ...
 01969  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0 \6\0\0" ...  ...
 01970  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01951  1368   NtWaitForSingleObject  ... ) == 0x0
 01971  1276   NtWaitForSingleObject  (132, 0, 0x0, ...
 01969  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75565, 0}  ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0 \6\0\0" )  ) == 0x0
 01972  1368   NtSetEventBoostPriority  (332, ...
 01973  1736   NtResumeThread  (616, ...
 01964   704   NtWaitForSingleObject  ... ) == 0x0
 01972  1368   NtSetEventBoostPriority  ... ) == 0x0
 01974   704   NtSetEventBoostPriority  (332, ...
 01973  1736   NtResumeThread  ... 1, ) == 0x0
 01968   724   NtSetEventBoostPriority  ... ) == 0x0
 01975  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01970  1376   NtWaitForSingleObject  ... ) == 0x102
 01967   868   NtWaitForSingleObject  ... ) == 0x0
 01974   704   NtSetEventBoostPriority  ... ) == 0x0
 01976  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01977   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01975  1308   NtWaitForSingleObject  ... ) == 0x102
 01978   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12053456, ... }, 12053456, ...
 01979  1376   NtWaitForSingleObject  (132, 0, 0x0, ...
 01980  1368   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01981  1568   NtWaitForSingleObject  (88, 0, 0x0, ...
 01982   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01978   868   NtQueryAttributesFile  ... ) == 0x0
 01983  1308   NtWaitForSingleObject  (132, 0, 0x0, ...
 01980  1368   NtWaitForSingleObject  ... ) == 0x102
 01984   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ...
 01982   704   NtWaitForSingleObject  ... ) == 0x102
 01985  1368   NtWaitForSingleObject  (132, 0, 0x0, ...
 01976  1736   NtAllocateVirtualMemory  ... 69992448, 1048576, ) == 0x0
 01977   724   NtWaitForSingleObject  ... ) == 0x102
 01986   704   NtWaitForSingleObject  (132, 0, 0x0, ...
 01987  1736   NtAllocateVirtualMemory  (-1, 71032832, 0, 8192, 4096, 4, ...
 01988   724   NtWaitForSingleObject  (132, 0, 0x0, ...
 01987  1736   NtAllocateVirtualMemory  ... 71032832, 8192, ) == 0x0
 01989  1736   NtProtectVirtualMemory  (-1, (0x43be000), 4096, 260, ... (0x43be000), 4096, 4, ) == 0x0
 01990  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1636, 1104}, ) == 0x0
 01991  1736   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0
 01992  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75566, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0P\4\0\0" )  ) == 0x0
 01984   868   NtOpenFile  ... 624, {status=0x0, info=1}, ) == 0x0
 01993   868   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 624, ... 628, ) == 0x0
 01994   868   NtClose  (624, ... ) == 0x0
 01995   868   NtMapViewOfSection  (628, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 110592, ) == 0x0
 01996   868   NtClose  (628, ... ) == 0x0
 01997  1736   NtResumeThread  (620, ... 1, ) == 0x0
 01998  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 71041024, 1048576, ) == 0x0
 01999  1736   NtAllocateVirtualMemory  (-1, 72081408, 0, 8192, 4096, 4, ... 72081408, 8192, ) == 0x0
 02000  1104   NtWaitForSingleObject  (88, 0, 0x0, ...
 02001   868   NtUnmapViewOfSection  (-1, 0xc80000, ...
 02002  1736   NtProtectVirtualMemory  (-1, (0x44be000), 4096, 260, ... (0x44be000), 4096, 4, ) == 0x0
 02003  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1636, 784}, ) == 0x0
 02004  1736   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=784,}, 0x0, ) == 0x0
 02005  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75567, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\20\3\0\0" )  ) == 0x0
 02001   868   NtUnmapViewOfSection  ... ) == 0x0
 02006   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12053764, ... ) }, 12053764, ... ) == 0x0
 02007   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 624, {status=0x0, info=1}, ) }, 5, 96, ... 624, {status=0x0, info=1}, ) == 0x0
 02008   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 624, ... 632, ) == 0x0
 02009   868   NtQuerySection  (632, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02010   868   NtClose  (624, ... ) == 0x0
 02011   868   NtMapViewOfSection  (632, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02012  1736   NtResumeThread  (628, ... 1, ) == 0x0
 02013  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72089600, 1048576, ) == 0x0
 02014  1736   NtAllocateVirtualMemory  (-1, 73129984, 0, 8192, 4096, 4, ... 73129984, 8192, ) == 0x0
 02015  1736   NtProtectVirtualMemory  (-1, (0x45be000), 4096, 260, ... (0x45be000), 4096, 4, ) == 0x0
 02016  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1636, 1792}, ) == 0x0
 02017  1736   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=1792,}, 0x0, ) == 0x0
 02011   868   NtMapViewOfSection  ... (0x751d0000), 0x0, 122880, ) == 0x0
 02018   784   NtWaitForSingleObject  (88, 0, 0x0, ...
 02019   868   NtClose  (632, ... ) == 0x0
 02020   868   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02021   868   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02022   868   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02023   868   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ...
 02024  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\0\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\0\7\0\0" )  ) == 0x0
 02025  1736   NtResumeThread  (624, ... 1, ) == 0x0
 02026  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73138176, 1048576, ) == 0x0
 02027  1736   NtAllocateVirtualMemory  (-1, 74178560, 0, 8192, 4096, 4, ... 74178560, 8192, ) == 0x0
 02028  1736   NtProtectVirtualMemory  (-1, (0x46be000), 4096, 260, ... (0x46be000), 4096, 4, ) == 0x0
 02029  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02023   868   NtProtectVirtualMemory  ... (0x751d1000), 4096, 32, ) == 0x0
 02030  1792   NtWaitForSingleObject  (88, 0, 0x0, ...
 02031   868   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02032   868   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02033   868   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02034   868   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 02035   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 12052940, ... }, 12052940, ...
 02029  1736   NtCreateThread  ... 632, {1636, 192}, ) == 0x0
 02036  1736   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=192,}, 0x0, ) == 0x0
 02037  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\300\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\300\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\300\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\300\0\0\0" )  ) == 0x0
 02038  1736   NtResumeThread  (632, ... 1, ) == 0x0
 02039  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74186752, 1048576, ) == 0x0
 02040  1736   NtAllocateVirtualMemory  (-1, 75227136, 0, 8192, 4096, 4, ... 75227136, 8192, ) == 0x0
 02041   192   NtWaitForSingleObject  (88, 0, 0x0, ...
 02042  1736   NtProtectVirtualMemory  (-1, (0x47be000), 4096, 260, ... (0x47be000), 4096, 4, ) == 0x0
 02043  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1636, 1484}, ) == 0x0
 02044  1736   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=1484,}, 0x0, ) == 0x0
 02045  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\314\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\314\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\314\5\0\0" )  ) == 0x0
 02046  1736   NtResumeThread  (636, ... 1, ) == 0x0
 02047  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02048  1484   NtWaitForSingleObject  (88, 0, 0x0, ...
 02047  1736   NtAllocateVirtualMemory  ... 75235328, 1048576, ) == 0x0
 02049  1736   NtAllocateVirtualMemory  (-1, 76275712, 0, 8192, 4096, 4, ... 76275712, 8192, ) == 0x0
 02050  1736   NtProtectVirtualMemory  (-1, (0x48be000), 4096, 260, ... (0x48be000), 4096, 4, ) == 0x0
 02051  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02035   868   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02052   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 12052940, ... ) }, 12052940, ... ) == 0x0
 02053   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 640, {status=0x0, info=1}, ) }, 5, 96, ... 640, {status=0x0, info=1}, ) == 0x0
 02054   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 640, ... 644, ) == 0x0
 02055   868   NtQuerySection  (644, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02056   868   NtClose  (640, ... ) == 0x0
 02051  1736   NtCreateThread  ... 640, {1636, 1120}, ) == 0x0
 02057  1736   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=1120,}, 0x0, ) == 0x0
 02058  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0`\4\0\0" )  ) == 0x0
 02059  1736   NtResumeThread  (640, ... 1, ) == 0x0
 02060  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76283904, 1048576, ) == 0x0
 02061  1736   NtAllocateVirtualMemory  (-1, 77324288, 0, 8192, 4096, 4, ... 77324288, 8192, ) == 0x0
 02062   868   NtMapViewOfSection  (644, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02063  1120   NtWaitForSingleObject  (88, 0, 0x0, ...
 02062   868   NtMapViewOfSection  ... (0x77920000), 0x0, 995328, ) == 0x0
 02064   868   NtClose  (644, ... ) == 0x0
 02065   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02066   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02067   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02068   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02069  1736   NtProtectVirtualMemory  (-1, (0x49be000), 4096, 260, ... (0x49be000), 4096, 4, ) == 0x0
 02070  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1636, 520}, ) == 0x0
 02071  1736   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=520,}, 0x0, ) == 0x0
 02072  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\10\2\0\0" )  ) == 0x0
 02073  1736   NtResumeThread  (644, ... 1, ) == 0x0
 02074  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02075   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02076   520   NtWaitForSingleObject  (88, 0, 0x0, ...
 02075   868   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02077   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02078   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02079   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02080   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02081   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02074  1736   NtAllocateVirtualMemory  ... 77332480, 1048576, ) == 0x0
 02082  1736   NtAllocateVirtualMemory  (-1, 78372864, 0, 8192, 4096, 4, ... 78372864, 8192, ) == 0x0
 02083  1736   NtProtectVirtualMemory  (-1, (0x4abe000), 4096, 260, ... (0x4abe000), 4096, 4, ) == 0x0
 02084  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1636, 1612}, ) == 0x0
 02085  1736   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0
 02086  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0L\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0L\6\0\0" )  ) == 0x0
 02087   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02088   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02089   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02090   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02091   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02092   868   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02093  1736   NtResumeThread  (648, ... 1, ) == 0x0
 02094  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78381056, 1048576, ) == 0x0
 02095  1736   NtAllocateVirtualMemory  (-1, 79421440, 0, 8192, 4096, 4, ... 79421440, 8192, ) == 0x0
 02096  1736   NtProtectVirtualMemory  (-1, (0x4bbe000), 4096, 260, ... (0x4bbe000), 4096, 4, ) == 0x0
 02097  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1636, 876}, ) == 0x0
 02098  1736   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=876,}, 0x0, ) == 0x0
 02099   868   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02100  1612   NtWaitForSingleObject  (88, 0, 0x0, ...
 02099   868   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02101   868   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02102  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0l\3\0\0" ...  ...
 02103   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02104   868   NtQueryDefaultUILanguage  (2090319928, ...
 02105   868   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02106   868   NtOpenProcessTokenEx  (-1, 0x20008, 512, ...
 02102  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75574, 0}  ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0l\3\0\0" )  ) == 0x0
 02107  1736   NtResumeThread  (652, ... 1, ) == 0x0
 02108  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79429632, 1048576, ) == 0x0
 02109  1736   NtAllocateVirtualMemory  (-1, 80470016, 0, 8192, 4096, 4, ... 80470016, 8192, ) == 0x0
 02110  1736   NtProtectVirtualMemory  (-1, (0x4cbe000), 4096, 260, ... (0x4cbe000), 4096, 4, ) == 0x0
 02111  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02106   868   NtOpenProcessTokenEx  ... -2147482564, ) == 0x0
 02112   876   NtWaitForSingleObject  (88, 0, 0x0, ...
 02113   868   NtQueryInformationToken  (-2147482564, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02114   868   NtClose  (-2147482564, ... ) == 0x0
 02115   868   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... -2147482564, ) == 0x0
 02116   868   NtOpenKey  (0x80000000, {24, -2147482564, 0x240, 0, 0,  (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   868   NtOpenKey  (0x80000000, {24, -2147482564, 0x640, 0, 0,  (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0
 02118   868   NtQueryValueKey  (-2147481440,  (-2147481440, "MultiUILanguageId", Partial, 256, ... , Partial, 256, ...
 02111  1736   NtCreateThread  ... 656, {1636, 1628}, ) == 0x0
 02119  1736   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0
 02120  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\\6\0\0" )  ) == 0x0
 02121  1736   NtResumeThread  (656, ... 1, ) == 0x0
 02122  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80478208, 1048576, ) == 0x0
 02123  1736   NtAllocateVirtualMemory  (-1, 81518592, 0, 8192, 4096, 4, ... 81518592, 8192, ) == 0x0
 02118   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124  1628   NtWaitForSingleObject  (88, 0, 0x0, ...
 02125   868   NtClose  (-2147481440, ... ) == 0x0
 02126   868   NtClose  (-2147482564, ... ) == 0x0
 02104   868   NtQueryDefaultUILanguage  ... ) == 0x0
 02127   868   NtAllocateVirtualMemory  (-1, 12042240, 0, 4096, 4096, 260, ... 12042240, 4096, ) == 0x0
 02128   868   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02129   868   NtQueryDefaultLocale  (1, 12053660, ... ) == 0x0
 02130  1736   NtProtectVirtualMemory  (-1, (0x4dbe000), 4096, 260, ... (0x4dbe000), 4096, 4, ) == 0x0
 02131  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1636, 940}, ) == 0x0
 02132  1736   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=940,}, 0x0, ) == 0x0
 02133  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\254\3\0\0" )  ) == 0x0
 02134  1736   NtResumeThread  (660, ... 1, ) == 0x0
 02135  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02136   868   NtQueryInformationProcess  (-1, Wow64, 4, ...
 02137   940   NtWaitForSingleObject  (88, 0, 0x0, ...
 02136   868   NtQueryInformationProcess  ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02138   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 664, ) }, ... 664, ) == 0x0
 02139   868   NtQueryValueKey  (664,  (664, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (664, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02140   868   NtClose  (664, ... ) == 0x0
 02141   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 664, ) == 0x0
 02142   868   NtCallbackReturn  (0, 0, 0, ...
 02143   868   NtUserGetProcessWindowStation  (...
 02135  1736   NtAllocateVirtualMemory  ... 81526784, 1048576, ) == 0x0
 02144  1736   NtAllocateVirtualMemory  (-1, 82567168, 0, 8192, 4096, 4, ... 82567168, 8192, ) == 0x0
 02145  1736   NtProtectVirtualMemory  (-1, (0x4ebe000), 4096, 260, ... (0x4ebe000), 4096, 4, ) == 0x0
 02146  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1636, 1316}, ) == 0x0
 02147  1736   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0
 02148  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0$\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0$\5\0\0" )  ) == 0x0
 02143   868   NtUserGetProcessWindowStation  ... ) == 0x20
 02149   868   NtUserGetObjectInformation  (32, 1, 12053256, 12, 12053268, ... ) == 0x1
 02150   868   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 672, ) }, ... 672, ) == 0x0
 02152   868   NtQueryValueKey  (672,  (672, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (672, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02153   868   NtClose  (672, ... ) == 0x0
 02154   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... }, ...
 02155  1736   NtResumeThread  (668, ... 1, ) == 0x0
 02156  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82575360, 1048576, ) == 0x0
 02157  1736   NtAllocateVirtualMemory  (-1, 83615744, 0, 8192, 4096, 4, ... 83615744, 8192, ) == 0x0
 02158  1736   NtProtectVirtualMemory  (-1, (0x4fbe000), 4096, 260, ... (0x4fbe000), 4096, 4, ) == 0x0
 02159  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1636, 1924}, ) == 0x0
 02160  1736   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=1924,}, 0x0, ) == 0x0
 02154   868   NtOpenKey  ... 676, ) == 0x0
 02161  1316   NtWaitForSingleObject  (88, 0, 0x0, ...
 02162   868   NtQueryValueKey  (676,  (676, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (676, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02163   868   NtQueryValueKey  (676,  (676, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (676, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02164   868   NtClose  (676, ... ) == 0x0
 02165   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 676, ) }, ... 676, ) == 0x0
 02166   868   NtQueryValueKey  (676,  (676, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (676, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02167   868   NtQueryValueKey  (676,  (676, "SystemPartition", Partial, 144, ... , Partial, 144, ...
 02168  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\204\7\0\0" )  ) == 0x0
 02169  1736   NtResumeThread  (672, ... 1, ) == 0x0
 02170  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83623936, 1048576, ) == 0x0
 02171  1736   NtAllocateVirtualMemory  (-1, 84664320, 0, 8192, 4096, 4, ... 84664320, 8192, ) == 0x0
 02172  1736   NtProtectVirtualMemory  (-1, (0x50be000), 4096, 260, ... (0x50be000), 4096, 4, ) == 0x0
 02173  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02167   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02174  1924   NtWaitForSingleObject  (88, 0, 0x0, ...
 02175   868   NtClose  (676, ... ) == 0x0
 02176   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 676, ) }, ... 676, ) == 0x0
 02177   868   NtQueryValueKey  (676,  (676, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (676, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02178   868   NtQueryValueKey  (676,  (676, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (676, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02179   868   NtClose  (676, ... ) == 0x0
 02180   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02173  1736   NtCreateThread  ... 676, {1636, 644}, ) == 0x0
 02181  1736   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=644,}, 0x0, ) == 0x0
 02182  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" )  ) == 0x0
 02183  1736   NtResumeThread  (676, ... 1, ) == 0x0
 02184  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02180   868   NtOpenKey  ... 680, ) == 0x0
 02185   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 02186   868   NtQueryValueKey  (680,  (680, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (680, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02187   868   NtQueryValueKey  (680,  (680, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (680, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02188   868   NtClose  (680, ... ) == 0x0
 02189   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 680, ) }, ... 680, ) == 0x0
 02190   868   NtQueryValueKey  (680,  (680, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (680, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02191   868   NtQueryValueKey  (680,  (680, "ServicePackCachePath", Partial, 144, ... , Partial, 144, ...
 02184  1736   NtAllocateVirtualMemory  ... 84672512, 1048576, ) == 0x0
 02192  1736   NtAllocateVirtualMemory  (-1, 85712896, 0, 8192, 4096, 4, ... 85712896, 8192, ) == 0x0
 02193  1736   NtProtectVirtualMemory  (-1, (0x51be000), 4096, 260, ... (0x51be000), 4096, 4, ) == 0x0
 02194  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 1288}, ) == 0x0
 02195  1736   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0
 02196  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\10\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\10\5\0\0" )  ) == 0x0
 02191   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02197   868   NtClose  (680, ... ) == 0x0
 02198   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 680, ) }, ... 680, ) == 0x0
 02199   868   NtQueryValueKey  (680,  (680, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (680, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02200   868   NtQueryValueKey  (680,  (680, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (680, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02201   868   NtClose  (680, ... ) == 0x0
 02202   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... }, ...
 02203  1736   NtResumeThread  (684, ... 1, ) == 0x0
 02204  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85721088, 1048576, ) == 0x0
 02205  1736   NtAllocateVirtualMemory  (-1, 86761472, 0, 8192, 4096, 4, ... 86761472, 8192, ) == 0x0
 02206  1736   NtProtectVirtualMemory  (-1, (0x52be000), 4096, 260, ... (0x52be000), 4096, 4, ) == 0x0
 02207  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 752}, ) == 0x0
 02208  1736   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=752,}, 0x0, ) == 0x0
 02202   868   NtOpenKey  ... 688, ) == 0x0
 02209  1288   NtWaitForSingleObject  (88, 0, 0x0, ...
 02210   868   NtQueryValueKey  (688,  (688, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02211   868   NtQueryValueKey  (688,  (688, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (688, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02212   868   NtClose  (688, ... ) == 0x0
 02213   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 688, ) == 0x0
 02214   868   NtCreateMutant  (0x1f0001, 0x0, 0, ... 692, ) == 0x0
 02215   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02216  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\360\2\0\0" )  ) == 0x0
 02217  1736   NtResumeThread  (680, ... 1, ) == 0x0
 02218  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86769664, 1048576, ) == 0x0
 02219  1736   NtAllocateVirtualMemory  (-1, 87810048, 0, 8192, 4096, 4, ... 87810048, 8192, ) == 0x0
 02220  1736   NtProtectVirtualMemory  (-1, (0x53be000), 4096, 260, ... (0x53be000), 4096, 4, ) == 0x0
 02221  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02215   868   NtCreateEvent  ... 696, ) == 0x0
 02222   752   NtWaitForSingleObject  (88, 0, 0x0, ...
 02223   868   NtCreateMutant  (0x1f0001, 0x0, 0, ... 700, ) == 0x0
 02224   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 704, ) == 0x0
 02225   868   NtCreateMutant  (0x1f0001, 0x0, 0, ... 708, ) == 0x0
 02226   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 712, ) }, ... 712, ) == 0x0
 02227   868   NtQueryValueKey  (712,  (712, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (712, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02228   868   NtQueryValueKey  (712,  (712, "LogLevel", Partial, 144, ... , Partial, 144, ...
 02221  1736   NtCreateThread  ... 716, {1636, 624}, ) == 0x0
 02229  1736   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=624,}, 0x0, ) == 0x0
 02230  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" )  ) == 0x0
 02231  1736   NtResumeThread  (716, ... 1, ) == 0x0
 02232  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87818240, 1048576, ) == 0x0
 02233  1736   NtAllocateVirtualMemory  (-1, 88858624, 0, 8192, 4096, 4, ... 88858624, 8192, ) == 0x0
 02228   868   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02234   624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02235   868   NtQueryValueKey  (712,  (712, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236   868   NtOpenKey  (0x1, {24, 712, 0x40, 0, 0,  (0x1, {24, 712, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02237   868   NtClose  (712, ... ) == 0x0
 02238   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 12053172, ... ) }, 12053172, ... ) == 0x0
 02239   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 712, ) }, ... 712, ) == 0x0
 02240   868   NtQueryValueKey  (712,  (712, "ComputerName", Full, 128, ... , Full, 128, ...
 02241  1736   NtProtectVirtualMemory  (-1, (0x54be000), 4096, 260, ... (0x54be000), 4096, 4, ) == 0x0
 02242  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 380}, ) == 0x0
 02243  1736   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=380,}, 0x0, ) == 0x0
 02244  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" )  ) == 0x0
 02245  1736   NtResumeThread  (720, ... 1, ) == 0x0
 02246  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02240   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02247   380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02248   868   NtClose  (712, ... ) == 0x0
 02249   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 712, ) }, ... 712, ) == 0x0
 02250   868   NtQueryValueKey  (712,  (712, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (712, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (712, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02251   868   NtClose  (712, ... ) == 0x0
 02252   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02253   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02246  1736   NtAllocateVirtualMemory  ... 88866816, 1048576, ) == 0x0
 02254  1736   NtAllocateVirtualMemory  (-1, 89907200, 0, 8192, 4096, 4, ... 89907200, 8192, ) == 0x0
 02255  1736   NtProtectVirtualMemory  (-1, (0x55be000), 4096, 260, ... (0x55be000), 4096, 4, ) == 0x0
 02256  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1636, 776}, ) == 0x0
 02257  1736   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=776,}, 0x0, ) == 0x0
 02258  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\10\3\0\0" )  ) == 0x0
 02253   868   NtOpenKey  ... 724, ) == 0x0
 02259   868   NtQueryValueKey  (724,  (724, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (724, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (724, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02260   868   NtClose  (724, ... ) == 0x0
 02261   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02262   868   NtSetEventBoostPriority  (88, ...
 01981  1568   NtWaitForSingleObject  ... ) == 0x0
 02263  1568   NtSetEventBoostPriority  (88, ...
 02000  1104   NtWaitForSingleObject  ... ) == 0x0
 02264  1104   NtSetEventBoostPriority  (88, ...
 02018   784   NtWaitForSingleObject  ... ) == 0x0
 02265   784   NtSetEventBoostPriority  (88, ...
 02030  1792   NtWaitForSingleObject  ... ) == 0x0
 02266  1792   NtSetEventBoostPriority  (88, ...
 02041   192   NtWaitForSingleObject  ... ) == 0x0
 02267   192   NtSetEventBoostPriority  (88, ...
 02048  1484   NtWaitForSingleObject  ... ) == 0x0
 02268  1484   NtSetEventBoostPriority  (88, ...
 02063  1120   NtWaitForSingleObject  ... ) == 0x0
 02269  1120   NtSetEventBoostPriority  (88, ...
 02076   520   NtWaitForSingleObject  ... ) == 0x0
 02270   520   NtSetEventBoostPriority  (88, ...
 02100  1612   NtWaitForSingleObject  ... ) == 0x0
 02271  1612   NtSetEventBoostPriority  (88, ...
 02112   876   NtWaitForSingleObject  ... ) == 0x0
 02272   876   NtSetEventBoostPriority  (88, ...
 02124  1628   NtWaitForSingleObject  ... ) == 0x0
 02273  1628   NtSetEventBoostPriority  (88, ...
 02137   940   NtWaitForSingleObject  ... ) == 0x0
 02274   940   NtSetEventBoostPriority  (88, ...
 02161  1316   NtWaitForSingleObject  ... ) == 0x0
 02275  1316   NtSetEventBoostPriority  (88, ...
 02174  1924   NtWaitForSingleObject  ... ) == 0x0
 02276  1924   NtSetEventBoostPriority  (88, ...
 02185   644   NtWaitForSingleObject  ... ) == 0x0
 02277   644   NtSetEventBoostPriority  (88, ...
 02209  1288   NtWaitForSingleObject  ... ) == 0x0
 02278  1288   NtSetEventBoostPriority  (88, ...
 02222   752   NtWaitForSingleObject  ... ) == 0x0
 02279   752   NtSetEventBoostPriority  (88, ...
 02234   624   NtWaitForSingleObject  ... ) == 0x0
 02280   624   NtSetEventBoostPriority  (88, ...
 02247   380   NtWaitForSingleObject  ... ) == 0x0
 02281   380   NtTestAlert  (... ) == 0x0
 02280   624   NtSetEventBoostPriority  ... ) == 0x0
 02279   752   NtSetEventBoostPriority  ... ) == 0x0
 02278  1288   NtSetEventBoostPriority  ... ) == 0x0
 02277   644   NtSetEventBoostPriority  ... ) == 0x0
 02276  1924   NtSetEventBoostPriority  ... ) == 0x0
 02275  1316   NtSetEventBoostPriority  ... ) == 0x0
 02274   940   NtSetEventBoostPriority  ... ) == 0x0
 02273  1628   NtSetEventBoostPriority  ... ) == 0x0
 02272   876   NtSetEventBoostPriority  ... ) == 0x0
 02271  1612   NtSetEventBoostPriority  ... ) == 0x0
 02270   520   NtSetEventBoostPriority  ... ) == 0x0
 02269  1120   NtSetEventBoostPriority  ... ) == 0x0
 02268  1484   NtSetEventBoostPriority  ... ) == 0x0
 02267   192   NtSetEventBoostPriority  ... ) == 0x0
 02266  1792   NtSetEventBoostPriority  ... ) == 0x0
 02265   784   NtSetEventBoostPriority  ... ) == 0x0
 02264  1104   NtSetEventBoostPriority  ... ) == 0x0
 02263  1568   NtSetEventBoostPriority  ... ) == 0x0
 02262   868   NtSetEventBoostPriority  ... ) == 0x0
 02282  1736   NtResumeThread  (712, ...
 02283   380   NtContinue  (88866096, 1, ...
 02284   624   NtTestAlert  (...
 02285   752   NtTestAlert  (...
 02286  1288   NtTestAlert  (...
 02287   644   NtTestAlert  (...
 02288  1924   NtTestAlert  (...
 02289  1316   NtTestAlert  (...
 02290   940   NtTestAlert  (...
 02291  1628   NtTestAlert  (...
 02292   876   NtTestAlert  (...
 02293  1612   NtTestAlert  (...
 02294   520   NtTestAlert  (...
 02295  1120   NtTestAlert  (...
 02296  1484   NtTestAlert  (...
 02297   192   NtTestAlert  (...
 02298  1792   NtTestAlert  (...
 02299   784   NtTestAlert  (...
 02300  1104   NtTestAlert  (...
 02301   868   NtSetEventBoostPriority  (132, ...
 02282  1736   NtResumeThread  ... 1, ) == 0x0
 02302   380   NtRegisterThreadTerminatePort  (24, ...
 02284   624   NtTestAlert  ... ) == 0x0
 02285   752   NtTestAlert  ... ) == 0x0
 02286  1288   NtTestAlert  ... ) == 0x0
 02287   644   NtTestAlert  ... ) == 0x0
 02288  1924   NtTestAlert  ... ) == 0x0
 02289  1316   NtTestAlert  ... ) == 0x0
 02290   940   NtTestAlert  ... ) == 0x0
 02291  1628   NtTestAlert  ... ) == 0x0
 02292   876   NtTestAlert  ... ) == 0x0
 02293  1612   NtTestAlert  ... ) == 0x0
 02294   520   NtTestAlert  ... ) == 0x0
 02295  1120   NtTestAlert  ... ) == 0x0
 02296  1484   NtTestAlert  ... ) == 0x0
 02297   192   NtTestAlert  ... ) == 0x0
 02298  1792   NtTestAlert  ... ) == 0x0
 02299   784   NtTestAlert  ... ) == 0x0
 02300  1104   NtTestAlert  ... ) == 0x0
 00696   808   NtWaitForSingleObject  ... ) == 0x0
 02301   868   NtSetEventBoostPriority  ... ) == 0x0
 02303  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02302   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02304   624   NtContinue  (87817520, 1, ...
 02305   752   NtContinue  (86768944, 1, ...
 02306  1288   NtContinue  (85720368, 1, ...
 02307   644   NtContinue  (84671792, 1, ...
 02308  1924   NtContinue  (83623216, 1, ...
 02309  1316   NtContinue  (82574640, 1, ...
 02310   940   NtContinue  (81526064, 1, ...
 02311  1628   NtContinue  (80477488, 1, ...
 02312   876   NtContinue  (79428912, 1, ...
 02313  1612   NtContinue  (78380336, 1, ...
 02314   520   NtContinue  (77331760, 1, ...
 02315  1120   NtContinue  (76283184, 1, ...
 02316  1484   NtContinue  (75234608, 1, ...
 02317   192   NtContinue  (74186032, 1, ...
 02318  1792   NtContinue  (73137456, 1, ...
 02319   784   NtContinue  (72088880, 1, ...
 02320   808   NtSetEventBoostPriority  (132, ...
 02321  1104   NtContinue  (71040304, 1, ...
 02322   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02303  1736   NtAllocateVirtualMemory  ... 89915392, 1048576, ) == 0x0
 02323   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02324   624   NtRegisterThreadTerminatePort  (24, ...
 02325   752   NtRegisterThreadTerminatePort  (24, ...
 02326  1288   NtRegisterThreadTerminatePort  (24, ...
 02327   644   NtRegisterThreadTerminatePort  (24, ...
 02328  1924   NtRegisterThreadTerminatePort  (24, ...
 02329  1316   NtRegisterThreadTerminatePort  (24, ...
 02330   940   NtRegisterThreadTerminatePort  (24, ...
 02331  1628   NtRegisterThreadTerminatePort  (24, ...
 02332   876   NtRegisterThreadTerminatePort  (24, ...
 02333  1612   NtRegisterThreadTerminatePort  (24, ...
 02334   520   NtRegisterThreadTerminatePort  (24, ...
 02335  1120   NtRegisterThreadTerminatePort  (24, ...
 02336  1484   NtRegisterThreadTerminatePort  (24, ...
 02337   192   NtRegisterThreadTerminatePort  (24, ...
 02338  1792   NtRegisterThreadTerminatePort  (24, ...
 00701  1252   NtWaitForSingleObject  ... ) == 0x0
 02320   808   NtSetEventBoostPriority  ... ) == 0x0
 02339   784   NtRegisterThreadTerminatePort  (24, ...
 02340  1104   NtRegisterThreadTerminatePort  (24, ...
 02341  1568   NtTestAlert  (...
 02342   776   NtTestAlert  (...
 02343  1736   NtAllocateVirtualMemory  (-1, 90955776, 0, 8192, 4096, 4, ...
 02323   380   NtDuplicateObject  ... 724, ) == 0x0
 02324   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02325   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02326  1288   NtRegisterThreadTerminatePort  ... ) == 0x0
 02327   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02328  1924   NtRegisterThreadTerminatePort  ... ) == 0x0
 02329  1316   NtRegisterThreadTerminatePort  ... ) == 0x0
 02330   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 02331  1628   NtRegisterThreadTerminatePort  ... ) == 0x0
 02332   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 02333  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 02334   520   NtRegisterThreadTerminatePort  ... ) == 0x0
 02335  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02336  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02337   192   NtRegisterThreadTerminatePort  ... ) == 0x0
 02344  1252   NtSetEventBoostPriority  (132, ...
 02338  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02345   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02339   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 02340  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02341  1568   NtTestAlert  ... ) == 0x0
 02342   776   NtTestAlert  ... ) == 0x0
 02343  1736   NtAllocateVirtualMemory  ... 90955776, 8192, ) == 0x0
 02346   380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02347   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02348   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02349  1288   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02350   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02351  1924   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02352  1316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02353   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02354  1628   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02355   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02356  1612   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02357   520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02358  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02359  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00703  2020   NtWaitForSingleObject  ... ) == 0x0
 02344  1252   NtSetEventBoostPriority  ... ) == 0x0
 02360   192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02361  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02322   868   NtCreateEvent  ... 728, ) == 0x0
 02362   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02363  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02364  1568   NtContinue  (69991728, 1, ...
 02365   776   NtContinue  (89914672, 1, ...
 02345   808   NtCreateEvent  ... 732, ) == 0x0
 02366  1736   NtProtectVirtualMemory  (-1, (0x56be000), 4096, 260, ...
 02346   380   NtWaitForSingleObject  ... ) == 0x102
 02347   624   NtDuplicateObject  ... 736, ) == 0x0
 02348   752   NtDuplicateObject  ... 740, ) == 0x0
 02349  1288   NtDuplicateObject  ... 744, ) == 0x0
 02350   644   NtDuplicateObject  ... 748, ) == 0x0
 02351  1924   NtDuplicateObject  ... 752, ) == 0x0
 02352  1316   NtDuplicateObject  ... 756, ) == 0x0
 02353   940   NtDuplicateObject  ... 760, ) == 0x0
 02354  1628   NtDuplicateObject  ... 764, ) == 0x0
 02355   876   NtDuplicateObject  ... 768, ) == 0x0
 02356  1612   NtDuplicateObject  ... 772, ) == 0x0
 02357   520   NtDuplicateObject  ... 776, ) == 0x0
 02358  1120   NtDuplicateObject  ... 780, ) == 0x0
 02367  2020   NtSetEventBoostPriority  (132, ...
 02359  1484   NtDuplicateObject  ... 784, ) == 0x0
 02368  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02360   192   NtDuplicateObject  ... 788, ) == 0x0
 02369   868   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ...
 02361  1792   NtDuplicateObject  ... 792, ) == 0x0
 02362   784   NtDuplicateObject  ... 796, ) == 0x0
 02370  1568   NtRegisterThreadTerminatePort  (24, ...
 02371   776   NtRegisterThreadTerminatePort  (24, ...
 02372   808   NtWaitForSingleObject  (292, 0, 0x0, ...
 02366  1736   NtProtectVirtualMemory  ... (0x56be000), 4096, 4, ) == 0x0
 02373   380   NtWaitForSingleObject  (132, 0, 0x0, ...
 02374   624   NtWaitForSingleObject  (292, 0, 0x0, ...
 02375   752   NtWaitForSingleObject  (292, 0, 0x0, ...
 02376  1288   NtWaitForSingleObject  (292, 0, 0x0, ...
 02377   644   NtWaitForSingleObject  (292, 0, 0x0, ...
 02378  1924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02379  1316   NtWaitForSingleObject  (292, 0, 0x0, ...
 02380   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02381  1628   NtWaitForSingleObject  (292, 0, 0x0, ...
 02382   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 02383  1612   NtWaitForSingleObject  (292, 0, 0x0, ...
 02384   520   NtWaitForSingleObject  (292, 0, 0x0, ...
 00704   896   NtWaitForSingleObject  ... ) == 0x0
 02367  2020   NtSetEventBoostPriority  ... ) == 0x0
 02385  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02386  1484   NtWaitForSingleObject  (292, 0, 0x0, ...
 02368  1252   NtCreateEvent  ... 800, ) == 0x0
 02387   192   NtWaitForSingleObject  (292, 0, 0x0, ...
 02369   868   NtAllocateVirtualMemory  ... 1409024, 4096, ) == 0x0
 02388  1792   NtWaitForSingleObject  (292, 0, 0x0, ...
 02389   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 02370  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 02371   776   NtRegisterThreadTerminatePort  ... ) == 0x0
 02390  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02391   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02363  1104   NtDuplicateObject  ... 804, ) == 0x0
 02392  1252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02393   868   NtSetEventBoostPriority  (292, ...
 02394  1568   NtWaitForSingleObject  (292, 0, 0x0, ...
 02395  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02390  1736   NtCreateThread  ... 808, {1636, 312}, ) == 0x0
 02396  1104   NtWaitForSingleObject  (292, 0, 0x0, ...
 02372   808   NtWaitForSingleObject  ... ) == 0x0
 02393   868   NtSetEventBoostPriority  ... ) == 0x0
 02397   776   NtWaitForSingleObject  (292, 0, 0x0, ...
 02395  2020   NtCreateEvent  ... 812, ) == 0x0
 02398  1736   NtQueryInformationThread  (808, Basic, 28, ...
 02399   808   NtSetEventBoostPriority  (292, ...
 02400   868   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12053684, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12053684, 188, ...
 02401  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02374   624   NtWaitForSingleObject  ... ) == 0x0
 02399   808   NtSetEventBoostPriority  ... ) == 0x0
 02398  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=312,}, 0x0, ) == 0x0
 02402   624   NtSetEventBoostPriority  (292, ...
 02400   868   NtConnectPort  ... 816, 0x0, 0x0, 0x0, 188, ) == 0x0
 02403   808   NtWaitForSingleObject  (292, 0, 0x0, ...
 02375   752   NtWaitForSingleObject  ... ) == 0x0
 02402   624   NtSetEventBoostPriority  ... ) == 0x0
 02404   868   NtRequestWaitReplyPort  (816, {200, 224, new_msg, 0, 1379128, 12, 2, 1310721}  (816, {200, 224, new_msg, 0, 1379128, 12, 2, 1310721} "\0\1\24\0\274\0\0\0\204B\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\\226\235\356\30m\202,x\1\24\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\310\177\25\0\242\253\206D\270\1\24\0\350\177\25\0h\1\24\0\0\0\0\0\0\0\0\0\350\177\25\0P\0\0\0\360\177\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\267\0\372\31\221|\310\362\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02405   752   NtSetEventBoostPriority  (292, ...
 02406  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0d\6\0\08\1\0\0" ...  ...
 02376  1288   NtWaitForSingleObject  ... ) == 0x0
 02405   752   NtSetEventBoostPriority  ... ) == 0x0
 02407  1288   NtSetEventBoostPriority  (292, ...
 02406  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75587, 0}  ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0d\6\0\08\1\0\0" )  ) == 0x0
 02404   868   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 868, 75586, 0}  ... {200, 224, reply, 0, 1636, 868, 75586, 0} "\7\1\24\0\274\0\0\0\204B\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\\226\235\356\30m\202,x\1\24\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\310\177\25\0\242\253\206D\270\1\24\0\350\177\25\0h\1\24\0\0\0\0\0\0\0\0\0\350\177\25\0P\0\0\0\360\177\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\267\0\372\31\221|\310\362\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02408   624   NtWaitForSingleObject  (292, 0, 0x0, ...
 02377   644   NtWaitForSingleObject  ... ) == 0x0
 02407  1288   NtSetEventBoostPriority  ... ) == 0x0
 02409  1736   NtResumeThread  (808, ...
 02410   868   NtRequestWaitReplyPort  (816, {64, 88, new_msg, 0, 1636, 868, 75535, 0}  (816, {64, 88, new_msg, 0, 1636, 868, 75535, 0} "\1\332\0\0A\2\10\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02411   644   NtSetEventBoostPriority  (292, ...
 02412   752   NtWaitForSingleObject  (292, 0, 0x0, ...
 02409  1736   NtResumeThread  ... 1, ) == 0x0
 02413  1288   NtWaitForSingleObject  (292, 0, 0x0, ...
 02378  1924   NtWaitForSingleObject  ... ) == 0x0
 02411   644   NtSetEventBoostPriority  ... ) == 0x0
 02414  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02415  1924   NtSetEventBoostPriority  (292, ...
 02416   312   NtWaitForSingleObject  (292, 0, 0x0, ...
 02417   644   NtWaitForSingleObject  (292, 0, 0x0, ...
 02410   868   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 868, 75588, 0}  ... {52, 76, reply, 0, 1636, 868, 75588, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02379  1316   NtWaitForSingleObject  ... ) == 0x0
 02415  1924   NtSetEventBoostPriority  ... ) == 0x0
 02418  1316   NtSetEventBoostPriority  (292, ...
 02419   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 02414  1736   NtAllocateVirtualMemory  ... 90963968, 1048576, ) == 0x0
 02380   940   NtWaitForSingleObject  ... ) == 0x0
 02418  1316   NtSetEventBoostPriority  ... ) == 0x0
 02420   940   NtSetEventBoostPriority  (292, ...
 02421  1736   NtAllocateVirtualMemory  (-1, 92004352, 0, 8192, 4096, 4, ...
 02422  1924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02381  1628   NtWaitForSingleObject  ... ) == 0x0
 02420   940   NtSetEventBoostPriority  ... ) == 0x0
 02421  1736   NtAllocateVirtualMemory  ... 92004352, 8192, ) == 0x0
 02423  1628   NtSetEventBoostPriority  (292, ...
 02424  1316   NtWaitForSingleObject  (292, 0, 0x0, ...
 02382   876   NtWaitForSingleObject  ... ) == 0x0
 02423  1628   NtSetEventBoostPriority  ... ) == 0x0
 02425  1736   NtProtectVirtualMemory  (-1, (0x57be000), 4096, 260, ...
 02426   876   NtSetEventBoostPriority  (292, ...
 02427   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02383  1612   NtWaitForSingleObject  ... ) == 0x0
 02426   876   NtSetEventBoostPriority  ... ) == 0x0
 02425  1736   NtProtectVirtualMemory  ... (0x57be000), 4096, 4, ) == 0x0
 02428  1612   NtSetEventBoostPriority  (292, ...
 02429  1628   NtWaitForSingleObject  (292, 0, 0x0, ...
 02384   520   NtWaitForSingleObject  ... ) == 0x0
 02428  1612   NtSetEventBoostPriority  ... ) == 0x0
 02430  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02431   520   NtSetEventBoostPriority  (292, ...
 02432   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 02433  1612   NtWaitForSingleObject  (292, 0, 0x0, ...
 02385  1120   NtWaitForSingleObject  ... ) == 0x0
 02431   520   NtSetEventBoostPriority  ... ) == 0x0
 02434  1120   NtSetEventBoostPriority  (292, ...
 02430  1736   NtCreateThread  ... 820, {1636, 1124}, ) == 0x0
 02386  1484   NtWaitForSingleObject  ... ) == 0x0
 02434  1120   NtSetEventBoostPriority  ... ) == 0x0
 02435  1484   NtSetEventBoostPriority  (292, ...
 02436  1736   NtQueryInformationThread  (820, Basic, 28, ...
 02437   520   NtWaitForSingleObject  (292, 0, 0x0, ...
 02387   192   NtWaitForSingleObject  ... ) == 0x0
 02435  1484   NtSetEventBoostPriority  ... ) == 0x0
 02436  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0
 02438   192   NtSetEventBoostPriority  (292, ...
 02439  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02388  1792   NtWaitForSingleObject  ... ) == 0x0
 02438   192   NtSetEventBoostPriority  ... ) == 0x0
 02440  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0d\6\0\0d\4\0\0" ...  ...
 02441  1792   NtSetEventBoostPriority  (292, ...
 02442  1484   NtWaitForSingleObject  (292, 0, 0x0, ...
 02389   784   NtWaitForSingleObject  ... ) == 0x0
 02441  1792   NtSetEventBoostPriority  ... ) == 0x0
 02440  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75589, 0}  ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0d\6\0\0d\4\0\0" )  ) == 0x0
 02443   784   NtSetEventBoostPriority  (292, ...
 02444   192   NtWaitForSingleObject  (292, 0, 0x0, ...
 02445  1792   NtWaitForSingleObject  (292, 0, 0x0, ...
 02391   896   NtWaitForSingleObject  ... ) == 0x0
 02443   784   NtSetEventBoostPriority  ... ) == 0x0
 02446   896   NtSetEventBoostPriority  (292, ...
 02447  1736   NtResumeThread  (820, ...
 02392  1252   NtWaitForSingleObject  ... ) == 0x0
 02446   896   NtSetEventBoostPriority  ... ) == 0x0
 02448  1252   NtSetEventBoostPriority  (292, ...
 02447  1736   NtResumeThread  ... 1, ) == 0x0
 02449   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 02396  1104   NtWaitForSingleObject  ... ) == 0x0
 02448  1252   NtSetEventBoostPriority  ... ) == 0x0
 02450  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02451  1104   NtSetEventBoostPriority  (292, ...
 02452   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02453  1124   NtWaitForSingleObject  (88, 0, 0x0, ...
 02397   776   NtWaitForSingleObject  ... ) == 0x0
 02451  1104   NtSetEventBoostPriority  ... ) == 0x0
 02450  1736   NtAllocateVirtualMemory  ... 92012544, 1048576, ) == 0x0
 02454   776   NtSetEventBoostPriority  (292, ...
 02455  1252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02394  1568   NtWaitForSingleObject  ... ) == 0x0
 02454   776   NtSetEventBoostPriority  ... ) == 0x0
 02456  1736   NtAllocateVirtualMemory  (-1, 93052928, 0, 8192, 4096, 4, ...
 02457  1568   NtSetEventBoostPriority  (292, ...
 02458   776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02401  2020   NtWaitForSingleObject  ... ) == 0x0
 02456  1736   NtAllocateVirtualMemory  ... 93052928, 8192, ) == 0x0
 02457  1568   NtSetEventBoostPriority  ... ) == 0x0
 02459  1104   NtWaitForSingleObject  (292, 0, 0x0, ...
 02460  2020   NtSetEventBoostPriority  (292, ...
 02458   776   NtDuplicateObject  ... 824, ) == 0x0
 02461  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02403   808   NtWaitForSingleObject  ... ) == 0x0
 02460  2020   NtSetEventBoostPriority  ... ) == 0x0
 02462   776   NtWaitForSingleObject  (292, 0, 0x0, ...
 02463   808   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02461  1568   NtDuplicateObject  ... 828, ) == 0x0
 02464  1736   NtProtectVirtualMemory  (-1, (0x58be000), 4096, 260, ...
 02463   808   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02465  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02466   808   NtSetEventBoostPriority  (292, ...
 02464  1736   NtProtectVirtualMemory  ... (0x58be000), 4096, 4, ) == 0x0
 02467  1568   NtWaitForSingleObject  (292, 0, 0x0, ...
 02468  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 832, {1636, 1404}, ) == 0x0
 02469  1736   NtQueryInformationThread  (832, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0
 02470  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0d\6\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0d\6\0\0|\5\0\0" )  ) == 0x0
 02471  1736   NtResumeThread  (832, ... 1, ) == 0x0
 02472  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02408   624   NtWaitForSingleObject  ... ) == 0x0
 02466   808   NtSetEventBoostPriority  ... ) == 0x0
 02473  1404   NtWaitForSingleObject  (88, 0, 0x0, ...
 02474   624   NtSetEventBoostPriority  (292, ...
 02475   808   NtWaitForSingleObject  (292, 0, 0x0, ...
 02412   752   NtWaitForSingleObject  ... ) == 0x0
 02474   624   NtSetEventBoostPriority  ... ) == 0x0
 02476   752   NtSetEventBoostPriority  (292, ...
 02413  1288   NtWaitForSingleObject  ... ) == 0x0
 02477  1288   NtSetEventBoostPriority  (292, ...
 02416   312   NtWaitForSingleObject  ... ) == 0x0
 02478   312   NtSetEventBoostPriority  (292, ...
 02417   644   NtWaitForSingleObject  ... ) == 0x0
 02479   644   NtSetEventBoostPriority  (292, ...
 02419   868   NtWaitForSingleObject  ... ) == 0x0
 02480   868   NtSetEventBoostPriority  (292, ...
 02422  1924   NtWaitForSingleObject  ... ) == 0x0
 02481  1924   NtSetEventBoostPriority  (292, ...
 02424  1316   NtWaitForSingleObject  ... ) == 0x0
 02482  1316   NtSetEventBoostPriority  (292, ...
 02427   940   NtWaitForSingleObject  ... ) == 0x0
 02483   940   NtSetEventBoostPriority  (292, ...
 02429  1628   NtWaitForSingleObject  ... ) == 0x0
 02484  1628   NtSetEventBoostPriority  (292, ...
 02432   876   NtWaitForSingleObject  ... ) == 0x0
 02485   876   NtSetEventBoostPriority  (292, ...
 02433  1612   NtWaitForSingleObject  ... ) == 0x0
 02486  1612   NtSetEventBoostPriority  (292, ...
 02437   520   NtWaitForSingleObject  ... ) == 0x0
 02487   520   NtSetEventBoostPriority  (292, ...
 02439  1120   NtWaitForSingleObject  ... ) == 0x0
 02488  1120   NtSetEventBoostPriority  (292, ...
 02442  1484   NtWaitForSingleObject  ... ) == 0x0
 02489  1484   NtSetEventBoostPriority  (292, ...
 02444   192   NtWaitForSingleObject  ... ) == 0x0
 02490   192   NtSetEventBoostPriority  (292, ...
 02445  1792   NtWaitForSingleObject  ... ) == 0x0
 02491  1792   NtSetEventBoostPriority  (292, ...
 02449   784   NtWaitForSingleObject  ... ) == 0x0
 02492   784   NtSetEventBoostPriority  (292, ...
 02452   896   NtWaitForSingleObject  ... ) == 0x0
 02493   896   NtSetEventBoostPriority  (292, ...
 02455  1252   NtWaitForSingleObject  ... ) == 0x0
 02494  1252   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02495  1252   NtSetEventBoostPriority  (292, ...
 02493   896   NtSetEventBoostPriority  ... ) == 0x0
 02492   784   NtSetEventBoostPriority  ... ) == 0x0
 02491  1792   NtSetEventBoostPriority  ... ) == 0x0
 02490   192   NtSetEventBoostPriority  ... ) == 0x0
 02489  1484   NtSetEventBoostPriority  ... ) == 0x0
 02488  1120   NtSetEventBoostPriority  ... ) == 0x0
 02487   520   NtSetEventBoostPriority  ... ) == 0x0
 02486  1612   NtSetEventBoostPriority  ... ) == 0x0
 02485   876   NtSetEventBoostPriority  ... ) == 0x0
 02484  1628   NtSetEventBoostPriority  ... ) == 0x0
 02483   940   NtSetEventBoostPriority  ... ) == 0x0
 02482  1316   NtSetEventBoostPriority  ... ) == 0x0
 02481  1924   NtSetEventBoostPriority  ... ) == 0x0
 02480   868   NtSetEventBoostPriority  ... ) == 0x0
 02479   644   NtSetEventBoostPriority  ... ) == 0x0
 02478   312   NtSetEventBoostPriority  ... ) == 0x0
 02477  1288   NtSetEventBoostPriority  ... ) == 0x0
 02476   752   NtSetEventBoostPriority  ... ) == 0x0
 02496   624   NtWaitForSingleObject  (292, 0, 0x0, ...
 02472  1736   NtAllocateVirtualMemory  ... 93061120, 1048576, ) == 0x0
 02497   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02498   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 02499  1792   NtWaitForSingleObject  (292, 0, 0x0, ...
 02500   192   NtWaitForSingleObject  (292, 0, 0x0, ...
 02501  1484   NtWaitForSingleObject  (292, 0, 0x0, ...
 02502  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02503   520   NtWaitForSingleObject  (292, 0, 0x0, ...
 02504  1612   NtWaitForSingleObject  (292, 0, 0x0, ...
 02505   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 02506  1628   NtWaitForSingleObject  (292, 0, 0x0, ...
 02507   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02508  1316   NtWaitForSingleObject  (292, 0, 0x0, ...
 02509  1924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02459  1104   NtWaitForSingleObject  ... ) == 0x0
 02495  1252   NtSetEventBoostPriority  ... ) == 0x0
 02510   644   NtWaitForSingleObject  (292, 0, 0x0, ...
 02511   868   NtClose  (728, ...
 02512  1288   NtWaitForSingleObject  (292, 0, 0x0, ...
 02513   752   NtWaitForSingleObject  (292, 0, 0x0, ...
 02514   312   NtSetEventBoostPriority  (88, ...
 02515  1736   NtAllocateVirtualMemory  (-1, 94101504, 0, 8192, 4096, 4, ...
 02516  1104   NtSetEventBoostPriority  (292, ...
 02517  1252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02511   868   NtClose  ... ) == 0x0
 02453  1124   NtWaitForSingleObject  ... ) == 0x0
 02514   312   NtSetEventBoostPriority  ... ) == 0x0
 02515  1736   NtAllocateVirtualMemory  ... 94101504, 8192, ) == 0x0
 02462   776   NtWaitForSingleObject  ... ) == 0x0
 02516  1104   NtSetEventBoostPriority  ... ) == 0x0
 02518  1124   NtSetEventBoostPriority  (88, ...
 02519   868   NtClose  (816, ...
 02520   312   NtTestAlert  (...
 02521   776   NtSetEventBoostPriority  (292, ...
 02522  1736   NtProtectVirtualMemory  (-1, (0x59be000), 4096, 260, ...
 02473  1404   NtWaitForSingleObject  ... ) == 0x0
 02518  1124   NtSetEventBoostPriority  ... ) == 0x0
 02523  1104   NtWaitForSingleObject  (292, 0, 0x0, ...
 02519   868   NtClose  ... ) == 0x0
 02465  2020   NtWaitForSingleObject  ... ) == 0x0
 02521   776   NtSetEventBoostPriority  ... ) == 0x0
 02520   312   NtTestAlert  ... ) == 0x0
 02524  1404   NtAllocateVirtualMemory  (-1, 8810496, 0, 4096, 4096, 4, ...
 02522  1736   NtProtectVirtualMemory  ... (0x59be000), 4096, 4, ) == 0x0
 02525  1124   NtTestAlert  (...
 02526  2020   NtSetEventBoostPriority  (292, ...
 02527   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02524  1404   NtAllocateVirtualMemory  ... 8810496, 4096, ) == 0x0
 02528   312   NtContinue  (90963248, 1, ...
 02529  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02467  1568   NtWaitForSingleObject  ... ) == 0x0
 02526  2020   NtSetEventBoostPriority  ... ) == 0x0
 02525  1124   NtTestAlert  ... ) == 0x0
 02527   868   NtCreateKey  ... 816, 2, ) == 0x0
 02530   776   NtWaitForSingleObject  (292, 0, 0x0, ...
 02531   312   NtRegisterThreadTerminatePort  (24, ...
 02532  1404   NtTestAlert  (...
 02533  1568   NtSetEventBoostPriority  (292, ...
 02534  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02535  1124   NtContinue  (92011824, 1, ...
 02529  1736   NtCreateThread  ... 728, {1636, 476}, ) == 0x0
 02536   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02475   808   NtWaitForSingleObject  ... ) == 0x0
 02533  1568   NtSetEventBoostPriority  ... ) == 0x0
 02532  1404   NtTestAlert  ... ) == 0x0
 02531   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 02537  1124   NtRegisterThreadTerminatePort  (24, ...
 02538  1736   NtQueryInformationThread  (728, Basic, 28, ...
 02539   808   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 02536   868   NtOpenKey  ... 836, ) == 0x0
 02540  1568   NtWaitForSingleObject  (292, 0, 0x0, ...
 02541  1404   NtContinue  (93060400, 1, ...
 02542   312   NtWaitForSingleObject  (292, 0, 0x0, ...
 02537  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 02539   808   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 02538  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=476,}, 0x0, ) == 0x0
 02543   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02544  1404   NtRegisterThreadTerminatePort  (24, ...
 02545  1124   NtWaitForSingleObject  (292, 0, 0x0, ...
 02546  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\334\1\0\0" ...  ...
 02543   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02544  1404   NtRegisterThreadTerminatePort  ... ) == 0x0
 02547   808   NtSetEventBoostPriority  (292, ...
 02546  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75592, 0}  ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\334\1\0\0" )  ) == 0x0
 02548   868   NtQueryValueKey  (816,  (816, "Hostname", Partial, 144, ... , Partial, 144, ...
 02549  1404   NtWaitForSingleObject  (292, 0, 0x0, ...
 02496   624   NtWaitForSingleObject  ... ) == 0x0
 02547   808   NtSetEventBoostPriority  ... ) == 0x0
 02548   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02550  1736   NtResumeThread  (728, ...
 02551   624   NtSetEventBoostPriority  (292, ...
 02552   808   NtWaitForSingleObject  (292, 0, 0x0, ...
 02497   896   NtWaitForSingleObject  ... ) == 0x0
 02550  1736   NtResumeThread  ... 1, ) == 0x0
 02553   896   NtSetEventBoostPriority  (292, ...
 02554  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02498   784   NtWaitForSingleObject  ... ) == 0x0
 02554  1736   NtAllocateVirtualMemory  ... 94109696, 1048576, ) == 0x0
 02555   784   NtSetEventBoostPriority  (292, ...
 02556  1736   NtAllocateVirtualMemory  (-1, 95150080, 0, 8192, 4096, 4, ...
 02499  1792   NtWaitForSingleObject  ... ) == 0x0
 02556  1736   NtAllocateVirtualMemory  ... 95150080, 8192, ) == 0x0
 02557  1792   NtSetEventBoostPriority  (292, ...
 02555   784   NtSetEventBoostPriority  ... ) == 0x0
 02553   896   NtSetEventBoostPriority  ... ) == 0x0
 02551   624   NtSetEventBoostPriority  ... ) == 0x0
 02558   868   NtQueryValueKey  (816,  (816, "Hostname", Partial, 144, ... , Partial, 144, ...
 02559   476   NtTestAlert  (...
 02500   192   NtWaitForSingleObject  ... ) == 0x0
 02560   784   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02561   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02562   624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02558   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02559   476   NtTestAlert  ... ) == 0x0
 02563   192   NtSetEventBoostPriority  (292, ...
 02564   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 02565   476   NtContinue  (94108976, 1, ...
 02501  1484   NtWaitForSingleObject  ... ) == 0x0
 02566   476   NtRegisterThreadTerminatePort  (24, ...
 02567  1484   NtSetEventBoostPriority  (292, ...
 02566   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 02502  1120   NtWaitForSingleObject  ... ) == 0x0
 02567  1484   NtSetEventBoostPriority  ... ) == 0x0
 02563   192   NtSetEventBoostPriority  ... ) == 0x0
 02557  1792   NtSetEventBoostPriority  ... ) == 0x0
 02568  1736   NtProtectVirtualMemory  (-1, (0x5abe000), 4096, 260, ...
 02560   784   NtWaitForSingleObject  ... ) == 0x102
 02562   624   NtWaitForSingleObject  ... ) == 0x102
 02569  1120   NtSetEventBoostPriority  (292, ...
 02570  1484   NtWaitForSingleObject  (292, 0, 0x0, ...
 02571   192   NtWaitForSingleObject  (332, 0, 0x0, ...
 02572  1792   NtWaitForSingleObject  (332, 0, 0x0, ...
 02568  1736   NtProtectVirtualMemory  ... (0x5abe000), 4096, 4, ) == 0x0
 02573   784   NtWaitForSingleObject  (132, 0, 0x0, ...
 02574   624   NtWaitForSingleObject  (132, 0, 0x0, ...
 02503   520   NtWaitForSingleObject  ... ) == 0x0
 02575  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02576   520   NtSetEventBoostPriority  (292, ...
 02575  1736   NtCreateThread  ... 840, {1636, 1964}, ) == 0x0
 02504  1612   NtWaitForSingleObject  ... ) == 0x0
 02577  1736   NtQueryInformationThread  (840, Basic, 28, ...
 02578  1612   NtSetEventBoostPriority  (292, ...
 02577  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=1964,}, 0x0, ) == 0x0
 02505   876   NtWaitForSingleObject  ... ) == 0x0
 02578  1612   NtSetEventBoostPriority  ... ) == 0x0
 02576   520   NtSetEventBoostPriority  ... ) == 0x0
 02569  1120   NtSetEventBoostPriority  ... ) == 0x0
 02579   476   NtWaitForSingleObject  (292, 0, 0x0, ...
 02580   876   NtSetEventBoostPriority  (292, ...
 02581  1612   NtWaitForSingleObject  (292, 0, 0x0, ...
 02582   520   NtWaitForSingleObject  (292, 0, 0x0, ...
 02583  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02506  1628   NtWaitForSingleObject  ... ) == 0x0
 02584  1628   NtSetEventBoostPriority  (292, ...
 02507   940   NtWaitForSingleObject  ... ) == 0x0
 02585   940   NtSetEventBoostPriority  (292, ...
 02508  1316   NtWaitForSingleObject  ... ) == 0x0
 02586  1316   NtSetEventBoostPriority  (292, ...
 02509  1924   NtWaitForSingleObject  ... ) == 0x0
 02587  1924   NtSetEventBoostPriority  (292, ...
 02510   644   NtWaitForSingleObject  ... ) == 0x0
 02588   644   NtSetEventBoostPriority  (292, ...
 02512  1288   NtWaitForSingleObject  ... ) == 0x0
 02589  1288   NtSetEventBoostPriority  (292, ...
 02517  1252   NtWaitForSingleObject  ... ) == 0x0
 02590  1252   NtSetEventBoostPriority  (292, ...
 02513   752   NtWaitForSingleObject  ... ) == 0x0
 02591   752   NtSetEventBoostPriority  (292, ...
 02523  1104   NtWaitForSingleObject  ... ) == 0x0
 02592  1104   NtSetEventBoostPriority  (292, ...
 02530   776   NtWaitForSingleObject  ... ) == 0x0
 02593   776   NtSetEventBoostPriority  (292, ...
 02534  2020   NtWaitForSingleObject  ... ) == 0x0
 02594  2020   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 02595  2020   NtSetEventBoostPriority  (292, ...
 02542   312   NtWaitForSingleObject  ... ) == 0x0
 02596   312   NtSetEventBoostPriority  (292, ...
 02540  1568   NtWaitForSingleObject  ... ) == 0x0
 02597  1568   NtSetEventBoostPriority  (292, ...
 02545  1124   NtWaitForSingleObject  ... ) == 0x0
 02598  1124   NtSetEventBoostPriority  (292, ...
 02549  1404   NtWaitForSingleObject  ... ) == 0x0
 02599  1404   NtSetEventBoostPriority  (292, ...
 02552   808   NtWaitForSingleObject  ... ) == 0x0
 02600   808   NtSetEventBoostPriority  (292, ...
 02561   896   NtWaitForSingleObject  ... ) == 0x0
 02601   896   NtSetEventBoostPriority  (292, ...
 02564   868   NtWaitForSingleObject  ... ) == 0x0
 02602   868   NtSetEventBoostPriority  (292, ...
 02570  1484   NtWaitForSingleObject  ... ) == 0x0
 02603  1484   NtSetEventBoostPriority  (292, ...
 02579   476   NtWaitForSingleObject  ... ) == 0x0
 02604   476   NtSetEventBoostPriority  (292, ...
 02581  1612   NtWaitForSingleObject  ... ) == 0x0
 02605  1612   NtSetEventBoostPriority  (292, ...
 02582   520   NtWaitForSingleObject  ... ) == 0x0
 02606   520   NtSetEventBoostPriority  (292, ...
 02583  1120   NtWaitForSingleObject  ... ) == 0x0
 02607  1120   NtWaitForSingleObject  (332, 0, 0x0, ...
 02606   520   NtSetEventBoostPriority  ... ) == 0x0
 02605  1612   NtSetEventBoostPriority  ... ) == 0x0
 02604   476   NtSetEventBoostPriority  ... ) == 0x0
 02603  1484   NtSetEventBoostPriority  ... ) == 0x0
 02602   868   NtSetEventBoostPriority  ... ) == 0x0
 02601   896   NtSetEventBoostPriority  ... ) == 0x0
 02600   808   NtSetEventBoostPriority  ... ) == 0x0
 02596   312   NtSetEventBoostPriority  ... ) == 0x0
 02593   776   NtSetEventBoostPriority  ... ) == 0x0
 02590  1252   NtSetEventBoostPriority  ... ) == 0x0
 02599  1404   NtSetEventBoostPriority  ... ) == 0x0
 02598  1124   NtSetEventBoostPriority  ... ) == 0x0
 02597  1568   NtSetEventBoostPriority  ... ) == 0x0
 02595  2020   NtSetEventBoostPriority  ... ) == 0x0
 02592  1104   NtSetEventBoostPriority  ... ) == 0x0
 02591   752   NtSetEventBoostPriority  ... ) == 0x0
 02589  1288   NtSetEventBoostPriority  ... ) == 0x0
 02588   644   NtSetEventBoostPriority  ... ) == 0x0
 02587  1924   NtSetEventBoostPriority  ... ) == 0x0
 02586  1316   NtSetEventBoostPriority  ... ) == 0x0
 02585   940   NtSetEventBoostPriority  ... ) == 0x0
 02584  1628   NtSetEventBoostPriority  ... ) == 0x0
 02580   876   NtSetEventBoostPriority  ... ) == 0x0
 02608  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0d\6\0\0\254\7\0\0" ...  ...
 02609   520   NtWaitForSingleObject  (332, 0, 0x0, ...
 02610   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02611  1612   NtWaitForSingleObject  (332, 0, 0x0, ...
 02612  1484   NtSetEventBoostPriority  (332, ...
 02613   868   NtClose  (816, ...
 02614   896   NtSetEventBoostPriority  (132, ...
 02615   808   NtAllocateVirtualMemory  (-1, 13094912, 0, 4096, 4096, 260, ...
 02616   776   NtWaitForSingleObject  (332, 0, 0x0, ...
 02617   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02618  1404   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02619  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02620  1568   NtWaitForSingleObject  (332, 0, 0x0, ...
 02621  1252   NtAllocateVirtualMemory  (-1, 16502784, 0, 4096, 4096, 260, ...
 02622  1104   NtWaitForSingleObject  (332, 0, 0x0, ...
 02623   752   NtWaitForSingleObject  (332, 0, 0x0, ...
 02624  1288   NtWaitForSingleObject  (332, 0, 0x0, ...
 02625   644   NtWaitForSingleObject  (332, 0, 0x0, ...
 02626  1924   NtWaitForSingleObject  (332, 0, 0x0, ...
 02627  1316   NtWaitForSingleObject  (332, 0, 0x0, ...
 02628   940   NtWaitForSingleObject  (332, 0, 0x0, ...
 02629  1628   NtWaitForSingleObject  (332, 0, 0x0, ...
 02630   876   NtWaitForSingleObject  (332, 0, 0x0, ...
 02608  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75593, 0}  ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0d\6\0\0\254\7\0\0" )  ) == 0x0
 02631  2020   NtAllocateVirtualMemory  (-1, 14405632, 0, 4096, 4096, 260, ...
 02571   192   NtWaitForSingleObject  ... ) == 0x0
 02612  1484   NtSetEventBoostPriority  ... ) == 0x0
 02613   868   NtClose  ... ) == 0x0
 00698  2016   NtWaitForSingleObject  ... ) == 0x0
 02614   896   NtSetEventBoostPriority  ... ) == 0x0
 02615   808   NtAllocateVirtualMemory  ... 13094912, 4096, ) == 0x0
 02610   476   NtDuplicateObject  ... 816, ) == 0x0
 02617   312   NtDuplicateObject  ... 844, ) == 0x0
 02618  1404   NtDuplicateObject  ... 848, ) == 0x0
 02619  1124   NtDuplicateObject  ... 852, ) == 0x0
 02621  1252   NtAllocateVirtualMemory  ... 16502784, 4096, ) == 0x0
 02632  1736   NtResumeThread  (840, ...
 02633   192   NtSetEventBoostPriority  (332, ...
 02631  2020   NtAllocateVirtualMemory  ... 14405632, 4096, ) == 0x0
 02634  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02635  2016   NtSetEventBoostPriority  (132, ...
 02636   868   NtClose  (836, ...
 02637   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02638   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02639   476   NtWaitForSingleObject  (332, 0, 0x0, ...
 02640   312   NtWaitForSingleObject  (332, 0, 0x0, ...
 02641  1404   NtWaitForSingleObject  (332, 0, 0x0, ...
 02642  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02572  1792   NtWaitForSingleObject  ... ) == 0x0
 02633   192   NtSetEventBoostPriority  ... ) == 0x0
 02632  1736   NtResumeThread  ... 1, ) == 0x0
 02643  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00775   384   NtWaitForSingleObject  ... ) == 0x0
 02634  1484   NtWaitForSingleObject  ... ) == 0x102
 02636   868   NtClose  ... ) == 0x0
 02637   896   NtCreateEvent  ... 836, ) == 0x0
 02638   808   NtCreateEvent  ... 856, ) == 0x0
 02644  1792   NtSetEventBoostPriority  (332, ...
 02642  1252   NtCreateEvent  ... 860, ) == 0x0
 02635  2016   NtSetEventBoostPriority  ... ) == 0x0
 02645  1124   NtWaitForSingleObject  (332, 0, 0x0, ...
 02646  1964   NtTestAlert  (...
 02647  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02643  2020   NtCreateEvent  ... 864, ) == 0x0
 02648   384   NtSetEventBoostPriority  (132, ...
 02649  1484   NtWaitForSingleObject  (132, 0, 0x0, ...
 02650   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02651   896   NtAllocateVirtualMemory  (-1, 15454208, 0, 4096, 4096, 260, ...
 02607  1120   NtWaitForSingleObject  ... ) == 0x0
 02644  1792   NtSetEventBoostPriority  ... ) == 0x0
 02652   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02653  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02654  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02646  1964   NtTestAlert  ... ) == 0x0
 02655   192   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02656  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00786  1028   NtWaitForSingleObject  ... ) == 0x0
 02648   384   NtSetEventBoostPriority  ... ) == 0x0
 02647  1736   NtAllocateVirtualMemory  ... 95158272, 1048576, ) == 0x0
 02650   868   NtCreateKey  ... 868, 2, ) == 0x0
 02657  1120   NtSetEventBoostPriority  (332, ...
 02651   896   NtAllocateVirtualMemory  ... 15454208, 4096, ) == 0x0
 02652   808   NtDuplicateObject  ... 872, ) == 0x0
 02653  1252   NtDuplicateObject  ... 876, ) == 0x0
 02654  2016   NtCreateEvent  ... 880, ) == 0x0
 02658  1964   NtContinue  (95157552, 1, ...
 02655   192   NtWaitForSingleObject  ... ) == 0x102
 02659  1028   NtSetEventBoostPriority  (132, ...
 02656  2020   NtDuplicateObject  ... 884, ) == 0x0
 02660  1792   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02661  1736   NtAllocateVirtualMemory  (-1, 96198656, 0, 8192, 4096, 4, ...
 02662   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02609   520   NtWaitForSingleObject  ... ) == 0x0
 02657  1120   NtSetEventBoostPriority  ... ) == 0x0
 02663   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02664   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02665   808   NtWaitForSingleObject  (332, 0, 0x0, ...
 02666  1252   NtWaitForSingleObject  (332, 0, 0x0, ...
 02667  1964   NtRegisterThreadTerminatePort  (24, ...
 00788  2012   NtWaitForSingleObject  ... ) == 0x0
 02659  1028   NtSetEventBoostPriority  ... ) == 0x0
 02668   192   NtWaitForSingleObject  (132, 0, 0x0, ...
 02669  2016   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 02660  1792   NtWaitForSingleObject  ... ) == 0x102
 02661  1736   NtAllocateVirtualMemory  ... 96198656, 8192, ) == 0x0
 02670   520   NtWaitForSingleObject  (292, 0, 0x0, ...
 02662   384   NtCreateEvent  ... 888, ) == 0x0
 02671  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02663   868   NtOpenKey  ... 892, ) == 0x0
 02664   896   NtCreateEvent  ... 896, ) == 0x0
 02672  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02667  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 02673  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02669  2016   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 02674  1792   NtWaitForSingleObject  (292, 0, 0x0, ...
 02675  1736   NtProtectVirtualMemory  (-1, (0x5bbe000), 4096, 260, ...
 02676   384   NtWaitForSingleObject  (292, 0, 0x0, ...
 02677   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02678   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02679  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02673  1120   NtWaitForSingleObject  ... ) == 0x102
 02680  2016   NtSetEventBoostPriority  (292, ...
 02675  1736   NtProtectVirtualMemory  ... (0x5bbe000), 4096, 4, ) == 0x0
 02677   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02678   896   NtDuplicateObject  ... 900, ) == 0x0
 02679  1028   NtCreateEvent  ... 904, ) == 0x0
 02681  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02670   520   NtWaitForSingleObject  ... ) == 0x0
 02680  2016   NtSetEventBoostPriority  ... ) == 0x0
 02682  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02683   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02684   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02685  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02686   520   NtSetEventBoostPriority  (292, ...
 02687  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02688  1964   NtWaitForSingleObject  (292, 0, 0x0, ...
 02683   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02671  2020   NtWaitForSingleObject  ... ) == 0x0
 02686   520   NtSetEventBoostPriority  ... ) == 0x0
 02682  1736   NtCreateThread  ... 908, {1636, 740}, ) == 0x0
 02689  2020   NtSetEventBoostPriority  (292, ...
 02690   868   NtQueryValueKey  (868,  (868, "Domain", Partial, 144, ... , Partial, 144, ...
 02672  2012   NtWaitForSingleObject  ... ) == 0x0
 02689  2020   NtSetEventBoostPriority  ... ) == 0x0
 02691  1736   NtQueryInformationThread  (908, Basic, 28, ...
 02692  2012   NtSetEventBoostPriority  (292, ...
 02690   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02693  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02674  1792   NtWaitForSingleObject  ... ) == 0x0
 02692  2012   NtSetEventBoostPriority  ... ) == 0x0
 02691  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=740,}, 0x0, ) == 0x0
 02694   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 02695   520   NtSetEventBoostPriority  (332, ...
 02696  1792   NtSetEventBoostPriority  (292, ...
 02697  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0d\6\0\0\344\2\0\0" ...  ...
 02676   384   NtWaitForSingleObject  ... ) == 0x0
 02696  1792   NtSetEventBoostPriority  ... ) == 0x0
 02611  1612   NtWaitForSingleObject  ... ) == 0x0
 02695   520   NtSetEventBoostPriority  ... ) == 0x0
 02698   384   NtSetEventBoostPriority  (292, ...
 02697  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75594, 0}  ... {28, 56, reply, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0d\6\0\0\344\2\0\0" )  ) == 0x0
 02699  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02700  1612   NtWaitForSingleObject  (292, 0, 0x0, ...
 02681  1120   NtWaitForSingleObject  ... ) == 0x0
 02698   384   NtSetEventBoostPriority  ... ) == 0x0
 02701   520   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02702  1792   NtWaitForSingleObject  (132, 0, 0x0, ...
 02703  1120   NtSetEventBoostPriority  (292, ...
 02704  1736   NtResumeThread  (908, ...
 02701   520   NtWaitForSingleObject  ... ) == 0x102
 02684   896   NtWaitForSingleObject  ... ) == 0x0
 02703  1120   NtSetEventBoostPriority  ... ) == 0x0
 02704  1736   NtResumeThread  ... 1, ) == 0x0
 02705   896   NtSetEventBoostPriority  (292, ...
 02706   520   NtWaitForSingleObject  (292, 0, 0x0, ...
 02707   384   NtWaitForSingleObject  (292, 0, 0x0, ...
 02708   740   NtWaitForSingleObject  (292, 0, 0x0, ...
 02685  1028   NtWaitForSingleObject  ... ) == 0x0
 02705   896   NtSetEventBoostPriority  ... ) == 0x0
 02709  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02710  1120   NtWaitForSingleObject  (132, 0, 0x0, ...
 02711  1028   NtSetEventBoostPriority  (292, ...
 02709  1736   NtAllocateVirtualMemory  ... 96206848, 1048576, ) == 0x0
 02687  2016   NtWaitForSingleObject  ... ) == 0x0
 02711  1028   NtSetEventBoostPriority  ... ) == 0x0
 02712  2016   NtSetEventBoostPriority  (292, ...
 02713  1736   NtAllocateVirtualMemory  (-1, 97247232, 0, 8192, 4096, 4, ...
 02714   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02688  1964   NtWaitForSingleObject  ... ) == 0x0
 02712  2016   NtSetEventBoostPriority  ... ) == 0x0
 02713  1736   NtAllocateVirtualMemory  ... 97247232, 8192, ) == 0x0
 02715  1964   NtSetEventBoostPriority  (292, ...
 02716  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02717  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02693  2020   NtWaitForSingleObject  ... ) == 0x0
 02715  1964   NtSetEventBoostPriority  ... ) == 0x0
 02718  2020   NtSetEventBoostPriority  (292, ...
 02694   868   NtWaitForSingleObject  ... ) == 0x0
 02719   868   NtSetEventBoostPriority  (292, ...
 02700  1612   NtWaitForSingleObject  ... ) == 0x0
 02720  1612   NtSetEventBoostPriority  (292, ...
 02699  2012   NtWaitForSingleObject  ... ) == 0x0
 02721  2012   NtSetEventBoostPriority  (292, ...
 02707   384   NtWaitForSingleObject  ... ) == 0x0
 02722   384   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 02723   384   NtSetEventBoostPriority  (292, ...
 02721  2012   NtSetEventBoostPriority  ... ) == 0x0
 02720  1612   NtSetEventBoostPriority  ... ) == 0x0
 02719   868   NtSetEventBoostPriority  ... ) == 0x0
 02724  1964   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02718  2020   NtSetEventBoostPriority  ... ) == 0x0
 02725  1736   NtProtectVirtualMemory  (-1, (0x5cbe000), 4096, 260, ...
 02726  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02708   740   NtWaitForSingleObject  ... ) == 0x0
 02723   384   NtSetEventBoostPriority  ... ) == 0x0
 02727  1612   NtSetEventBoostPriority  (332, ...
 02728   868   NtQueryValueKey  (868,  (868, "Domain", Partial, 144, ... , Partial, 144, ...
 02729  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02725  1736   NtProtectVirtualMemory  ... (0x5cbe000), 4096, 4, ) == 0x0
 02724  1964   NtDuplicateObject  ... 912, ) == 0x0
 02730   740   NtSetEventBoostPriority  (292, ...
 02731   384   NtWaitForSingleObject  (292, 0, 0x0, ...
 02620  1568   NtWaitForSingleObject  ... ) == 0x0
 02727  1612   NtSetEventBoostPriority  ... ) == 0x0
 02728   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02732  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02733  1964   NtWaitForSingleObject  (292, 0, 0x0, ...
 02706   520   NtWaitForSingleObject  ... ) == 0x0
 02730   740   NtSetEventBoostPriority  ... ) == 0x0
 02734  1568   NtWaitForSingleObject  (292, 0, 0x0, ...
 02735  1612   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02736   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 02732  1736   NtCreateThread  ... 916, {1636, 1624}, ) == 0x0
 02737   520   NtSetEventBoostPriority  (292, ...
 02735  1612   NtWaitForSingleObject  ... ) == 0x102
 02714   896   NtWaitForSingleObject  ... ) == 0x0
 02738  1736   NtQueryInformationThread  (916, Basic, 28, ...
 02739  1612   NtWaitForSingleObject  (292, 0, 0x0, ...
 02740   896   NtSetEventBoostPriority  (292, ...
 02738  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0
 02737   520   NtSetEventBoostPriority  ... ) == 0x0
 02741   740   NtTestAlert  (...
 02716  1028   NtWaitForSingleObject  ... ) == 0x0
 02740   896   NtSetEventBoostPriority  ... ) == 0x0
 02742   520   NtWaitForSingleObject  (132, 0, 0x0, ...
 02743  1028   NtSetEventBoostPriority  (292, ...
 02741   740   NtTestAlert  ... ) == 0x0
 02744   896   NtWaitForSingleObject  (292, 0, 0x0, ...
 02717  2016   NtWaitForSingleObject  ... ) == 0x0
 02743  1028   NtSetEventBoostPriority  ... ) == 0x0
 02745   740   NtContinue  (96206128, 1, ...
 02746  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\0X\6\0\0" ...  ...
 02747  2016   NtSetEventBoostPriority  (292, ...
 02748  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02749   740   NtRegisterThreadTerminatePort  (24, ...
 02729  2020   NtWaitForSingleObject  ... ) == 0x0
 02747  2016   NtSetEventBoostPriority  ... ) == 0x0
 02746  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75595, 0}  ... {28, 56, reply, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\0X\6\0\0" )  ) == 0x0
 02750  2020   NtSetEventBoostPriority  (292, ...
 02749   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02751  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02731   384   NtWaitForSingleObject  ... ) == 0x0
 02750  2020   NtSetEventBoostPriority  ... ) == 0x0
 02752  1736   NtResumeThread  (916, ...
 02753   740   NtWaitForSingleObject  (292, 0, 0x0, ...
 02754   384   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ...
 02752  1736   NtResumeThread  ... 1, ) == 0x0
 02755  2020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02754   384   NtAllocateVirtualMemory  ... 1437696, 4096, ) == 0x0
 02756  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02757  1624   NtWaitForSingleObject  (292, 0, 0x0, ...
 02758   384   NtSetEventBoostPriority  (292, ...
 02733  1964   NtWaitForSingleObject  ... ) == 0x0
 02759  1964   NtSetEventBoostPriority  (292, ...
 02726  2012   NtWaitForSingleObject  ... ) == 0x0
 02760  2012   NtSetEventBoostPriority  (292, ...
 02734  1568   NtWaitForSingleObject  ... ) == 0x0
 02761  1568   NtSetEventBoostPriority  (292, ...
 02736   868   NtWaitForSingleObject  ... ) == 0x0
 02762   868   NtSetEventBoostPriority  (292, ...
 02739  1612   NtWaitForSingleObject  ... ) == 0x0
 02763  1612   NtSetEventBoostPriority  (292, ...
 02744   896   NtWaitForSingleObject  ... ) == 0x0
 02764   896   NtSetEventBoostPriority  (292, ...
 02748  1028   NtWaitForSingleObject  ... ) == 0x0
 02765  1028   NtSetEventBoostPriority  (292, ...
 02751  2016   NtWaitForSingleObject  ... ) == 0x0
 02766  2016   NtSetEventBoostPriority  (292, ...
 02755  2020   NtWaitForSingleObject  ... ) == 0x0
 02767  2020   NtSetEventBoostPriority  (292, ...
 02753   740   NtWaitForSingleObject  ... ) == 0x0
 02768   740   NtSetEventBoostPriority  (292, ...
 02757  1624   NtWaitForSingleObject  ... ) == 0x0
 02769  1624   NtTestAlert  (... ) == 0x0
 02767  2020   NtSetEventBoostPriority  ... ) == 0x0
 02762   868   NtSetEventBoostPriority  ... ) == 0x0
 02761  1568   NtSetEventBoostPriority  ... ) == 0x0
 02759  1964   NtSetEventBoostPriority  ... ) == 0x0
 02758   384   NtSetEventBoostPriority  ... ) == 0x0
 02768   740   NtSetEventBoostPriority  ... ) == 0x0
 02766  2016   NtSetEventBoostPriority  ... ) == 0x0
 02765  1028   NtSetEventBoostPriority  ... ) == 0x0
 02764   896   NtSetEventBoostPriority  ... ) == 0x0
 02763  1612   NtSetEventBoostPriority  ... ) == 0x0
 02760  2012   NtSetEventBoostPriority  ... ) == 0x0
 02756  1736   NtAllocateVirtualMemory  ... 97255424, 1048576, ) == 0x0
 02770  2020   NtWaitForSingleObject  (332, 0, 0x0, ...
 02771  1624   NtContinue  (97254704, 1, ...
 02772   868   NtClose  (868, ...
 02773  1568   NtSetEventBoostPriority  (332, ...
 02774   384   NtAllocateVirtualMemory  (-1, 20697088, 0, 4096, 4096, 260, ...
 02775   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02776  2016   NtAllocateVirtualMemory  (-1, 17551360, 0, 4096, 4096, 260, ...
 02777  1028   NtAllocateVirtualMemory  (-1, 19648512, 0, 4096, 4096, 260, ...
 02778   896   NtWaitForSingleObject  (332, 0, 0x0, ...
 02779  1612   NtWaitForSingleObject  (132, 0, 0x0, ...
 02780  2012   NtSetEventBoostPriority  (132, ...
 02781  1736   NtAllocateVirtualMemory  (-1, 98295808, 0, 8192, 4096, 4, ...
 02782  1964   NtWaitForSingleObject  (332, 0, 0x0, ...
 02783  1624   NtRegisterThreadTerminatePort  (24, ...
 02772   868   NtClose  ... ) == 0x0
 02622  1104   NtWaitForSingleObject  ... ) == 0x0
 02773  1568   NtSetEventBoostPriority  ... ) == 0x0
 02774   384   NtAllocateVirtualMemory  ... 20697088, 4096, ) == 0x0
 02775   740   NtDuplicateObject  ... 868, ) == 0x0
 02776  2016   NtAllocateVirtualMemory  ... 17551360, 4096, ) == 0x0
 02777  1028   NtAllocateVirtualMemory  ... 19648512, 4096, ) == 0x0
 01046  1096   NtWaitForSingleObject  ... ) == 0x0
 02780  2012   NtSetEventBoostPriority  ... ) == 0x0
 02781  1736   NtAllocateVirtualMemory  ... 98295808, 8192, ) == 0x0
 02783  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02784  1104   NtSetEventBoostPriority  (332, ...
 02785   868   NtClose  (892, ...
 02786  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02787   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02788   740   NtWaitForSingleObject  (332, 0, 0x0, ...
 02789  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02790  1096   NtSetEventBoostPriority  (132, ...
 02791  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02792  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02623   752   NtWaitForSingleObject  ... ) == 0x0
 02784  1104   NtSetEventBoostPriority  ... ) == 0x0
 02793  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02785   868   NtClose  ... ) == 0x0
 02786  1568   NtWaitForSingleObject  ... ) == 0x102
 02787   384   NtCreateEvent  ... 892, ) == 0x0
 01150   748   NtWaitForSingleObject  ... ) == 0x0
 02790  1096   NtSetEventBoostPriority  ... ) == 0x0
 02789  2016   NtCreateEvent  ... 920, ) == 0x0
 02791  1028   NtCreateEvent  ... 924, ) == 0x0
 02794   752   NtSetEventBoostPriority  (332, ...
 02792  2012   NtCreateEvent  ... 928, ) == 0x0
 02795  1736   NtProtectVirtualMemory  (-1, (0x5dbe000), 4096, 260, ...
 02793  1624   NtDuplicateObject  ... 932, ) == 0x0
 02796   868   NtWaitForSingleObject  (332, 0, 0x0, ...
 02797  1568   NtWaitForSingleObject  (132, 0, 0x0, ...
 02798  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02799   748   NtSetEventBoostPriority  (132, ...
 02800   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02801  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02624  1288   NtWaitForSingleObject  ... ) == 0x0
 02794   752   NtSetEventBoostPriority  ... ) == 0x0
 02802  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02803  2012   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 02795  1736   NtProtectVirtualMemory  ... (0x5dbe000), 4096, 4, ) == 0x0
 02804  1624   NtWaitForSingleObject  (292, 0, 0x0, ...
 02805  1096   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01156   252   NtWaitForSingleObject  ... ) == 0x0
 02799   748   NtSetEventBoostPriority  ... ) == 0x0
 02798  1104   NtWaitForSingleObject  ... ) == 0x102
 02800   384   NtDuplicateObject  ... 936, ) == 0x0
 02806  1288   NtSetEventBoostPriority  (332, ...
 02801  2016   NtDuplicateObject  ... 940, ) == 0x0
 02802  1028   NtDuplicateObject  ... 944, ) == 0x0
 02803  2012   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 02807  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02808   752   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02809   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02805  1096   NtCreateEvent  ... 948, ) == 0x0
 02810  1104   NtWaitForSingleObject  (132, 0, 0x0, ...
 02625   644   NtWaitForSingleObject  ... ) == 0x0
 02806  1288   NtSetEventBoostPriority  ... ) == 0x0
 02811   384   NtWaitForSingleObject  (292, 0, 0x0, ...
 02812  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02813  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02814  2012   NtSetEventBoostPriority  (292, ...
 02807  1736   NtCreateThread  ... 952, {1636, 1716}, ) == 0x0
 02808   752   NtWaitForSingleObject  ... ) == 0x102
 02815  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02816   644   NtWaitForSingleObject  (292, 0, 0x0, ...
 02817   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02804  1624   NtWaitForSingleObject  ... ) == 0x0
 02814  2012   NtSetEventBoostPriority  ... ) == 0x0
 02818  1736   NtQueryInformationThread  (952, Basic, 28, ...
 02819   752   NtWaitForSingleObject  (292, 0, 0x0, ...
 02820  1624   NtSetEventBoostPriority  (292, ...
 02817   748   NtCreateEvent  ... 956, ) == 0x0
 02821  1288   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02818  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=1716,}, 0x0, ) == 0x0
 02809   252   NtWaitForSingleObject  ... ) == 0x0
 02822   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 02821  1288   NtWaitForSingleObject  ... ) == 0x102
 02820  1624   NtSetEventBoostPriority  ... ) == 0x0
 02823  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02824   252   NtSetEventBoostPriority  (292, ...
 02825  1288   NtWaitForSingleObject  (292, 0, 0x0, ...
 02826  1624   NtWaitForSingleObject  (332, 0, 0x0, ...
 02811   384   NtWaitForSingleObject  ... ) == 0x0
 02824   252   NtSetEventBoostPriority  ... ) == 0x0
 02827   384   NtSetEventBoostPriority  (292, ...
 02828  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\264\6\0\0" ...  ...
 02812  2016   NtWaitForSingleObject  ... ) == 0x0
 02827   384   NtSetEventBoostPriority  ... ) == 0x0
 02829  2016   NtSetEventBoostPriority  (292, ...
 02828  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75596, 0}  ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\264\6\0\0" )  ) == 0x0
 02830   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02813  1028   NtWaitForSingleObject  ... ) == 0x0
 02829  2016   NtSetEventBoostPriority  ... ) == 0x0
 02831  1736   NtResumeThread  (952, ...
 02832  1028   NtSetEventBoostPriority  (292, ...
 02833   384   NtWaitForSingleObject  (292, 0, 0x0, ...
 02816   644   NtWaitForSingleObject  ... ) == 0x0
 02832  1028   NtSetEventBoostPriority  ... ) == 0x0
 02831  1736   NtResumeThread  ... 1, ) == 0x0
 02834   644   NtSetEventBoostPriority  (292, ...
 02835  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02836  1716   NtWaitForSingleObject  (292, 0, 0x0, ...
 02815  1096   NtWaitForSingleObject  ... ) == 0x0
 02834   644   NtSetEventBoostPriority  ... ) == 0x0
 02837  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02838  1096   NtSetEventBoostPriority  (292, ...
 02839  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02840   644   NtSetEventBoostPriority  (332, ...
 02819   752   NtWaitForSingleObject  ... ) == 0x0
 02838  1096   NtSetEventBoostPriority  ... ) == 0x0
 02841   752   NtSetEventBoostPriority  (292, ...
 02626  1924   NtWaitForSingleObject  ... ) == 0x0
 02840   644   NtSetEventBoostPriority  ... ) == 0x0
 02837  1736   NtAllocateVirtualMemory  ... 98304000, 1048576, ) == 0x0
 02822   748   NtWaitForSingleObject  ... ) == 0x0
 02842  1924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02841   752   NtSetEventBoostPriority  ... ) == 0x0
 02843   644   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02844   748   NtSetEventBoostPriority  (292, ...
 02845  1736   NtAllocateVirtualMemory  (-1, 99344384, 0, 8192, 4096, 4, ...
 02846  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02823  2012   NtWaitForSingleObject  ... ) == 0x0
 02844   748   NtSetEventBoostPriority  ... ) == 0x0
 02843   644   NtWaitForSingleObject  ... ) == 0x102
 02845  1736   NtAllocateVirtualMemory  ... 99344384, 8192, ) == 0x0
 02847  2012   NtSetEventBoostPriority  (292, ...
 02848   752   NtWaitForSingleObject  (132, 0, 0x0, ...
 02849   644   NtWaitForSingleObject  (292, 0, 0x0, ...
 02825  1288   NtWaitForSingleObject  ... ) == 0x0
 02847  2012   NtSetEventBoostPriority  ... ) == 0x0
 02850  1736   NtProtectVirtualMemory  (-1, (0x5ebe000), 4096, 260, ...
 02851   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 02852  1288   NtSetEventBoostPriority  (292, ...
 02853  2012   NtAllocateVirtualMemory  (-1, 18599936, 0, 4096, 4096, 260, ...
 02850  1736   NtProtectVirtualMemory  ... (0x5ebe000), 4096, 4, ) == 0x0
 02830   252   NtWaitForSingleObject  ... ) == 0x0
 02852  1288   NtSetEventBoostPriority  ... ) == 0x0
 02854   252   NtSetEventBoostPriority  (292, ...
 02855  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02853  2012   NtAllocateVirtualMemory  ... 18599936, 4096, ) == 0x0
 02833   384   NtWaitForSingleObject  ... ) == 0x0
 02854   252   NtSetEventBoostPriority  ... ) == 0x0
 02856  1288   NtWaitForSingleObject  (132, 0, 0x0, ...
 02857   384   NtSetEventBoostPriority  (292, ...
 02858  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02859   252   NtSetEventBoostPriority  (132, ...
 02835  2016   NtWaitForSingleObject  ... ) == 0x0
 02857   384   NtSetEventBoostPriority  ... ) == 0x0
 02855  1736   NtCreateThread  ... 960, {1636, 1440}, ) == 0x0
 02860  2016   NtSetEventBoostPriority  (292, ...
 02861   384   NtWaitForSingleObject  (292, 0, 0x0, ...
 02836  1716   NtWaitForSingleObject  ... ) == 0x0
 02860  2016   NtSetEventBoostPriority  ... ) == 0x0
 02862  1736   NtQueryInformationThread  (960, Basic, 28, ...
 01157   420   NtWaitForSingleObject  ... ) == 0x0
 02859   252   NtSetEventBoostPriority  ... ) == 0x0
 02863  1716   NtSetEventBoostPriority  (292, ...
 02864  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02862  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0
 02865   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 02839  1028   NtWaitForSingleObject  ... ) == 0x0
 02863  1716   NtSetEventBoostPriority  ... ) == 0x0
 02866   252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02867  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\240\5\0\0" ...  ...
 02868  1028   NtSetEventBoostPriority  (292, ...
 02866   252   NtCreateEvent  ... 964, ) == 0x0
 02842  1924   NtWaitForSingleObject  ... ) == 0x0
 02868  1028   NtSetEventBoostPriority  ... ) == 0x0
 02867  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75597, 0}  ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\240\5\0\0" )  ) == 0x0
 02869  1924   NtSetEventBoostPriority  (292, ...
 02870   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02871  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02872  1716   NtTestAlert  (...
 02846  1096   NtWaitForSingleObject  ... ) == 0x0
 02869  1924   NtSetEventBoostPriority  ... ) == 0x0
 02873  1736   NtResumeThread  (960, ...
 02874  1096   NtSetEventBoostPriority  (292, ...
 02872  1716   NtTestAlert  ... ) == 0x0
 02851   748   NtWaitForSingleObject  ... ) == 0x0
 02874  1096   NtSetEventBoostPriority  ... ) == 0x0
 02873  1736   NtResumeThread  ... 1, ) == 0x0
 02875   748   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ...
 02876  1716   NtContinue  (98303280, 1, ...
 02877  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02875   748   NtAllocateVirtualMemory  ... 1445888, 4096, ) == 0x0
 02878  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02879  1716   NtRegisterThreadTerminatePort  (24, ...
 02880  1924   NtSetEventBoostPriority  (332, ...
 02881  1440   NtWaitForSingleObject  (292, 0, 0x0, ...
 02882   748   NtSetEventBoostPriority  (292, ...
 02878  1736   NtAllocateVirtualMemory  ... 99352576, 1048576, ) == 0x0
 02879  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 02627  1316   NtWaitForSingleObject  ... ) == 0x0
 02880  1924   NtSetEventBoostPriority  ... ) == 0x0
 02883  1736   NtAllocateVirtualMemory  (-1, 100392960, 0, 8192, 4096, 4, ...
 02884  1316   NtWaitForSingleObject  (292, 0, 0x0, ...
 02885  1716   NtWaitForSingleObject  (292, 0, 0x0, ...
 02886  1924   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02883  1736   NtAllocateVirtualMemory  ... 100392960, 8192, ) == 0x0
 02849   644   NtWaitForSingleObject  ... ) == 0x0
 02882   748   NtSetEventBoostPriority  ... ) == 0x0
 02886  1924   NtWaitForSingleObject  ... ) == 0x102
 02887   644   NtSetEventBoostPriority  (292, ...
 02888   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 02889  1924   NtWaitForSingleObject  (132, 0, 0x0, ...
 02858  2012   NtWaitForSingleObject  ... ) == 0x0
 02887   644   NtSetEventBoostPriority  ... ) == 0x0
 02890  1736   NtProtectVirtualMemory  (-1, (0x5fbe000), 4096, 260, ...
 02891  2012   NtSetEventBoostPriority  (292, ...
 02892   644   NtWaitForSingleObject  (132, 0, 0x0, ...
 02890  1736   NtProtectVirtualMemory  ... (0x5fbe000), 4096, 4, ) == 0x0
 02861   384   NtWaitForSingleObject  ... ) == 0x0
 02891  2012   NtSetEventBoostPriority  ... ) == 0x0
 02893   384   NtSetEventBoostPriority  (292, ...
 02894  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02865   420   NtWaitForSingleObject  ... ) == 0x0
 02894  1736   NtCreateThread  ... 968, {1636, 1516}, ) == 0x0
 02895   420   NtSetEventBoostPriority  (292, ...
 02896  1736   NtQueryInformationThread  (968, Basic, 28, ...
 02864  2016   NtWaitForSingleObject  ... ) == 0x0
 02895   420   NtSetEventBoostPriority  ... ) == 0x0
 02897  2016   NtSetEventBoostPriority  (292, ...
 02896  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=1516,}, 0x0, ) == 0x0
 02893   384   NtSetEventBoostPriority  ... ) == 0x0
 02898  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02870   252   NtWaitForSingleObject  ... ) == 0x0
 02897  2016   NtSetEventBoostPriority  ... ) == 0x0
 02899   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 02900   384   NtWaitForSingleObject  (332, 0, 0x0, ...
 02901   252   NtSetEventBoostPriority  (292, ...
 02902  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02871  1028   NtWaitForSingleObject  ... ) == 0x0
 02901   252   NtSetEventBoostPriority  ... ) == 0x0
 02903  1028   NtSetEventBoostPriority  (292, ...
 02904  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0d\6\0\0\354\5\0\0" ...  ...
 02881  1440   NtWaitForSingleObject  ... ) == 0x0
 02904  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75598, 0}  ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0d\6\0\0\354\5\0\0" )  ) == 0x0
 02905  1440   NtSetEventBoostPriority  (292, ...
 02906  1736   NtResumeThread  (968, ...
 02877  1096   NtWaitForSingleObject  ... ) == 0x0
 02905  1440   NtSetEventBoostPriority  ... ) == 0x0
 02907  1096   NtSetEventBoostPriority  (292, ...
 02906  1736   NtResumeThread  ... 1, ) == 0x0
 02903  1028   NtSetEventBoostPriority  ... ) == 0x0
 02908   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02884  1316   NtWaitForSingleObject  ... ) == 0x0
 02909  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02910  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02911  1316   NtSetEventBoostPriority  (292, ...
 02907  1096   NtSetEventBoostPriority  ... ) == 0x0
 02912  1440   NtTestAlert  (...
 02913  1516   NtWaitForSingleObject  (292, 0, 0x0, ...
 02885  1716   NtWaitForSingleObject  ... ) == 0x0
 02911  1316   NtSetEventBoostPriority  ... ) == 0x0
 02914  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02912  1440   NtTestAlert  ... ) == 0x0
 02915  1716   NtSetEventBoostPriority  (292, ...
 02909  1736   NtAllocateVirtualMemory  ... 100401152, 1048576, ) == 0x0
 02888   748   NtWaitForSingleObject  ... ) == 0x0
 02916  1440   NtContinue  (99351856, 1, ...
 02917  1736   NtAllocateVirtualMemory  (-1, 101441536, 0, 8192, 4096, 4, ...
 02918   748   NtAllocateVirtualMemory  (-1, 1449984, 0, 4096, 4096, 4, ...
 02919  1440   NtRegisterThreadTerminatePort  (24, ...
 02917  1736   NtAllocateVirtualMemory  ... 101441536, 8192, ) == 0x0
 02918   748   NtAllocateVirtualMemory  ... 1449984, 4096, ) == 0x0
 02919  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 02920  1736   NtProtectVirtualMemory  (-1, (0x60be000), 4096, 260, ...
 02915  1716   NtSetEventBoostPriority  ... ) == 0x0
 02921  1316   NtSetEventBoostPriority  (332, ...
 02922  1440   NtWaitForSingleObject  (292, 0, 0x0, ...
 02920  1736   NtProtectVirtualMemory  ... (0x60be000), 4096, 4, ) == 0x0
 02923  1716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02628   940   NtWaitForSingleObject  ... ) == 0x0
 02921  1316   NtSetEventBoostPriority  ... ) == 0x0
 02924   748   NtSetEventBoostPriority  (292, ...
 02925  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02926   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02923  1716   NtDuplicateObject  ... 972, ) == 0x0
 02927  1316   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02898  2012   NtWaitForSingleObject  ... ) == 0x0
 02924   748   NtSetEventBoostPriority  ... ) == 0x0
 02925  1736   NtCreateThread  ... 976, {1636, 1664}, ) == 0x0
 02928  2012   NtSetEventBoostPriority  (292, ...
 02927  1316   NtWaitForSingleObject  ... ) == 0x102
 02929   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 02899   420   NtWaitForSingleObject  ... ) == 0x0
 02928  2012   NtSetEventBoostPriority  ... ) == 0x0
 02930  1736   NtQueryInformationThread  (976, Basic, 28, ...
 02931  1316   NtWaitForSingleObject  (292, 0, 0x0, ...
 02932   420   NtSetEventBoostPriority  (292, ...
 02933  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02930  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=1664,}, 0x0, ) == 0x0
 02934  1716   NtWaitForSingleObject  (292, 0, 0x0, ...
 02902  2016   NtWaitForSingleObject  ... ) == 0x0
 02932   420   NtSetEventBoostPriority  ... ) == 0x0
 02935  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0d\6\0\0\200\6\0\0" ...  ...
 02936  2016   NtSetEventBoostPriority  (292, ...
 02937   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 02908   252   NtWaitForSingleObject  ... ) == 0x0
 02936  2016   NtSetEventBoostPriority  ... ) == 0x0
 02935  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75599, 0}  ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0d\6\0\0\200\6\0\0" )  ) == 0x0
 02938   252   NtSetEventBoostPriority  (292, ...
 02939  2016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02910  1028   NtWaitForSingleObject  ... ) == 0x0
 02938   252   NtSetEventBoostPriority  ... ) == 0x0
 02940  1028   NtSetEventBoostPriority  (292, ...
 02913  1516   NtWaitForSingleObject  ... ) == 0x0
 02941  1516   NtSetEventBoostPriority  (292, ...
 02914  1096   NtWaitForSingleObject  ... ) == 0x0
 02942  1096   NtSetEventBoostPriority  (292, ...
 02922  1440   NtWaitForSingleObject  ... ) == 0x0
 02943  1440   NtSetEventBoostPriority  (292, ...
 02926   940   NtWaitForSingleObject  ... ) == 0x0
 02944   940   NtSetEventBoostPriority  (292, ...
 02929   748   NtWaitForSingleObject  ... ) == 0x0
 02945   748   NtSetEventBoostPriority  (292, ...
 02931  1316   NtWaitForSingleObject  ... ) == 0x0
 02946  1316   NtSetEventBoostPriority  (292, ...
 02934  1716   NtWaitForSingleObject  ... ) == 0x0
 02947  1716   NtSetEventBoostPriority  (292, ...
 02933  2012   NtWaitForSingleObject  ... ) == 0x0
 02948  2012   NtSetEventBoostPriority  (292, ...
 02937   420   NtWaitForSingleObject  ... ) == 0x0
 02949   420   NtSetEventBoostPriority  (292, ...
 02939  2016   NtWaitForSingleObject  ... ) == 0x0
 02950  2016   NtWaitForSingleObject  (332, 0, 0x0, ...
 02947  1716   NtSetEventBoostPriority  ... ) == 0x0
 02951  1716   NtWaitForSingleObject  (332, 0, 0x0, ...
 02945   748   NtSetEventBoostPriority  ... ) == 0x0
 02944   940   NtSetEventBoostPriority  ... ) == 0x0
 02942  1096   NtSetEventBoostPriority  ... ) == 0x0
 02941  1516   NtSetEventBoostPriority  ... ) == 0x0
 02940  1028   NtSetEventBoostPriority  ... ) == 0x0
 02952   252   NtAllocateVirtualMemory  (-1, 1454080, 0, 4096, 4096, 4, ...
 02949   420   NtSetEventBoostPriority  ... ) == 0x0
 02948  2012   NtSetEventBoostPriority  ... ) == 0x0
 02946  1316   NtSetEventBoostPriority  ... ) == 0x0
 02943  1440   NtSetEventBoostPriority  ... ) == 0x0
 02953  1736   NtResumeThread  (976, ...
 02954   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 02955   940   NtSetEventBoostPriority  (332, ...
 02956  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02957  1516   NtTestAlert  (...
 02958  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02959   420   NtSetEventBoostPriority  (132, ...
 02960  2012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02961  1316   NtWaitForSingleObject  (132, 0, 0x0, ...
 02962  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02953  1736   NtResumeThread  ... 1, ) == 0x0
 02629  1628   NtWaitForSingleObject  ... ) == 0x0
 02955   940   NtSetEventBoostPriority  ... ) == 0x0
 02957  1516   NtTestAlert  ... ) == 0x0
 01171   596   NtWaitForSingleObject  ... ) == 0x0
 02959   420   NtSetEventBoostPriority  ... ) == 0x0
 02962  1440   NtDuplicateObject  ... 980, ) == 0x0
 02963  1628   NtWaitForSingleObject  (292, 0, 0x0, ...
 02964  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02965   940   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02966   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 02967  1516   NtContinue  (100400432, 1, ...
 02952   252   NtAllocateVirtualMemory  ... 1454080, 4096, ) == 0x0
 02968  1664   NtWaitForSingleObject  (292, 0, 0x0, ...
 02969   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02964  1736   NtAllocateVirtualMemory  ... 101449728, 1048576, ) == 0x0
 02965   940   NtWaitForSingleObject  ... ) == 0x102
 02970  1516   NtRegisterThreadTerminatePort  (24, ...
 02971   252   NtSetEventBoostPriority  (292, ...
 02969   420   NtCreateEvent  ... 984, ) == 0x0
 02972  1736   NtAllocateVirtualMemory  (-1, 102490112, 0, 8192, 4096, 4, ...
 02973   940   NtWaitForSingleObject  (132, 0, 0x0, ...
 02970  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 02954   748   NtWaitForSingleObject  ... ) == 0x0
 02971   252   NtSetEventBoostPriority  ... ) == 0x0
 02974   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 02972  1736   NtAllocateVirtualMemory  ... 102490112, 8192, ) == 0x0
 02975  1440   NtWaitForSingleObject  (292, 0, 0x0, ...
 02976   748   NtSetEventBoostPriority  (292, ...
 02977  1516   NtWaitForSingleObject  (292, 0, 0x0, ...
 02978   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 02956  1096   NtWaitForSingleObject  ... ) == 0x0
 02976   748   NtSetEventBoostPriority  ... ) == 0x0
 02979  1736   NtProtectVirtualMemory  (-1, (0x61be000), 4096, 260, ...
 02980  1096   NtSetEventBoostPriority  (292, ...
 02981   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 02958  1028   NtWaitForSingleObject  ... ) == 0x0
 02980  1096   NtSetEventBoostPriority  ... ) == 0x0
 02979  1736   NtProtectVirtualMemory  ... (0x61be000), 4096, 4, ) == 0x0
 02982  1028   NtSetEventBoostPriority  (292, ...
 02983  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02960  2012   NtWaitForSingleObject  ... ) == 0x0
 02982  1028   NtSetEventBoostPriority  ... ) == 0x0
 02984  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02985  2012   NtSetEventBoostPriority  (292, ...
 02986  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02963  1628   NtWaitForSingleObject  ... ) == 0x0
 02985  2012   NtSetEventBoostPriority  ... ) == 0x0
 02984  1736   NtCreateThread  ... 988, {1636, 1972}, ) == 0x0
 02987  1628   NtSetEventBoostPriority  (292, ...
 02966   596   NtWaitForSingleObject  ... ) == 0x0
 02988   596   NtSetEventBoostPriority  (292, ...
 02968  1664   NtWaitForSingleObject  ... ) == 0x0
 02989  1664   NtSetEventBoostPriority  (292, ...
 02974   420   NtWaitForSingleObject  ... ) == 0x0
 02990   420   NtSetEventBoostPriority  (292, ...
 02975  1440   NtWaitForSingleObject  ... ) == 0x0
 02991  1440   NtSetEventBoostPriority  (292, ...
 02978   252   NtWaitForSingleObject  ... ) == 0x0
 02992   252   NtSetEventBoostPriority  (292, ...
 02977  1516   NtWaitForSingleObject  ... ) == 0x0
 02993  1516   NtSetEventBoostPriority  (292, ...
 02981   748   NtWaitForSingleObject  ... ) == 0x0
 02994   748   NtSetEventBoostPriority  (292, ...
 02983  1096   NtWaitForSingleObject  ... ) == 0x0
 02995  1096   NtSetEventBoostPriority  (292, ...
 02986  1028   NtWaitForSingleObject  ... ) == 0x0
 02996  1028   NtWaitForSingleObject  (332, 0, 0x0, ...
 02992   252   NtSetEventBoostPriority  ... ) == 0x0
 02991  1440   NtSetEventBoostPriority  ... ) == 0x0
 02990   420   NtSetEventBoostPriority  ... ) == 0x0
 02989  1664   NtSetEventBoostPriority  ... ) == 0x0
 02988   596   NtSetEventBoostPriority  ... ) == 0x0
 02987  1628   NtSetEventBoostPriority  ... ) == 0x0
 02997  1736   NtQueryInformationThread  (988, Basic, 28, ...
 02995  1096   NtSetEventBoostPriority  ... ) == 0x0
 02994   748   NtSetEventBoostPriority  ... ) == 0x0
 02993  1516   NtSetEventBoostPriority  ... ) == 0x0
 02998  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02999  1440   NtWaitForSingleObject  (332, 0, 0x0, ...
 03000   252   NtAllocateVirtualMemory  (-1, 34328576, 0, 4096, 4096, 260, ...
 03001   420   NtAllocateVirtualMemory  (-1, 22794240, 0, 4096, 4096, 260, ...
 03002  1664   NtTestAlert  (...
 03003   596   NtSetEventBoostPriority  (132, ...
 02997  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0
 03004  1096   NtAllocateVirtualMemory  (-1, 33280000, 0, 4096, 4096, 260, ...
 03005   748   NtAllocateVirtualMemory  (-1, 31182848, 0, 4096, 4096, 260, ...
 03006  1516   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02998  2012   NtCreateEvent  ... 992, ) == 0x0
 03007  1628   NtSetEventBoostPriority  (332, ...
 03000   252   NtAllocateVirtualMemory  ... 34328576, 4096, ) == 0x0
 03001   420   NtAllocateVirtualMemory  ... 22794240, 4096, ) == 0x0
 03002  1664   NtTestAlert  ... ) == 0x0
 01172  1300   NtWaitForSingleObject  ... ) == 0x0
 03003   596   NtSetEventBoostPriority  ... ) == 0x0
 03004  1096   NtAllocateVirtualMemory  ... 33280000, 4096, ) == 0x0
 03005   748   NtAllocateVirtualMemory  ... 31182848, 4096, ) == 0x0
 03006  1516   NtDuplicateObject  ... 996, ) == 0x0
 03008  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02630   876   NtWaitForSingleObject  ... ) == 0x0
 03007  1628   NtSetEventBoostPriority  ... ) == 0x0
 03009   252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03010   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03011  1300   NtSetEventBoostPriority  (132, ...
 03012  1664   NtContinue  (101449008, 1, ...
 03013   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03014  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0d\6\0\0\264\7\0\0" ...  ...
 03015  1096   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03016   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03017   876   NtSetEventBoostPriority  (332, ...
 03008  2012   NtDuplicateObject  ... 1000, ) == 0x0
 03018  1628   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03009   252   NtCreateEvent  ... 1004, ) == 0x0
 01173   376   NtWaitForSingleObject  ... ) == 0x0
 03011  1300   NtSetEventBoostPriority  ... ) == 0x0
 03010   420   NtCreateEvent  ... 1008, ) == 0x0
 03019  1664   NtRegisterThreadTerminatePort  (24, ...
 03013   596   NtCreateEvent  ... 1012, ) == 0x0
 03014  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75600, 0}  ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0d\6\0\0\264\7\0\0" )  ) == 0x0
 03015  1096   NtCreateEvent  ... 1016, ) == 0x0
 02616   776   NtWaitForSingleObject  ... ) == 0x0
 03017   876   NtSetEventBoostPriority  ... ) == 0x0
 03016   748   NtCreateEvent  ... 1020, ) == 0x0
 03020  2012   NtWaitForSingleObject  (332, 0, 0x0, ...
 03018  1628   NtWaitForSingleObject  ... ) == 0x102
 03021   376   NtSetEventBoostPriority  (132, ...
 03022   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03023  1300   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03024   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03019  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 03025   596   NtAllocateVirtualMemory  (-1, 1458176, 0, 4096, 4096, 4, ...
 03026  1736   NtResumeThread  (988, ...
 03027   776   NtWaitForSingleObject  (292, 0, 0x0, ...
 03028  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03029  1516   NtWaitForSingleObject  (292, 0, 0x0, ...
 03030   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01183  1168   NtWaitForSingleObject  ... ) == 0x0
 03021   376   NtSetEventBoostPriority  ... ) == 0x0
 03031  1628   NtWaitForSingleObject  (132, 0, 0x0, ...
 03022   252   NtDuplicateObject  ... 1024, ) == 0x0
 03032   876   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03024   420   NtDuplicateObject  ... 1028, ) == 0x0
 03033  1664   NtWaitForSingleObject  (292, 0, 0x0, ...
 03025   596   NtAllocateVirtualMemory  ... 1458176, 4096, ) == 0x0
 03026  1736   NtResumeThread  ... 1, ) == 0x0
 03028  1096   NtDuplicateObject  ... 1032, ) == 0x0
 03034  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 03030   748   NtDuplicateObject  ... 1036, ) == 0x0
 03023  1300   NtCreateEvent  ... 1040, ) == 0x0
 03035  1972   NtWaitForSingleObject  (292, 0, 0x0, ...
 03036   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03032   876   NtWaitForSingleObject  ... ) == 0x102
 03037   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 03038   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 03039  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03040  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 03041   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 03042  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 03036   376   NtCreateEvent  ... 1044, ) == 0x0
 03043   876   NtWaitForSingleObject  (132, 0, 0x0, ...
 03044   596   NtSetEventBoostPriority  (292, ...
 03045   376   NtWaitForSingleObject  (292, 0, 0x0, ...
 03027   776   NtWaitForSingleObject  ... ) == 0x0
 03044   596   NtSetEventBoostPriority  ... ) == 0x0
 03046   776   NtSetEventBoostPriority  (292, ...
 03029  1516   NtWaitForSingleObject  ... ) == 0x0
 03047  1516   NtSetEventBoostPriority  (292, ...
 03033  1664   NtWaitForSingleObject  ... ) == 0x0
 03048  1664   NtSetEventBoostPriority  (292, ...
 03034  1168   NtWaitForSingleObject  ... ) == 0x0
 03049  1168   NtSetEventBoostPriority  (292, ...
 03035  1972   NtWaitForSingleObject  ... ) == 0x0
 03050  1972   NtSetEventBoostPriority  (292, ...
 03037   252   NtWaitForSingleObject  ... ) == 0x0
 03051   252   NtSetEventBoostPriority  (292, ...
 03038   420   NtWaitForSingleObject  ... ) == 0x0
 03052   420   NtSetEventBoostPriority  (292, ...
 03040  1096   NtWaitForSingleObject  ... ) == 0x0
 03053  1096   NtSetEventBoostPriority  (292, ...
 03041   748   NtWaitForSingleObject  ... ) == 0x0
 03054   748   NtSetEventBoostPriority  (292, ...
 03042  1300   NtWaitForSingleObject  ... ) == 0x0
 03055  1300   NtSetEventBoostPriority  (292, ...
 03045   376   NtWaitForSingleObject  ... ) == 0x0
 03056   376   NtAllocateVirtualMemory  (-1, 1462272, 0, 4096, 4096, 4, ... 1462272, 4096, ) == 0x0
 03055  1300   NtSetEventBoostPriority  ... ) == 0x0
 03054   748   NtSetEventBoostPriority  ... ) == 0x0
 03053  1096   NtSetEventBoostPriority  ... ) == 0x0
 03052   420   NtSetEventBoostPriority  ... ) == 0x0
 03051   252   NtSetEventBoostPriority  ... ) == 0x0
 03050  1972   NtSetEventBoostPriority  ... ) == 0x0
 03047  1516   NtSetEventBoostPriority  ... ) == 0x0
 03057   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 03049  1168   NtSetEventBoostPriority  ... ) == 0x0
 03048  1664   NtSetEventBoostPriority  ... ) == 0x0
 03046   776   NtSetEventBoostPriority  ... ) == 0x0
 03039  1736   NtAllocateVirtualMemory  ... 102498304, 1048576, ) == 0x0
 03058   376   NtSetEventBoostPriority  (292, ...
 03059  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 03060   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 03061   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 03062   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 03063  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 03064  1516   NtWaitForSingleObject  (332, 0, 0x0, ...
 03065  1972   NtTestAlert  (...
 03066  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03067  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 03068  1736   NtAllocateVirtualMemory  (-1, 103538688, 0, 8192, 4096, 4, ...
 03057   596   NtWaitForSingleObject  ... ) == 0x0
 03058   376   NtSetEventBoostPriority  ... ) == 0x0
 03069   776   NtSetEventBoostPriority  (332, ...
 03065  1972   NtTestAlert  ... ) == 0x0
 03066  1664   NtDuplicateObject  ... 1048, ) == 0x0
 03070   596   NtSetEventBoostPriority  (292, ...
 03068  1736   NtAllocateVirtualMemory  ... 103538688, 8192, ) == 0x0
 03071   376   NtWaitForSingleObject  (292, 0, 0x0, ...
 02639   476   NtWaitForSingleObject  ... ) == 0x0
 03069   776   NtSetEventBoostPriority  ... ) == 0x0
 03072  1972   NtContinue  (102497584, 1, ...
 03059  1300   NtWaitForSingleObject  ... ) == 0x0
 03070   596   NtSetEventBoostPriority  ... ) == 0x0
 03073  1736   NtProtectVirtualMemory  (-1, (0x62be000), 4096, 260, ...
 03074   476   NtWaitForSingleObject  (292, 0, 0x0, ...
 03075   776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03076  1300   NtSetEventBoostPriority  (292, ...
 03077  1972   NtRegisterThreadTerminatePort  (24, ...
 03078  1664   NtWaitForSingleObject  (292, 0, 0x0, ...
 03073  1736   NtProtectVirtualMemory  ... (0x62be000), 4096, 4, ) == 0x0
 03060   748   NtWaitForSingleObject  ... ) == 0x0
 03076  1300   NtSetEventBoostPriority  ... ) == 0x0
 03075   776   NtWaitForSingleObject  ... ) == 0x102
 03077  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 03079   748   NtSetEventBoostPriority  (292, ...
 03080  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03081  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 03082   776   NtWaitForSingleObject  (292, 0, 0x0, ...
 03061   420   NtWaitForSingleObject  ... ) == 0x0
 03079   748   NtSetEventBoostPriority  ... ) == 0x0
 03083  1972   NtWaitForSingleObject  (292, 0, 0x0, ...
 03084   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 03080  1736   NtCreateThread  ... 1052, {1636, 780}, ) == 0x0
 03085   420   NtSetEventBoostPriority  (292, ...
 03086   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 03063  1096   NtWaitForSingleObject  ... ) == 0x0
 03087  1736   NtQueryInformationThread  (1052, Basic, 28, ...
 03085   420   NtSetEventBoostPriority  ... ) == 0x0
 03088  1096   NtSetEventBoostPriority  (292, ...
 03087  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=780,}, 0x0, ) == 0x0
 03089   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 03062   252   NtWaitForSingleObject  ... ) == 0x0
 03088  1096   NtSetEventBoostPriority  ... ) == 0x0
 03090  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0d\6\0\0\14\3\0\0" ...  ...
 03091   252   NtSetEventBoostPriority  (292, ...
 03092  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 03067  1168   NtWaitForSingleObject  ... ) == 0x0
 03090  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75601, 0}  ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0d\6\0\0\14\3\0\0" )  ) == 0x0
 03091   252   NtSetEventBoostPriority  ... ) == 0x0
 03093  1168   NtSetEventBoostPriority  (292, ...
 03094   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 03071   376   NtWaitForSingleObject  ... ) == 0x0
 03093  1168   NtSetEventBoostPriority  ... ) == 0x0
 03095   376   NtAllocateVirtualMemory  (-1, 1466368, 0, 4096, 4096, 4, ... 1466368, 4096, ) == 0x0
 03096  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 03097  1736   NtResumeThread  (1052, ...
 03098   376   NtSetEventBoostPriority  (292, ...
 03097  1736   NtResumeThread  ... 1, ) == 0x0
 03074   476   NtWaitForSingleObject  ... ) == 0x0
 03098   376   NtSetEventBoostPriority  ... ) == 0x0
 03099   476   NtSetEventBoostPriority  (292, ...
 03100  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03078  1664   NtWaitForSingleObject  ... ) == 0x0
 03099   476   NtSetEventBoostPriority  ... ) == 0x0
 03101   376   NtWaitForSingleObject  (292, 0, 0x0, ...
 03102  1664   NtSetEventBoostPriority  (292, ...
 03100  1736   NtAllocateVirtualMemory  ... 103546880, 1048576, ) == 0x0
 03103   780   NtWaitForSingleObject  (292, 0, 0x0, ...
 03081  1300   NtWaitForSingleObject  ... ) == 0x0
 03102  1664   NtSetEventBoostPriority  ... ) == 0x0
 03104  1736   NtAllocateVirtualMemory  (-1, 104587264, 0, 8192, 4096, 4, ...
 03105  1300   NtSetEventBoostPriority  (292, ...
 03106  1664   NtWaitForSingleObject  (292, 0, 0x0, ...
 03082   776   NtWaitForSingleObject  ... ) == 0x0
 03104  1736   NtAllocateVirtualMemory  ... 104587264, 8192, ) == 0x0
 03105  1300   NtSetEventBoostPriority  ... ) == 0x0
 03107   476   NtSetEventBoostPriority  (332, ...
 03108   776   NtSetEventBoostPriority  (292, ...
 03109  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 02640   312   NtWaitForSingleObject  ... ) == 0x0
 03107   476   NtSetEventBoostPriority  ... ) == 0x0
 03084   596   NtWaitForSingleObject  ... ) == 0x0
 03110   312   NtWaitForSingleObject  (292, 0, 0x0, ...
 03111   476   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03112   596   NtSetEventBoostPriority  (292, ...
 03111   476   NtWaitForSingleObject  ... ) == 0x102
 03083  1972   NtWaitForSingleObject  ... ) == 0x0
 03112   596   NtSetEventBoostPriority  ... ) == 0x0
 03113  1972   NtSetEventBoostPriority  (292, ...
 03114   476   NtWaitForSingleObject  (132, 0, 0x0, ...
 03089   420   NtWaitForSingleObject  ... ) == 0x0
 03115   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 03113  1972   NtSetEventBoostPriority  ... ) == 0x0
 03108   776   NtSetEventBoostPriority  ... ) == 0x0
 03116  1736   NtProtectVirtualMemory  (-1, (0x63be000), 4096, 260, ...
 03117   420   NtSetEventBoostPriority  (292, ...
 03118  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03119   776   NtWaitForSingleObject  (132, 0, 0x0, ...
 03116  1736   NtProtectVirtualMemory  ... (0x63be000), 4096, 4, ) == 0x0
 03086   748   NtWaitForSingleObject  ... ) == 0x0
 03117   420   NtSetEventBoostPriority  ... ) == 0x0
 03118  1972   NtDuplicateObject  ... 1056, ) == 0x0
 03120   748   NtSetEventBoostPriority  (292, ...
 03121  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03122   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 03092  1096   NtWaitForSingleObject  ... ) == 0x0
 03121  1736   NtCreateThread  ... 1060, {1636, 1656}, ) == 0x0
 03123  1096   NtSetEventBoostPriority  (292, ...
 03124  1736   NtQueryInformationThread  (1060, Basic, 28, ...
 03094   252   NtWaitForSingleObject  ... ) == 0x0
 03124  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0
 03125   252   NtSetEventBoostPriority  (292, ...
 03123  1096   NtSetEventBoostPriority  ... ) == 0x0
 03120   748   NtSetEventBoostPriority  ... ) == 0x0
 03126  1972   NtWaitForSingleObject  (292, 0, 0x0, ...
 03096  1168   NtWaitForSingleObject  ... ) == 0x0
 03125   252   NtSetEventBoostPriority  ... ) == 0x0
 03127  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 03128   748   NtWaitForSingleObject  (292, 0, 0x0, ...
 03129  1168   NtSetEventBoostPriority  (292, ...
 03130  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0d\6\0\0x\6\0\0" ...  ...
 03101   376   NtWaitForSingleObject  ... ) == 0x0
 03130  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75602, 0}  ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0d\6\0\0x\6\0\0" )  ) == 0x0
 03131   376   NtSetEventBoostPriority  (292, ...
 03132  1736   NtResumeThread  (1060, ...
 03103   780   NtWaitForSingleObject  ... ) == 0x0
 03131   376   NtSetEventBoostPriority  ... ) == 0x0
 03133   780   NtSetEventBoostPriority  (292, ...
 03132  1736   NtResumeThread  ... 1, ) == 0x0
 03129  1168   NtSetEventBoostPriority  ... ) == 0x0
 03134   252   NtWaitForSingleObject  (292, 0, 0x0, ...
 03106  1664   NtWaitForSingleObject  ... ) == 0x0
 03133   780   NtSetEventBoostPriority  ... ) == 0x0
 03135  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03136  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 03137  1664   NtSetEventBoostPriority  (292, ...
 03138   376   NtWaitForSingleObject  (292, 0, 0x0, ...
 03139  1656   NtWaitForSingleObject  (88, 0, 0x0, ...
 03140   780   NtSetEventBoostPriority  (88, ...
 03109  1300   NtWaitForSingleObject  ... ) == 0x0
 03139  1656   NtWaitForSingleObject  ... ) == 0x0
 03140   780   NtSetEventBoostPriority  ... ) == 0x0
 03141  1656   NtWaitForSingleObject  (292, 0, 0x0, ...
 03142  1300   NtSetEventBoostPriority  (292, ...
 03143   780   NtTestAlert  (...
 03110   312   NtWaitForSingleObject  ... ) == 0x0
 03142  1300   NtSetEventBoostPriority  ... ) == 0x0
 03144   312   NtSetEventBoostPriority  (292, ...
 03143   780   NtTestAlert  ... ) == 0x0
 03137  1664   NtSetEventBoostPriority  ... ) == 0x0
 03135  1736   NtAllocateVirtualMemory  ... 104595456, 1048576, ) == 0x0
 03115   596   NtWaitForSingleObject  ... ) == 0x0
 03144   312   NtSetEventBoostPriority  ... ) == 0x0
 03145   780   NtContinue  (103546160, 1, ...
 03146  1664   NtWaitForSingleObject  (332, 0, 0x0, ...
 03147   596   NtSetEventBoostPriority  (292, ...
 03148  1736   NtAllocateVirtualMemory  (-1, 105635840, 0, 8192, 4096, 4, ...
 03149  1300   NtWaitForSingleObject  (292, 0, 0x0, ...
 03150   780   NtRegisterThreadTerminatePort  (24, ...
 03122   420   NtWaitForSingleObject  ... ) == 0x0
 03148  1736   NtAllocateVirtualMemory  ... 105635840, 8192, ) == 0x0
 03147   596   NtSetEventBoostPriority  ... ) == 0x0
 03151   312   NtSetEventBoostPriority  (332, ...
 03152   420   NtSetEventBoostPriority  (292, ...
 03153  1736   NtProtectVirtualMemory  (-1, (0x64be000), 4096, 260, ...
 03154   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 02641  1404   NtWaitForSingleObject  ... ) == 0x0
 03151   312   NtSetEventBoostPriority  ... ) == 0x0
 03126  1972   NtWaitForSingleObject  ... ) == 0x0
 03152   420   NtSetEventBoostPriority  ... ) == 0x0
 03153  1736   NtProtectVirtualMemory  ... (0x64be000), 4096, 4, ) == 0x0
 03155  1404   NtWaitForSingleObject  (292, 0, 0x0, ...
 03156  1972   NtSetEventBoostPriority  (292, ...
 03157   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03158   420   NtWaitForSingleObject  (292, 0, 0x0, ...
 03127  1096   NtWaitForSingleObject  ... ) == 0x0
 03156  1972   NtSetEventBoostPriority  ... ) == 0x0
 03159  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03157   312   NtWaitForSingleObject  ... ) == 0x102
 03150   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 03160  1096   NtSetEventBoostPriority  (292, ...
 03161  1972   NtWaitForSingleObject  (292, 0, 0x0, ...
 03162   312   NtWaitForSingleObject  (132, 0, 0x0, ...