Summary:


NtAdjustPrivilegesToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryInformationFile(>)  7 
NtQueryAttributesFile(>)  62 

NtGdiCreateBitmap(>)  1 
NtNotifyChangeKey(>)  2 
NtQueryInformationProcess(>)  7 
NtCreateEvent(>)  88 

NtGdiInit(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateFile(>)  8 
NtContinue(>)  89 

NtGdiQueryFontAssocInfo(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtQueryVirtualMemory(>)  9 
NtMapViewOfSection(>)  101 

NtGdiSelectBitmap(>)  1 
NtSecureConnectPort(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtWriteVirtualMemory(>)  116 

NtOpenKeyedEvent(>)  1 
NtSetInformationObject(>)  2 
NtFsControlFile(>)  10 
NtQuerySystemInformation(>)  123 

NtOpenSymbolicLinkObject(>)  1 
NtDelayExecution(>)  3 
NtOpenThreadToken(>)  11 
NtOpenKey(>)  125 

NtQueryInstallUILanguage(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetInformationThread(>)  11 
NtResumeThread(>)  127 

NtQueryObject(>)  1 
NtOpenProcessToken(>)  3 
NtQuerySection(>)  12 
NtCreateThread(>)  134 

NtQueryPerformanceCounter(>)  1 
NtOpenProcessTokenEx(>)  3 
NtSetInformationFile(>)  12 
NtQueryInformationThread(>)  144 

NtQuerySymbolicLinkObject(>)  1 
NtOpenThreadTokenEx(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtTestAlert(>)  169 

NtQuerySystemTime(>)  1 
NtReadFile(>)  3 
NtSetValueKey(>)  17 
NtRegisterThreadTerminatePort(>)  172 

NtRaiseException(>)  1 
NtFreeVirtualMemory(>)  4 
NtCreateKey(>)  20 
NtRequestWaitReplyPort(>)  173 

NtSetInformationProcess(>)  1 
NtQueryDefaultLocale(>)  4 
NtCreateSection(>)  26 
NtDuplicateObject(>)  178 

NtUserCallNoParam(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtOpenFile(>)  29 
NtQueryValueKey(>)  249 

NtUserGetObjectInformation(>)  1 
NtCreateMutant(>)  5 
NtOpenProcess(>)  29 
NtClose(>)  276 

NtUserGetProcessWindowStation(>)  1 
NtGdiGetStockObject(>)  5 
NtDeviceIoControlFile(>)  36 
NtProtectVirtualMemory(>)  362 

NtUserGetThreadDesktop(>)  1 
NtWriteFile(>)  5 
NtUnmapViewOfSection(>)  45 
NtAllocateVirtualMemory(>)  365 

NtCallbackReturn(>)  2 
NtConnectPort(>)  6 
NtOpenSection(>)  51 
NtSetEventBoostPriority(>)  617 

NtCreateIoCompletion(>)  2 
NtQueryInformationToken(>)  6 
NtFlushInstructionCache(>)  52 
NtWaitForSingleObject(>)  824 


Trace:
 00001  1744   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1744   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1744   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1744   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1744   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1744   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1744   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1744   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1744   NtClose  (12, ... ) == 0x0
 00015  1744   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1744   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1744   NtClose  (16, ... ) == 0x0
 00021  1744   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1744   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1744   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1744   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1744   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1744   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1744   NtClose  (16, ... ) == 0x0
 00030  1744   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1744   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1744   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1744   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75470, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75470, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75470, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1744   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1744   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1744   NtClose  (16, ... ) == 0x0
 00041  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1744   NtClose  (16, ... ) == 0x0
 00044  1744   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1744   NtClose  (16, ... ) == 0x0
 00048  1744   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1744   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1744   NtClose  (16, ... ) == 0x0
 00052  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1744   NtClose  (16, ... ) == 0x0
 00055  1744   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1744   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1744   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75471, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1736, 1744, 75471, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75471, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75472, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1744   NtProtectVirtualMemory  (-1, (0x409000), 118800, 4, ... (0x409000), 122880, 128, ) == 0x0
 00062  1744   NtProtectVirtualMemory  (-1, (0x409000), 122880, 128, ... (0x409000), 122880, 4, ) == 0x0
 00063  1744   NtFlushInstructionCache  (-1, 4231168, 118800, ... ) == 0x0
 00064  1744   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1744   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066  1744   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067  1744   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068  1744   NtClose  (16, ... ) == 0x0
 00069  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070  1744   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071  1744   NtClose  (16, ... ) == 0x0
 00072  1744   NtTestAlert  (... ) == 0x0
 00073  1744   NtContinue  (1244464, 1, ...
 00074  1744   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x420010,}, 4, ... ) == 0x0
 00075  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076  1744   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077  1744   NtClose  (16, ... ) == 0x0
 00078  1744   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081  1744   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00082  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085  1744   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00095  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099  1744   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00100  1744   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00101  1744   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00102  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0
 00103  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00104  1744   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00105  1744   NtClose  (36, ... ) == 0x0
 00106  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00107  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00108  1744   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00109  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00110  1744   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00111  1744   NtClose  (36, ... ) == 0x0
 00112  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00113  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00114  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00115  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00116  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00117  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00118  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00119  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00120  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00121  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00122  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00123  1744   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00124  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00125  1744   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00126  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00127  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00128  1744   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00129  1744   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00130  1744   NtClose  (36, ... ) == 0x0
 00131  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00132  1744   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00133  1744   NtClose  (36, ... ) == 0x0
 00134  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00135  1744   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00136  1744   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00137  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139  1744   NtOpenProcessToken  (-1, 0x20, ... 40, ) == 0x0
 00140  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00141  1744   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142  1744   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00143  1744   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00144  1744   NtClose  (44, ... ) == 0x0
 00145  1744   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00146  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00147  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00148  1744   NtQuerySystemTime  (... {1583520858, 29927927}, ) == 0x0
 00149  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00150  1744   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00151  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00152  1744   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00153  1744   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00154  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00155  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00156  1744   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00157  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00158  1744   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00159  1744   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00160  1744   NtClose  (68, ... ) == 0x0
 00161  1744   NtClose  (64, ... ) == 0x0
 00162  1744   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00163  1744   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00164  1744   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00165  1744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00166  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00167  1744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00168  1744   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00169  1744   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00170  1744   NtSetInformationFile  (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00171  1744   NtSetInformationFile  (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00172  1744   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00173  1744   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00174  1744   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00175  1744   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00176  1744   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00177  1744   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340 \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) \0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340 \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) == 0x103
 00178  1744   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00179  1744   NtClose  (76, ... ) == 0x0
 00180  1744   NtClose  (80, ... ) == 0x0
 00181  1744   NtAdjustPrivilegesToken  (40, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00182  1744   NtClose  (40, ... ) == 0x0
 00183  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00184  1744   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00185  1744   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0
 00186  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00187  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00188  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00189  1744   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00190  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00191  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00192  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00193  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00194  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00195  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00196  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00197  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00198  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00199  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00200  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00201  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00202  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0
 00203  1744   NtMapViewOfSection  (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00204  1744   NtClose  (76, ... ) == 0x0
 00205  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00206  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00207  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00208  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00209  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00210  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00211  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00212  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00213  1744   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00214  1744   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00215  1744   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00216  1744   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 1268}, ) == 0x0
 00217  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75473, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" )  ) == 0x0
 00218  1744   NtResumeThread  (76, ... 1, ) == 0x0
 00219  1744   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00220  1744   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00221  1744   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00222  1744   NtClose  (80, ... ) == 0x0
 00223  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00224  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00225  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00226  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00227  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00228  1744   NtClose  (84, ... ) == 0x0
 00229  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00230  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00231  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00232  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00233  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00234  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00235  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00236  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00237  1744   NtClose  (80, ... ) == 0x0
 00238  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00239  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00240  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00241  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00242  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00243  1744   NtClose  (84, ... ) == 0x0
 00244  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00245  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00246  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00247  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00248  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00249  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00250  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00251  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00252  1744   NtClose  (80, ... ) == 0x0
 00253  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00254  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00255  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00256  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00257  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00258  1744   NtClose  (84, ... ) == 0x0
 00259  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00260  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00261  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00262  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00263  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00264  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00265  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00266  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00267  1744   NtClose  (80, ... ) == 0x0
 00268  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00269  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00270  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00271  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00272  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00273  1744   NtClose  (84, ... ) == 0x0
 00274  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00275  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00276  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00277  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00278  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00279  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00280  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00281  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00282  1744   NtClose  (80, ... ) == 0x0
 00283  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00284  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00285  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00286  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00287  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00288  1744   NtClose  (84, ... ) == 0x0
 00289  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00290  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00291  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00292  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00293  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00294  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00295  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00296  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00297  1744   NtClose  (80, ... ) == 0x0
 00298  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00299  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00300  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00301  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00302  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00303  1744   NtClose  (84, ... ) == 0x0
 00304  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00305  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00306  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00307  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00308  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00309  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00310  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00311  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00312  1744   NtClose  (80, ... ) == 0x0
 00313  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00314  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00315  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00316  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00317  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00318  1744   NtClose  (84, ... ) == 0x0
 00319  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00320  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00321  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00322  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00323  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00324  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00325  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00326  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00327  1744   NtClose  (80, ... ) == 0x0
 00328  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00329  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00330  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00331  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00332  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00333  1744   NtClose  (84, ... ) == 0x0
 00334  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00335  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00336  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00337  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00338  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00339  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00340  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00341  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00342  1744   NtClose  (80, ... ) == 0x0
 00343  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00344  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00345  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00346  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00347  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00348  1744   NtClose  (84, ... ) == 0x0
 00349  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00350  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00351  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00352  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00353  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00354  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00355  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00356  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00357  1744   NtClose  (80, ... ) == 0x0
 00358  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00359  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00360  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00361  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00362  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00363  1744   NtClose  (84, ... ) == 0x0
 00364  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00365  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00366  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00367  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00368  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00369  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00370  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00371  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00372  1744   NtClose  (80, ... ) == 0x0
 00373  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00374  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00375  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00376  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00377  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00378  1744   NtClose  (84, ... ) == 0x0
 00379  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00380  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00381  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00382  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00383  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00384  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00385  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00386  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00387  1744   NtClose  (80, ... ) == 0x0
 00388  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00389  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00390  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 80, ) == 0x0
 00391  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00392  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00393  1744   NtClose  (84, ... ) == 0x0
 00394  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00395  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00396  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00397  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00398  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00399  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00400  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00401  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00402  1744   NtClose  (80, ... ) == 0x0
 00403  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00404  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00405  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00406  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00407  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00408  1744   NtClose  (84, ... ) == 0x0
 00409  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00410  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00411  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00412  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00413  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00414  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00415  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00416  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00417  1744   NtClose  (80, ... ) == 0x0
 00418  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00419  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00420  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00421  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00422  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00423  1744   NtClose  (84, ... ) == 0x0
 00424  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00425  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00426  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00427  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00428  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00429  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00430  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00431  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00432  1744   NtClose  (80, ... ) == 0x0
 00433  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00434  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00435  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00436  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00437  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00438  1744   NtClose  (84, ... ) == 0x0
 00439  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00440  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00441  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00442  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00443  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00444  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00445  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00446  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00447  1744   NtClose  (80, ... ) == 0x0
 00448  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00449  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00450  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00451  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00452  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00453  1744   NtClose  (84, ... ) == 0x0
 00454  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00455  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00456  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00457  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00458  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00459  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00460  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00461  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00462  1744   NtClose  (80, ... ) == 0x0
 00463  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00464  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00465  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00466  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00467  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00468  1744   NtClose  (84, ... ) == 0x0
 00469  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00470  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00471  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00472  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00473  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00474  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00475  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00476  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00477  1744   NtClose  (80, ... ) == 0x0
 00478  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00479  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00480  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00481  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00482  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00483  1744   NtClose  (84, ... ) == 0x0
 00484  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00485  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00486  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00487  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00488  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00489  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00490  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00491  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00492  1744   NtClose  (80, ... ) == 0x0
 00493  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00494  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00495  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00496  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00497  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00498  1744   NtClose  (84, ... ) == 0x0
 00499  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00500  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00501  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00502  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00503  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00504  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00505  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00506  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00507  1744   NtClose  (80, ... ) == 0x0
 00508  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00509  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00510  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00511  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00512  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00513  1744   NtClose  (84, ... ) == 0x0
 00514  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00515  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00516  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00517  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00518  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00519  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00520  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00521  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00522  1744   NtClose  (80, ... ) == 0x0
 00523  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00524  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00525  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00526  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00527  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00528  1744   NtClose  (84, ... ) == 0x0
 00529  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00530  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00531  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00532  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00533  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00534  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00535  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00536  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00537  1744   NtClose  (80, ... ) == 0x0
 00538  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00539  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00540  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1200, 0}, ... 80, ) == 0x0
 00541  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00542  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00543  1744   NtClose  (84, ... ) == 0x0
 00544  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00545  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00546  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00547  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00548  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00549  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00550  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00551  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00552  1744   NtClose  (80, ... ) == 0x0
 00553  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00554  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00555  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {164, 0}, ... 80, ) == 0x0
 00556  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00557  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00558  1744   NtClose  (84, ... ) == 0x0
 00559  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00560  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00561  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00562  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00563  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00564  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00565  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00566  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00567  1744   NtClose  (80, ... ) == 0x0
 00568  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00569  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00570  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {888, 0}, ... 80, ) == 0x0
 00571  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00572  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00573  1744   NtClose  (84, ... ) == 0x0
 00574  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00575  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00576  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00577  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00578  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00579  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00580  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00581  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00582  1744   NtClose  (80, ... ) == 0x0
 00583  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00584  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00585  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 80, ) == 0x0
 00586  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00587  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00588  1744   NtClose  (84, ... ) == 0x0
 00589  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00590  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00591  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00592  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00593  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00594  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00595  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00596  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00597  1744   NtClose  (80, ... ) == 0x0
 00598  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00599  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00600  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1228, 0}, ... 80, ) == 0x0
 00601  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00602  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00603  1744   NtClose  (84, ... ) == 0x0
 00604  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00605  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00606  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00607  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00608  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00609  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00610  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00611  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00612  1744   NtClose  (80, ... ) == 0x0
 00613  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00614  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00615  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1328, 0}, ... 80, ) == 0x0
 00616  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00617  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00618  1744   NtClose  (84, ... ) == 0x0
 00619  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00620  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00621  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00622  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00623  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00624  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00625  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00626  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00627  1744   NtClose  (80, ... ) == 0x0
 00628  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00629  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00630  1744   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1736, 0}, ... 80, ) == 0x0
 00631  1744   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00632  1744   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00633  1744   NtClose  (84, ... ) == 0x0
 00634  1744   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00635  1744   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00636  1744   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00637  1744   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00638  1744   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00639  1744   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00640  1744   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00641  1744   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00642  1744   NtClose  (80, ... ) == 0x0
 00643  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00644  1744   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00645  1744   NtClose  (40, ... ) == 0x0
 00646  1744   NtClose  (28, ... ) == 0x0
 00647  1744   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00648  1744   NtContinue  (1244400, 0, ...
 00649  1744   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3342336, 4096, ) == 0x0
 00650  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00651  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00652  1744   NtClose  (28, ... ) == 0x0
 00653  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00654  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00655  1744   NtClose  (28, ... ) == 0x0
 00656  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00657  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00658  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00659  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00660  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00661  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00662  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00663  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00664  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00665  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00666  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00667  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00668  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00669  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00670  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00671  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00672  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00673  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00674  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00677  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75480, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75480, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75480, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00678  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00679  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00680  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0
 00681  1744   NtClose  (28, ... ) == 0x0
 00682  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00683  1744   NtClose  (40, ... ) == 0x0
 00684  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00685  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00686  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00687  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0
 00688  1744   NtClose  (40, ... ) == 0x0
 00689  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00690  1744   NtClose  (28, ... ) == 0x0
 00691  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00692  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00693  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00694  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00695  1744   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00696  1744   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00697  1744   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00698  1744   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00699  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00700  1744   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00701  1744   NtClose  (84, ... ) == 0x0
 00702  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00703  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00704  1744   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00705  1744   NtClose  (84, ... ) == 0x0
 00706  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707  1744   NtClose  (80, ... ) == 0x0
 00708  1744   NtClose  (28, ... ) == 0x0
 00709  1744   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00710  1744   NtClose  (40, ... ) == 0x0
 00711  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00712  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00713  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00714  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00715  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00716  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00717  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00718  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00719  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00720  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00721  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00722  1744   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00723  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00724  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00725  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00726  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0
 00727  1744   NtQueryValueKey  (40,  (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728  1744   NtClose  (40, ... ) == 0x0
 00729  1744   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00730  1744   NtClose  (-2147482576, ... ) == 0x0
 00731  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00732  1744   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00733  1744   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00734  1744   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00735  1744   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00736  1744   NtClose  (-2147482576, ... ) == 0x0
 00737  1744   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00738  1744   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00739  1744   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00740  1744   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00741  1744   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00742  1744   NtClose  (-2147482576, ... ) == 0x0
 00743  1744   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00744  1744   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00745  1744   NtClose  (-2147482576, ... ) == 0x0
 00746  1744   NtQueryDefaultLocale  (0, -134534836, ... ) == 0x0
 00747  1744   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00748  1744   NtUserCallNoParam  (24, ... ) == 0x0
 00749  1744   NtGdiCreateCompatibleDC  (0, ...
 00750  1744   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00749  1744   NtGdiCreateCompatibleDC  ... ) == 0xf3010663
 00751  1744   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00752  1744   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00753  1744   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00754  1744   NtGdiCreateSolidBrush  (0, 0, ...
 00755  1744   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00754  1744   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00756  1744   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00757  1744   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00758  1744   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00759  1744   NtUserGetThreadDesktop  (1744, 0, ... ) == 0x50
 00760  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00761  1744   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00762  1744   NtClose  (88, ... ) == 0x0
 00763  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00764  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8172c017
 00765  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00766  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8172c01c
 00767  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00768  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8172c01e
 00769  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00770  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81728002
 00771  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00772  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8172c018
 00773  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00774  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8172c01a
 00775  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00776  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8172c01d
 00777  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00778  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8172c026
 00779  1744   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00780  1744   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8172c019
 00781  1744   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8172c020
 00782  1744   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8172c022
 00783  1744   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8172c023
 00784  1744   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8172c024
 00785  1744   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8172c025
 00786  1744   NtCallbackReturn  (0, 0, 0, ...
 00787  1744   NtGdiInit  (... ) == 0x1
 00788  1744   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00789  1744   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00790  1744   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 3538944, 28672, ) == 0x0
 00791  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00793  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00794  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00795  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00796  1744   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00797  1744   NtClose  (88, ... ) == 0x0
 00798  1744   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00799  1744   NtClose  (92, ... ) == 0x0
 00800  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00801  1744   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00802  1744   NtClose  (92, ... ) == 0x0
 00803  1744   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00804  1744   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00805  1744   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00806  1744   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00807  1744   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00808  1744   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00809  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00811  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00812  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00813  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00814  1744   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00815  1744   NtClose  (92, ... ) == 0x0
 00816  1744   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00817  1744   NtClose  (88, ... ) == 0x0
 00818  1744   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00819  1744   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00820  1744   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00821  1744   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00822  1744   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00823  1744   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00824  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00826  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00827  1744   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00828  1744   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00829  1744   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00830  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0
 00831  1744   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 00832  1744   NtClose  (88, ... ) == 0x0
 00833  1744   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00834  1744   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00835  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00836  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00837  1744   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00838  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00839  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00841  1744   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00842  1744   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 00843  1744   NtFreeVirtualMemory  (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0
 00844  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00845  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 00846  1744   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 00847  1744   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 00848  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0
 00849  1744   NtAllocateVirtualMemory  (-1, 9502720, 0, 32768, 4096, 4, ... 9502720, 32768, ) == 0x0
 00850  1744   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "Jobaka3"}, 0, ... 88, ) }, 0, ... 88, ) == 0x0
 00851  1744   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00852  1744   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00853  1744   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00854  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00855  1744   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "Protocol_Catalog9"}, ... 100, ) }, ... 100, ) == 0x0
 00856  1744   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00857  1744   NtNotifyChangeKey  (100, 96, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00858  1744   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00859  1744   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00860  1744   NtQueryValueKey  (100,  (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00861  1744   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00862  1744   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 00863  1744   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00864  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 00865  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00866  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00867  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0d\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0e\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0d\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0e\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0d\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0e\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00868  1744   NtClose  (108, ... ) == 0x0
 00869  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 00870  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00871  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00872  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0j\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0j\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0j\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00873  1744   NtClose  (108, ... ) == 0x0
 00874  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0
 00875  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00876  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00877  1744   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00878  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0o\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0p\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0o\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0p\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0o\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0p\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00879  1744   NtClose  (108, ... ) == 0x0
 00880  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0
 00881  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00882  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00883  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0t\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0t\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0u\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0t\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0t\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0u\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0t\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0t\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0u\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00884  1744   NtClose  (108, ... ) == 0x0
 00885  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000005"}, ... 108, ) }, ... 108, ) == 0x0
 00886  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00887  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00888  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0y\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0z\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0y\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0z\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0y\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0z\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00889  1744   NtClose  (108, ... ) == 0x0
 00890  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000006"}, ... 108, ) }, ... 108, ) == 0x0
 00891  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00892  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00893  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\177\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\177\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\177\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00894  1744   NtClose  (108, ... ) == 0x0
 00895  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000007"}, ... 108, ) }, ... 108, ) == 0x0
 00896  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00897  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00898  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\203\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\204\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\203\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\204\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\203\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\204\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00899  1744   NtClose  (108, ... ) == 0x0
 00900  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000008"}, ... 108, ) }, ... 108, ) == 0x0
 00901  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00902  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00903  1744   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00904  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\211\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\211\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\212\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\211\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\211\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\212\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\211\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\211\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\212\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00905  1744   NtClose  (108, ... ) == 0x0
 00906  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000009"}, ... 108, ) }, ... 108, ) == 0x0
 00907  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00908  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00909  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\216\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\217\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\216\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\217\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\216\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\217\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00910  1744   NtClose  (108, ... ) == 0x0
 00911  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000010"}, ... 108, ) }, ... 108, ) == 0x0
 00912  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00913  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00914  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\223\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\224\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\223\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\224\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\223\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\224\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00915  1744   NtClose  (108, ... ) == 0x0
 00916  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000011"}, ... 108, ) }, ... 108, ) == 0x0
 00917  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00918  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00919  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\230\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\231\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\230\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\231\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\230\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\231\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00920  1744   NtClose  (108, ... ) == 0x0
 00921  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000012"}, ... 108, ) }, ... 108, ) == 0x0
 00922  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00923  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00924  1744   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00925  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\236\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\236\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\237\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\236\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\236\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\237\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\236\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\236\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\237\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00926  1744   NtClose  (108, ... ) == 0x0
 00927  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000013"}, ... 108, ) }, ... 108, ) == 0x0
 00928  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00929  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00930  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\243\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\243\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\244\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\243\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\243\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\244\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\243\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\243\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\244\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00931  1744   NtClose  (108, ... ) == 0x0
 00932  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000014"}, ... 108, ) }, ... 108, ) == 0x0
 00933  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00934  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00935  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\250\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\251\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\250\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\251\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\250\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\251\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00936  1744   NtClose  (108, ... ) == 0x0
 00937  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000015"}, ... 108, ) }, ... 108, ) == 0x0
 00938  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00939  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00940  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\255\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\256\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\255\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\256\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\255\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\256\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00941  1744   NtClose  (108, ... ) == 0x0
 00942  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000016"}, ... 108, ) }, ... 108, ) == 0x0
 00943  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00944  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00945  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\262\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\263\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\262\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\263\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\262\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\263\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00946  1744   NtClose  (108, ... ) == 0x0
 00947  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000017"}, ... 108, ) }, ... 108, ) == 0x0
 00948  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00949  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00950  1744   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00951  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\270\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\270\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\271\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\270\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\270\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\271\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\270\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\270\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\271\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00952  1744   NtClose  (108, ... ) == 0x0
 00953  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000018"}, ... 108, ) }, ... 108, ) == 0x0
 00954  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00955  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00956  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\275\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\276\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\275\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\276\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\275\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\276\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00957  1744   NtClose  (108, ... ) == 0x0
 00958  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000019"}, ... 108, ) }, ... 108, ) == 0x0
 00959  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00960  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00961  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\302\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\302\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\303\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\302\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\302\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\303\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\302\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\302\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\303\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\304\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00962  1744   NtClose  (108, ... ) == 0x0
 00963  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000020"}, ... 108, ) }, ... 108, ) == 0x0
 00964  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00965  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00966  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\307\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\307\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\310\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\307\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\307\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\310\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\307\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\307\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\310\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00967  1744   NtClose  (108, ... ) == 0x0
 00968  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000021"}, ... 108, ) }, ... 108, ) == 0x0
 00969  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00970  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00971  1744   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00972  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\315\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\315\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\316\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\315\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\315\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\316\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\315\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\315\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\316\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\3\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00973  1744   NtClose  (108, ... ) == 0x0
 00974  1744   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000022"}, ... 108, ) }, ... 108, ) == 0x0
 00975  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00976  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00977  1744   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\322\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\322\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\323\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\323\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\3\0\0\310\6\0\0\320\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\3\0\0\310\6\0\0\320\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\325\3\0\0\310\6\0\0\320\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\325\3\0\0\310\6\0\0\320\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\326\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\322\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\322\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\323\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\323\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\3\0\0\310\6\0\0\320\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\3\0\0\310\6\0\0\320\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\325\3\0\0\310\6\0\0\320\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\325\3\0\0\310\6\0\0\320\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\326\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\322\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\322\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\323\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\323\3\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\3\0\0\310\6\0\0\320\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\3\0\0\310\6\0\0\320\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\325\3\0\0\310\6\0\0\320\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\325\3\0\0\310\6\0\0\320\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\326\3\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00978  1744   NtClose  (108, ... ) == 0x0
 00979  1744   NtClose  (104, ... ) == 0x0
 00980  1744   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 00981  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 00982  1744   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0
 00983  1744   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00984  1744   NtNotifyChangeKey  (108, 104, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00985  1744   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00986  1744   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987  1744   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00988  1744   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00989  1744   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00990  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00991  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00992  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00993  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00994  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00995  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00996  1744   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00997  1744   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998  1744   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00999  1744   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01000  1744   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01001  1744   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01002  1744   NtClose  (116, ... ) == 0x0
 01003  1744   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 01004  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01005  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01006  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01007  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01008  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01009  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01010  1744   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01011  1744   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012  1744   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01013  1744   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01014  1744   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01015  1744   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01016  1744   NtClose  (116, ... ) == 0x0
 01017  1744   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 01018  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01019  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01020  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01021  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01022  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01023  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01024  1744   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01025  1744   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026  1744   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01027  1744   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01028  1744   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01029  1744   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01030  1744   NtClose  (116, ... ) == 0x0
 01031  1744   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0
 01032  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01033  1744   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01034  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01035  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01036  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01037  1744   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01038  1744   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01039  1744   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040  1744   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01041  1744   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01042  1744   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01043  1744   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01044  1744   NtClose  (116, ... ) == 0x0
 01045  1744   NtClose  (112, ... ) == 0x0
 01046  1744   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 01047  1744   NtClose  (92, ... ) == 0x0
 01048  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01049  1744   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01050  1744   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 01051  1744   NtQueryValueKey  (92,  (92, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01052  1744   NtClose  (92, ... ) == 0x0
 01053  1744   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01054  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0
 01055  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241400, ... ) }, 1241400, ... ) == 0x0
 01056  1744   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 112, {status=0x0, info=1}, ) }, 7, 2113568, ... 112, {status=0x0, info=1}, ) == 0x0
 01057  1744   NtSetInformationFile  (112, 1241376, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01058  1744   NtClose  (112, ... ) == 0x0
 01059  1744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01060  1744   NtQueryInformationFile  (112, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01061  1744   NtQueryInformationFile  (112, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01062  1744   NtQueryInformationFile  (112, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01063  1744   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01064  1744   NtQueryInformationFile  (112, 1365056, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01065  1744   NtQueryInformationFile  (112, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01066  1744   NtQueryInformationFile  (112, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01067  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\AVSERVE2.EXE"}, 1239736, ... ) }, 1239736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01068  1744   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01069  1744   NtClose  (-2147482576, ... ) == 0x0
 01068  1744   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 01070  1744   NtQueryVolumeInformationFile  (116, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01071  1744   NtQueryInformationFile  (116, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01072  1744   NtQueryVolumeInformationFile  (112, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01073  1744   NtQueryVolumeInformationFile  (112, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01074  1744   NtSetInformationFile  (116, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01075  1744   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0
 01076  1744   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x390000), {0, 0}, 114688, ) == 0x0
 01077  1744   NtClose  (120, ... ) == 0x0
 01078  1744   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\20\0\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0p\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\20\0\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0p\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01079  1744   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 52752, 0x0, 0, ... {status=0x0, info=52752}, ) , 52752, 0x0, 0, ... {status=0x0, info=52752}, ) == 0x0
 01080  1744   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01081  1744   NtSetInformationFile  (116, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01082  1744   NtClose  (112, ... ) == 0x0
 01083  1744   NtClose  (116, ... ) == 0x0
 01084  1744   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 116, ) }, ... 116, ) == 0x0
 01085  1744   NtSetValueKey  (116,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 01086  1744   NtSetInformationFile  (-2147482448, -134535376, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01087  1744   NtSetInformationFile  (-2147482448, -134535468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01088  1744   NtSetInformationFile  (-2147482448, -134535776, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01085  1744   NtSetValueKey  ... ) == 0x0
 01089  1744   NtClose  (116, ... ) == 0x0
 01090  1744   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 116, ) }, 0, ... 116, ) == 0x0
 01091  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0
 01092  1744   NtAllocateVirtualMemory  (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0
 01093  1744   NtProtectVirtualMemory  (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0
 01094  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 112, {1736, 1384}, ) == 0x0
 01095  1744   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1736,Tid=1384,}, 0x0, ) == 0x0
 01096  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\310\6\0\0h\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\310\6\0\0h\5\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75539, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\310\6\0\0h\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\310\6\0\0h\5\0\0" )  ) == 0x0
 01097  1744   NtResumeThread  (112, ... 1, ) == 0x0
 01098  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0
 01099  1744   NtAllocateVirtualMemory  (-1, 12640256, 0, 8192, 4096, 4, ...
 01100  1384   NtTestAlert  (... ) == 0x0
 01101  1384   NtContinue  (11599152, 1, ...
 01102  1384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01103  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 01104  1384   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01105  1384   NtAllocateVirtualMemory  (-1, 11587584, 0, 4096, 4096, 260, ...
 01099  1744   NtAllocateVirtualMemory  ... 12640256, 8192, ) == 0x0
 01106  1744   NtProtectVirtualMemory  (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0
 01107  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 124, {1736, 1600}, ) == 0x0
 01108  1744   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1736,Tid=1600,}, 0x0, ) == 0x0
 01109  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75539, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\310\6\0\0@\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\310\6\0\0@\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75540, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\310\6\0\0@\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\310\6\0\0@\6\0\0" )  ) == 0x0
 01110  1744   NtResumeThread  (124, ... 1, ) == 0x0
 01105  1384   NtAllocateVirtualMemory  ... 11587584, 4096, ) == 0x0
 01111  1600   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01112  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596276, ... }, 11596276, ...
 01111  1600   NtCreateEvent  ... 128, ) == 0x0
 01112  1384   NtQueryAttributesFile  ... ) == 0x0
 01113  1600   NtWaitForSingleObject  (128, 0, 0x0, ...
 01114  1384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01115  1384   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 136, ) == 0x0
 01116  1384   NtClose  (132, ... ) == 0x0
 01117  1384   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 245760, ) == 0x0
 01118  1384   NtClose  (136, ...
 01119  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12648448, 1048576, ) == 0x0
 01120  1744   NtAllocateVirtualMemory  (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0
 01121  1744   NtProtectVirtualMemory  (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0
 01122  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1736, 2040}, ) == 0x0
 01123  1744   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1736,Tid=2040,}, 0x0, ) == 0x0
 01124  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75540, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\310\6\0\0\370\7\0\0" ...  ...
 01118  1384   NtClose  ... ) == 0x0
 01125  1384   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01126  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596584, ... ) }, 11596584, ... ) == 0x0
 01127  1384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ...
 01124  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75541, 0}  ... {28, 56, reply, 0, 1736, 1744, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\310\6\0\0\370\7\0\0" )  ) == 0x0
 01128  1744   NtResumeThread  (132, ... 1, ) == 0x0
 01129  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0
 01130  1744   NtAllocateVirtualMemory  (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0
 01131  1744   NtProtectVirtualMemory  (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0
 01132  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1736, 152}, ) == 0x0
 01133  1744   NtQueryInformationThread  (136, Basic, 28, ...
 01127  1384   NtOpenFile  ... 140, {status=0x0, info=1}, ) == 0x0
 01134  2040   NtWaitForSingleObject  (128, 0, 0x0, ...
 01135  1384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 144, ) == 0x0
 01136  1384   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01137  1384   NtClose  (140, ... ) == 0x0
 01138  1384   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01139  1384   NtClose  (144, ... ) == 0x0
 01140  1384   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01133  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=152,}, 0x0, ) == 0x0
 01141  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75541, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\310\6\0\0\230\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\310\6\0\0\230\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75542, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\310\6\0\0\230\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\310\6\0\0\230\0\0\0" )  ) == 0x0
 01142  1744   NtResumeThread  (136, ... 1, ) == 0x0
 01143  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0
 01144  1744   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 01145  1744   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0
 01140  1384   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01146   152   NtWaitForSingleObject  (128, 0, 0x0, ...
 01147  1384   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01148  1384   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01149  1384   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01150  1384   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01151  1384   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01152  1384   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01153  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1736, 1388}, ) == 0x0
 01154  1744   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1736,Tid=1388,}, 0x0, ) == 0x0
 01155  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75542, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\310\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\310\6\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75543, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\310\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\310\6\0\0l\5\0\0" )  ) == 0x0
 01156  1744   NtResumeThread  (144, ... 1, ) == 0x0
 01157  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 01158  1744   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ...
 01152  1384   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01159  1388   NtWaitForSingleObject  (128, 0, 0x0, ...
 01160  1384   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01161  1384   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01162  1384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163  1384   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01164  1384   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01165  1384   NtSetEventBoostPriority  (128, ...
 01158  1744   NtAllocateVirtualMemory  ... 16834560, 8192, ) == 0x0
 01166  1744   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0
 01167  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1736, 2036}, ) == 0x0
 01168  1744   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1736,Tid=2036,}, 0x0, ) == 0x0
 01169  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75543, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\310\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\310\6\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75544, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\310\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\310\6\0\0\364\7\0\0" )  ) == 0x0
 01170  1744   NtResumeThread  (140, ... 1, ) == 0x0
 01113  1600   NtWaitForSingleObject  ... ) == 0x0
 01165  1384   NtSetEventBoostPriority  ... ) == 0x0
 01171  2036   NtWaitForSingleObject  (128, 0, 0x0, ...
 01172  1600   NtSetEventBoostPriority  (128, ...
 01173  1384   NtWaitForSingleObject  (128, 0, 0x0, ...
 01134  2040   NtWaitForSingleObject  ... ) == 0x0
 01172  1600   NtSetEventBoostPriority  ... ) == 0x0
 01174  2040   NtSetEventBoostPriority  (128, ...
 01175  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01146   152   NtWaitForSingleObject  ... ) == 0x0
 01174  2040   NtSetEventBoostPriority  ... ) == 0x0
 01176   152   NtSetEventBoostPriority  (128, ...
 01175  1744   NtAllocateVirtualMemory  ... 16842752, 1048576, ) == 0x0
 01177  1600   NtTestAlert  (...
 01159  1388   NtWaitForSingleObject  ... ) == 0x0
 01176   152   NtSetEventBoostPriority  ... ) == 0x0
 01178  1744   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ...
 01179  1388   NtSetEventBoostPriority  (128, ...
 01177  1600   NtTestAlert  ... ) == 0x0
 01180  2040   NtTestAlert  (...
 01171  2036   NtWaitForSingleObject  ... ) == 0x0
 01179  1388   NtSetEventBoostPriority  ... ) == 0x0
 01178  1744   NtAllocateVirtualMemory  ... 17883136, 8192, ) == 0x0
 01181  1600   NtContinue  (12647728, 1, ...
 01182  2036   NtSetEventBoostPriority  (128, ...
 01180  2040   NtTestAlert  ... ) == 0x0
 01183   152   NtTestAlert  (...
 01184  1744   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ...
 01173  1384   NtWaitForSingleObject  ... ) == 0x0
 01182  2036   NtSetEventBoostPriority  ... ) == 0x0
 01185  1600   NtRegisterThreadTerminatePort  (24, ...
 01186  2040   NtContinue  (13696304, 1, ...
 01183   152   NtTestAlert  ... ) == 0x0
 01187  1384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01184  1744   NtProtectVirtualMemory  ... (0x110e000), 4096, 4, ) == 0x0
 01188  1388   NtTestAlert  (...
 01185  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01189  2040   NtRegisterThreadTerminatePort  (24, ...
 01187  1384   NtCreateEvent  ... 148, ) == 0x0
 01190   152   NtContinue  (14744880, 1, ...
 01191  2036   NtTestAlert  (...
 01188  1388   NtTestAlert  ... ) == 0x0
 01192  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01189  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 01193  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01194   152   NtRegisterThreadTerminatePort  (24, ...
 01191  2036   NtTestAlert  ... ) == 0x0
 01195  1388   NtContinue  (15793456, 1, ...
 01196  1384   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01197  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01193  1744   NtCreateThread  ... 152, {1736, 1324}, ) == 0x0
 01194   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01198  2036   NtContinue  (16842032, 1, ...
 01199  1388   NtRegisterThreadTerminatePort  (24, ...
 01196  1384   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192  1600   NtDuplicateObject  ... 156, ) == 0x0
 01200  1744   NtQueryInformationThread  (152, Basic, 28, ...
 01201   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01202  2036   NtRegisterThreadTerminatePort  (24, ...
 01199  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01203  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01204  1600   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01200  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1736,Tid=1324,}, 0x0, ) == 0x0
 01197  2040   NtDuplicateObject  ... 160, ) == 0x0
 01202  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01205  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01204  1600   NtWaitForSingleObject  ... ) == 0x102
 01206  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75544, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\310\6\0\0,\5\0\0" ...  ...
 01207  2040   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01208  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01201   152   NtDuplicateObject  ... 164, ) == 0x0
 01209  1600   NtAllocateVirtualMemory  (-1, 12636160, 0, 4096, 4096, 260, ...
 01207  2040   NtWaitForSingleObject  ... ) == 0x102
 01205  1388   NtDuplicateObject  ... 168, ) == 0x0
 01206  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75545, 0}  ... {28, 56, reply, 0, 1736, 1744, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\310\6\0\0,\5\0\0" )  ) == 0x0
 01210   152   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01209  1600   NtAllocateVirtualMemory  ... 12636160, 4096, ) == 0x0
 01211  2040   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01212  1388   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01213  1744   NtResumeThread  (152, ...
 01210   152   NtWaitForSingleObject  ... ) == 0x102
 01208  2036   NtDuplicateObject  ... 172, ) == 0x0
 01211  2040   NtCreateEvent  ... 176, ) == 0x0
 01212  1388   NtWaitForSingleObject  ... ) == 0x102
 01213  1744   NtResumeThread  ... 1, ) == 0x0
 01214   152   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01215  2036   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01216  1600   NtWaitForSingleObject  (128, 0, 0x0, ...
 01217  1324   NtWaitForSingleObject  (128, 0, 0x0, ...
 01218  1388   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01219  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01214   152   NtCreateEvent  ... 180, ) == 0x0
 01215  2036   NtWaitForSingleObject  ... ) == 0x102
 01218  1388   NtCreateEvent  ... 184, ) == 0x0
 01219  1744   NtAllocateVirtualMemory  ... 17891328, 1048576, ) == 0x0
 01220  2040   NtWaitForSingleObject  (176, 0, 0x0, ...
 01203  1384   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221  2036   NtWaitForSingleObject  (176, 0, 0x0, ...
 01222   152   NtClose  (180, ...
 01223  1744   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ...
 01224  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01222   152   NtClose  ... ) == 0x0
 01225  1388   NtClose  (184, ...
 01224  1384   NtQueryAttributesFile  ... ) == 0x0
 01226   152   NtWaitForSingleObject  (176, 0, 0x0, ...
 01225  1388   NtClose  ... ) == 0x0
 01227  1384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 01228  1388   NtWaitForSingleObject  (176, 0, 0x0, ...
 01227  1384   NtOpenFile  ... 184, {status=0x0, info=1}, ) == 0x0
 01229  1384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01230  1384   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01231  1384   NtClose  (184, ... ) == 0x0
 01232  1384   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01223  1744   NtAllocateVirtualMemory  ... 18931712, 8192, ) == 0x0
 01233  1744   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 01234  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 184, {1736, 440}, ) == 0x0
 01235  1744   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1736,Tid=440,}, 0x0, ) == 0x0
 01236  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75545, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\310\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\310\6\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75546, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\310\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\310\6\0\0\270\1\0\0" )  ) == 0x0
 01237  1744   NtResumeThread  (184, ... 1, ) == 0x0
 01232  1384   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 01238   440   NtWaitForSingleObject  (128, 0, 0x0, ...
 01239  1384   NtClose  (180, ... ) == 0x0
 01240  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01241  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01242  1384   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01243  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01244  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01245  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0
 01246  1744   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0
 01247  1744   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0
 01248  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1736, 1620}, ) == 0x0
 01249  1744   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1736,Tid=1620,}, 0x0, ) == 0x0
 01250  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75546, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\310\6\0\0T\6\0\0" ...  ...
 01244  1384   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01251  1384   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01252  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01253  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01250  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75547, 0}  ... {28, 56, reply, 0, 1736, 1744, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\310\6\0\0T\6\0\0" )  ) == 0x0
 01254  1744   NtResumeThread  (180, ... 1, ) == 0x0
 01255  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19988480, 1048576, ) == 0x0
 01256  1744   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ... 21028864, 8192, ) == 0x0
 01257  1744   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ... (0x140e000), 4096, 4, ) == 0x0
 01258  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {1736, 1588}, ) == 0x0
 01259  1744   NtQueryInformationThread  (188, Basic, 28, ...
 01253  1384   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01260  1620   NtWaitForSingleObject  (128, 0, 0x0, ...
 01261  1384   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01262  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01263  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01264  1384   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01265  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01266  1384   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01259  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1736,Tid=1588,}, 0x0, ) == 0x0
 01267  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75547, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\310\6\0\04\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\310\6\0\04\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75548, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\310\6\0\04\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\310\6\0\04\6\0\0" )  ) == 0x0
 01268  1744   NtResumeThread  (188, ... 1, ) == 0x0
 01269  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21037056, 1048576, ) == 0x0
 01270  1744   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0
 01271  1744   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0
 01266  1384   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01272  1588   NtWaitForSingleObject  (128, 0, 0x0, ...
 01273  1384   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01274  1384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275  1384   NtSetEventBoostPriority  (128, ...
 01216  1600   NtWaitForSingleObject  ... ) == 0x0
 01276  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12643280, ... ) }, 12643280, ... ) == 0x0
 01277  1600   NtSetEventBoostPriority  (128, ...
 01217  1324   NtWaitForSingleObject  ... ) == 0x0
 01278  1324   NtSetEventBoostPriority  (128, ...
 01238   440   NtWaitForSingleObject  ... ) == 0x0
 01279   440   NtSetEventBoostPriority  (128, ...
 01260  1620   NtWaitForSingleObject  ... ) == 0x0
 01280  1620   NtSetEventBoostPriority  (128, ...
 01272  1588   NtWaitForSingleObject  ... ) == 0x0
 01281  1588   NtTestAlert  (... ) == 0x0
 01280  1620   NtSetEventBoostPriority  ... ) == 0x0
 01279   440   NtSetEventBoostPriority  ... ) == 0x0
 01278  1324   NtSetEventBoostPriority  ... ) == 0x0
 01277  1600   NtSetEventBoostPriority  ... ) == 0x0
 01275  1384   NtSetEventBoostPriority  ... ) == 0x0
 01282  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01283  1588   NtContinue  (21036336, 1, ...
 01284  1620   NtTestAlert  (...
 01285   440   NtTestAlert  (...
 01286  1600   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01287  1384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01282  1744   NtCreateThread  ... 192, {1736, 1676}, ) == 0x0
 01288  1588   NtRegisterThreadTerminatePort  (24, ...
 01284  1620   NtTestAlert  ... ) == 0x0
 01285   440   NtTestAlert  ... ) == 0x0
 01286  1600   NtCreateEvent  ... 196, ) == 0x0
 01287  1384   NtCreateEvent  ... 200, ) == 0x0
 01289  1744   NtQueryInformationThread  (192, Basic, 28, ...
 01288  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01290  1620   NtContinue  (19987760, 1, ...
 01291   440   NtContinue  (18939184, 1, ...
 01292  1600   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01293  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01289  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1736,Tid=1676,}, 0x0, ) == 0x0
 01294  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01295  1620   NtRegisterThreadTerminatePort  (24, ...
 01296   440   NtRegisterThreadTerminatePort  (24, ...
 01292  1600   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293  1384   NtDuplicateObject  ... 204, ) == 0x0
 01297  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75548, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\310\6\0\0\214\6\0\0" ...  ...
 01294  1588   NtDuplicateObject  ... 208, ) == 0x0
 01295  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01296   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01298  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12643384, ... }, 12643384, ...
 01299  1588   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01300  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01301   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01302  1324   NtTestAlert  (...
 01303  1384   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01297  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75549, 0}  ... {28, 56, reply, 0, 1736, 1744, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\310\6\0\0\214\6\0\0" )  ) == 0x0
 01299  1588   NtWaitForSingleObject  ... ) == 0x102
 01300  1620   NtDuplicateObject  ... 212, ) == 0x0
 01302  1324   NtTestAlert  ... ) == 0x0
 01303  1384   NtOpenKey  ... 216, ) == 0x0
 01304  1744   NtResumeThread  (192, ...
 01305  1588   NtWaitForSingleObject  (176, 0, 0x0, ...
 01306  1620   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01307  1324   NtContinue  (17890608, 1, ...
 01308  1384   NtQueryValueKey  (216,  (216, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01304  1744   NtResumeThread  ... 1, ) == 0x0
 01306  1620   NtWaitForSingleObject  ... ) == 0x102
 01309  1324   NtRegisterThreadTerminatePort  (24, ...
 01308  1384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01310  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01311  1620   NtWaitForSingleObject  (176, 0, 0x0, ...
 01309  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01312  1384   NtClose  (216, ...
 01310  1744   NtAllocateVirtualMemory  ... 22085632, 1048576, ) == 0x0
 01313  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01312  1384   NtClose  ... ) == 0x0
 01314  1744   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ...
 01301   440   NtDuplicateObject  ... 216, ) == 0x0
 01298  1600   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315  1676   NtWaitForSingleObject  (128, 0, 0x0, ...
 01313  1324   NtDuplicateObject  ... 220, ) == 0x0
 01316  1384   NtOpenThreadToken  (-2, 0xc, 1, ...
 01317   440   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01318  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12643384, ... }, 12643384, ...
 01319  1324   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01316  1384   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01317   440   NtWaitForSingleObject  ... ) == 0x102
 01318  1600   NtQueryAttributesFile  ... ) == 0x0
 01319  1324   NtWaitForSingleObject  ... ) == 0x102
 01320  1384   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01321   440   NtWaitForSingleObject  (176, 0, 0x0, ...
 01314  1744   NtAllocateVirtualMemory  ... 23126016, 8192, ) == 0x0
 01322  1324   NtWaitForSingleObject  (176, 0, 0x0, ...
 01320  1384   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01323  1744   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ...
 01324  1384   NtWaitForSingleObject  (128, 0, 0x0, ...
 01323  1744   NtProtectVirtualMemory  ... (0x160e000), 4096, 4, ) == 0x0
 01325  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1736, 1276}, ) == 0x0
 01326  1744   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1736,Tid=1276,}, 0x0, ) == 0x0
 01327  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75549, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75550, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0\374\4\0\0" )  ) == 0x0
 01328  1744   NtResumeThread  (224, ... 1, ) == 0x0
 01329  1600   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01330  1276   NtWaitForSingleObject  (128, 0, 0x0, ...
 01329  1600   NtOpenFile  ... 228, {status=0x0, info=1}, ) == 0x0
 01331  1600   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 228, ... 232, ) == 0x0
 01332  1600   NtQuerySection  (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01333  1600   NtClose  (228, ... ) == 0x0
 01334  1600   NtMapViewOfSection  (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01335  1600   NtClose  (232, ... ) == 0x0
 01336  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0
 01337  1744   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0
 01338  1744   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0
 01339  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1736, 704}, ) == 0x0
 01340  1744   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1736,Tid=704,}, 0x0, ) == 0x0
 01341  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75550, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\310\6\0\0\300\2\0\0" ...  ...
 01342  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01343  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01344  1600   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01341  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75551, 0}  ... {28, 56, reply, 0, 1736, 1744, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\310\6\0\0\300\2\0\0" )  ) == 0x0
 01345  1744   NtResumeThread  (232, ... 1, ) == 0x0
 01346  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24182784, 1048576, ) == 0x0
 01347  1744   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ... 25223168, 8192, ) == 0x0
 01348  1744   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ... (0x180e000), 4096, 4, ) == 0x0
 01349  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1736, 1568}, ) == 0x0
 01350  1744   NtQueryInformationThread  (228, Basic, 28, ...
 01351  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01352   704   NtWaitForSingleObject  (128, 0, 0x0, ...
 01351  1600   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01353  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01354  1600   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01355  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01356  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01357  1600   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01350  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1736,Tid=1568,}, 0x0, ) == 0x0
 01358  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75551, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\310\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\310\6\0\0 \6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75552, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\310\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\310\6\0\0 \6\0\0" )  ) == 0x0
 01359  1744   NtResumeThread  (228, ... 1, ) == 0x0
 01360  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0
 01361  1744   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0
 01362  1744   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0
 01363  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01364  1568   NtWaitForSingleObject  (128, 0, 0x0, ...
 01363  1600   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01365  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01366  1600   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01367  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01368  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01369  1600   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01370  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1736, 784}, ) == 0x0
 01371  1744   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1736,Tid=784,}, 0x0, ) == 0x0
 01372  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75552, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\310\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\310\6\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75553, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\310\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\310\6\0\0\20\3\0\0" )  ) == 0x0
 01373  1744   NtResumeThread  (236, ... 1, ) == 0x0
 01374  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26279936, 1048576, ) == 0x0
 01375  1744   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ...
 01376  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01377   784   NtWaitForSingleObject  (128, 0, 0x0, ...
 01376  1600   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01378  1600   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01379  1600   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01380  1600   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01381  1600   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 240, 2, ) }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 240, 2, ) , 0, ... 240, 2, ) == 0x0
 01382  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 244, ) }, ... 244, ) == 0x0
 01375  1744   NtAllocateVirtualMemory  ... 27320320, 8192, ) == 0x0
 01383  1744   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0
 01384  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1736, 1792}, ) == 0x0
 01385  1744   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1736,Tid=1792,}, 0x0, ) == 0x0
 01386  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75553, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\310\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\310\6\0\0\0\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75554, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\310\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\310\6\0\0\0\7\0\0" )  ) == 0x0
 01387  1744   NtResumeThread  (248, ... 1, ) == 0x0
 01388  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01389  1792   NtWaitForSingleObject  (128, 0, 0x0, ...
 01388  1600   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01390  1600   NtQueryValueKey  (244,  (244, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01391  1600   NtQueryValueKey  (240,  (240, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01392  1600   NtQueryValueKey  (244,  (244, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01393  1600   NtQueryValueKey  (240,  (240, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01394  1600   NtQueryValueKey  (244,  (244, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01395  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0
 01396  1744   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0
 01397  1744   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0
 01398  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1736, 1484}, ) == 0x0
 01399  1744   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1736,Tid=1484,}, 0x0, ) == 0x0
 01400  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75554, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\310\6\0\0\314\5\0\0" ...  ...
 01401  1600   NtQueryValueKey  (240,  (240, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01402  1600   NtQueryValueKey  (244,  (244, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01403  1600   NtQueryValueKey  (240,  (240, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01400  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75555, 0}  ... {28, 56, reply, 0, 1736, 1744, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\310\6\0\0\314\5\0\0" )  ) == 0x0
 01404  1744   NtResumeThread  (252, ... 1, ) == 0x0
 01405  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0
 01406  1744   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0
 01407  1744   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0
 01408  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1736, 520}, ) == 0x0
 01409  1744   NtQueryInformationThread  (256, Basic, 28, ...
 01410  1600   NtQueryValueKey  (244,  (244, "AppendToMultiLabelName", Partial, 144, ... , Partial, 144, ...
 01411  1484   NtWaitForSingleObject  (128, 0, 0x0, ...
 01410  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01412  1600   NtQueryValueKey  (244,  (244, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01413  1600   NtQueryValueKey  (244,  (244, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01414  1600   NtQueryValueKey  (244,  (244, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415  1600   NtQueryValueKey  (244,  (244, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416  1600   NtQueryValueKey  (244,  (244, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1736,Tid=520,}, 0x0, ) == 0x0
 01417  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75555, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\310\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\310\6\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75556, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\310\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\310\6\0\0\10\2\0\0" )  ) == 0x0
 01418  1744   NtResumeThread  (256, ... 1, ) == 0x0
 01419  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0
 01420  1744   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ... 30466048, 8192, ) == 0x0
 01421  1744   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0
 01422  1600   NtQueryValueKey  (244,  (244, "QueryIpMatching", Partial, 144, ... , Partial, 144, ...
 01423   520   NtWaitForSingleObject  (128, 0, 0x0, ...
 01422  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424  1600   NtQueryValueKey  (244,  (244, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425  1600   NtQueryValueKey  (244,  (244, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426  1600   NtQueryValueKey  (240,  (240, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01427  1600   NtQueryValueKey  (244,  (244, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01428  1600   NtQueryValueKey  (244,  (244, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01429  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 260, {1736, 1612}, ) == 0x0
 01430  1744   NtQueryInformationThread  (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1736,Tid=1612,}, 0x0, ) == 0x0
 01431  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75556, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\310\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\310\6\0\0L\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75557, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\310\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\310\6\0\0L\6\0\0" )  ) == 0x0
 01432  1744   NtResumeThread  (260, ... 1, ) == 0x0
 01433  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0
 01434  1744   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ...
 01435  1600   NtQueryValueKey  (240,  (240, "EnableAdapterDomainNameRegistration", Partial, 144, ... , Partial, 144, ...
 01436  1612   NtWaitForSingleObject  (128, 0, 0x0, ...
 01435  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437  1600   NtQueryValueKey  (244,  (244, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438  1600   NtQueryValueKey  (240,  (240, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439  1600   NtQueryValueKey  (244,  (244, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440  1600   NtQueryValueKey  (240,  (240, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441  1600   NtQueryValueKey  (244,  (244, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434  1744   NtAllocateVirtualMemory  ... 31514624, 8192, ) == 0x0
 01442  1744   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0
 01443  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 264, {1736, 876}, ) == 0x0
 01444  1744   NtQueryInformationThread  (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1736,Tid=876,}, 0x0, ) == 0x0
 01445  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75557, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\310\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\310\6\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75558, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\310\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\310\6\0\0l\3\0\0" )  ) == 0x0
 01446  1744   NtResumeThread  (264, ... 1, ) == 0x0
 01447  1600   NtQueryValueKey  (240,  (240, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ...
 01448   876   NtWaitForSingleObject  (128, 0, 0x0, ...
 01447  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449  1600   NtQueryValueKey  (244,  (244, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450  1600   NtQueryValueKey  (240,  (240, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451  1600   NtQueryValueKey  (244,  (244, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452  1600   NtQueryValueKey  (240,  (240, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453  1600   NtQueryValueKey  (244,  (244, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0
 01455  1744   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0
 01456  1744   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0
 01457  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 268, {1736, 1628}, ) == 0x0
 01458  1744   NtQueryInformationThread  (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1736,Tid=1628,}, 0x0, ) == 0x0
 01459  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75558, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\310\6\0\0\\6\0\0" ...  ...
 01460  1600   NtQueryValueKey  (240,  (240, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461  1600   NtQueryValueKey  (244,  (244, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462  1600   NtQueryValueKey  (244,  (244, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75559, 0}  ... {28, 56, reply, 0, 1736, 1744, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\310\6\0\0\\6\0\0" )  ) == 0x0
 01463  1744   NtResumeThread  (268, ... 1, ) == 0x0
 01464  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32571392, 1048576, ) == 0x0
 01465  1744   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0
 01466  1744   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ... (0x200e000), 4096, 4, ) == 0x0
 01467  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 272, {1736, 940}, ) == 0x0
 01468  1744   NtQueryInformationThread  (272, Basic, 28, ...
 01469  1600   NtQueryValueKey  (244,  (244, "DnsTest", Partial, 144, ... , Partial, 144, ...
 01470  1628   NtWaitForSingleObject  (128, 0, 0x0, ...
 01469  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01471  1600   NtQueryValueKey  (244,  (244, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472  1600   NtQueryValueKey  (244,  (244, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1600   NtQueryValueKey  (244,  (244, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474  1600   NtQueryValueKey  (244,  (244, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475  1600   NtQueryValueKey  (244,  (244, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1736,Tid=940,}, 0x0, ) == 0x0
 01476  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75559, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\310\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\310\6\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75560, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\310\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\310\6\0\0\254\3\0\0" )  ) == 0x0
 01477  1744   NtResumeThread  (272, ... 1, ) == 0x0
 01478  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0
 01479  1744   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0
 01480  1744   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0
 01481  1600   NtQueryValueKey  (244,  (244, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ...
 01482   940   NtWaitForSingleObject  (128, 0, 0x0, ...
 01481  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483  1600   NtQueryValueKey  (244,  (244, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1600   NtQueryValueKey  (244,  (244, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485  1600   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 276, ) }, ... 276, ) == 0x0
 01486  1600   NtQueryValueKey  (276,  (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01487  1600   NtClose  (276, ... ) == 0x0
 01488  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 276, {1736, 1924}, ) == 0x0
 01489  1744   NtQueryInformationThread  (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1736,Tid=1924,}, 0x0, ) == 0x0
 01490  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75560, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75561, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0\204\7\0\0" )  ) == 0x0
 01491  1744   NtResumeThread  (276, ... 1, ) == 0x0
 01492  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34668544, 1048576, ) == 0x0
 01493  1744   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ...
 01494  1600   NtClose  (240, ...
 01495  1924   NtWaitForSingleObject  (128, 0, 0x0, ...
 01494  1600   NtClose  ... ) == 0x0
 01496  1600   NtClose  (244, ... ) == 0x0
 01497  1600   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 244, ) }, ... 244, ) == 0x0
 01498  1600   NtQueryValueKey  (244,  (244, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499  1600   NtQueryValueKey  (244,  (244, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01500  1600   NtQueryValueKey  (244,  (244, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493  1744   NtAllocateVirtualMemory  ... 35708928, 8192, ) == 0x0
 01501  1744   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ... (0x220e000), 4096, 4, ) == 0x0
 01502  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1736, 1288}, ) == 0x0
 01503  1744   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1736,Tid=1288,}, 0x0, ) == 0x0
 01504  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75561, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\310\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\310\6\0\0\10\5\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75562, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\310\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\310\6\0\0\10\5\0\0" )  ) == 0x0
 01505  1744   NtResumeThread  (240, ... 1, ) == 0x0
 01506  1600   NtClose  (244, ...
 01507  1288   NtWaitForSingleObject  (128, 0, 0x0, ...
 01506  1600   NtClose  ... ) == 0x0
 01508  1600   NtSetEventBoostPriority  (128, ...
 01315  1676   NtWaitForSingleObject  ... ) == 0x0
 01509  1676   NtSetEventBoostPriority  (128, ...
 01324  1384   NtWaitForSingleObject  ... ) == 0x0
 01510  1384   NtSetEventBoostPriority  (128, ...
 01330  1276   NtWaitForSingleObject  ... ) == 0x0
 01511  1276   NtSetEventBoostPriority  (128, ...
 01352   704   NtWaitForSingleObject  ... ) == 0x0
 01512   704   NtSetEventBoostPriority  (128, ...
 01364  1568   NtWaitForSingleObject  ... ) == 0x0
 01513  1568   NtSetEventBoostPriority  (128, ...
 01377   784   NtWaitForSingleObject  ... ) == 0x0
 01514   784   NtSetEventBoostPriority  (128, ...
 01389  1792   NtWaitForSingleObject  ... ) == 0x0
 01515  1792   NtSetEventBoostPriority  (128, ...
 01411  1484   NtWaitForSingleObject  ... ) == 0x0
 01516  1484   NtSetEventBoostPriority  (128, ...
 01423   520   NtWaitForSingleObject  ... ) == 0x0
 01517   520   NtSetEventBoostPriority  (128, ...
 01436  1612   NtWaitForSingleObject  ... ) == 0x0
 01518  1612   NtSetEventBoostPriority  (128, ...
 01448   876   NtWaitForSingleObject  ... ) == 0x0
 01519   876   NtSetEventBoostPriority  (128, ...
 01470  1628   NtWaitForSingleObject  ... ) == 0x0
 01520  1628   NtSetEventBoostPriority  (128, ...
 01482   940   NtWaitForSingleObject  ... ) == 0x0
 01521   940   NtSetEventBoostPriority  (128, ...
 01495  1924   NtWaitForSingleObject  ... ) == 0x0
 01522  1924   NtSetEventBoostPriority  (128, ...
 01507  1288   NtWaitForSingleObject  ... ) == 0x0
 01523  1288   NtTestAlert  (... ) == 0x0
 01522  1924   NtSetEventBoostPriority  ... ) == 0x0
 01521   940   NtSetEventBoostPriority  ... ) == 0x0
 01520  1628   NtSetEventBoostPriority  ... ) == 0x0
 01519   876   NtSetEventBoostPriority  ... ) == 0x0
 01518  1612   NtSetEventBoostPriority  ... ) == 0x0
 01517   520   NtSetEventBoostPriority  ... ) == 0x0
 01516  1484   NtSetEventBoostPriority  ... ) == 0x0
 01515  1792   NtSetEventBoostPriority  ... ) == 0x0
 01514   784   NtSetEventBoostPriority  ... ) == 0x0
 01513  1568   NtSetEventBoostPriority  ... ) == 0x0
 01512   704   NtSetEventBoostPriority  ... ) == 0x0
 01511  1276   NtSetEventBoostPriority  ... ) == 0x0
 01510  1384   NtSetEventBoostPriority  ... ) == 0x0
 01509  1676   NtSetEventBoostPriority  ... ) == 0x0
 01508  1600   NtSetEventBoostPriority  ... ) == 0x0
 01524  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01525  1288   NtContinue  (35716400, 1, ...
 01526  1924   NtTestAlert  (...
 01527   940   NtTestAlert  (...
 01528  1628   NtTestAlert  (...
 01529   876   NtTestAlert  (...
 01530  1612   NtTestAlert  (...
 01531   520   NtTestAlert  (...
 01532  1484   NtTestAlert  (...
 01533  1792   NtTestAlert  (...
 01534   784   NtTestAlert  (...
 01535  1568   NtTestAlert  (...
 01536   704   NtTestAlert  (...
 01537  1276   NtTestAlert  (...
 01538  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11595888, ... }, 11595888, ...
 01539  1600   NtWaitForSingleObject  (128, 0, 0x0, ...
 01524  1744   NtAllocateVirtualMemory  ... 35717120, 1048576, ) == 0x0
 01540  1288   NtRegisterThreadTerminatePort  (24, ...
 01526  1924   NtTestAlert  ... ) == 0x0
 01527   940   NtTestAlert  ... ) == 0x0
 01528  1628   NtTestAlert  ... ) == 0x0
 01529   876   NtTestAlert  ... ) == 0x0
 01530  1612   NtTestAlert  ... ) == 0x0
 01531   520   NtTestAlert  ... ) == 0x0
 01532  1484   NtTestAlert  ... ) == 0x0
 01533  1792   NtTestAlert  ... ) == 0x0
 01534   784   NtTestAlert  ... ) == 0x0
 01535  1568   NtTestAlert  ... ) == 0x0
 01536   704   NtTestAlert  ... ) == 0x0
 01537  1276   NtTestAlert  ... ) == 0x0
 01538  1384   NtQueryAttributesFile  ... ) == 0x0
 01541  1744   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ...
 01540  1288   NtRegisterThreadTerminatePort  ... ) == 0x0
 01542  1924   NtContinue  (34667824, 1, ...
 01543   940   NtContinue  (33619248, 1, ...
 01544  1628   NtContinue  (32570672, 1, ...
 01545   876   NtContinue  (31522096, 1, ...
 01546  1612   NtContinue  (30473520, 1, ...
 01547   520   NtContinue  (29424944, 1, ...
 01548  1484   NtContinue  (28376368, 1, ...
 01549  1792   NtContinue  (27327792, 1, ...
 01550   784   NtContinue  (26279216, 1, ...
 01551  1568   NtContinue  (25230640, 1, ...
 01552   704   NtContinue  (24182064, 1, ...
 01553  1276   NtContinue  (23133488, 1, ...
 01554  1384   NtSetEventBoostPriority  (128, ...
 01541  1744   NtAllocateVirtualMemory  ... 36757504, 8192, ) == 0x0
 01555  1288   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01556  1924   NtRegisterThreadTerminatePort  (24, ...
 01557   940   NtRegisterThreadTerminatePort  (24, ...
 01558  1628   NtRegisterThreadTerminatePort  (24, ...
 01559   876   NtRegisterThreadTerminatePort  (24, ...
 01560  1612   NtRegisterThreadTerminatePort  (24, ...
 01561   520   NtRegisterThreadTerminatePort  (24, ...
 01562  1484   NtRegisterThreadTerminatePort  (24, ...
 01563  1792   NtRegisterThreadTerminatePort  (24, ...
 01564   784   NtRegisterThreadTerminatePort  (24, ...
 01565  1568   NtRegisterThreadTerminatePort  (24, ...
 01566   704   NtRegisterThreadTerminatePort  (24, ...
 01567  1276   NtRegisterThreadTerminatePort  (24, ...
 01539  1600   NtWaitForSingleObject  ... ) == 0x0
 01554  1384   NtSetEventBoostPriority  ... ) == 0x0
 01568  1744   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ...
 01555  1288   NtDuplicateObject  ... 244, ) == 0x0
 01556  1924   NtRegisterThreadTerminatePort  ... ) == 0x0
 01557   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 01558  1628   NtRegisterThreadTerminatePort  ... ) == 0x0
 01559   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 01560  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 01561   520   NtRegisterThreadTerminatePort  ... ) == 0x0
 01562  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 01563  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 01564   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 01565  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 01566   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 01569  1600   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01567  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 01570  1384   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01568  1744   NtProtectVirtualMemory  ... (0x230e000), 4096, 4, ) == 0x0
 01571  1288   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01572  1924   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01573   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01574  1628   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01575   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01576  1612   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01577   520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01578  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01579  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01580   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01581  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01569  1600   NtCreateEvent  ... 280, ) == 0x0
 01582   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01583  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01570  1384   NtOpenKey  ... 284, ) == 0x0
 01584  1676   NtTestAlert  (...
 01585  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01571  1288   NtWaitForSingleObject  ... ) == 0x102
 01572  1924   NtDuplicateObject  ... 288, ) == 0x0
 01573   940   NtDuplicateObject  ... 292, ) == 0x0
 01574  1628   NtDuplicateObject  ... 296, ) == 0x0
 01575   876   NtDuplicateObject  ... 300, ) == 0x0
 01576  1612   NtDuplicateObject  ... 304, ) == 0x0
 01577   520   NtDuplicateObject  ... 308, ) == 0x0
 01578  1484   NtDuplicateObject  ... 312, ) == 0x0
 01579  1792   NtDuplicateObject  ... 316, ) == 0x0
 01580   784   NtDuplicateObject  ... 320, ) == 0x0
 01581  1568   NtDuplicateObject  ... 324, ) == 0x0
 01586  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01582   704   NtDuplicateObject  ... 328, ) == 0x0
 01583  1276   NtDuplicateObject  ... 332, ) == 0x0
 01584  1676   NtTestAlert  ... ) == 0x0
 01585  1744   NtCreateThread  ... 336, {1736, 380}, ) == 0x0
 01587  1288   NtWaitForSingleObject  (176, 0, 0x0, ...
 01588  1924   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01589   940   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01590  1628   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01591   876   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01592  1612   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01593   520   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01594  1484   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01595  1792   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01596   784   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01597  1568   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01586  1600   NtDuplicateObject  ... 340, ) == 0x0
 01598   704   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01599  1276   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01600  1676   NtContinue  (22084912, 1, ...
 01601  1744   NtQueryInformationThread  (336, Basic, 28, ...
 01588  1924   NtWaitForSingleObject  ... ) == 0x102
 01589   940   NtWaitForSingleObject  ... ) == 0x102
 01590  1628   NtWaitForSingleObject  ... ) == 0x102
 01591   876   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01592  1612   NtCreateEvent  ... 344, ) == 0x0
 01593   520   NtCreateEvent  ... 348, ) == 0x0
 01594  1484   NtCreateEvent  ... 352, ) == 0x0
 01595  1792   NtCreateEvent  ... 356, ) == 0x0
 01596   784   NtCreateEvent  ... 360, ) == 0x0
 01597  1568   NtCreateEvent  ... 364, ) == 0x0
 01602  1600   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01598   704   NtCreateEvent  ... 368, ) == 0x0
 01599  1276   NtCreateEvent  ... 372, ) == 0x0
 01603  1676   NtRegisterThreadTerminatePort  (24, ...
 01601  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1736,Tid=380,}, 0x0, ) == 0x0
 01604  1924   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01605   940   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01606  1628   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01607   876   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01608  1612   NtWaitForSingleObject  (344, 0, 0x0, ...
 01609   520   NtClose  (348, ...
 01610  1484   NtClose  (352, ...
 01611  1792   NtClose  (356, ...
 01612   784   NtClose  (360, ...
 01613  1568   NtClose  (364, ...
 01602  1600   NtCreateEvent  ... 376, ) == 0x0
 01614   704   NtClose  (368, ...
 01615  1276   NtClose  (372, ...
 01603  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01616  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75562, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\310\6\0\0|\1\0\0" ...  ...
 01604  1924   NtCreateEvent  ... 380, ) == 0x0
 01605   940   NtCreateEvent  ... 384, ) == 0x0
 01606  1628   NtCreateEvent  ... 388, ) == 0x0
 01607   876   NtCreateEvent  ... 392, ) == 0x0
 01609   520   NtClose  ... ) == 0x0
 01610  1484   NtClose  ... ) == 0x0
 01611  1792   NtClose  ... ) == 0x0
 01612   784   NtClose  ... ) == 0x0
 01613  1568   NtClose  ... ) == 0x0
 01617  1600   NtClose  (376, ...
 01614   704   NtClose  ... ) == 0x0
 01615  1276   NtClose  ... ) == 0x0
 01618  1676   NtWaitForSingleObject  (344, 0, 0x0, ...
 01616  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75563, 0}  ... {28, 56, reply, 0, 1736, 1744, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\310\6\0\0|\1\0\0" )  ) == 0x0
 01619  1384   NtQueryValueKey  (284,  (284, "Transports", Partial, 144, ... , Partial, 144, ...
 01620  1924   NtClose  (380, ...
 01621   940   NtClose  (384, ...
 01622   876   NtClose  (392, ...
 01623   520   NtWaitForSingleObject  (344, 0, 0x0, ...
 01624  1484   NtWaitForSingleObject  (344, 0, 0x0, ...
 01625  1792   NtWaitForSingleObject  (344, 0, 0x0, ...
 01626   784   NtWaitForSingleObject  (344, 0, 0x0, ...
 01627  1568   NtWaitForSingleObject  (344, 0, 0x0, ...
 01617  1600   NtClose  ... ) == 0x0
 01628   704   NtWaitForSingleObject  (344, 0, 0x0, ...
 01629  1276   NtWaitForSingleObject  (344, 0, 0x0, ...
 01630  1628   NtClose  (388, ...
 01631  1744   NtResumeThread  (336, ...
 01619  1384   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01620  1924   NtClose  ... ) == 0x0
 01621   940   NtClose  ... ) == 0x0
 01622   876   NtClose  ... ) == 0x0
 01632  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 01630  1628   NtClose  ... ) == 0x0
 01631  1744   NtResumeThread  ... 1, ) == 0x0
 01633  1384   NtQueryValueKey  (284,  (284, "Transports", Partial, 144, ... , Partial, 144, ...
 01634  1924   NtWaitForSingleObject  (344, 0, 0x0, ...
 01635   940   NtWaitForSingleObject  (344, 0, 0x0, ...
 01636   876   NtSetEventBoostPriority  (344, ...
 01637  1628   NtWaitForSingleObject  (344, 0, 0x0, ...
 01638  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01633  1384   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01608  1612   NtWaitForSingleObject  ... ) == 0x0
 01636   876   NtSetEventBoostPriority  ... ) == 0x0
 01638  1744   NtAllocateVirtualMemory  ... 36765696, 1048576, ) == 0x0
 01639  1612   NtSetEventBoostPriority  (344, ...
 01640  1384   NtClose  (284, ...
 01641   876   NtWaitForSingleObject  (344, 0, 0x0, ...
 01618  1676   NtWaitForSingleObject  ... ) == 0x0
 01639  1612   NtSetEventBoostPriority  ... ) == 0x0
 01642  1744   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ...
 01640  1384   NtClose  ... ) == 0x0
 01643  1676   NtSetEventBoostPriority  (344, ...
 01644   380   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ...
 01645  1612   NtWaitForSingleObject  (344, 0, 0x0, ...
 01642  1744   NtAllocateVirtualMemory  ... 37806080, 8192, ) == 0x0
 01623   520   NtWaitForSingleObject  ... ) == 0x0
 01644   380   NtAllocateVirtualMemory  ... 3624960, 4096, ) == 0x0
 01646  1744   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ...
 01647   520   NtSetEventBoostPriority  (344, ...
 01648   380   NtTestAlert  (...
 01646  1744   NtProtectVirtualMemory  ... (0x240e000), 4096, 4, ) == 0x0
 01624  1484   NtWaitForSingleObject  ... ) == 0x0
 01648   380   NtTestAlert  ... ) == 0x0
 01649  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01650  1484   NtSetEventBoostPriority  (344, ...
 01651   380   NtContinue  (36764976, 1, ...
 01649  1744   NtCreateThread  ... 284, {1736, 776}, ) == 0x0
 01625  1792   NtWaitForSingleObject  ... ) == 0x0
 01650  1484   NtSetEventBoostPriority  ... ) == 0x0
 01647   520   NtSetEventBoostPriority  ... ) == 0x0
 01643  1676   NtSetEventBoostPriority  ... ) == 0x0
 01652  1384   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01653  1744   NtQueryInformationThread  (284, Basic, 28, ...
 01654  1792   NtSetEventBoostPriority  (344, ...
 01655  1484   NtWaitForSingleObject  (344, 0, 0x0, ...
 01656   520   NtWaitForSingleObject  (344, 0, 0x0, ...
 01657  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01652  1384   NtOpenKey  ... 388, ) == 0x0
 01658   380   NtRegisterThreadTerminatePort  (24, ...
 01626   784   NtWaitForSingleObject  ... ) == 0x0
 01657  1676   NtDuplicateObject  ... 392, ) == 0x0
 01659  1384   NtQueryValueKey  (388,  (388, "Mapping", Partial, 144, ... , Partial, 144, ...
 01658   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 01660   784   NtSetEventBoostPriority  (344, ...
 01654  1792   NtSetEventBoostPriority  ... ) == 0x0
 01653  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1736,Tid=776,}, 0x0, ) == 0x0
 01659  1384   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01661   380   NtWaitForSingleObject  (344, 0, 0x0, ...
 01627  1568   NtWaitForSingleObject  ... ) == 0x0
 01662  1792   NtWaitForSingleObject  (344, 0, 0x0, ...
 01663  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75563, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\310\6\0\0\10\3\0\0" ...  ...
 01664  1384   NtWaitForSingleObject  (344, 0, 0x0, ...
 01665  1568   NtSetEventBoostPriority  (344, ...
 01663  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75564, 0}  ... {28, 56, reply, 0, 1736, 1744, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\310\6\0\0\10\3\0\0" )  ) == 0x0
 01628   704   NtWaitForSingleObject  ... ) == 0x0
 01666  1744   NtResumeThread  (284, ...
 01667   704   NtSetEventBoostPriority  (344, ...
 01666  1744   NtResumeThread  ... 1, ) == 0x0
 01632  1600   NtWaitForSingleObject  ... ) == 0x0
 01667   704   NtSetEventBoostPriority  ... ) == 0x0
 01665  1568   NtSetEventBoostPriority  ... ) == 0x0
 01660   784   NtSetEventBoostPriority  ... ) == 0x0
 01668  1676   NtWaitForSingleObject  (344, 0, 0x0, ...
 01669   776   NtTestAlert  (...
 01670  1600   NtSetEventBoostPriority  (344, ...
 01671   704   NtWaitForSingleObject  (344, 0, 0x0, ...
 01672  1568   NtWaitForSingleObject  (344, 0, 0x0, ...
 01673   784   NtWaitForSingleObject  (344, 0, 0x0, ...
 01669   776   NtTestAlert  ... ) == 0x0
 01634  1924   NtWaitForSingleObject  ... ) == 0x0
 01670  1600   NtSetEventBoostPriority  ... ) == 0x0
 01674  1924   NtSetEventBoostPriority  (344, ...
 01675   776   NtContinue  (37813552, 1, ...
 01635   940   NtWaitForSingleObject  ... ) == 0x0
 01674  1924   NtSetEventBoostPriority  ... ) == 0x0
 01676  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 01677   940   NtSetEventBoostPriority  (344, ...
 01678   776   NtRegisterThreadTerminatePort  (24, ...
 01679  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01680  1924   NtWaitForSingleObject  (176, 0, 0x0, ...
 01637  1628   NtWaitForSingleObject  ... ) == 0x0
 01677   940   NtSetEventBoostPriority  ... ) == 0x0
 01678   776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01679  1744   NtAllocateVirtualMemory  ... 37814272, 1048576, ) == 0x0
 01681  1628   NtSetEventBoostPriority  (344, ...
 01682   940   NtWaitForSingleObject  (176, 0, 0x0, ...
 01641   876   NtWaitForSingleObject  ... ) == 0x0
 01681  1628   NtSetEventBoostPriority  ... ) == 0x0
 01683  1744   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ...
 01684   876   NtSetEventBoostPriority  (344, ...
 01685   776   NtWaitForSingleObject  (344, 0, 0x0, ...
 01629  1276   NtWaitForSingleObject  ... ) == 0x0
 01684   876   NtSetEventBoostPriority  ... ) == 0x0
 01683  1744   NtAllocateVirtualMemory  ... 38854656, 8192, ) == 0x0
 01686  1276   NtSetEventBoostPriority  (344, ...
 01687  1628   NtWaitForSingleObject  (176, 0, 0x0, ...
 01645  1612   NtWaitForSingleObject  ... ) == 0x0
 01688  1744   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ...
 01689  1612   NtSetEventBoostPriority  (344, ...
 01688  1744   NtProtectVirtualMemory  ... (0x250e000), 4096, 4, ) == 0x0
 01655  1484   NtWaitForSingleObject  ... ) == 0x0
 01689  1612   NtSetEventBoostPriority  ... ) == 0x0
 01686  1276   NtSetEventBoostPriority  ... ) == 0x0
 01690   876   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01691  1484   NtSetEventBoostPriority  (344, ...
 01692  1612   NtWaitForSingleObject  (344, 0, 0x0, ...
 01693  1276   NtWaitForSingleObject  (344, 0, 0x0, ...
 01656   520   NtWaitForSingleObject  ... ) == 0x0
 01691  1484   NtSetEventBoostPriority  ... ) == 0x0
 01690   876   NtWaitForSingleObject  ... ) == 0x102
 01694  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01695   520   NtSetEventBoostPriority  (344, ...
 01696   876   NtWaitForSingleObject  (176, 0, 0x0, ...
 01661   380   NtWaitForSingleObject  ... ) == 0x0
 01695   520   NtSetEventBoostPriority  ... ) == 0x0
 01694  1744   NtCreateThread  ... 384, {1736, 312}, ) == 0x0
 01697   380   NtSetEventBoostPriority  (344, ...
 01698  1484   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01662  1792   NtWaitForSingleObject  ... ) == 0x0
 01697   380   NtSetEventBoostPriority  ... ) == 0x0
 01699  1744   NtQueryInformationThread  (384, Basic, 28, ...
 01700  1792   NtSetEventBoostPriority  (344, ...
 01698  1484   NtCreateEvent  ... 380, ) == 0x0
 01701   520   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01664  1384   NtWaitForSingleObject  ... ) == 0x0
 01700  1792   NtSetEventBoostPriority  ... ) == 0x0
 01699  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1736,Tid=312,}, 0x0, ) == 0x0
 01702  1484   NtWaitForSingleObject  (380, 0, 0x0, ...
 01703  1384   NtSetEventBoostPriority  (344, ...
 01701   520   NtCreateEvent  ... 376, ) == 0x0
 01704   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01705  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75564, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\310\6\0\08\1\0\0" ...  ...
 01668  1676   NtWaitForSingleObject  ... ) == 0x0
 01703  1384   NtSetEventBoostPriority  ... ) == 0x0
 01706   520   NtClose  (376, ...
 01704   380   NtDuplicateObject  ... 372, ) == 0x0
 01707  1676   NtSetEventBoostPriority  (344, ...
 01705  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75565, 0}  ... {28, 56, reply, 0, 1736, 1744, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\310\6\0\08\1\0\0" )  ) == 0x0
 01708  1792   NtWaitForSingleObject  (380, 0, 0x0, ...
 01706   520   NtClose  ... ) == 0x0
 01671   704   NtWaitForSingleObject  ... ) == 0x0
 01707  1676   NtSetEventBoostPriority  ... ) == 0x0
 01709   380   NtWaitForSingleObject  (344, 0, 0x0, ...
 01710  1744   NtResumeThread  (384, ...
 01711   704   NtSetEventBoostPriority  (344, ...
 01712   520   NtWaitForSingleObject  (380, 0, 0x0, ...
 01713  1676   NtWaitForSingleObject  (344, 0, 0x0, ...
 01672  1568   NtWaitForSingleObject  ... ) == 0x0
 01711   704   NtSetEventBoostPriority  ... ) == 0x0
 01710  1744   NtResumeThread  ... 1, ) == 0x0
 01714  1384   NtQueryValueKey  (388,  (388, "Mapping", Partial, 144, ... , Partial, 144, ...
 01715   312   NtTestAlert  (...
 01716  1568   NtSetEventBoostPriority  (344, ...
 01717  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01714  1384   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01673   784   NtWaitForSingleObject  ... ) == 0x0
 01716  1568   NtSetEventBoostPriority  ... ) == 0x0
 01715   312   NtTestAlert  ... ) == 0x0
 01717  1744   NtAllocateVirtualMemory  ... 38862848, 1048576, ) == 0x0
 01718   784   NtSetEventBoostPriority  (344, ...
 01719  1384   NtWaitForSingleObject  (344, 0, 0x0, ...
 01720   704   NtWaitForSingleObject  (380, 0, 0x0, ...
 01721   312   NtContinue  (38862128, 1, ...
 01676  1600   NtWaitForSingleObject  ... ) == 0x0
 01718   784   NtSetEventBoostPriority  ... ) == 0x0
 01722  1744   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ...
 01723  1600   NtSetEventBoostPriority  (344, ...
 01724   312   NtRegisterThreadTerminatePort  (24, ...
 01725  1568   NtWaitForSingleObject  (380, 0, 0x0, ...
 01726   784   NtWaitForSingleObject  (380, 0, 0x0, ...
 01685   776   NtWaitForSingleObject  ... ) == 0x0
 01724   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 01727   776   NtSetEventBoostPriority  (344, ...
 01723  1600   NtSetEventBoostPriority  ... ) == 0x0
 01722  1744   NtAllocateVirtualMemory  ... 39903232, 8192, ) == 0x0
 01693  1276   NtWaitForSingleObject  ... ) == 0x0
 01727   776   NtSetEventBoostPriority  ... ) == 0x0
 01728  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 01729  1276   NtSetEventBoostPriority  (344, ...
 01730  1744   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ...
 01731   776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01692  1612   NtWaitForSingleObject  ... ) == 0x0
 01729  1276   NtSetEventBoostPriority  ... ) == 0x0
 01730  1744   NtProtectVirtualMemory  ... (0x260e000), 4096, 4, ) == 0x0
 01732   312   NtWaitForSingleObject  (344, 0, 0x0, ...
 01733  1612   NtSetEventBoostPriority  (344, ...
 01731   776   NtDuplicateObject  ... 376, ) == 0x0
 01734  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01709   380   NtWaitForSingleObject  ... ) == 0x0
 01735   776   NtWaitForSingleObject  (344, 0, 0x0, ...
 01734  1744   NtCreateThread  ... 368, {1736, 476}, ) == 0x0
 01736   380   NtSetEventBoostPriority  (344, ...
 01737  1744   NtQueryInformationThread  (368, Basic, 28, ...
 01713  1676   NtWaitForSingleObject  ... ) == 0x0
 01736   380   NtSetEventBoostPriority  ... ) == 0x0
 01733  1612   NtSetEventBoostPriority  ... ) == 0x0
 01738  1276   NtWaitForSingleObject  (380, 0, 0x0, ...
 01739  1676   NtSetEventBoostPriority  (344, ...
 01737  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1736,Tid=476,}, 0x0, ) == 0x0
 01740  1612   NtSetEventBoostPriority  (380, ...
 01719  1384   NtWaitForSingleObject  ... ) == 0x0
 01741  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75565, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\310\6\0\0\334\1\0\0" ...  ...
 01702  1484   NtWaitForSingleObject  ... ) == 0x0
 01740  1612   NtSetEventBoostPriority  ... ) == 0x0
 01742  1384   NtSetEventBoostPriority  (344, ...
 01743  1484   NtWaitForSingleObject  (344, 0, 0x0, ...
 01741  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75566, 0}  ... {28, 56, reply, 0, 1736, 1744, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\310\6\0\0\334\1\0\0" )  ) == 0x0
 01739  1676   NtSetEventBoostPriority  ... ) == 0x0
 01744   380   NtWaitForSingleObject  (344, 0, 0x0, ...
 01728  1600   NtWaitForSingleObject  ... ) == 0x0
 01742  1384   NtSetEventBoostPriority  ... ) == 0x0
 01745  1744   NtResumeThread  (368, ...
 01746  1676   NtWaitForSingleObject  (344, 0, 0x0, ...
 01747  1600   NtSetEventBoostPriority  (344, ...
 01748  1612   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01745  1744   NtResumeThread  ... 1, ) == 0x0
 01732   312   NtWaitForSingleObject  ... ) == 0x0
 01747  1600   NtSetEventBoostPriority  ... ) == 0x0
 01748  1612   NtWaitForSingleObject  ... ) == 0x102
 01749  1384   NtQueryValueKey  (388,  (388, "Mapping", Partial, 152, ... , Partial, 152, ...
 01750   476   NtTestAlert  (...
 01751   312   NtSetEventBoostPriority  (344, ...
 01752  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01753  1612   NtWaitForSingleObject  (344, 0, 0x0, ...
 01749  1384   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01735   776   NtWaitForSingleObject  ... ) == 0x0
 01751   312   NtSetEventBoostPriority  ... ) == 0x0
 01750   476   NtTestAlert  ... ) == 0x0
 01752  1744   NtAllocateVirtualMemory  ... 39911424, 1048576, ) == 0x0
 01754   776   NtSetEventBoostPriority  (344, ...
 01755  1384   NtClose  (388, ...
 01756   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01757   476   NtContinue  (39910704, 1, ...
 01743  1484   NtWaitForSingleObject  ... ) == 0x0
 01754   776   NtSetEventBoostPriority  ... ) == 0x0
 01758  1744   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ...
 01755  1384   NtClose  ... ) == 0x0
 01759  1600   NtWaitForSingleObject  (380, 0, 0x0, ...
 01760  1484   NtSetEventBoostPriority  (344, ...
 01761   476   NtRegisterThreadTerminatePort  (24, ...
 01756   312   NtDuplicateObject  ... 388, ) == 0x0
 01758  1744   NtAllocateVirtualMemory  ... 40951808, 8192, ) == 0x0
 01762  1384   NtWaitForSingleObject  (344, 0, 0x0, ...
 01744   380   NtWaitForSingleObject  ... ) == 0x0
 01760  1484   NtSetEventBoostPriority  ... ) == 0x0
 01761   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 01763   312   NtWaitForSingleObject  (344, 0, 0x0, ...
 01764  1744   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ...
 01765   380   NtSetEventBoostPriority  (344, ...
 01766   776   NtWaitForSingleObject  (344, 0, 0x0, ...
 01767  1484   NtSetEventBoostPriority  (380, ...
 01746  1676   NtWaitForSingleObject  ... ) == 0x0
 01765   380   NtSetEventBoostPriority  ... ) == 0x0
 01764  1744   NtProtectVirtualMemory  ... (0x270e000), 4096, 4, ) == 0x0
 01768  1676   NtSetEventBoostPriority  (344, ...
 01708  1792   NtWaitForSingleObject  ... ) == 0x0
 01767  1484   NtSetEventBoostPriority  ... ) == 0x0
 01769   380   NtWaitForSingleObject  (344, 0, 0x0, ...
 01770   476   NtWaitForSingleObject  (344, 0, 0x0, ...
 01753  1612   NtWaitForSingleObject  ... ) == 0x0
 01771  1792   NtWaitForSingleObject  (344, 0, 0x0, ...
 01768  1676   NtSetEventBoostPriority  ... ) == 0x0
 01772  1484   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01773  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01774  1612   NtSetEventBoostPriority  (344, ...
 01772  1484   NtWaitForSingleObject  ... ) == 0x102
 01762  1384   NtWaitForSingleObject  ... ) == 0x0
 01774  1612   NtSetEventBoostPriority  ... ) == 0x0
 01773  1744   NtCreateThread  ... 364, {1736, 1716}, ) == 0x0
 01775  1384   NtSetEventBoostPriority  (344, ...
 01776  1484   NtWaitForSingleObject  (344, 0, 0x0, ...
 01777  1676   NtWaitForSingleObject  (344, 0, 0x0, ...
 01763   312   NtWaitForSingleObject  ... ) == 0x0
 01775  1384   NtSetEventBoostPriority  ... ) == 0x0
 01778  1744   NtQueryInformationThread  (364, Basic, 28, ...
 01779  1612   NtWaitForSingleObject  (176, 0, 0x0, ...
 01780   312   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01778  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1736,Tid=1716,}, 0x0, ) == 0x0
 01780   312   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01781  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75566, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\310\6\0\0\264\6\0\0" ...  ...
 01782  1384   NtWaitForSingleObject  (344, 0, 0x0, ...
 01783   312   NtSetEventBoostPriority  (344, ...
 01766   776   NtWaitForSingleObject  ... ) == 0x0
 01784   776   NtSetEventBoostPriority  (344, ...
 01771  1792   NtWaitForSingleObject  ... ) == 0x0
 01785  1792   NtSetEventBoostPriority  (344, ...
 01770   476   NtWaitForSingleObject  ... ) == 0x0
 01786   476   NtSetEventBoostPriority  (344, ...
 01769   380   NtWaitForSingleObject  ... ) == 0x0
 01787   380   NtSetEventBoostPriority  (344, ...
 01777  1676   NtWaitForSingleObject  ... ) == 0x0
 01788  1676   NtSetEventBoostPriority  (344, ...
 01776  1484   NtWaitForSingleObject  ... ) == 0x0
 01789  1484   NtSetEventBoostPriority  (344, ...
 01782  1384   NtWaitForSingleObject  ... ) == 0x0
 01790  1384   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 360, ) }, ... 360, ) == 0x0
 01791  1384   NtQueryValueKey  (360,  (360, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01788  1676   NtSetEventBoostPriority  ... ) == 0x0
 01786   476   NtSetEventBoostPriority  ... ) == 0x0
 01785  1792   NtSetEventBoostPriority  ... ) == 0x0
 01784   776   NtSetEventBoostPriority  ... ) == 0x0
 01789  1484   NtSetEventBoostPriority  ... ) == 0x0
 01787   380   NtSetEventBoostPriority  ... ) == 0x0
 01783   312   NtSetEventBoostPriority  ... ) == 0x0
 01781  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75567, 0}  ... {28, 56, reply, 0, 1736, 1744, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\310\6\0\0\264\6\0\0" )  ) == 0x0
 01792  1676   NtWaitForSingleObject  (380, 0, 0x0, ...
 01793   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01791  1384   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01794   776   NtWaitForSingleObject  (380, 0, 0x0, ...
 01795  1484   NtWaitForSingleObject  (176, 0, 0x0, ...
 01796   380   NtWaitForSingleObject  (380, 0, 0x0, ...
 01797   312   NtWaitForSingleObject  (380, 0, 0x0, ...
 01798  1744   NtResumeThread  (364, ...
 01799  1792   NtSetEventBoostPriority  (380, ...
 01800  1384   NtQueryValueKey  (360,  (360, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01793   476   NtDuplicateObject  ... 356, ) == 0x0
 01798  1744   NtResumeThread  ... 1, ) == 0x0
 01712   520   NtWaitForSingleObject  ... ) == 0x0
 01799  1792   NtSetEventBoostPriority  ... ) == 0x0
 01800  1384   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01801   476   NtWaitForSingleObject  (380, 0, 0x0, ...
 01802   520   NtSetEventBoostPriority  (380, ...
 01803  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01804  1792   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01805  1384   NtQueryValueKey  (360,  (360, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01720   704   NtWaitForSingleObject  ... ) == 0x0
 01802   520   NtSetEventBoostPriority  ... ) == 0x0
 01803  1744   NtAllocateVirtualMemory  ... 40960000, 1048576, ) == 0x0
 01804  1792   NtWaitForSingleObject  ... ) == 0x102
 01806   704   NtSetEventBoostPriority  (380, ...
 01805  1384   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01807  1716   NtTestAlert  (...
 01808  1744   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ...
 01725  1568   NtWaitForSingleObject  ... ) == 0x0
 01806   704   NtSetEventBoostPriority  ... ) == 0x0
 01809  1792   NtWaitForSingleObject  (176, 0, 0x0, ...
 01810  1384   NtQueryValueKey  (360,  (360, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01807  1716   NtTestAlert  ... ) == 0x0
 01811   520   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01812  1568   NtSetEventBoostPriority  (380, ...
 01813   704   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01808  1744   NtAllocateVirtualMemory  ... 42000384, 8192, ) == 0x0
 01814  1716   NtContinue  (40959280, 1, ...
 01726   784   NtWaitForSingleObject  ... ) == 0x0
 01812  1568   NtSetEventBoostPriority  ... ) == 0x0
 01811   520   NtWaitForSingleObject  ... ) == 0x102
 01810  1384   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01815  1744   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ...
 01816   784   NtSetEventBoostPriority  (380, ...
 01817  1716   NtRegisterThreadTerminatePort  (24, ...
 01818  1568   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01819   520   NtWaitForSingleObject  (176, 0, 0x0, ...
 01820  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11596844, ... }, 11596844, ...
 01738  1276   NtWaitForSingleObject  ... ) == 0x0
 01816   784   NtSetEventBoostPriority  ... ) == 0x0
 01815  1744   NtProtectVirtualMemory  ... (0x280e000), 4096, 4, ) == 0x0
 01817  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 01813   704   NtWaitForSingleObject  ... ) == 0x102
 01821  1276   NtSetEventBoostPriority  (380, ...
 01820  1384   NtQueryAttributesFile  ... ) == 0x0
 01822   784   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01823  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01818  1568   NtWaitForSingleObject  ... ) == 0x102
 01759  1600   NtWaitForSingleObject  ... ) == 0x0
 01821  1276   NtSetEventBoostPriority  ... ) == 0x0
 01824   704   NtWaitForSingleObject  (176, 0, 0x0, ...
 01825  1384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01826  1716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01823  1744   NtCreateThread  ... 352, {1736, 1664}, ) == 0x0
 01827  1600   NtSetEventBoostPriority  (380, ...
 01828  1568   NtWaitForSingleObject  (176, 0, 0x0, ...
 01829  1276   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01825  1384   NtOpenFile  ... 348, {status=0x0, info=1}, ) == 0x0
 01826  1716   NtDuplicateObject  ... 396, ) == 0x0
 01792  1676   NtWaitForSingleObject  ... ) == 0x0
 01827  1600   NtSetEventBoostPriority  ... ) == 0x0
 01830  1744   NtQueryInformationThread  (352, Basic, 28, ...
 01822   784   NtWaitForSingleObject  ... ) == 0x102
 01831  1384   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 348, ...
 01832  1676   NtSetEventBoostPriority  (380, ...
 01833  1716   NtWaitForSingleObject  (380, 0, 0x0, ...
 01834  1600   NtWaitForSingleObject  (380, 0, 0x0, ...
 01829  1276   NtWaitForSingleObject  ... ) == 0x102
 01835   784   NtWaitForSingleObject  (176, 0, 0x0, ...
 01830  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1736,Tid=1664,}, 0x0, ) == 0x0
 01796   380   NtWaitForSingleObject  ... ) == 0x0
 01832  1676   NtSetEventBoostPriority  ... ) == 0x0
 01831  1384   NtCreateSection  ... 400, ) == 0x0
 01836  1276   NtWaitForSingleObject  (176, 0, 0x0, ...
 01837  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75567, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\310\6\0\0\200\6\0\0" ...  ...
 01838   380   NtSetEventBoostPriority  (380, ...
 01839  1676   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01840  1384   NtClose  (348, ...
 01837  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75568, 0}  ... {28, 56, reply, 0, 1736, 1744, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\310\6\0\0\200\6\0\0" )  ) == 0x0
 01797   312   NtWaitForSingleObject  ... ) == 0x0
 01838   380   NtSetEventBoostPriority  ... ) == 0x0
 01840  1384   NtClose  ... ) == 0x0
 01841   312   NtSetEventBoostPriority  (380, ...
 01842  1744   NtResumeThread  (352, ...
 01839  1676   NtWaitForSingleObject  ... ) == 0x102
 01801   476   NtWaitForSingleObject  ... ) == 0x0
 01841   312   NtSetEventBoostPriority  ... ) == 0x0
 01843  1384   NtMapViewOfSection  (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01842  1744   NtResumeThread  ... 1, ) == 0x0
 01844   476   NtSetEventBoostPriority  (380, ...
 01845  1676   NtWaitForSingleObject  (176, 0, 0x0, ...
 01846   380   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01847  1664   NtWaitForSingleObject  (128, 0, 0x0, ...
 01843  1384   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 01848   312   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01794   776   NtWaitForSingleObject  ... ) == 0x0
 01844   476   NtSetEventBoostPriority  ... ) == 0x0
 01846   380   NtWaitForSingleObject  ... ) == 0x102
 01849  1384   NtClose  (400, ...
 01850   776   NtSetEventBoostPriority  (380, ...
 01848   312   NtWaitForSingleObject  ... ) == 0x102
 01851  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01852   380   NtWaitForSingleObject  (176, 0, 0x0, ...
 01853   476   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01833  1716   NtWaitForSingleObject  ... ) == 0x0
 01854   312   NtWaitForSingleObject  (176, 0, 0x0, ...
 01851  1744   NtAllocateVirtualMemory  ... 42008576, 1048576, ) == 0x0
 01853   476   NtWaitForSingleObject  ... ) == 0x102
 01855  1716   NtSetEventBoostPriority  (380, ...
 01856  1744   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ...
 01857   476   NtWaitForSingleObject  (176, 0, 0x0, ...
 01834  1600   NtWaitForSingleObject  ... ) == 0x0
 01855  1716   NtSetEventBoostPriority  ... ) == 0x0
 01856  1744   NtAllocateVirtualMemory  ... 43048960, 8192, ) == 0x0
 01858  1600   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01850   776   NtSetEventBoostPriority  ... ) == 0x0
 01849  1384   NtClose  ... ) == 0x0
 01858  1600   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01859  1744   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ...
 01860   776   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01861  1600   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01859  1744   NtProtectVirtualMemory  ... (0x290e000), 4096, 4, ) == 0x0
 01861  1600   NtOpenFile  ... 400, {status=0x0, info=0}, ) == 0x0
 01862  1384   NtUnmapViewOfSection  (-1, 0x360000, ...
 01863  1716   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01864  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01860   776   NtWaitForSingleObject  ... ) == 0x102
 01862  1384   NtUnmapViewOfSection  ... ) == 0x0
 01863  1716   NtWaitForSingleObject  ... ) == 0x102
 01864  1744   NtCreateThread  ... 348, {1736, 780}, ) == 0x0
 01865   776   NtWaitForSingleObject  (176, 0, 0x0, ...
 01866  1384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11597152, ... }, 11597152, ...
 01867  1716   NtWaitForSingleObject  (176, 0, 0x0, ...
 01868  1744   NtQueryInformationThread  (348, Basic, 28, ...
 01869  1600   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660VsAPS1\214\31Zvp\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01868  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1736,Tid=780,}, 0x0, ) == 0x0
 01870  1600   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01871  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75568, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\310\6\0\0\14\3\0\0" ...  ...
 01870  1600   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01871  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75569, 0}  ... {28, 56, reply, 0, 1736, 1744, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\310\6\0\0\14\3\0\0" )  ) == 0x0
 01866  1384   NtQueryAttributesFile  ... ) == 0x0
 01872  1744   NtResumeThread  (348, ...
 01873  1384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01872  1744   NtResumeThread  ... 1, ) == 0x0
 01873  1384   NtOpenFile  ... 404, {status=0x0, info=1}, ) == 0x0
 01874  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01875  1384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 404, ...
 01874  1744   NtAllocateVirtualMemory  ... 43057152, 1048576, ) == 0x0
 01875  1384   NtCreateSection  ... 408, ) == 0x0
 01876  1744   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ...
 01877  1384   NtQuerySection  (408, Image, 48, ...
 01878  1600   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01879   780   NtWaitForSingleObject  (128, 0, 0x0, ...
 01876  1744   NtAllocateVirtualMemory  ... 44097536, 8192, ) == 0x0
 01878  1600   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01880  1744   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ...
 01881  1600   NtQuerySystemInformation  (Performance, 312, ...
 01880  1744   NtProtectVirtualMemory  ... (0x2a0e000), 4096, 4, ) == 0x0
 01881  1600   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01882  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01883  1600   NtQuerySystemInformation  (Exception, 16, ...
 01882  1744   NtCreateThread  ... 412, {1736, 1248}, ) == 0x0
 01883  1600   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01884  1744   NtQueryInformationThread  (412, Basic, 28, ...
 01877  1384   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01885  1600   NtQuerySystemInformation  (Lookaside, 32, ...
 01886  1384   NtClose  (404, ...
 01885  1600   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01886  1384   NtClose  ... ) == 0x0
 01887  1600   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01888  1384   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01887  1600   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01888  1384   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 01889  1600   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01890  1384   NtClose  (408, ...
 01889  1600   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01884  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1736,Tid=1248,}, 0x0, ) == 0x0
 01890  1384   NtClose  ... ) == 0x0
 01891  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75569, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\310\6\0\0\340\4\0\0" ...  ...
 01892  1384   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ...
 01891  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75570, 0}  ... {28, 56, reply, 0, 1736, 1744, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\310\6\0\0\340\4\0\0" )  ) == 0x0
 01892  1384   NtProtectVirtualMemory  ... (0x71a91000), 4096, 32, ) == 0x0
 01893  1744   NtResumeThread  (412, ...
 01894  1384   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 01893  1744   NtResumeThread  ... 1, ) == 0x0
 01895  1600   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01894  1384   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 01896  1248   NtWaitForSingleObject  (128, 0, 0x0, ...
 01895  1600   NtCreateKey  ... -2147482576, 2, ) == 0x0
 01897  1384   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 01898  1600   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\220wY\230Y\264+\240A~&\234\300c.i\22G\326\370\&\330\341\331\253Q\272g'\321\225\305\201o\252\370\23\231m\37736V\271\277\200\354\31\220\225\315e\207s]\\364>\250\5\203V\20xk~\237W\313\332G\222y\1\351gt\343\270", 80, ... , 0, 3,  (-2147482576, "Seed", 0, 3, "\220wY\230Y\264+\240A~&\234\300c.i\22G\326\370\&\330\341\331\253Q\272g'\321\225\305\201o\252\370\23\231m\37736V\271\277\200\354\31\220\225\315e\207s]\\364>\250\5\203V\20xk~\237W\313\332G\222y\1\351gt\343\270", 80, ... , 80, ...
 01897  1384   NtFlushInstructionCache  ... ) == 0x0
 01898  1600   NtSetValueKey  ... ) == 0x0
 01899  1384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 01900  1600   NtClose  (-2147482576, ...
 01901  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01900  1600   NtClose  ... ) == 0x0
 01901  1744   NtAllocateVirtualMemory  ... 44105728, 1048576, ) == 0x0
 01899  1384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902  1744   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ...
 01903  1384   NtSetEventBoostPriority  (128, ...
 01902  1744   NtAllocateVirtualMemory  ... 45146112, 8192, ) == 0x0
 01847  1664   NtWaitForSingleObject  ... ) == 0x0
 01903  1384   NtSetEventBoostPriority  ... ) == 0x0
 01904  1664   NtSetEventBoostPriority  (128, ...
 01905  1744   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ...
 01879   780   NtWaitForSingleObject  ... ) == 0x0
 01904  1664   NtSetEventBoostPriority  ... ) == 0x0
 01906  1384   NtClose  (360, ...
 01907   780   NtSetEventBoostPriority  (128, ...
 01905  1744   NtProtectVirtualMemory  ... (0x2b0e000), 4096, 4, ) == 0x0
 01869  1600   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "_\230\265\243\301\203|\260\241pT\365\255\223\207vL\340S\337\321\340\263\376RX\213f\203\363\37#\267az\2304\30\26V\234#^\373\366:S\276w\361Jm\257c\23\222\327\207\231\232C\342.qw\300j\266#\302\207B\234\247u\14\213m:\200\14\342\;\372[\252\221\242u\221u\314\370\35\335\16\306 h\276\240\337?\275K\261*\327\333\323}\7\342\231:a0l\246\15\205)\353\267\324\34\3\347_\17$J\302\312\243\356\311\266\16\362\363\262)"L\313FP\32\377\344u\212\34\221:*=wT\220\327q\354\313_p\324\20S\4\204\310\260\234\347\334\206\221\6B\221]p\340\307\225K\15\2\222\216\302\341n\217\362\361\275z\2118\263A\0\322\332\177\1\24\23\17>\252\34\330\311e\315\356\345\357\377\350\3215\347f\270+%\305\17P\212\326\237\321\357\341\245\361^\216\21\212:?`\22\252\320\354\327o", ) L\313FP\32\377\344u\212\34\221:*=wT\220\327q\354\313_p\324\20S\4\204\310\260\234\347\334\206\221\6B\221]p\340\307\225K\15\2\222\216\302\341n\217\362\361\275z\2118\263A\0\322\332\177\1\24\23\17>\252\34\330\311e\315\356\345\357\377\350\3215\347f\270+%\305\17P\212\326\237\321\357\341\245\361^\216\21\212:?`\22\252\320\354\327o", ) == 0x0
 01896  1248   NtWaitForSingleObject  ... ) == 0x0
 01907   780   NtSetEventBoostPriority  ... ) == 0x0
 01906  1384   NtClose  ... ) == 0x0
 01908  1664   NtTestAlert  (...
 01909  1248   NtTestAlert  (...
 01910  1600   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01911  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01912  1384   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11599488, 67, ... }, 0x0, 0, 3, 3, 0, 11599488, 67, ...
 01909  1248   NtTestAlert  ... ) == 0x0
 01908  1664   NtTestAlert  ... ) == 0x0
 01910  1600   NtCreateEvent  ... 360, ) == 0x0
 01911  1744   NtCreateThread  ... 408, {1736, 760}, ) == 0x0
 01913   780   NtTestAlert  (...
 01912  1384   NtCreateFile  ... 404, {status=0x0, info=0}, ) == 0x0
 01914  1664   NtContinue  (42007856, 1, ...
 01915  1600   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12643844, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12643844, 188, ...
 01916  1744   NtQueryInformationThread  (408, Basic, 28, ...
 01913   780   NtTestAlert  ... ) == 0x0
 01917  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x1207b,  (404, 148, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01918  1664   NtRegisterThreadTerminatePort  (24, ...
 01916  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1736,Tid=760,}, 0x0, ) == 0x0
 01919   780   NtContinue  (43056432, 1, ...
 01915  1600   NtConnectPort  ... 416, 0x0, 0x0, 0x0, 188, ) == 0x0
 01917  1384   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0@\273\201\201", ) , ) == 0x0
 01918  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 01920  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75570, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\310\6\0\0\370\2\0\0" ...  ...
 01921   780   NtRegisterThreadTerminatePort  (24, ...
 01922  1248   NtContinue  (44105008, 1, ...
 01923  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x1207b,  (404, 148, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0@\273\201\201", 16, 16, ... , 16, 16, ...
 01924  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01921   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 01925  1248   NtRegisterThreadTerminatePort  (24, ...
 01923  1384   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0@\273\201\201", ) , ) == 0x0
 01926  1600   NtRequestWaitReplyPort  (416, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721}  (416, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\220(\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0Q\314\235\21:\323p\24\210+\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`+\25\0\372U\346\357x\1\24\0\200+\25\0h\1\24\0\0\0\0\0\0\0\0\0\200+\25\0P\0\0\0\210+\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01920  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75572, 0}  ... {28, 56, reply, 0, 1736, 1744, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\310\6\0\0\370\2\0\0" )  ) == 0x0
 01927   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01925  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01928  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x12047,  (404, 148, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01929  1744   NtResumeThread  (408, ...
 01926  1600   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1736, 1600, 75573, 0}  ... {200, 224, reply, 0, 1736, 1600, 75573, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0Q\314\235\21:\323p\24\210+\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`+\25\0\372U\346\357x\1\24\0\200+\25\0h\1\24\0\0\0\0\0\0\0\0\0\200+\25\0P\0\0\0\210+\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01924  1664   NtDuplicateObject  ... 420, ) == 0x0
 01930  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01927   780   NtDuplicateObject  ... 424, ) == 0x0
 01929  1744   NtResumeThread  ... 1, ) == 0x0
 01931  1600   NtRequestWaitReplyPort  (416, {64, 88, new_msg, 0, 0, 0, 0, 0}  (416, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01932  1664   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01930  1248   NtDuplicateObject  ... 428, ) == 0x0
 01933   780   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01934  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01932  1664   NtWaitForSingleObject  ... ) == 0x102
 01935  1248   NtWaitForSingleObject  (344, 0, 0x0, ...
 01931  1600   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1736, 1600, 75574, 0}  ... {52, 76, reply, 0, 1736, 1600, 75574, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\230\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01933   780   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01934  1744   NtAllocateVirtualMemory  ... 45154304, 1048576, ) == 0x0
 01936  1664   NtWaitForSingleObject  (344, 0, 0x0, ...
 01928  1384   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01937   760   NtTestAlert  (...
 01938   780   NtSetEventBoostPriority  (344, ...
 01939  1744   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ...
 01940  1384   NtWaitForSingleObject  (344, 0, 0x0, ...
 01937   760   NtTestAlert  ... ) == 0x0
 01935  1248   NtWaitForSingleObject  ... ) == 0x0
 01938   780   NtSetEventBoostPriority  ... ) == 0x0
 01941  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 01942  1248   NtSetEventBoostPriority  (344, ...
 01943   760   NtContinue  (45153584, 1, ...
 01944   780   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01936  1664   NtWaitForSingleObject  ... ) == 0x0
 01945   760   NtRegisterThreadTerminatePort  (24, ...
 01942  1248   NtSetEventBoostPriority  ... ) == 0x0
 01939  1744   NtAllocateVirtualMemory  ... 46194688, 8192, ) == 0x0
 01946  1664   NtSetEventBoostPriority  (344, ...
 01945   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 01947  1248   NtWaitForSingleObject  (344, 0, 0x0, ...
 01948  1744   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ...
 01940  1384   NtWaitForSingleObject  ... ) == 0x0
 01946  1664   NtSetEventBoostPriority  ... ) == 0x0
 01944   780   NtWaitForSingleObject  ... ) == 0x102
 01949  1384   NtSetEventBoostPriority  (344, ...
 01948  1744   NtProtectVirtualMemory  ... (0x2c0e000), 4096, 4, ) == 0x0
 01950   760   NtWaitForSingleObject  (344, 0, 0x0, ...
 01941  1600   NtWaitForSingleObject  ... ) == 0x0
 01949  1384   NtSetEventBoostPriority  ... ) == 0x0
 01951   780   NtWaitForSingleObject  (176, 0, 0x0, ...
 01952  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01953  1600   NtSetEventBoostPriority  (344, ...
 01954  1664   NtWaitForSingleObject  (176, 0, 0x0, ...
 01947  1248   NtWaitForSingleObject  ... ) == 0x0
 01953  1600   NtSetEventBoostPriority  ... ) == 0x0
 01952  1744   NtCreateThread  ... 432, {1736, 484}, ) == 0x0
 01955  1248   NtSetEventBoostPriority  (344, ...
 01956  1600   NtClose  (360, ...
 01950   760   NtWaitForSingleObject  ... ) == 0x0
 01955  1248   NtSetEventBoostPriority  ... ) == 0x0
 01957  1744   NtQueryInformationThread  (432, Basic, 28, ...
 01958  1384   NtWaitForSingleObject  (96, 0, {0, 0}, ...
 01959   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01956  1600   NtClose  ... ) == 0x0
 01960  1248   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01959   760   NtDuplicateObject  ... 360, ) == 0x0
 01958  1384   NtWaitForSingleObject  ... ) == 0x102
 01961  1600   NtClose  (416, ...
 01962   760   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01960  1248   NtWaitForSingleObject  ... ) == 0x102
 01963  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x12003,  (404, 148, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01961  1600   NtClose  ... ) == 0x0
 01957  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1736,Tid=484,}, 0x0, ) == 0x0
 01964  1248   NtWaitForSingleObject  (176, 0, 0x0, ...
 01963  1384   NtDeviceIoControlFile  ... {status=0x0, info=416},  ... {status=0x0, info=416}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01965  1600   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01966  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75572, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\310\6\0\0\344\1\0\0" ...  ...
 01962   760   NtWaitForSingleObject  ... ) == 0x102
 01965  1600   NtCreateKey  ... 436, 2, ) == 0x0
 01966  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75576, 0}  ... {28, 56, reply, 0, 1736, 1744, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\310\6\0\0\344\1\0\0" )  ) == 0x0
 01967   760   NtWaitForSingleObject  (176, 0, 0x0, ...
 01968  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01969  1744   NtResumeThread  (432, ...
 01970  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x12047,  (404, 148, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01969  1744   NtResumeThread  ... 1, ) == 0x0
 01970  1384   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01968  1600   NtOpenKey  ... 440, ) == 0x0
 01971   484   NtTestAlert  (...
 01972  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x12037,  (404, 148, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01973  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01971   484   NtTestAlert  ... ) == 0x0
 01972  1384   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01973  1600   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974   484   NtContinue  (46202160, 1, ...
 01975  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x1200b,  (404, 148, 0x0, 0x0, 0x1200b, "\0\376\260\0\5\0\0\0\0\320\24\0", 12, 0, ... , 12, 0, ...
 01976  1600   NtQueryValueKey  (436,  (436, "Hostname", Partial, 144, ... , Partial, 144, ...
 01977   484   NtRegisterThreadTerminatePort  (24, ...
 01975  1384   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01976  1600   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01977   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 01978  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01979  1600   NtQueryValueKey  (436,  (436, "Hostname", Partial, 144, ... , Partial, 144, ...
 01980  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x12047,  (404, 148, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\260\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01978  1744   NtAllocateVirtualMemory  ... 46202880, 1048576, ) == 0x0
 01981   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01980  1384   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01982  1744   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ...
 01981   484   NtDuplicateObject  ... 444, ) == 0x0
 01983  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01982  1744   NtAllocateVirtualMemory  ... 47243264, 8192, ) == 0x0
 01984   484   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01983  1384   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01985  1744   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ...
 01984   484   NtWaitForSingleObject  ... ) == 0x102
 01986  1384   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 01985  1744   NtProtectVirtualMemory  ... (0x2d0e000), 4096, 4, ) == 0x0
 01987   484   NtWaitForSingleObject  (176, 0, 0x0, ...
 01986  1384   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 01979  1600   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01988  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01989  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 01988  1744   NtCreateThread  ... 448, {1736, 1756}, ) == 0x0
 01990  1744   NtQueryInformationThread  (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1736,Tid=1756,}, 0x0, ) == 0x0
 01991  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75576, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\334\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75577, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\334\6\0\0" )  ) == 0x0
 01992  1744   NtResumeThread  (448, ... 1, ) == 0x0
 01993  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 47251456, 1048576, ) == 0x0
 01994  1744   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ...
 01995  1384   NtSetEventBoostPriority  (344, ...
 01996  1756   NtTestAlert  (...
 01989  1600   NtWaitForSingleObject  ... ) == 0x0
 01995  1384   NtSetEventBoostPriority  ... ) == 0x0
 01997  1600   NtClose  (436, ...
 01996  1756   NtTestAlert  ... ) == 0x0
 01997  1600   NtClose  ... ) == 0x0
 01998  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\210{D^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01999  1756   NtContinue  (47250736, 1, ...
 01994  1744   NtAllocateVirtualMemory  ... 48291840, 8192, ) == 0x0
 02000  1384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02001  1756   NtRegisterThreadTerminatePort  (24, ...
 02002  1744   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ...
 02000  1384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02001  1756   NtRegisterThreadTerminatePort  ... ) == 0x0
 02002  1744   NtProtectVirtualMemory  ... (0x2e0e000), 4096, 4, ) == 0x0
 02003  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02004  1600   NtClose  (440, ...
 02005  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02006  1756   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02004  1600   NtClose  ... ) == 0x0
 02005  1744   NtCreateThread  ... 440, {1736, 1292}, ) == 0x0
 02006  1756   NtDuplicateObject  ... 436, ) == 0x0
 02007  1600   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02008  1744   NtQueryInformationThread  (440, Basic, 28, ...
 02009  1756   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02007  1600   NtCreateEvent  ... 452, ) == 0x0
 02003  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02009  1756   NtWaitForSingleObject  ... ) == 0x102
 02010  1600   NtWaitForSingleObject  (452, 0, 0x0, ...
 02011  1384   NtQuerySystemInformation  (Performance, 312, ...
 02012  1756   NtWaitForSingleObject  (176, 0, 0x0, ...
 02011  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02008  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1736,Tid=1292,}, 0x0, ) == 0x0
 02013  1384   NtQuerySystemInformation  (Exception, 16, ...
 02014  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75577, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\310\6\0\0\14\5\0\0" ...  ...
 02013  1384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02014  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75578, 0}  ... {28, 56, reply, 0, 1736, 1744, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\310\6\0\0\14\5\0\0" )  ) == 0x0
 02015  1384   NtQuerySystemInformation  (Lookaside, 32, ...
 02016  1744   NtResumeThread  (440, ... 1, ) == 0x0
 02017  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 48300032, 1048576, ) == 0x0
 02018  1744   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ... 49340416, 8192, ) == 0x0
 02019  1744   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ... (0x2f0e000), 4096, 4, ) == 0x0
 02015  1384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02020  1292   NtTestAlert  (...
 02021  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02020  1292   NtTestAlert  ... ) == 0x0
 02021  1384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02022  1292   NtContinue  (48299312, 1, ...
 02023  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02024  1292   NtRegisterThreadTerminatePort  (24, ...
 02023  1384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02024  1292   NtRegisterThreadTerminatePort  ... ) == 0x0
 02025  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02026  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02027  1292   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02026  1744   NtCreateThread  ... 456, {1736, 540}, ) == 0x0
 02027  1292   NtDuplicateObject  ... 460, ) == 0x0
 02028  1744   NtQueryInformationThread  (456, Basic, 28, ...
 02029  1292   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02028  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1736,Tid=540,}, 0x0, ) == 0x0
 02029  1292   NtWaitForSingleObject  ... ) == 0x102
 02030  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75578, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\310\6\0\0\34\2\0\0" ...  ...
 02031  1292   NtWaitForSingleObject  (176, 0, 0x0, ...
 02030  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75579, 0}  ... {28, 56, reply, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\310\6\0\0\34\2\0\0" )  ) == 0x0
 02025  1384   NtCreateKey  ... -2147482564, 2, ) == 0x0
 02032  1744   NtResumeThread  (456, ...
 02033  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\2640\267k$\246\2\335\224p\234\264\7\346\253K\232h\10l\202\277\261V\366P\246o\233w\332\363\247\37"w\272f\356\13\332+$x\26\376E:v>\275xt\224\2448\301{\361g\367\364\14#\376\257\37n\17\364\321\207\324w\314;\310\361d", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\2640\267k$\246\2\335\224p\234\264\7\346\253K\232h\10l\202\277\261V\366P\246o\233w\332\363\247\37"w\272f\356\13\332+$x\26\376E:v>\275xt\224\2448\301{\361g\367\364\14#\376\257\37n\17\364\321\207\324w\314;\310\361d", 80, ... w\272f\356\13\332+$x\26\376E:v>\275xt\224\2448\301{\361g\367\364\14#\376\257\37n\17\364\321\207\324w\314;\310\361d", 80, ...
 02032  1744   NtResumeThread  ... 1, ) == 0x0
 02033  1384   NtSetValueKey  ... ) == 0x0
 02034  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02035  1384   NtClose  (-2147482564, ...
 02034  1744   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 02035  1384   NtClose  ... ) == 0x0
 02036  1744   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ...
 01998  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\16W}\227\377\12\347\14W\263\276\361\362\356\314e*M\324G/j\16\260v\264\224@Bl+\32\334_\3031\26\201\350\330\1\250uYA\361\321\227m(q}u\200z\335p\263\300_\332n\312q\23b\372\306\5\234\232>\216D\255\320\360\355\334\211\17\271^n0\366\206\3655\234\362\260s\243\236\35\311\352\322?P\360\362\252E\27@O\216\241\225\215:T\355o\331\202\0\224\302\356l\274\375\301\202mN\341\206QQ%&\325\251v]~\230\273T\355\23\3546\367\260\271\220\373\213\177NH=\24Z\\223HK\361d\200\2646#\225e\363\310\202\1\313{$Q\207\326[\230QW\300xC\217\220\350}\267\224zv\377.\32\374\177[+"\204\2119\271W\225\221_\240\342?NO\376\34k\341il\330"\227\261V\23P~\217\362\325:\7)S"\271\334-\2\2555\30\305\15\260\252\363\215e\313\2426", ) \204\2119\271W\225\221_\240\342?NO\376\34k\341il\330 ... {status=0x0, info=256}, "\16W}\227\377\12\347\14W\263\276\361\362\356\314e*M\324G/j\16\260v\264\224@Bl+\32\334_\3031\26\201\350\330\1\250uYA\361\321\227m(q}u\200z\335p\263\300_\332n\312q\23b\372\306\5\234\232>\216D\255\320\360\355\334\211\17\271^n0\366\206\3655\234\362\260s\243\236\35\311\352\322?P\360\362\252E\27@O\216\241\225\215:T\355o\331\202\0\224\302\356l\274\375\301\202mN\341\206QQ%&\325\251v]~\230\273T\355\23\3546\367\260\271\220\373\213\177NH=\24Z\\223HK\361d\200\2646#\225e\363\310\202\1\313{$Q\207\326[\230QW\300xC\217\220\350}\267\224zv\377.\32\374\177[+"\204\2119\271W\225\221_\240\342?NO\376\34k\341il\330"\227\261V\23P~\217\362\325:\7)S"\271\334-\2\2555\30\305\15\260\252\363\215e\313\2426", ) \271\334-\2\2555\30\305\15\260\252\363\215e\313\2426", ) == 0x0
 02037   540   NtTestAlert  (...
 02036  1744   NtAllocateVirtualMemory  ... 50388992, 8192, ) == 0x0
 02037   540   NtTestAlert  ... ) == 0x0
 02038  1744   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ...
 02039   540   NtContinue  (49347888, 1, ...
 02038  1744   NtProtectVirtualMemory  ... (0x300e000), 4096, 4, ) == 0x0
 02040   540   NtRegisterThreadTerminatePort  (24, ...
 02041  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02040   540   NtRegisterThreadTerminatePort  ... ) == 0x0
 02041  1744   NtCreateThread  ... 464, {1736, 1956}, ) == 0x0
 02042  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\312\205\331\37v\267\257QuD^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02043  1744   NtQueryInformationThread  (464, Basic, 28, ...
 02044  1384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02045   540   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02044  1384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02045   540   NtDuplicateObject  ... 468, ) == 0x0
 02046  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02047   540   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 02046  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02047   540   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 02048  1384   NtQuerySystemInformation  (Performance, 312, ...
 02049   540   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02043  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1736,Tid=1956,}, 0x0, ) == 0x0
 02050  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75579, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75580, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\244\7\0\0" )  ) == 0x0
 02051  1744   NtResumeThread  (464, ... 1, ) == 0x0
 02052  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50397184, 1048576, ) == 0x0
 02053  1744   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ... 51437568, 8192, ) == 0x0
 02054  1744   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ... (0x310e000), 4096, 4, ) == 0x0
 02048  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02049   540   NtWaitForSingleObject  ... ) == 0x102
 02055  1956   NtTestAlert  (...
 02056  1384   NtQuerySystemInformation  (Exception, 16, ...
 02057   540   NtWaitForSingleObject  (176, 0, 0x0, ...
 02055  1956   NtTestAlert  ... ) == 0x0
 02056  1384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02058  1956   NtContinue  (50396464, 1, ...
 02059  1384   NtQuerySystemInformation  (Lookaside, 32, ...
 02060  1956   NtRegisterThreadTerminatePort  (24, ...
 02059  1384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02060  1956   NtRegisterThreadTerminatePort  ... ) == 0x0
 02061  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02062  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02063  1956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02062  1744   NtCreateThread  ... 472, {1736, 1480}, ) == 0x0
 02063  1956   NtDuplicateObject  ... 476, ) == 0x0
 02064  1744   NtQueryInformationThread  (472, Basic, 28, ...
 02065  1956   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02064  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1736,Tid=1480,}, 0x0, ) == 0x0
 02065  1956   NtWaitForSingleObject  ... ) == 0x102
 02066  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75580, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\310\6\0\0\310\5\0\0" ...  ...
 02067  1956   NtWaitForSingleObject  (176, 0, 0x0, ...
 02066  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75581, 0}  ... {28, 56, reply, 0, 1736, 1744, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\310\6\0\0\310\5\0\0" )  ) == 0x0
 02061  1384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02068  1744   NtResumeThread  (472, ...
 02069  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02068  1744   NtResumeThread  ... 1, ) == 0x0
 02069  1384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02070  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02071  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02070  1744   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 02071  1384   NtCreateKey  ... -2147482564, 2, ) == 0x0
 02072  1744   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ...
 02073  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "9\345\333 \365\306$f\23{F\340\320\203t\366m\232\307\201\274V\34Uj\15-\300\362\3H.\311\374F~G%\14a\25\337K\317\301\300\334\303\324\272\373\356\3158\252\325\3\234P\:\212\310\265\237\21\213Nn\265\261q\35f\3\372\364}y\321", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "9\345\333 \365\306$f\23{F\340\320\203t\366m\232\307\201\274V\34Uj\15-\300\362\3H.\311\374F~G%\14a\25\337K\317\301\300\334\303\324\272\373\356\3158\252\325\3\234P\:\212\310\265\237\21\213Nn\265\261q\35f\3\372\364}y\321", 80, ... , 80, ...
 02074  1480   NtTestAlert  (...
 02072  1744   NtAllocateVirtualMemory  ... 52486144, 8192, ) == 0x0
 02074  1480   NtTestAlert  ... ) == 0x0
 02075  1744   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ...
 02076  1480   NtContinue  (51445040, 1, ...
 02075  1744   NtProtectVirtualMemory  ... (0x320e000), 4096, 4, ) == 0x0
 02077  1480   NtRegisterThreadTerminatePort  (24, ...
 02078  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02077  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 02078  1744   NtCreateThread  ... 480, {1736, 1556}, ) == 0x0
 02073  1384   NtSetValueKey  ... ) == 0x0
 02079  1744   NtQueryInformationThread  (480, Basic, 28, ...
 02080  1384   NtClose  (-2147482564, ...
 02081  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02080  1384   NtClose  ... ) == 0x0
 02081  1480   NtDuplicateObject  ... 484, ) == 0x0
 02042  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "4\371"\236V\2#\230sdw\202\261C\215\323 w\204]\360]m\204\327\221_\241\2\333\371\302\7\344\273UvI\374r\3751\20\337T\361\336B\230\363\377i\253\366\334\34\351\210V\366C\264\263\202\251\346\225\306\305XO~T\364\275\331o\236=\2009t\1\267J\355M\346-l\240\350bD\240\224\245\265o?\32\0\327\211\305s\177M\15\177\235P\307\205\367;\10\270\326M\21\237o:}J\321\331\4\262\6\333\354@\2\357\254},\375\30\34\275\336\234\347\236\363\361\333\217\306\347\1:\236\220\230\334^7\305Xy\225\264i\374#\6\354\274N*X\230\223M\231\223$\203\265\235\345`\272\37\205\206\363Qc\36\177J\200\205\276]\257\177\11d\233JA\317\226\35\201p\341\225*\10\33h\246{3u\234\4\242.Y\372@/\351\27\313\347\4lu6\20\235\311\240\306\37\357'\5[\202\366\221\203\361\365\26", ) \236V\2#\230sdw\202\261C\215\323 w\204]\360]m\204\327\221_\241\2\333\371\302\7\344\273UvI\374r\3751\20\337T\361\336B\230\363\377i\253\366\334\34\351\210V\366C\264\263\202\251\346\225\306\305XO~T\364\275\331o\236=\2009t\1\267J\355M\346-l\240\350bD\240\224\245\265o?\32\0\327\211\305s\177M\15\177\235P\307\205\367;\10\270\326M\21\237o:}J\321\331\4\262\6\333\354@\2\357\254},\375\30\34\275\336\234\347\236\363\361\333\217\306\347\1:\236\220\230\334^7\305Xy\225\264i\374#\6\354\274N*X\230\223M\231\223$\203\265\235\345`\272\37\205\206\363Qc\36\177J\200\205\276]\257\177\11d\233JA\317\226\35\201p\341\225*\10\33h\246{3u\234\4\242.Y\372@/\351\27\313\347\4lu6\20\235\311\240\306\37\357'\5[\202\366\221\203\361\365\26", ) == 0x0
 02082  1480   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02083  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\312\205\331\37v\267\257\23\213\331\37v\267\257QuD^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02082  1480   NtWaitForSingleObject  ... ) == 0x102
 02084  1384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02085  1480   NtWaitForSingleObject  (176, 0, 0x0, ...
 02079  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1736,Tid=1556,}, 0x0, ) == 0x0
 02084  1384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02086  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75581, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\310\6\0\0\24\6\0\0" ...  ...
 02087  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02086  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75582, 0}  ... {28, 56, reply, 0, 1736, 1744, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\310\6\0\0\24\6\0\0" )  ) == 0x0
 02087  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02088  1744   NtResumeThread  (480, ...
 02089  1384   NtQuerySystemInformation  (Performance, 312, ...
 02088  1744   NtResumeThread  ... 1, ) == 0x0
 02089  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02090  1556   NtTestAlert  (...
 02091  1384   NtQuerySystemInformation  (Exception, 16, ...
 02090  1556   NtTestAlert  ... ) == 0x0
 02092  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02093  1556   NtContinue  (52493616, 1, ...
 02092  1744   NtAllocateVirtualMemory  ... 52494336, 1048576, ) == 0x0
 02094  1556   NtRegisterThreadTerminatePort  (24, ...
 02095  1744   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ...
 02094  1556   NtRegisterThreadTerminatePort  ... ) == 0x0
 02095  1744   NtAllocateVirtualMemory  ... 53534720, 8192, ) == 0x0
 02091  1384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02096  1744   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ...
 02097  1384   NtQuerySystemInformation  (Lookaside, 32, ...
 02096  1744   NtProtectVirtualMemory  ... (0x330e000), 4096, 4, ) == 0x0
 02097  1384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02098  1556   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02099  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02098  1556   NtDuplicateObject  ... 488, ) == 0x0
 02099  1384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02100  1556   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02101  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02100  1556   NtWaitForSingleObject  ... ) == 0x102
 02102  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02103  1556   NtWaitForSingleObject  (176, 0, 0x0, ...
 02102  1744   NtCreateThread  ... 492, {1736, 1856}, ) == 0x0
 02101  1384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02104  1744   NtQueryInformationThread  (492, Basic, 28, ...
 02105  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02104  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1736,Tid=1856,}, 0x0, ) == 0x0
 02105  1384   NtCreateKey  ... -2147482564, 2, ) == 0x0
 02106  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75582, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\310\6\0\0@\7\0\0" ...  ...
 02107  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\336\353C\201\345N\217v7\323E\206\266\257\221\36\217\331\356\0[\351\3520\252\7v\205\256\377\273\2324\344r\363\356\ut\247\16\23\343\217\266.\202Y\257\31yt\202[\211\350T'7`\225#\336\275\343\225\320\12\307ho\362\375\315'|\214\2052", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\336\353C\201\345N\217v7\323E\206\266\257\221\36\217\331\356\0[\351\3520\252\7v\205\256\377\273\2324\344r\363\356\ut\247\16\23\343\217\266.\202Y\257\31yt\202[\211\350T'7`\225#\336\275\343\225\320\12\307ho\362\375\315'|\214\2052", 80, ... ) , 80, ... ) == 0x0
 02108  1384   NtClose  (-2147482564, ... ) == 0x0
 02083  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\301\34\231\15j\1\31[\224A\327\234\322)\265D\311s\23.\315*\310BR\361q\262w\26)g\266|6 \3O!X8W\376\2\363((\17f*\217Q\330\10\330G@MX\303\322\300\230\256$\231\13\220\373\11\22\27322\370\12\354\353\327\225>\202\230\317\213%\372\210\267*[\367j\252Q\307\327\363\231\221\18up~\320\262\242\362\343\216h_\32\214\210g\233XQ\15\214\3Gz\2760\320\234R2\14x\203[%\353:\325EI\21\337\202\342\303\263\14\20j1\224Wj\0\37\221\263\235\23~\276\301\374\343p\24\30\317R&\304\270\203\21\231\246\272\20\336\243C7c\362\324\275\34g9zg\247NL\2204\375\0F\214\374\21\205\266\320\3649\252J\255H>\272\253\262\220\353\377\35\25\301\270\310\237\16\347R\305\355%\300;7\70@\345\377NZ\373:{\335h\367D\344\226'\13\177\300\31\357", ) , ) == 0x0
 02109  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\312\205\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257QuD^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02110  1384   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02111  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02106  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75583, 0}  ... {28, 56, reply, 0, 1736, 1744, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\310\6\0\0@\7\0\0" )  ) == 0x0
 02112  1744   NtResumeThread  (492, ... 1, ) == 0x0
 02113  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53542912, 1048576, ) == 0x0
 02114  1744   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ... 54583296, 8192, ) == 0x0
 02115  1744   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ... (0x340e000), 4096, 4, ) == 0x0
 02116  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {1736, 1604}, ) == 0x0
 02117  1744   NtQueryInformationThread  (496, Basic, 28, ...
 02111  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02118  1856   NtTestAlert  (...
 02119  1384   NtQuerySystemInformation  (Performance, 312, ...
 02118  1856   NtTestAlert  ... ) == 0x0
 02119  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02120  1856   NtContinue  (53542192, 1, ...
 02121  1384   NtQuerySystemInformation  (Exception, 16, ...
 02122  1856   NtRegisterThreadTerminatePort  (24, ...
 02121  1384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02122  1856   NtRegisterThreadTerminatePort  ... ) == 0x0
 02123  1384   NtQuerySystemInformation  (Lookaside, 32, ...
 02117  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1736,Tid=1604,}, 0x0, ) == 0x0
 02124  1856   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02125  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75583, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\310\6\0\0D\6\0\0" ...  ...
 02124  1856   NtDuplicateObject  ... 500, ) == 0x0
 02125  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75584, 0}  ... {28, 56, reply, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\310\6\0\0D\6\0\0" )  ) == 0x0
 02126  1856   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02127  1744   NtResumeThread  (496, ...
 02126  1856   NtWaitForSingleObject  ... ) == 0x102
 02127  1744   NtResumeThread  ... 1, ) == 0x0
 02128  1856   NtWaitForSingleObject  (176, 0, 0x0, ...
 02123  1384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02129  1604   NtTestAlert  (...
 02130  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02131  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02129  1604   NtTestAlert  ... ) == 0x0
 02130  1744   NtAllocateVirtualMemory  ... 54591488, 1048576, ) == 0x0
 02131  1384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02132  1604   NtContinue  (54590768, 1, ...
 02133  1744   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ...
 02134  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02135  1604   NtRegisterThreadTerminatePort  (24, ...
 02133  1744   NtAllocateVirtualMemory  ... 55631872, 8192, ) == 0x0
 02134  1384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02135  1604   NtRegisterThreadTerminatePort  ... ) == 0x0
 02136  1744   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ...
 02137  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02136  1744   NtProtectVirtualMemory  ... (0x350e000), 4096, 4, ) == 0x0
 02138  1604   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02137  1384   NtCreateKey  ... -2147482564, 2, ) == 0x0
 02138  1604   NtDuplicateObject  ... 504, ) == 0x0
 02139  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "r\275\3262\245\346\2272\324}\11\353TJ\233Y\2>U\362\224X\341"b\221\350V\220;\333h\203\376t\230\36Gh\203\342\1\26\212\341`xy\241\266@,^\11\261\2\234p\237\371\303\255\366\353H\311!\35]\26\3643\321r>\20dS\260t", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "r\275\3262\245\346\2272\324}\11\353TJ\233Y\2>U\362\224X\341"b\221\350V\220;\333h\203\376t\230\36Gh\203\342\1\26\212\341`xy\241\266@,^\11\261\2\234p\237\371\303\255\366\353H\311!\35]\26\3643\321r>\20dS\260t", 80, ... b\221\350V\220;\333h\203\376t\230\36Gh\203\342\1\26\212\341`xy\241\266@,^\11\261\2\234p\237\371\303\255\366\353H\311!\35]\26\3643\321r>\20dS\260t", 80, ...
 02140  1604   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02139  1384   NtSetValueKey  ... ) == 0x0
 02140  1604   NtWaitForSingleObject  ... ) == 0x102
 02141  1384   NtClose  (-2147482564, ...
 02142  1604   NtWaitForSingleObject  (176, 0, 0x0, ...
 02141  1384   NtClose  ... ) == 0x0
 02143  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02109  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\261~\342\323\310v\5\273C\321i\241y\202\315\362\3335\352,\312e\242T\307\23\272\365\306L\36zK\11 \326\273K\347\210\37\317)\361!\267\5\3433\305~\331\353\214W\205(\11P\254\370A\4`6\250M\212H\226\6W\243c&\373\343G/K\255"6\246\221\312\2775\341\313\36\276\263W\213\321\225\2069\200\13\347\250,\241\375h1\375>/o\3777s\7~\255\305r^~\247\237\232\347I\207h\350\301\342\367\354\0}\336\15\234\24e \240\325\360\255h\212\23$P\32\17\373|\360\242X,\15\253cN\320p\360\231\304"W\204\261\337\313@\213\26\255\17U4\335`\236O\357\3346\343<\227@\212\353\254\220a\272\345V\275>=\307N0\323\311\236u@\315\32l\237\204\203)\234\354\307T(hJdl\210\325\376\13\217\235\357\202\215e\341\22\303\353_\230\372x\337\37\232rr\20\340y^-J", ) 6\246\221\312\2775\341\313\36\276\263W\213\321\225\2069\200\13\347\250,\241\375h1\375>/o\3777s\7~\255\305r^~\247\237\232\347I\207h\350\301\342\367\354\0}\336\15\234\24e \240\325\360\255h\212\23$P\32\17\373|\360\242X,\15\253cN\320p\360\231\304 ... {status=0x0, info=256}, "\261~\342\323\310v\5\273C\321i\241y\202\315\362\3335\352,\312e\242T\307\23\272\365\306L\36zK\11 \326\273K\347\210\37\317)\361!\267\5\3433\305~\331\353\214W\205(\11P\254\370A\4`6\250M\212H\226\6W\243c&\373\343G/K\255"6\246\221\312\2775\341\313\36\276\263W\213\321\225\2069\200\13\347\250,\241\375h1\375>/o\3777s\7~\255\305r^~\247\237\232\347I\207h\350\301\342\367\354\0}\336\15\234\24e \240\325\360\255h\212\23$P\32\17\373|\360\242X,\15\253cN\320p\360\231\304"W\204\261\337\313@\213\26\255\17U4\335`\236O\357\3346\343<\227@\212\353\254\220a\272\345V\275>=\307N0\323\311\236u@\315\32l\237\204\203)\234\354\307T(hJdl\210\325\376\13\217\235\357\202\215e\341\22\303\353_\230\372x\337\37\232rr\20\340y^-J", ) , ) == 0x0
 02143  1744   NtCreateThread  ... 508, {1736, 1240}, ) == 0x0
 02144  1744   NtQueryInformationThread  (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1736,Tid=1240,}, 0x0, ) == 0x0
 02145  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75584, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\310\6\0\0\330\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\310\6\0\0\330\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75585, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\310\6\0\0\330\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\310\6\0\0\330\4\0\0" )  ) == 0x0
 02146  1744   NtResumeThread  (508, ... 1, ) == 0x0
 02147  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55640064, 1048576, ) == 0x0
 02148  1744   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ...
 02149  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\312\205\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257QuD^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02150  1240   NtTestAlert  (...
 02151  1384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02150  1240   NtTestAlert  ... ) == 0x0
 02151  1384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02152  1240   NtContinue  (55639344, 1, ...
 02153  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02154  1240   NtRegisterThreadTerminatePort  (24, ...
 02153  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02154  1240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02155  1384   NtQuerySystemInformation  (Performance, 312, ...
 02148  1744   NtAllocateVirtualMemory  ... 56680448, 8192, ) == 0x0
 02156  1240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02157  1744   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ...
 02156  1240   NtDuplicateObject  ... 512, ) == 0x0
 02157  1744   NtProtectVirtualMemory  ... (0x360e000), 4096, 4, ) == 0x0
 02158  1240   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02159  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02158  1240   NtWaitForSingleObject  ... ) == 0x102
 02159  1744   NtCreateThread  ... 516, {1736, 1156}, ) == 0x0
 02160  1240   NtWaitForSingleObject  (176, 0, 0x0, ...
 02161  1744   NtQueryInformationThread  (516, Basic, 28, ...
 02155  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02162  1384   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02163  1384   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02164  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02165  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02166  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 02167  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\354\212w\336g\253\34\177?bq>e\13K\17\237\2752\305\253\246U\331\346w\360\271\341\276\337\251r\2372\363f\366i\372\310\236\317\235\303\32\343\337I\217\326\374A\243\324='Q*\363\11\311b\6\311\11r\270s\333\3413v\314\272\214\316W\313\341", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\354\212w\336g\253\34\177?bq>e\13K\17\237\2752\305\253\246U\331\346w\360\271\341\276\337\251r\2372\363f\366i\372\310\236\317\235\303\32\343\337I\217\326\374A\243\324='Q*\363\11\311b\6\311\11r\270s\333\3413v\314\272\214\316W\313\341", 80, ... , 80, ...
 02161  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1736,Tid=1156,}, 0x0, ) == 0x0
 02168  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75585, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\310\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\310\6\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75586, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\310\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\310\6\0\0\204\4\0\0" )  ) == 0x0
 02169  1744   NtResumeThread  (516, ... 1, ) == 0x0
 02170  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56688640, 1048576, ) == 0x0
 02171  1744   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ... 57729024, 8192, ) == 0x0
 02172  1744   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ... (0x370e000), 4096, 4, ) == 0x0
 02167  1384   NtSetValueKey  ... ) == 0x0
 02173  1156   NtTestAlert  (...
 02174  1384   NtClose  (-2147482564, ...
 02173  1156   NtTestAlert  ... ) == 0x0
 02174  1384   NtClose  ... ) == 0x0
 02175  1156   NtContinue  (56687920, 1, ...
 02149  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\224x\13\277$\216\350\232\233\177\266C \317ZD*\345<\232p\275\200c]#on1*\34\177\17B\263\202\347\0\307\321\2314\2555\377\217\223\272\240Y\32\3374@\33\23\2565\362v\2768_\345\346\336\352 .\202j%G@\305\323^L\353\377q\355x|O\14\3\2534\325\366\177\315'5 \266\3407\342\204\357\243\273r\304\322\333}\204\31\15\351\274D\26\276\265*Q\265AX\204m_\276\3024 F\237\10\226J\11\253\252\327\270\341\314\245\347\214\202\36\34\203\235e\261\27u\232;\16\27\222\213\230\217\206\16\17\302\214X\2710b_\340\316\327\323\231\227pV\373\340\303\4\346-{\335ox\227\265I\177Vk\236Yh\15\16\345\334E\321%\2702\255\371\357T\364]\23P\23\261\33\216yQ\245\242\31\333\36\235\362\241x\250\36D@B,L\274.\324\\361;\217\1\2648\320\7\6\2244RN", ) , ) == 0x0
 02176  1156   NtRegisterThreadTerminatePort  (24, ...
 02177  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\312\205\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257QuD^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02176  1156   NtRegisterThreadTerminatePort  ... ) == 0x0
 02178  1384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02179  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02180  1156   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02179  1744   NtCreateThread  ... 520, {1736, 1728}, ) == 0x0
 02180  1156   NtDuplicateObject  ... 524, ) == 0x0
 02181  1744   NtQueryInformationThread  (520, Basic, 28, ...
 02182  1156   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02181  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1736,Tid=1728,}, 0x0, ) == 0x0
 02182  1156   NtWaitForSingleObject  ... ) == 0x102
 02183  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75586, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\310\6\0\0\300\6\0\0" ...  ...
 02184  1156   NtWaitForSingleObject  (176, 0, 0x0, ...
 02183  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75587, 0}  ... {28, 56, reply, 0, 1736, 1744, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\310\6\0\0\300\6\0\0" )  ) == 0x0
 02178  1384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02185  1744   NtResumeThread  (520, ...
 02186  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02185  1744   NtResumeThread  ... 1, ) == 0x0
 02186  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02187  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02188  1384   NtQuerySystemInformation  (Performance, 312, ...
 02187  1744   NtAllocateVirtualMemory  ... 57737216, 1048576, ) == 0x0
 02188  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02189  1744   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ...
 02190  1384   NtQuerySystemInformation  (Exception, 16, ...
 02191  1728   NtTestAlert  (...
 02189  1744   NtAllocateVirtualMemory  ... 58777600, 8192, ) == 0x0
 02191  1728   NtTestAlert  ... ) == 0x0
 02192  1744   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ...
 02193  1728   NtContinue  (57736496, 1, ...
 02192  1744   NtProtectVirtualMemory  ... (0x380e000), 4096, 4, ) == 0x0
 02194  1728   NtRegisterThreadTerminatePort  (24, ...
 02195  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02194  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 02195  1744   NtCreateThread  ... 528, {1736, 712}, ) == 0x0
 02190  1384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02196  1744   NtQueryInformationThread  (528, Basic, 28, ...
 02197  1384   NtQuerySystemInformation  (Lookaside, 32, ...
 02198  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02197  1384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02198  1728   NtDuplicateObject  ... 532, ) == 0x0
 02199  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02200  1728   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02199  1384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02200  1728   NtWaitForSingleObject  ... ) == 0x102
 02201  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02202  1728   NtWaitForSingleObject  (176, 0, 0x0, ...
 02196  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1736,Tid=712,}, 0x0, ) == 0x0
 02201  1384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02203  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75587, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\310\6\0\0\310\2\0\0" ...  ...
 02204  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02203  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75588, 0}  ... {28, 56, reply, 0, 1736, 1744, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\310\6\0\0\310\2\0\0" )  ) == 0x0
 02204  1384   NtCreateKey  ... -2147482564, 2, ) == 0x0
 02205  1744   NtResumeThread  (528, ...
 02206  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\265\233x\206\37>%$[H\353\243\245?R<>\241.\325\246\303\202\300d\250\340]y\2203\361\35\31J\12\20\275\210*\20Mo\30_\307MM\350\342\6\274\4\316\33\15\324\353@\24707\343*\36\30\4c\366\200\373*\242\344\204\325\324S\34", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\265\233x\206\37>%$[H\353\243\245?R<>\241.\325\246\303\202\300d\250\340]y\2203\361\35\31J\12\20\275\210*\20Mo\30_\307MM\350\342\6\274\4\316\33\15\324\353@\24707\343*\36\30\4c\366\200\373*\242\344\204\325\324S\34", 80, ... , 80, ...
 02205  1744   NtResumeThread  ... 1, ) == 0x0
 02206  1384   NtSetValueKey  ... ) == 0x0
 02207   712   NtTestAlert  (...
 02208  1384   NtClose  (-2147482564, ...
 02207   712   NtTestAlert  ... ) == 0x0
 02209  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02210   712   NtContinue  (58785072, 1, ...
 02209  1744   NtAllocateVirtualMemory  ... 58785792, 1048576, ) == 0x0
 02211   712   NtRegisterThreadTerminatePort  (24, ...
 02212  1744   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ...
 02211   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 02212  1744   NtAllocateVirtualMemory  ... 59826176, 8192, ) == 0x0
 02208  1384   NtClose  ... ) == 0x0
 02213  1744   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ...
 02177  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\314+\355\240\360\311\32y3\273\13\177\275Q\313"8\247\266\32\26\335\6\23\14A\356\23\212\252n\6\221\257`\253\340P\353N\12v\231u/q\33\242\343\257\310\30\316Q<\22\27\252|\305\14\V\6\311\33\213b?\246\314\253\300\370kQF\250<\223\226l\313\2779v\373\0\347\36O5}T\267)\316\267\\342\15\204\371\263S(\24\221\205\250\200\316\307\314,\312N\244\372\301%\10{\31\215\212\324\214z\365\23\354\10\277`\367\323L{!\32'\377\270\@\306\274p\315\376C\240\272\22+\232v9c\234cx'S\257z\203,\276\277\237\245\341\302=\356\272\200\371\330\244d)\2]\267o\317\15\2.\276\220\307,\302\372\255\261\332\323\344\270n\4\255\220-\34\247\360\221(\13\367\2\334\36\247\366$(\231\355\362\7\20\263\207\273\205\376,]~\217l\314@\350s\264j\266\30\251\27X\352r_\231\24", ) 8\247\266\32\26\335\6\23\14A\356\23\212\252n\6\221\257`\253\340P\353N\12v\231u/q\33\242\343\257\310\30\316Q<\22\27\252|\305\14\V\6\311\33\213b?\246\314\253\300\370kQF\250<\223\226l\313\2779v\373\0\347\36O5}T\267)\316\267\\342\15\204\371\263S(\24\221\205\250\200\316\307\314,\312N\244\372\301%\10{\31\215\212\324\214z\365\23\354\10\277`\367\323L{!\32'\377\270\@\306\274p\315\376C\240\272\22+\232v9c\234cx'S\257z\203,\276\277\237\245\341\302=\356\272\200\371\330\244d)\2]\267o\317\15\2.\276\220\307,\302\372\255\261\332\323\344\270n\4\255\220-\34\247\360\221(\13\367\2\334\36\247\366$(\231\355\362\7\20\263\207\273\205\376,]~\217l\314@\350s\264j\266\30\251\27X\352r_\231\24", ) == 0x0
 02213  1744   NtProtectVirtualMemory  ... (0x390e000), 4096, 4, ) == 0x0
 02214  1384   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "h\2514\2660Vs\3\256\316pjv\303\312\205\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257\23\213\331\37v\267\257QuD^\220\3306\257~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02215   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02216  1384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02215   712   NtDuplicateObject  ... 536, ) == 0x0
 02216  1384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02217   712   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02218  1384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02217   712   NtWaitForSingleObject  ... ) == 0x102
 02219  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02220   712   NtWaitForSingleObject  (176, 0, 0x0, ...
 02219  1744   NtCreateThread  ... 540, {1736, 1256}, ) == 0x0
 02218  1384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02221  1744   NtQueryInformationThread  (540, Basic, 28, ...
 02222  1384   NtQuerySystemInformation  (Performance, 312, ...
 02221  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1736,Tid=1256,}, 0x0, ) == 0x0
 02222  1384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02223  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75588, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\310\6\0\0\350\4\0\0" ...  ...
 02224  1384   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02225  1384   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02226  1384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02227  1384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02228  1384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02223  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75589, 0}  ... {28, 56, reply, 0, 1736, 1744, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\310\6\0\0\350\4\0\0" )  ) == 0x0
 02229  1744   NtResumeThread  (540, ... 1, ) == 0x0
 02230  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59834368, 1048576, ) == 0x0
 02231  1744   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0
 02232  1744   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0
 02233  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {1736, 1536}, ) == 0x0
 02234  1744   NtQueryInformationThread  (544, Basic, 28, ...
 02228  1384   NtCreateKey  ... -2147482564, 2, ) == 0x0
 02235  1256   NtTestAlert  (...
 02236  1384   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\366?\360pK\371\330\341\202\363\35437X\241\32"F\14\263?\367\257\31\254\177\241\0\3578\302 T&.\276\272\225\312\337x\370\375\322\362\17\252-h\235\242X\226\235\341\340\262\225\27\13\352\10\314jc\271\5\301\363\350\177\356`\17\254\206\241\27\20\240", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\366?\360pK\371\330\341\202\363\35437X\241\32"F\14\263?\367\257\31\254\177\241\0\3578\302 T&.\276\272\225\312\337x\370\375\322\362\17\252-h\235\242X\226\235\341\340\262\225\27\13\352\10\314jc\271\5\301\363\350\177\356`\17\254\206\241\27\20\240", 80, ... F\14\263?\367\257\31\254\177\241\0\3578\302 T&.\276\272\225\312\337x\370\375\322\362\17\252-h\235\242X\226\235\341\340\262\225\27\13\352\10\314jc\271\5\301\363\350\177\356`\17\254\206\241\27\20\240", 80, ...
 02235  1256   NtTestAlert  ... ) == 0x0
 02236  1384   NtSetValueKey  ... ) == 0x0
 02237  1256   NtContinue  (59833648, 1, ...
 02238  1384   NtClose  (-2147482564, ...
 02239  1256   NtRegisterThreadTerminatePort  (24, ...
 02238  1384   NtClose  ... ) == 0x0
 02239  1256   NtRegisterThreadTerminatePort  ... ) == 0x0
 02214  1384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "LA*\27\367\0\30"\362\356\6\245\35\274\314^m\303\320\221\357gtJm"\272\3x\217dj\345\251\327\320\33\317\336\217\33\307\207Jz\327c\211;\367\6\363\31\207\15\327(0P\243\375BC\304\222N\233\17O\3\213K\243\237kgg#\255\350\215\202xzO\235\32 \240`\22 \14\335\275\343\3\255@\233\367E\361\265\24\356\320\314\357\134\23"gF\363\314z)eM\215i\27X\223\\324\361\377\23\354Y\177\314u.c\313\201\262\22\211W\264\303\34\10mw\322\367\32m\15:7\347!\311\351\337$\25sq\241\335\7\361\166\220\274&\365\302\204\366ZR\260W\365\341\262\207[K[\265\365\25\250\2239\266\375\274\241=6}\334\252\363\30\376\303\356\246\351\257#\12\363\2268s\331\235\2052\263\211"6j.LF\365\273\317\324\15Q\325\352\247\237_^Eg\235\261\367\370\233m \267{\256\36", ) \362\356\6\245\35\274\314^m\303\320\221\357gtJm ... {status=0x0, info=256}, "LA*\27\367\0\30"\362\356\6\245\35\274\314^m\303\320\221\357gtJm"\272\3x\217dj\345\251\327\320\33\317\336\217\33\307\207Jz\327c\211;\367\6\363\31\207\15\327(0P\243\375BC\304\222N\233\17O\3\213K\243\237kgg#\255\350\215\202xzO\235\32 \240`\22 \14\335\275\343\3\255@\233\367E\361\265\24\356\320\314\357\134\23"gF\363\314z)eM\215i\27X\223\\324\361\377\23\354Y\177\314u.c\313\201\262\22\211W\264\303\34\10mw\322\367\32m\15:7\347!\311\351\337$\25sq\241\335\7\361\166\220\274&\365\302\204\366ZR\260W\365\341\262\207[K[\265\365\25\250\2239\266\375\274\241=6}\334\252\363\30\376\303\356\246\351\257#\12\363\2268s\331\235\2052\263\211"6j.LF\365\273\317\324\15Q\325\352\247\237_^Eg\235\261\367\370\233m \267{\256\36", ) gF\363\314z)eM\215i\27X\223\\324\361\377\23\354Y\177\314u.c\313\201\262\22\211W\264\303\34\10mw\322\367\32m\15:7\347!\311\351\337$\25sq\241\335\7\361\166\220\274&\365\302\204\366ZR\260W\365\341\262\207[K[\265\365\25\250\2239\266\375\274\241=6}\334\252\363\30\376\303\356\246\351\257#\12\363\2268s\331\235\2052\263\211 ... {status=0x0, info=256}, "LA*\27\367\0\30"\362\356\6\245\35\274\314^m\303\320\221\357gtJm"\272\3x\217dj\345\251\327\320\33\317\336\217\33\307\207Jz\327c\211;\367\6\363\31\207\15\327(0P\243\375BC\304\222N\233\17O\3\213K\243\237kgg#\255\350\215\202xzO\235\32 \240`\22 \14\335\275\343\3\255@\233\367E\361\265\24\356\320\314\357\134\23"gF\363\314z)eM\215i\27X\223\\324\361\377\23\354Y\177\314u.c\313\201\262\22\211W\264\303\34\10mw\322\367\32m\15:7\347!\311\351\337$\25sq\241\335\7\361\166\220\274&\365\302\204\366ZR\260W\365\341\262\207[K[\265\365\25\250\2239\266\375\274\241=6}\334\252\363\30\376\303\356\246\351\257#\12\363\2268s\331\235\2052\263\211"6j.LF\365\273\317\324\15Q\325\352\247\237_^Eg\235\261\367\370\233m \267{\256\36", ) , ) == 0x0
 02234  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1736,Tid=1536,}, 0x0, ) == 0x0
 02240  1256   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 02241  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75589, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\310\6\0\0\0\6\0\0" ...  ...
 02240  1256   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 02241  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75590, 0}  ... {28, 56, reply, 0, 1736, 1744, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\310\6\0\0\0\6\0\0" )  ) == 0x0
 02242  1256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02243  1744   NtResumeThread  (544, ...
 02242  1256   NtDuplicateObject  ... 548, ) == 0x0
 02243  1744   NtResumeThread  ... 1, ) == 0x0
 02244  1256   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02245  1384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02246  1536   NtTestAlert  (...
 02245  1384   NtCreateEvent  ... 552, ) == 0x0
 02246  1536   NtTestAlert  ... ) == 0x0
 02247  1384   NtSetEventBoostPriority  (452, ...
 02248  1536   NtContinue  (60882224, 1, ...
 02010  1600   NtWaitForSingleObject  ... ) == 0x0
 02247  1384   NtSetEventBoostPriority  ... ) == 0x0
 02249  1600   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02250  1536   NtRegisterThreadTerminatePort  (24, ...
 02249  1600   NtCreateEvent  ... 556, ) == 0x0
 02251  1384   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ...
 02250  1536   NtRegisterThreadTerminatePort  ... ) == 0x0
 02252  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02244  1256   NtWaitForSingleObject  ... ) == 0x102
 02253  1600   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12643692, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12643692, 188, ...
 02252  1744   NtAllocateVirtualMemory  ... 60882944, 1048576, ) == 0x0
 02254  1256   NtWaitForSingleObject  (176, 0, 0x0, ...
 02255  1744   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ...
 02253  1600   NtConnectPort  ... 560, 0x0, 0x0, 0x0, 188, ) == 0x0
 02255  1744   NtAllocateVirtualMemory  ... 61923328, 8192, ) == 0x0
 02256  1600   NtRequestWaitReplyPort  (560, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721}  (560, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\370b\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0t\324\367Rmo\235\273\310d\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\240d\25\0VkZ\342x\1\24\0\300d\25\0h\1\24\0\0\0\0\0\0\0\0\0\300d\25\0P\0\0\0\310d\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02257  1744   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 02256  1600   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1736, 1600, 75593, 0}  ... {200, 224, reply, 0, 1736, 1600, 75593, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0t\324\367Rmo\235\273\310d\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\240d\25\0VkZ\342x\1\24\0\300d\25\0h\1\24\0\0\0\0\0\0\0\0\0\300d\25\0P\0\0\0\310d\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02258  1536   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02251  1384   NtConnectPort  ... 564, 0x0, 0x0, 0x0, 188, ) == 0x0
 02259  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02258  1536   NtDuplicateObject  ... 568, ) == 0x0
 02260  1384   NtRequestWaitReplyPort  (564, {200, 224, new_msg, 0, 2883626, 1364448, 12, 2}  (564, {200, 224, new_msg, 0, 2883626, 1364448, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\3\0\4\0\0\0\0;\24\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\356\4\215i@aG\306Pd\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0xa\25\0u\246\234 ...  ...
 02259  1744   NtCreateThread  ... 572, {1736, 1936}, ) == 0x0
 02261  1536   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02262  1744   NtQueryInformationThread  (572, Basic, 28, ...
 02261  1536   NtWaitForSingleObject  ... ) == 0x102
 02260  1384   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1736, 1384, 75594, 0}  ... {200, 224, reply, 0, 1736, 1384, 75594, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0;\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\356\4\215i@aG\306Pd\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0xa\25\0u\246\234 )  ) == 0x0
 02262  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1736,Tid=1936,}, 0x0, ) == 0x0
 02263  1536   NtWaitForSingleObject  (176, 0, 0x0, ...
 02264  1384   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 56, 0, 0, 0, 0}  (564, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\320g\25\0\322\0\0\0" ...  ...
 02265  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75590, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\310\6\0\0\220\7\0\0" ...  ...
 02266  1600   NtRequestWaitReplyPort  (560, {44, 68, new_msg, 0, 1736, 1600, 75574, 0}  (560, {44, 68, new_msg, 0, 1736, 1600, 75574, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1736, 1600, 75597, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" )  ... {40, 64, reply, 0, 1736, 1600, 75597, 0}  (560, {44, 68, new_msg, 0, 1736, 1600, 75574, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1736, 1600, 75597, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02267  1600   NtRequestWaitReplyPort  (560, {64, 88, new_msg, 56, 1394880, 12644204, 12644304, 0}  (560, {64, 88, new_msg, 56, 1394880, 12644204, 12644304, 0} "\10\357\300\0@\0\25\0\346\277\347w\320\357\300\0l\357\300\0\20\0\0\0\250.\362v4I\25\0\1\0\0\0\310h\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\354\24\0" ...  ...
 02265  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75596, 0}  ... {28, 56, reply, 0, 1736, 1744, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\310\6\0\0\220\7\0\0" )  ) == 0x0
 02268  1744   NtResumeThread  (572, ... 1, ) == 0x0
 02269  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61931520, 1048576, ) == 0x0
 02270  1744   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ...
 02267  1600   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1736, 1600, 75598, 0}  ... {64, 88, reply, 56, 1736, 1600, 75598, 0} "\10\357\300\0@\0\25\0\346\277\347w\320\357\300\0l\357\300\0\20\0\0\0\250.\362v4I\25\0\1\0\0\0\310h\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\354\24\0" )  ) == 0x0
 02264  1384   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1736, 1384, 75595, 0}  ... {40, 64, reply, 0, 1736, 1384, 75595, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02271  1936   NtTestAlert  (...
 02270  1744   NtAllocateVirtualMemory  ... 62971904, 8192, ) == 0x0
 02272  1384   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1310720, 11596276, 1402824, 0}  (564, {64, 88, new_msg, 56, 1310720, 11596276, 1402824, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\240j\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02271  1936   NtTestAlert  ... ) == 0x0
 02273  1744   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ...
 02274  1936   NtContinue  (61930800, 1, ...
 02273  1744   NtProtectVirtualMemory  ... (0x3c0e000), 4096, 4, ) == 0x0
 02272  1384   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1736, 1384, 75599, 0}  ... {64, 88, reply, 56, 1736, 1384, 75599, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\240j\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02275  1936   NtRegisterThreadTerminatePort  (24, ...
 02276  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02277  1384   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 56, 1736, 1384, 75595, 0}  (564, {44, 68, new_msg, 56, 1736, 1384, 75595, 0} "\1\356\0\0B\2\3\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\320g\25\0\322\0\0\0" ...  ...
 02275  1936   NtRegisterThreadTerminatePort  ... ) == 0x0
 02276  1744   NtCreateThread  ... 576, {1736, 148}, ) == 0x0
 02278  1600   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02279  1744   NtQueryInformationThread  (576, Basic, 28, ...
 02278  1600   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02280  1936   NtWaitForSingleObject  (344, 0, 0x0, ...
 02277  1384   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1736, 1384, 75600, 0}  ... {40, 64, reply, 0, 1736, 1384, 75600, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" )  ) == 0x0
 02281  1600   NtSetEventBoostPriority  (344, ...
 02282  1384   NtWaitForSingleObject  (344, 0, 0x0, ...
 02280  1936   NtWaitForSingleObject  ... ) == 0x0
 02281  1600   NtSetEventBoostPriority  ... ) == 0x0
 02283  1936   NtSetEventBoostPriority  (344, ...
 02282  1384   NtWaitForSingleObject  ... ) == 0x0
 02284  1384   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (564, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\310p\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02283  1936   NtSetEventBoostPriority  ... ) == 0x0
 02285  1936   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02286  1600   NtClose  (556, ...
 02279  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1736,Tid=148,}, 0x0, ) == 0x0
 02286  1600   NtClose  ... ) == 0x0
 02287  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75596, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\310\6\0\0\224\0\0\0" ...  ...
 02285  1936   NtDuplicateObject  ... 556, ) == 0x0
 02284  1384   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1736, 1384, 75601, 0}  ... {64, 88, reply, 56, 1736, 1384, 75601, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\310p\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02287  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75602, 0}  ... {28, 56, reply, 0, 1736, 1744, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\310\6\0\0\224\0\0\0" )  ) == 0x0
 02288  1936   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02289  1384   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 56, 1736, 1384, 75600, 0}  (564, {44, 68, new_msg, 56, 1736, 1384, 75600, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\320g\25\0\322\0\0\0" ...  ...
 02290  1744   NtResumeThread  (576, ...
 02288  1936   NtWaitForSingleObject  ... ) == 0x102
 02290  1744   NtResumeThread  ... 1, ) == 0x0
 02291  1936   NtWaitForSingleObject  (176, 0, 0x0, ...
 02289  1384   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1736, 1384, 75603, 0}  ... {40, 64, reply, 0, 1736, 1384, 75603, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" )  ) == 0x0
 02292  1600   NtClose  (560, ...
 02293   148   NtTestAlert  (...
 02294  1384   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (564, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\230|\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02292  1600   NtClose  ... ) == 0x0
 02293   148   NtTestAlert  ... ) == 0x0
 02295  1600   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02296   148   NtContinue  (62979376, 1, ...
 02295  1600   NtCreateKey  ... 560, 2, ) == 0x0
 02297   148   NtRegisterThreadTerminatePort  (24, ...
 02298  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02297   148   NtRegisterThreadTerminatePort  ... ) == 0x0
 02298  1600   NtOpenKey  ... 580, ) == 0x0
 02299  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02294  1384   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1736, 1384, 75605, 0}  ... {64, 88, reply, 56, 1736, 1384, 75605, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\230|\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02300   148   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02299  1744   NtAllocateVirtualMemory  ... 62980096, 1048576, ) == 0x0
 02301  1384   NtClose  (552, ...
 02300   148   NtDuplicateObject  ... 584, ) == 0x0
 02302  1744   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ...
 02301  1384   NtClose  ... ) == 0x0
 02303   148   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02302  1744   NtAllocateVirtualMemory  ... 64020480, 8192, ) == 0x0
 02304  1384   NtClose  (564, ...
 02303   148   NtWaitForSingleObject  ... ) == 0x102
 02305  1744   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ...
 02304  1384   NtClose  ... ) == 0x0
 02306   148   NtWaitForSingleObject  (176, 0, 0x0, ...
 02305  1744   NtProtectVirtualMemory  ... (0x3d0e000), 4096, 4, ) == 0x0
 02307  1384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02308  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02309  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02308  1600   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02309  1744   NtCreateThread  ... 564, {1736, 1896}, ) == 0x0
 02310  1600   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02311  1744   NtQueryInformationThread  (564, Basic, 28, ...
 02310  1600   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02311  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1736,Tid=1896,}, 0x0, ) == 0x0
 02312  1600   NtQueryValueKey  (560,  (560, "Domain", Partial, 144, ... , Partial, 144, ...
 02313  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75602, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\310\6\0\0h\7\0\0" ...  ...
 02312  1600   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02313  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75607, 0}  ... {28, 56, reply, 0, 1736, 1744, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\310\6\0\0h\7\0\0" )  ) == 0x0
 02307  1384   NtCreateEvent  ... 552, ) == 0x0
 02314  1744   NtResumeThread  (564, ...
 02315  1384   NtOpenThreadToken  (-2, 0xc, 1, ...
 02314  1744   NtResumeThread  ... 1, ) == 0x0
 02315  1384   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02316  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02317  1384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02316  1744   NtAllocateVirtualMemory  ... 64028672, 1048576, ) == 0x0
 02317  1384   NtCreateEvent  ... 588, ) == 0x0
 02318  1744   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ...
 02319  1384   NtOpenThreadToken  (-2, 0xc, 1, ...
 02320  1600   NtQueryValueKey  (560,  (560, "Domain", Partial, 144, ... , Partial, 144, ...
 02321  1896   NtTestAlert  (...
 02318  1744   NtAllocateVirtualMemory  ... 65069056, 8192, ) == 0x0
 02320  1600   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02321  1896   NtTestAlert  ... ) == 0x0
 02322  1744   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ...
 02323  1600   NtClose  (560, ...
 02324  1896   NtContinue  (64027952, 1, ...
 02322  1744   NtProtectVirtualMemory  ... (0x3e0e000), 4096, 4, ) == 0x0
 02323  1600   NtClose  ... ) == 0x0
 02325  1896   NtRegisterThreadTerminatePort  (24, ...
 02326  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02327  1600   NtClose  (580, ...
 02325  1896   NtRegisterThreadTerminatePort  ... ) == 0x0
 02326  1744   NtCreateThread  ... 560, {1736, 1020}, ) == 0x0
 02327  1600   NtClose  ... ) == 0x0
 02319  1384   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02328  1744   NtQueryInformationThread  (560, Basic, 28, ...
 02329  1896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02330  1384   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02331  1600   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02329  1896   NtDuplicateObject  ... 580, ) == 0x0
 02330  1384   NtSetInformationThread  ... ) == 0x0
 02331  1600   NtOpenKey  ... 592, ) == 0x0
 02332  1896   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02333  1384   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11595968,  (0xc0100080, {24, 0, 0x40, 0, 11595968, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02334  1600   NtQueryValueKey  (592,  (592, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02332  1896   NtWaitForSingleObject  ... ) == 0x102
 02333  1384   NtCreateFile  ... 596, {status=0x0, info=1}, ) == 0x0
 02334  1600   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335  1896   NtWaitForSingleObject  (176, 0, 0x0, ...
 02336  1384   NtSetInformationFile  (596, 11596024, 8, Pipe, ...
 02337  1600   NtClose  (592, ...
 02328  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1736,Tid=1020,}, 0x0, ) == 0x0
 02337  1600   NtClose  ... ) == 0x0
 02338  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75607, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\310\6\0\0\374\3\0\0" ...  ...
 02336  1384   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02338  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75608, 0}  ... {28, 56, reply, 0, 1736, 1744, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\310\6\0\0\374\3\0\0" )  ) == 0x0
 02339  1384   NtSetInformationFile  (596, 11596012, 8, Completion, ...
 02340  1744   NtResumeThread  (560, ...
 02339  1384   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02340  1744   NtResumeThread  ... 1, ) == 0x0
 02341  1384   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02342  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12643280, ... }, 12643280, ...
 02343  1020   NtWaitForSingleObject  (128, 0, 0x0, ...
 02341  1384   NtSetInformationThread  ... ) == 0x0
 02342  1600   NtQueryAttributesFile  ... ) == 0x0
 02344  1384   NtWriteFile  (596, 201, 0, 0,  (596, 201, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02345  1600   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02346  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02345  1600   NtOpenFile  ... 592, {status=0x0, info=1}, ) == 0x0
 02346  1744   NtAllocateVirtualMemory  ... 65077248, 1048576, ) == 0x0
 02347  1600   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 592, ...
 02348  1744   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ...
 02347  1600   NtCreateSection  ... 600, ) == 0x0
 02348  1744   NtAllocateVirtualMemory  ... 66117632, 8192, ) == 0x0
 02344  1384   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02349  1744   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ...
 02350  1384   NtReadFile  (596, 201, 0, 0, 1024, {0, 0}, 0, ...
 02349  1744   NtProtectVirtualMemory  ... (0x3f0e000), 4096, 4, ) == 0x0
 02350  1384   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02351  1600   NtClose  (592, ...
 02352  1384   NtFsControlFile  (596, 201, 0x0, 0x0, 0x11c017,  (596, 201, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\260\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02351  1600   NtClose  ... ) == 0x0
 02352  1384   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02353  1600   NtMapViewOfSection  (600, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02354  1384   NtFsControlFile  (596, 201, 0x0, 0x0, 0x11c017,  (596, 201, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256\1\0\0\0\1\0\0\0&\0(\0@\177\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02353  1600   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 02355  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02356  1600   NtClose  (600, ...
 02355  1744   NtCreateThread  ... 592, {1736, 1524}, ) == 0x0
 02356  1600   NtClose  ... ) == 0x0
 02357  1744   NtQueryInformationThread  (592, Basic, 28, ...
 02354  1384   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256\0\0\0\0", ) , ) == 0x103
 02357  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1736,Tid=1524,}, 0x0, ) == 0x0
 02358  1384   NtFsControlFile  (596, 201, 0x0, 0x0, 0x11c017,  (596, 201, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256", 44, 1024, ... , 44, 1024, ...
 02359  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75608, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\310\6\0\0\364\5\0\0" ...  ...
 02358  1384   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\20|\25\0\1\0\0\0\34|\25\0 \0\0\0\1\0\0\0\30\0\32\0(|\25\0D|\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\2107\25\0\1\0\0\0\5\0\15\0\2307\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02360  1384   NtClose  (588, ... ) == 0x0
 02361  1384   NtClose  (596, ... ) == 0x0
 02362  1384   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1330592, 0x0, 11597892, 188, ... 596, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 1330592, 0x0, 11597892, 188, ... 596, 0x0, 0x0, 0x0, 188, ) == 0x0
 02363  1384   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02364  1600   NtUnmapViewOfSection  (-1, 0x360000, ...
 02359  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75609, 0}  ... {28, 56, reply, 0, 1736, 1744, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\310\6\0\0\364\5\0\0" )  ) == 0x0
 02364  1600   NtUnmapViewOfSection  ... ) == 0x0
 02365  1744   NtResumeThread  (592, ...
 02366  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12643588, ... }, 12643588, ...
 02365  1744   NtResumeThread  ... 1, ) == 0x0
 02366  1600   NtQueryAttributesFile  ... ) == 0x0
 02367  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02368  1600   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02367  1744   NtAllocateVirtualMemory  ... 66125824, 1048576, ) == 0x0
 02368  1600   NtOpenFile  ... 588, {status=0x0, info=1}, ) == 0x0
 02369  1744   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ...
 02370  1384   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02371  1524   NtWaitForSingleObject  (128, 0, 0x0, ...
 02372  1600   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 588, ...
 02370  1384   NtSetInformationThread  ... ) == 0x0
 02372  1600   NtCreateSection  ... 600, ) == 0x0
 02373  1384   NtRequestWaitReplyPort  (596, {200, 224, new_msg, 0, 1364448, 12, 2, 1310977}  (596, {200, 224, new_msg, 0, 1364448, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0D\312\302>\333x\31\367\351EQX\215\307.\360\12\0\0\0\2517Y\13\257\322\264\357\0\0\0\0\340o\25\0KH\307\2310\374*\11(\0\0\0\31\356\0\365\0\0\24\0\240\366\260\0E\3273\246\0\0\0\087\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02374  1600   NtQuerySection  (600, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02375  1600   NtClose  (588, ... ) == 0x0
 02373  1384   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1736, 1384, 75611, 0}  ... {200, 224, reply, 0, 1736, 1384, 75611, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0D\312\302>\333x\31\367\351EQX\215\307.\360\12\0\0\0\2517Y\13\257\322\264\357\0\0\0\0\340o\25\0KH\307\2310\374*\11(\0\0\0\31\356\0\365\0\0\24\0\240\366\260\0E\3273\246\0\0\0\087\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02369  1744   NtAllocateVirtualMemory  ... 67166208, 8192, ) == 0x0
 02376  1384   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02377  1744   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ...
 02378  1600   NtMapViewOfSection  (600, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02377  1744   NtProtectVirtualMemory  ... (0x400e000), 4096, 4, ) == 0x0
 02378  1600   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02379  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02380  1600   NtClose  (600, ...
 02379  1744   NtCreateThread  ... 588, {1736, 240}, ) == 0x0
 02380  1600   NtClose  ... ) == 0x0
 02381  1744   NtQueryInformationThread  (588, Basic, 28, ...
 02382  1600   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02376  1384   NtSetInformationThread  ... ) == 0x0
 02382  1600   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02383  1384   NtRequestWaitReplyPort  (596, {56, 80, new_msg, 0, 44, 3, 20, 0}  (596, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0E*dK\202\302\222yAZ\332\256\1\0\0\0\0\0\0\0&\0(\0\224\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02381  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1736,Tid=240,}, 0x0, ) == 0x0
 02384  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75609, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\310\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\310\6\0\0\360\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75613, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\310\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\310\6\0\0\360\0\0\0" )  ) == 0x0
 02385  1744   NtResumeThread  (588, ... 1, ) == 0x0
 02386  1600   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02387   240   NtWaitForSingleObject  (128, 0, 0x0, ...
 02386  1600   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02388  1600   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02389  1600   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02390  1600   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02391  1600   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02392  1600   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 600, ) }, ... 600, ) == 0x0
 02393  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67174400, 1048576, ) == 0x0
 02394  1744   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0
 02395  1744   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0
 02396  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1736, 308}, ) == 0x0
 02397  1744   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1736,Tid=308,}, 0x0, ) == 0x0
 02398  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75613, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\310\6\0\04\1\0\0" ...  ...
 02399  1600   NtMapViewOfSection  (600, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02400  1600   NtClose  (600, ... ) == 0x0
 02401  1600   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02398  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75614, 0}  ... {28, 56, reply, 0, 1736, 1744, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\310\6\0\04\1\0\0" )  ) == 0x0
 02402  1744   NtResumeThread  (604, ... 1, ) == 0x0
 02403  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0
 02404  1744   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0
 02405  1744   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0
 02406  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1736, 276}, ) == 0x0
 02407  1744   NtQueryInformationThread  (600, Basic, 28, ...
 02408  1600   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02409   308   NtWaitForSingleObject  (128, 0, 0x0, ...
 02408  1600   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02410  1600   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02411  1600   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02412  1600   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02413  1600   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02414  1600   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02407  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1736,Tid=276,}, 0x0, ) == 0x0
 02415  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75614, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\310\6\0\0\24\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\310\6\0\0\24\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75615, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\310\6\0\0\24\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\310\6\0\0\24\1\0\0" )  ) == 0x0
 02416  1744   NtResumeThread  (600, ... 1, ) == 0x0
 02417  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69271552, 1048576, ) == 0x0
 02418  1744   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0
 02419  1744   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02420  1600   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02421   276   NtWaitForSingleObject  (128, 0, 0x0, ...
 02420  1600   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02422  1600   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02423  1600   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02424  1600   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 608, ) == 0x0
 02425  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 612, ) }, ... 612, ) == 0x0
 02426  1600   NtQueryValueKey  (612,  (612, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (612, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02427  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1736, 1496}, ) == 0x0
 02428  1744   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1736,Tid=1496,}, 0x0, ) == 0x0
 02429  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75615, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\310\6\0\0\330\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\310\6\0\0\330\5\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75616, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\310\6\0\0\330\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\310\6\0\0\330\5\0\0" )  ) == 0x0
 02430  1744   NtResumeThread  (616, ... 1, ) == 0x0
 02431  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0
 02432  1744   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ...
 02433  1600   NtClose  (612, ...
 02434  1496   NtWaitForSingleObject  (128, 0, 0x0, ...
 02433  1600   NtClose  ... ) == 0x0
 02435  1600   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436  1600   NtAllocateVirtualMemory  (-1, 3629056, 0, 4096, 4096, 4, ... 3629056, 4096, ) == 0x0
 02437  1600   NtQueryPerformanceCounter  (... {1110437963, 16}, {3579545, 0}, ) == 0x0
 02438  1600   NtSetEventBoostPriority  (128, ...
 02343  1020   NtWaitForSingleObject  ... ) == 0x0
 02439  1020   NtSetEventBoostPriority  (128, ...
 02371  1524   NtWaitForSingleObject  ... ) == 0x0
 02440  1524   NtSetEventBoostPriority  (128, ...
 02387   240   NtWaitForSingleObject  ... ) == 0x0
 02441   240   NtSetEventBoostPriority  (128, ...
 02409   308   NtWaitForSingleObject  ... ) == 0x0
 02442   308   NtSetEventBoostPriority  (128, ...
 02421   276   NtWaitForSingleObject  ... ) == 0x0
 02443   276   NtSetEventBoostPriority  (128, ...
 02434  1496   NtWaitForSingleObject  ... ) == 0x0
 02444  1496   NtTestAlert  (... ) == 0x0
 02443   276   NtSetEventBoostPriority  ... ) == 0x0
 02442   308   NtSetEventBoostPriority  ... ) == 0x0
 02441   240   NtSetEventBoostPriority  ... ) == 0x0
 02440  1524   NtSetEventBoostPriority  ... ) == 0x0
 02439  1020   NtSetEventBoostPriority  ... ) == 0x0
 02438  1600   NtSetEventBoostPriority  ... ) == 0x0
 02432  1744   NtAllocateVirtualMemory  ... 71360512, 8192, ) == 0x0
 02445  1496   NtContinue  (70319408, 1, ...
 02446   276   NtTestAlert  (...
 02447   308   NtTestAlert  (...
 02448   240   NtTestAlert  (...
 02449  1524   NtTestAlert  (...
 02450  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12643280, ... }, 12643280, ...
 02451  1744   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ...
 02452  1496   NtRegisterThreadTerminatePort  (24, ...
 02446   276   NtTestAlert  ... ) == 0x0
 02447   308   NtTestAlert  ... ) == 0x0
 02448   240   NtTestAlert  ... ) == 0x0
 02449  1524   NtTestAlert  ... ) == 0x0
 02450  1600   NtQueryAttributesFile  ... ) == 0x0
 02451  1744   NtProtectVirtualMemory  ... (0x440e000), 4096, 4, ) == 0x0
 02452  1496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02453   276   NtContinue  (69270832, 1, ...
 02454   308   NtContinue  (68222256, 1, ...
 02455   240   NtContinue  (67173680, 1, ...
 02456  1524   NtContinue  (66125104, 1, ...
 02457  1020   NtTestAlert  (...
 02458  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02459  1496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02460   276   NtRegisterThreadTerminatePort  (24, ...
 02461   308   NtRegisterThreadTerminatePort  (24, ...
 02462   240   NtRegisterThreadTerminatePort  (24, ...
 02463  1524   NtRegisterThreadTerminatePort  (24, ...
 02457  1020   NtTestAlert  ... ) == 0x0
 02458  1744   NtCreateThread  ... 612, {1736, 2032}, ) == 0x0
 02459  1496   NtDuplicateObject  ... 620, ) == 0x0
 02460   276   NtRegisterThreadTerminatePort  ... ) == 0x0
 02461   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 02462   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02463  1524   NtRegisterThreadTerminatePort  ... ) == 0x0
 02464  1020   NtContinue  (65076528, 1, ...
 02465  1744   NtQueryInformationThread  (612, Basic, 28, ...
 02466  1496   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02467   276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02468   308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02469   240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02470  1524   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02471  1020   NtRegisterThreadTerminatePort  (24, ...
 02472  1600   NtQuerySystemInformation  (Basic, 44, ...
 02465  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1736,Tid=2032,}, 0x0, ) == 0x0
 02466  1496   NtWaitForSingleObject  ... ) == 0x102
 02467   276   NtDuplicateObject  ... 624, ) == 0x0
 02468   308   NtDuplicateObject  ... 628, ) == 0x0
 02469   240   NtDuplicateObject  ... 632, ) == 0x0
 02471  1020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02472  1600   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02473  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75616, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\310\6\0\0\360\7\0\0" ...  ...
 02474  1496   NtWaitForSingleObject  (176, 0, 0x0, ...
 02475   276   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02476   308   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02477   240   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02478  1020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02479  1600   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02473  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75617, 0}  ... {28, 56, reply, 0, 1736, 1744, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\310\6\0\0\360\7\0\0" )  ) == 0x0
 02475   276   NtWaitForSingleObject  ... ) == 0x102
 02476   308   NtWaitForSingleObject  ... ) == 0x102
 02477   240   NtWaitForSingleObject  ... ) == 0x102
 02470  1524   NtDuplicateObject  ... 636, ) == 0x0
 02479  1600   NtAllocateVirtualMemory  ... 3538944, 65536, ) == 0x0
 02480  1744   NtResumeThread  (612, ...
 02481   276   NtWaitForSingleObject  (176, 0, 0x0, ...
 02482   308   NtWaitForSingleObject  (176, 0, 0x0, ...
 02483   240   NtWaitForSingleObject  (176, 0, 0x0, ...
 02484  1524   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02485  1600   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ...
 02480  1744   NtResumeThread  ... 1, ) == 0x0
 02484  1524   NtWaitForSingleObject  ... ) == 0x102
 02485  1600   NtAllocateVirtualMemory  ... 3538944, 4096, ) == 0x0
 02478  1020   NtDuplicateObject  ... 640, ) == 0x0
 02486  2032   NtTestAlert  (...
 02487  1524   NtWaitForSingleObject  (176, 0, 0x0, ...
 02488  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02489  1020   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02486  2032   NtTestAlert  ... ) == 0x0
 02488  1744   NtAllocateVirtualMemory  ... 71368704, 1048576, ) == 0x0
 02489  1020   NtWaitForSingleObject  ... ) == 0x102
 02490  2032   NtContinue  (71367984, 1, ...
 02491  1744   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ...
 02492  1020   NtWaitForSingleObject  (176, 0, 0x0, ...
 02493  2032   NtRegisterThreadTerminatePort  (24, ...
 02491  1744   NtAllocateVirtualMemory  ... 72409088, 8192, ) == 0x0
 02493  2032   NtRegisterThreadTerminatePort  ... ) == 0x0
 02494  1744   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ...
 02495  1600   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ...
 02494  1744   NtProtectVirtualMemory  ... (0x450e000), 4096, 4, ) == 0x0
 02495  1600   NtAllocateVirtualMemory  ... 3543040, 8192, ) == 0x0
 02496  2032   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02497  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12643280, ... }, 12643280, ...
 02496  2032   NtDuplicateObject  ... 644, ) == 0x0
 02498  2032   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 02499  2032   NtWaitForSingleObject  (176, 0, 0x0, ...
 02497  1600   NtQueryAttributesFile  ... ) == 0x0
 02500  1600   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 648, {status=0x0, info=1}, ) }, 5, 96, ... 648, {status=0x0, info=1}, ) == 0x0
 02501  1600   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 648, ... 652, ) == 0x0
 02502  1600   NtClose  (648, ...
 02503  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1736, 932}, ) == 0x0
 02504  1744   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1736,Tid=932,}, 0x0, ) == 0x0
 02505  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75617, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\0\244\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75618, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\0\244\3\0\0" )  ) == 0x0
 02506  1744   NtResumeThread  (656, ... 1, ) == 0x0
 02507  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0
 02508  1744   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ...
 02502  1600   NtClose  ... ) == 0x0
 02509   932   NtWaitForSingleObject  (128, 0, 0x0, ...
 02510  1600   NtMapViewOfSection  (652, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 110592, ) == 0x0
 02511  1600   NtClose  (652, ... ) == 0x0
 02512  1600   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 02513  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12643588, ... ) }, 12643588, ... ) == 0x0
 02514  1600   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 652, {status=0x0, info=1}, ) }, 5, 96, ... 652, {status=0x0, info=1}, ) == 0x0
 02515  1600   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 652, ...
 02508  1744   NtAllocateVirtualMemory  ... 73457664, 8192, ) == 0x0
 02516  1744   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0
 02517  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1736, 1780}, ) == 0x0
 02518  1744   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1736,Tid=1780,}, 0x0, ) == 0x0
 02519  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75618, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0\364\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0\364\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75619, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0\364\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0\364\6\0\0" )  ) == 0x0
 02520  1744   NtResumeThread  (648, ... 1, ) == 0x0
 02515  1600   NtCreateSection  ... 660, ) == 0x0
 02521  1780   NtWaitForSingleObject  (128, 0, 0x0, ...
 02522  1600   NtQuerySection  (660, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02523  1600   NtClose  (652, ... ) == 0x0
 02524  1600   NtMapViewOfSection  (660, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02525  1600   NtClose  (660, ... ) == 0x0
 02526  1600   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02527  1600   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02528  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73465856, 1048576, ) == 0x0
 02529  1744   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0
 02530  1744   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0
 02531  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1736, 1804}, ) == 0x0
 02532  1744   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1736,Tid=1804,}, 0x0, ) == 0x0
 02533  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75619, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\310\6\0\0\14\7\0\0" ...  ...
 02527  1600   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02534  1600   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02535  1600   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02536  1600   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02533  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75620, 0}  ... {28, 56, reply, 0, 1736, 1744, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\310\6\0\0\14\7\0\0" )  ) == 0x0
 02537  1744   NtResumeThread  (660, ... 1, ) == 0x0
 02538  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02539  1744   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02540  1744   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02541  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1736, 1644}, ) == 0x0
 02542  1744   NtQueryInformationThread  (652, Basic, 28, ...
 02536  1600   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02543  1804   NtWaitForSingleObject  (128, 0, 0x0, ...
 02544  1600   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02545  1600   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02546  1600   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02547  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 12642764, ... }, 12642764, ...
 02542  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1736,Tid=1644,}, 0x0, ) == 0x0
 02548  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75620, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0l\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0l\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75621, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0l\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0l\6\0\0" )  ) == 0x0
 02549  1744   NtResumeThread  (652, ... 1, ) == 0x0
 02550  1644   NtWaitForSingleObject  (128, 0, 0x0, ...
 02551  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0
 02552  1744   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0
 02553  1744   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0
 02554  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1736, 336}, ) == 0x0
 02555  1744   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1736,Tid=336,}, 0x0, ) == 0x0
 02556  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75621, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0P\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75622, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0P\1\0\0" )  ) == 0x0
 02557  1744   NtResumeThread  (664, ... 1, ) == 0x0
 02558  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0
 02559  1744   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ...
 02560   336   NtWaitForSingleObject  (128, 0, 0x0, ...
 02559  1744   NtAllocateVirtualMemory  ... 77651968, 8192, ) == 0x0
 02561  1744   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0
 02562  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1736, 800}, ) == 0x0
 02563  1744   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1736,Tid=800,}, 0x0, ) == 0x0
 02564  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75622, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0 \3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0 \3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75623, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0 \3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0 \3\0\0" )  ) == 0x0
 02565  1744   NtResumeThread  (668, ... 1, ) == 0x0
 02547  1600   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02566   800   NtWaitForSingleObject  (128, 0, 0x0, ...
 02567  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02383  1384   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1736, 1384, 75612, 0}  ... {44, 68, reply, 0, 1736, 1384, 75612, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02567  1744   NtAllocateVirtualMemory  ... 77660160, 1048576, ) == 0x0
 02568  1384   NtRaiseException  (11598352, 11597612, 1, ...
 02569  1744   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ...
 02570  1384   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02569  1744   NtAllocateVirtualMemory  ... 78700544, 8192, ) == 0x0
 02571  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 12642764, ... }, 12642764, ...
 02572  1744   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ...
 02571  1600   NtQueryAttributesFile  ... ) == 0x0
 02572  1744   NtProtectVirtualMemory  ... (0x4b0e000), 4096, 4, ) == 0x0
 02573  1600   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... }, 5, 96, ...
 02570  1384   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02573  1600   NtOpenFile  ... 672, {status=0x0, info=1}, ) == 0x0
 02574  1384   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02575  1600   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 672, ...
 02574  1384   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02575  1600   NtCreateSection  ... 676, ) == 0x0
 02576  1384   NtContinue  (11596580, 0, ...
 02577  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1736, 488}, ) == 0x0
 02578  1744   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1736,Tid=488,}, 0x0, ) == 0x0
 02579  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75623, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\310\6\0\0\350\1\0\0" ...  ...
 02580  1600   NtQuerySection  (676, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02581  1600   NtClose  (672, ... ) == 0x0
 02582  1600   NtMapViewOfSection  (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02579  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75624, 0}  ... {28, 56, reply, 0, 1736, 1744, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\310\6\0\0\350\1\0\0" )  ) == 0x0
 02583  1384   NtDeviceIoControlFile  (404, 148, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02584  1744   NtResumeThread  (680, ...
 02583  1384   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02584  1744   NtResumeThread  ... 1, ) == 0x0
 02585  1384   NtWaitForSingleObject  (148, 1, {-5000000, -1}, ...
 02586  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02587  1744   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02588  1744   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0
 02589  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1736, 1948}, ) == 0x0
 02590  1744   NtQueryInformationThread  (672, Basic, 28, ...
 02591  1600   NtClose  (676, ...
 02592   488   NtWaitForSingleObject  (128, 0, 0x0, ...
 02591  1600   NtClose  ... ) == 0x0
 02593  1600   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02594  1600   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02595  1600   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02596  1600   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02597  1600   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02590  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1736,Tid=1948,}, 0x0, ) == 0x0
 02598  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75624, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\234\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75625, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\234\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\234\7\0\0" )  ) == 0x0
 02599  1744   NtResumeThread  (672, ... 1, ) == 0x0
 02600  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0
 02601  1744   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02602  1744   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 02603  1600   NtFlushInstructionCache  (-1, 2006061056, 1368, ...
 02604  1948   NtWaitForSingleObject  (128, 0, 0x0, ...
 02603  1600   NtFlushInstructionCache  ... ) == 0x0
 02605  1600   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02606  1600   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02607  1600   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02608  1600   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02609  1600   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02610  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1736, 1692}, ) == 0x0
 02611  1744   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1736,Tid=1692,}, 0x0, ) == 0x0
 02612  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75625, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0\234\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0\234\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75626, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0\234\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0\234\6\0\0" )  ) == 0x0
 02613  1744   NtResumeThread  (676, ... 1, ) == 0x0
 02614  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0
 02615  1744   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ...
 02616  1600   NtFlushInstructionCache  (-1, 2006061056, 1368, ...
 02617  1692   NtWaitForSingleObject  (128, 0, 0x0, ...
 02616  1600   NtFlushInstructionCache  ... ) == 0x0
 02618  1600   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02619  1600   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02620  1600   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02621  1600   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02622  1600   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02615  1744   NtAllocateVirtualMemory  ... 81846272, 8192, ) == 0x0
 02623  1744   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 02624  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1736, 1800}, ) == 0x0
 02625  1744   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1736,Tid=1800,}, 0x0, ) == 0x0
 02626  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75626, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\10\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75627, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\10\7\0\0" )  ) == 0x0
 02627  1744   NtResumeThread  (684, ... 1, ) == 0x0
 02628  1600   NtFlushInstructionCache  (-1, 1964838912, 224, ...
 02629  1800   NtWaitForSingleObject  (128, 0, 0x0, ...
 02628  1600   NtFlushInstructionCache  ... ) == 0x0
 02630  1600   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02631  1600   NtQueryDefaultUILanguage  (2090319928, ...
 02632  1600   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02633  1600   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482564, ) == 0x0
 02634  1600   NtQueryInformationToken  (-2147482564, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02635  1600   NtClose  (-2147482564, ...
 02636  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81854464, 1048576, ) == 0x0
 02637  1744   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0
 02638  1744   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 02639  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1736, 1520}, ) == 0x0
 02640  1744   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1736,Tid=1520,}, 0x0, ) == 0x0
 02641  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75627, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\310\6\0\0\360\5\0\0" ...  ...
 02635  1600   NtClose  ... ) == 0x0
 02642  1600   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... -2147482564, ) == 0x0
 02643  1600   NtOpenKey  (0x80000000, {24, -2147482564, 0x240, 0, 0,  (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02644  1600   NtOpenKey  (0x80000000, {24, -2147482564, 0x640, 0, 0,  (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... }, ...
 02641  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75628, 0}  ... {28, 56, reply, 0, 1736, 1744, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\310\6\0\0\360\5\0\0" )  ) == 0x0
 02645  1744   NtResumeThread  (688, ... 1, ) == 0x0
 02646  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0
 02647  1744   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 02648  1744   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0
 02649  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1736, 1348}, ) == 0x0
 02650  1744   NtQueryInformationThread  (692, Basic, 28, ...
 02644  1600   NtOpenKey  ... -2147481440, ) == 0x0
 02651  1520   NtWaitForSingleObject  (128, 0, 0x0, ...
 02652  1600   NtQueryValueKey  (-2147481440,  (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02653  1600   NtClose  (-2147481440, ... ) == 0x0
 02654  1600   NtClose  (-2147482564, ... ) == 0x0
 02631  1600   NtQueryDefaultUILanguage  ... ) == 0x0
 02655  1600   NtAllocateVirtualMemory  (-1, 12632064, 0, 4096, 4096, 260, ... 12632064, 4096, ) == 0x0
 02656  1600   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02650  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1736,Tid=1348,}, 0x0, ) == 0x0
 02657  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75628, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0D\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0D\5\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75629, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0D\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0D\5\0\0" )  ) == 0x0
 02658  1744   NtResumeThread  (692, ... 1, ) == 0x0
 02659  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83951616, 1048576, ) == 0x0
 02660  1744   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ... 84992000, 8192, ) == 0x0
 02661  1744   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ... (0x510e000), 4096, 4, ) == 0x0
 02662  1600   NtQueryDefaultLocale  (1, 12643484, ...
 02663  1348   NtWaitForSingleObject  (128, 0, 0x0, ...
 02662  1600   NtQueryDefaultLocale  ... ) == 0x0
 02664  1600   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02665  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 696, ) }, ... 696, ) == 0x0
 02666  1600   NtQueryValueKey  (696,  (696, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (696, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02667  1600   NtClose  (696, ... ) == 0x0
 02668  1600   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 696, ) == 0x0
 02669  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1736, 168}, ) == 0x0
 02670  1744   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1736,Tid=168,}, 0x0, ) == 0x0
 02671  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75629, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0\250\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0\250\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75630, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0\250\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0\250\0\0\0" )  ) == 0x0
 02672  1744   NtResumeThread  (700, ... 1, ) == 0x0
 02673  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0
 02674  1744   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ...
 02675  1600   NtCallbackReturn  (0, 0, 0, ...
 02676   168   NtWaitForSingleObject  (128, 0, 0x0, ...
 02677  1600   NtUserGetProcessWindowStation  (... ) == 0x1c
 02678  1600   NtUserGetObjectInformation  (28, 1, 12643080, 12, 12643092, ... ) == 0x1
 02679  1600   NtOpenKey  (0xf003f, {24, 36, 0x40, 0, 0,  (0xf003f, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02680  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\WPA\PnP"}, ... 704, ) }, ... 704, ) == 0x0
 02681  1600   NtQueryValueKey  (704,  (704, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (704, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02682  1600   NtClose  (704, ...
 02674  1744   NtAllocateVirtualMemory  ... 86040576, 8192, ) == 0x0
 02683  1744   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 02684  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1736, 1176}, ) == 0x0
 02685  1744   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1736,Tid=1176,}, 0x0, ) == 0x0
 02686  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75630, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\310\6\0\0\230\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\310\6\0\0\230\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75631, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\310\6\0\0\230\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\310\6\0\0\230\4\0\0" )  ) == 0x0
 02687  1744   NtResumeThread  (708, ... 1, ) == 0x0
 02682  1600   NtClose  ... ) == 0x0
 02688  1176   NtWaitForSingleObject  (128, 0, 0x0, ...
 02689  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 704, ) }, ... 704, ) == 0x0
 02690  1600   NtQueryValueKey  (704,  (704, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (704, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02691  1600   NtQueryValueKey  (704,  (704, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (704, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02692  1600   NtClose  (704, ... ) == 0x0
 02693  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 704, ) }, ... 704, ) == 0x0
 02694  1600   NtQueryValueKey  (704,  (704, "SystemPartition", Partial, 144, ... , Partial, 144, ...
 02695  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86048768, 1048576, ) == 0x0
 02696  1744   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0
 02697  1744   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 02698  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1736, 1740}, ) == 0x0
 02699  1744   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1736,Tid=1740,}, 0x0, ) == 0x0
 02700  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75631, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\310\6\0\0\314\6\0\0" ...  ...
 02694  1600   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02701  1600   NtQueryValueKey  (704,  (704, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (704, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02702  1600   NtClose  (704, ... ) == 0x0
 02703  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02700  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75632, 0}  ... {28, 56, reply, 0, 1736, 1744, 75632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\310\6\0\0\314\6\0\0" )  ) == 0x0
 02704  1744   NtResumeThread  (712, ... 1, ) == 0x0
 02705  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0
 02706  1744   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 02707  1744   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0
 02708  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1736, 1852}, ) == 0x0
 02709  1744   NtQueryInformationThread  (704, Basic, 28, ...
 02703  1600   NtOpenKey  ... 716, ) == 0x0
 02710  1740   NtWaitForSingleObject  (128, 0, 0x0, ...
 02711  1600   NtQueryValueKey  (716,  (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02712  1600   NtQueryValueKey  (716,  (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02713  1600   NtClose  (716, ... ) == 0x0
 02714  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 716, ) }, ... 716, ) == 0x0
 02715  1600   NtQueryValueKey  (716,  (716, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02716  1600   NtQueryValueKey  (716,  (716, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ...
 02709  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1736,Tid=1852,}, 0x0, ) == 0x0
 02717  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75632, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0<\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75633, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0<\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0<\7\0\0" )  ) == 0x0
 02718  1744   NtResumeThread  (704, ... 1, ) == 0x0
 02719  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88145920, 1048576, ) == 0x0
 02720  1744   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0
 02721  1744   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0
 02716  1600   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02722  1852   NtWaitForSingleObject  (128, 0, 0x0, ...
 02723  1600   NtClose  (716, ... ) == 0x0
 02724  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 716, ) }, ... 716, ) == 0x0
 02725  1600   NtQueryValueKey  (716,  (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02726  1600   NtQueryValueKey  (716,  (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02727  1600   NtClose  (716, ... ) == 0x0
 02728  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02729  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1736, 824}, ) == 0x0
 02730  1744   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1736,Tid=824,}, 0x0, ) == 0x0
 02731  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75633, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\08\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\08\3\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75634, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\08\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\08\3\0\0" )  ) == 0x0
 02732  1744   NtResumeThread  (716, ... 1, ) == 0x0
 02733  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89194496, 1048576, ) == 0x0
 02734  1744   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ...
 02728  1600   NtOpenKey  ... 720, ) == 0x0
 02735   824   NtWaitForSingleObject  (128, 0, 0x0, ...
 02736  1600   NtQueryValueKey  (720,  (720, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (720, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02737  1600   NtQueryValueKey  (720,  (720, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (720, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02738  1600   NtClose  (720, ... ) == 0x0
 02739  1600   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 720, ) }, ... 720, ) == 0x0
 02740  1600   NtQueryValueKey  (720,  (720, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02741  1600   NtQueryValueKey  (720,  (720, "DevicePath", Partial, 346, ... , Partial, 346, ...
 02734  1744   NtAllocateVirtualMemory  ... 90234880, 8192, ) == 0x0
 02742  1744   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0
 02743  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1736, 2020}, ) == 0x0
 02744  1744   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1736,Tid=2020,}, 0x0, ) == 0x0
 02745  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75634, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75635, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0\344\7\0\0" )  ) == 0x0
 02746  1744   NtResumeThread  (724, ... 1, ) == 0x0
 02741  1600   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02747  2020   NtWaitForSingleObject  (128, 0, 0x0, ...
 02748  1600   NtClose  (720, ... ) == 0x0
 02749  1600   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 720, ) == 0x0
 02750  1600   NtCreateMutant  (0x1f0001, 0x0, 0, ... 728, ) == 0x0
 02751  1600   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 732, ) == 0x0
 02752  1600   NtCreateMutant  (0x1f0001, 0x0, 0, ... 736, ) == 0x0
 02753  1600   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02754  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90243072, 1048576, ) == 0x0
 02755  1744   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0
 02756  1744   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0
 02757  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1736, 896}, ) == 0x0
 02758  1744   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1736,Tid=896,}, 0x0, ) == 0x0
 02759  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75635, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\310\6\0\0\200\3\0\0" ...  ...
 02753  1600   NtCreateEvent  ... 744, ) == 0x0
 02760  1600   NtCreateMutant  (0x1f0001, 0x0, 0, ... 748, ) == 0x0
 02761  1600   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 752, ) }, ... 752, ) == 0x0
 02762  1600   NtQueryValueKey  (752,  (752, "LogLevel", Partial, 144, ... , Partial, 144, ...
 02759  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75636, 0}  ... {28, 56, reply, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\310\6\0\0\200\3\0\0" )  ) == 0x0
 02763  1744   NtResumeThread  (740, ... 1, ) == 0x0
 02764  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91291648, 1048576, ) == 0x0
 02765  1744   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0
 02766  1744   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0
 02767  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1736, 1252}, ) == 0x0
 02768  1744   NtQueryInformationThread  (756, Basic, 28, ...
 02762  1600   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02769   896   NtWaitForSingleObject  (128, 0, 0x0, ...
 02770  1600   NtQueryValueKey  (752,  (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02771  1600   NtQueryValueKey  (752,  (752, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02772  1600   NtOpenKey  (0x1, {24, 752, 0x40, 0, 0,  (0x1, {24, 752, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02773  1600   NtClose  (752, ... ) == 0x0
 02774  1600   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 12642996, ... ) }, 12642996, ... ) == 0x0
 02775  1600   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... }, ...
 02768  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1736,Tid=1252,}, 0x0, ) == 0x0
 02776  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75636, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75637, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\344\4\0\0" )  ) == 0x0
 02777  1744   NtResumeThread  (756, ... 1, ) == 0x0
 02778  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 92340224, 1048576, ) == 0x0
 02779  1744   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ... 93380608, 8192, ) == 0x0
 02780  1744   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0
 02775  1600   NtOpenKey  ... 752, ) == 0x0
 02781  1252   NtWaitForSingleObject  (128, 0, 0x0, ...
 02782  1600   NtQueryValueKey  (752,  (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02783  1600   NtClose  (752, ... ) == 0x0
 02784  1600   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 752, ) }, ... 752, ) == 0x0
 02785  1600   NtQueryValueKey  (752,  (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02786  1600   NtClose  (752, ... ) == 0x0
 02787  1600   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... }, ...
 02788  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1736, 1028}, ) == 0x0
 02789  1744   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1736,Tid=1028,}, 0x0, ) == 0x0
 02790  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75637, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75638, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0\4\4\0\0" )  ) == 0x0
 02791  1744   NtResumeThread  (752, ... 1, ) == 0x0
 02792  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93388800, 1048576, ) == 0x0
 02793  1744   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ...
 02787  1600   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02794  1028   NtWaitForSingleObject  (128, 0, 0x0, ...
 02795  1600   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 760, ) }, ... 760, ) == 0x0
 02796  1600   NtQueryValueKey  (760,  (760, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (760, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (760, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02797  1600   NtClose  (760, ... ) == 0x0
 02798  1600   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02799  1600   NtSetEventBoostPriority  (128, ...
 02509   932   NtWaitForSingleObject  ... ) == 0x0
 02800   932   NtSetEventBoostPriority  (128, ...
 02521  1780   NtWaitForSingleObject  ... ) == 0x0
 02801  1780   NtSetEventBoostPriority  (128, ...
 02543  1804   NtWaitForSingleObject  ... ) == 0x0
 02802  1804   NtSetEventBoostPriority  (128, ...
 02550  1644   NtWaitForSingleObject  ... ) == 0x0
 02803  1644   NtSetEventBoostPriority  (128, ...
 02560   336   NtWaitForSingleObject  ... ) == 0x0
 02804   336   NtSetEventBoostPriority  (128, ...
 02566   800   NtWaitForSingleObject  ... ) == 0x0
 02805   800   NtSetEventBoostPriority  (128, ...
 02592   488   NtWaitForSingleObject  ... ) == 0x0
 02806   488   NtSetEventBoostPriority  (128, ...
 02604  1948   NtWaitForSingleObject  ... ) == 0x0
 02807  1948   NtSetEventBoostPriority  (128, ...
 02617  1692   NtWaitForSingleObject  ... ) == 0x0
 02808  1692   NtSetEventBoostPriority  (128, ...
 02629  1800   NtWaitForSingleObject  ... ) == 0x0
 02809  1800   NtSetEventBoostPriority  (128, ...
 02651  1520   NtWaitForSingleObject  ... ) == 0x0
 02810  1520   NtSetEventBoostPriority  (128, ...
 02663  1348   NtWaitForSingleObject  ... ) == 0x0
 02811  1348   NtSetEventBoostPriority  (128, ...
 02676   168   NtWaitForSingleObject  ... ) == 0x0
 02812   168   NtSetEventBoostPriority  (128, ...
 02688  1176   NtWaitForSingleObject  ... ) == 0x0
 02813  1176   NtSetEventBoostPriority  (128, ...
 02710  1740   NtWaitForSingleObject  ... ) == 0x0
 02814  1740   NtSetEventBoostPriority  (128, ...
 02722  1852   NtWaitForSingleObject  ... ) == 0x0
 02815  1852   NtSetEventBoostPriority  (128, ...
 02735   824   NtWaitForSingleObject  ... ) == 0x0
 02816   824   NtSetEventBoostPriority  (128, ...
 02747  2020   NtWaitForSingleObject  ... ) == 0x0
 02817  2020   NtSetEventBoostPriority  (128, ...
 02769   896   NtWaitForSingleObject  ... ) == 0x0
 02818   896   NtSetEventBoostPriority  (128, ...
 02781  1252   NtWaitForSingleObject  ... ) == 0x0
 02819  1252   NtSetEventBoostPriority  (128, ...
 02794  1028   NtWaitForSingleObject  ... ) == 0x0
 02820  1028   NtAllocateVirtualMemory  (-1, 3633152, 0, 4096, 4096, 4, ... 3633152, 4096, ) == 0x0
 02819  1252   NtSetEventBoostPriority  ... ) == 0x0
 02818   896   NtSetEventBoostPriority  ... ) == 0x0
 02817  2020   NtSetEventBoostPriority  ... ) == 0x0
 02816   824   NtSetEventBoostPriority  ... ) == 0x0
 02815  1852   NtSetEventBoostPriority  ... ) == 0x0
 02814  1740   NtSetEventBoostPriority  ... ) == 0x0
 02813  1176   NtSetEventBoostPriority  ... ) == 0x0
 02812   168   NtSetEventBoostPriority  ... ) == 0x0
 02811  1348   NtSetEventBoostPriority  ... ) == 0x0
 02810  1520   NtSetEventBoostPriority  ... ) == 0x0
 02809  1800   NtSetEventBoostPriority  ... ) == 0x0
 02808  1692   NtSetEventBoostPriority  ... ) == 0x0
 02807  1948   NtSetEventBoostPriority  ... ) == 0x0
 02806   488   NtSetEventBoostPriority  ... ) == 0x0
 02805   800   NtSetEventBoostPriority  ... ) == 0x0
 02804   336   NtSetEventBoostPriority  ... ) == 0x0
 02803  1644   NtSetEventBoostPriority  ... ) == 0x0
 02802  1804   NtSetEventBoostPriority  ... ) == 0x0
 02801  1780   NtSetEventBoostPriority  ... ) == 0x0
 02800   932   NtSetEventBoostPriority  ... ) == 0x0
 02799  1600   NtSetEventBoostPriority  ... ) == 0x0
 02793  1744   NtAllocateVirtualMemory  ... 94429184, 8192, ) == 0x0
 02821  1028   NtTestAlert  (...
 02822  1252   NtTestAlert  (...
 02823   896   NtTestAlert  (...
 02824  2020   NtTestAlert  (...
 02825   824   NtTestAlert  (...
 02826  1852   NtTestAlert  (...
 02827  1740   NtTestAlert  (...
 02828  1176   NtTestAlert  (...
 02829   168   NtTestAlert  (...
 02830  1348   NtTestAlert  (...
 02831  1520   NtTestAlert  (...
 02832  1800   NtTestAlert  (...
 02833  1692   NtTestAlert  (...
 02834  1948   NtTestAlert  (...
 02835   488   NtTestAlert  (...
 02836   800   NtTestAlert  (...
 02837   336   NtTestAlert  (...
 02838  1644   NtTestAlert  (...
 02839  1804   NtTestAlert  (...
 02840  1780   NtTestAlert  (...
 02841  1600   NtSetEventBoostPriority  (176, ...
 02842  1744   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ...
 02821  1028   NtTestAlert  ... ) == 0x0
 02822  1252   NtTestAlert  ... ) == 0x0
 02823   896   NtTestAlert  ... ) == 0x0
 02824  2020   NtTestAlert  ... ) == 0x0
 02825   824   NtTestAlert  ... ) == 0x0
 02826  1852   NtTestAlert  ... ) == 0x0
 02827  1740   NtTestAlert  ... ) == 0x0
 02828  1176   NtTestAlert  ... ) == 0x0
 02829   168   NtTestAlert  ... ) == 0x0
 02830  1348   NtTestAlert  ... ) == 0x0
 02831  1520   NtTestAlert  ... ) == 0x0
 02832  1800   NtTestAlert  ... ) == 0x0
 02833  1692   NtTestAlert  ... ) == 0x0
 02834  1948   NtTestAlert  ... ) == 0x0
 02835   488   NtTestAlert  ... ) == 0x0
 02836   800   NtTestAlert  ... ) == 0x0
 02837   336   NtTestAlert  ... ) == 0x0
 02838  1644   NtTestAlert  ... ) == 0x0
 02839  1804   NtTestAlert  ... ) == 0x0
 02840  1780   NtTestAlert  ... ) == 0x0
 02843   932   NtTestAlert  (...
 02842  1744   NtProtectVirtualMemory  ... (0x5a0e000), 4096, 4, ) == 0x0
 02844  1028   NtContinue  (93388080, 1, ...
 02845  1252   NtContinue  (92339504, 1, ...
 02846   896   NtContinue  (91290928, 1, ...
 02847  2020   NtContinue  (90242352, 1, ...
 02848   824   NtContinue  (89193776, 1, ...
 02849  1852   NtContinue  (88145200, 1, ...
 02850  1740   NtContinue  (87096624, 1, ...
 02851  1176   NtContinue  (86048048, 1, ...
 02852   168   NtContinue  (84999472, 1, ...
 02853  1348   NtContinue  (83950896, 1, ...
 02854  1520   NtContinue  (82902320, 1, ...
 02855  1800   NtContinue  (81853744, 1, ...
 02856  1692   NtContinue  (80805168, 1, ...
 02857  1948   NtContinue  (79756592, 1, ...
 02858   488   NtContinue  (78708016, 1, ...
 02859   800   NtContinue  (77659440, 1, ...
 02860   336   NtContinue  (76610864, 1, ...
 02861  1644   NtContinue  (75562288, 1, ...
 02862  1804   NtContinue  (74513712, 1, ...
 02863  1780   NtContinue  (73465136, 1, ...
 02843   932   NtTestAlert  ... ) == 0x0
 02864  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02865  1028   NtRegisterThreadTerminatePort  (24, ...
 02866  1252   NtRegisterThreadTerminatePort  (24, ...
 02867   896   NtRegisterThreadTerminatePort  (24, ...
 02868  2020   NtRegisterThreadTerminatePort  (24, ...
 02869   824   NtRegisterThreadTerminatePort  (24, ...
 02870  1852   NtRegisterThreadTerminatePort  (24, ...
 02871  1740   NtRegisterThreadTerminatePort  (24, ...
 02872  1176   NtRegisterThreadTerminatePort  (24, ...
 02873   168   NtRegisterThreadTerminatePort  (24, ...
 02874  1348   NtRegisterThreadTerminatePort  (24, ...
 02875  1520   NtRegisterThreadTerminatePort  (24, ...
 02876  1800   NtRegisterThreadTerminatePort  (24, ...
 02877  1692   NtRegisterThreadTerminatePort  (24, ...
 02878  1948   NtRegisterThreadTerminatePort  (24, ...
 02879   488   NtRegisterThreadTerminatePort  (24, ...
 02880   800   NtRegisterThreadTerminatePort  (24, ...
 02881   336   NtRegisterThreadTerminatePort  (24, ...
 02882  1644   NtRegisterThreadTerminatePort  (24, ...
 02883  1804   NtRegisterThreadTerminatePort  (24, ...
 02884  1780   NtRegisterThreadTerminatePort  (24, ...
 02885   932   NtContinue  (72416560, 1, ...
 02864  1744   NtCreateThread  ... 760, {1736, 1180}, ) == 0x0
 02865  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 02866  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 02867   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 02868  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02869   824   NtRegisterThreadTerminatePort  ... ) == 0x0
 02870  1852   NtRegisterThreadTerminatePort  ... ) == 0x0
 02871  1740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02872  1176   NtRegisterThreadTerminatePort  ... ) == 0x0
 02873   168   NtRegisterThreadTerminatePort  ... ) == 0x0
 02874  1348   NtRegisterThreadTerminatePort  ... ) == 0x0
 02875  1520   NtRegisterThreadTerminatePort  ... ) == 0x0
 02876  1800   NtRegisterThreadTerminatePort  ... ) == 0x0
 02877  1692   NtRegisterThreadTerminatePort  ... ) == 0x0
 02878  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 02879   488   NtRegisterThreadTerminatePort  ... ) == 0x0
 02880   800   NtRegisterThreadTerminatePort  ... ) == 0x0
 02881   336   NtRegisterThreadTerminatePort  ... ) == 0x0
 02882  1644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02883  1804   NtRegisterThreadTerminatePort  ... ) == 0x0
 02884  1780   NtRegisterThreadTerminatePort  ... ) == 0x0
 02886   932   NtRegisterThreadTerminatePort  (24, ...
 02887  1744   NtQueryInformationThread  (760, Basic, 28, ...
 02888  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02889  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02890   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02891  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02892   824   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02893  1852   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02894  1740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02895  1176   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02896   168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02897  1348   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02898  1520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02899  1800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02900  1692   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02901  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02902   488   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02903   800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02904   336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02905  1644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02906  1804   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02907  1780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02886   932   NtRegisterThreadTerminatePort  ... ) == 0x0
 01220  2040   NtWaitForSingleObject  ... ) == 0x0
 02841  1600   NtSetEventBoostPriority  ... ) == 0x0
 02887  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1736,Tid=1180,}, 0x0, ) == 0x0
 02888  1028   NtDuplicateObject  ... 764, ) == 0x0
 02889  1252   NtDuplicateObject  ... 768, ) == 0x0
 02890   896   NtDuplicateObject  ... 772, ) == 0x0
 02891  2020   NtDuplicateObject  ... 776, ) == 0x0
 02892   824   NtDuplicateObject  ... 780, ) == 0x0
 02893  1852   NtDuplicateObject  ... 784, ) == 0x0
 02894  1740   NtDuplicateObject  ... 788, ) == 0x0
 02895  1176   NtDuplicateObject  ... 792, ) == 0x0
 02896   168   NtDuplicateObject  ... 796, ) == 0x0
 02897  1348   NtDuplicateObject  ... 800, ) == 0x0
 02898  1520   NtDuplicateObject  ... 804, ) == 0x0
 02899  1800   NtDuplicateObject  ... 808, ) == 0x0
 02900  1692   NtDuplicateObject  ... 812, ) == 0x0
 02901  1948   NtDuplicateObject  ... 816, ) == 0x0
 02902   488   NtDuplicateObject  ... 820, ) == 0x0
 02903   800   NtDuplicateObject  ... 824, ) == 0x0
 02904   336   NtDuplicateObject  ... 828, ) == 0x0
 02905  1644   NtDuplicateObject  ... 832, ) == 0x0
 02906  1804   NtDuplicateObject  ... 836, ) == 0x0
 02908   932   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02909  2040   NtSetEventBoostPriority  (176, ...
 02910  1600   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02911  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75638, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\310\6\0\0\234\4\0\0" ...  ...
 02912  1028   NtWaitForSingleObject  (344, 0, 0x0, ...
 02913  1252   NtWaitForSingleObject  (344, 0, 0x0, ...
 02914   896   NtWaitForSingleObject  (344, 0, 0x0, ...
 02915  2020   NtWaitForSingleObject  (344, 0, 0x0, ...
 02916   824   NtWaitForSingleObject  (344, 0, 0x0, ...
 02917  1852   NtWaitForSingleObject  (344, 0, 0x0, ...
 02918  1740   NtWaitForSingleObject  (344, 0, 0x0, ...
 02919  1176   NtWaitForSingleObject  (344, 0, 0x0, ...
 02920   168   NtWaitForSingleObject  (344, 0, 0x0, ...
 02921  1348   NtWaitForSingleObject  (344, 0, 0x0, ...
 02922  1520   NtWaitForSingleObject  (344, 0, 0x0, ...
 02923  1800   NtWaitForSingleObject  (344, 0, 0x0, ...
 02924  1692   NtWaitForSingleObject  (344, 0, 0x0, ...
 02925  1948   NtWaitForSingleObject  (344, 0, 0x0, ...
 02926   488   NtWaitForSingleObject  (344, 0, 0x0, ...
 02927   800   NtWaitForSingleObject  (344, 0, 0x0, ...
 02928   336   NtWaitForSingleObject  (344, 0, 0x0, ...
 02929  1644   NtWaitForSingleObject  (344, 0, 0x0, ...
 02930  1804   NtWaitForSingleObject  (344, 0, 0x0, ...
 02907  1780   NtDuplicateObject  ... 840, ) == 0x0
 01221  2036   NtWaitForSingleObject  ... ) == 0x0
 02909  2040   NtSetEventBoostPriority  ... ) == 0x0
 02910  1600   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02911  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75639, 0}  ... {28, 56, reply, 0, 1736, 1744, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\310\6\0\0\234\4\0\0" )  ) == 0x0
 02931  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 02932  1780   NtWaitForSingleObject  (344, 0, 0x0, ...
 02933  2040   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02934  1600   NtSetEventBoostPriority  (344, ...
 02935  1744   NtResumeThread  (760, ...
 02908   932   NtDuplicateObject  ... 844, ) == 0x0
 02912  1028   NtWaitForSingleObject  ... ) == 0x0
 02934  1600   NtSetEventBoostPriority  ... ) == 0x0
 02935  1744   NtResumeThread  ... 1, ) == 0x0
 02936  1028   NtSetEventBoostPriority  (344, ...
 02937   932   NtWaitForSingleObject  (344, 0, 0x0, ...
 02938  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 02933  2040   NtCreateEvent  ... 848, ) == 0x0
 02939  1180   NtWaitForSingleObject  (344, 0, 0x0, ...
 02913  1252   NtWaitForSingleObject  ... ) == 0x0
 02936  1028   NtSetEventBoostPriority  ... ) == 0x0
 02940  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02941  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 02942  1252   NtSetEventBoostPriority  (344, ...
 02940  1744   NtAllocateVirtualMemory  ... 94437376, 1048576, ) == 0x0
 02914   896   NtWaitForSingleObject  ... ) == 0x0
 02942  1252   NtSetEventBoostPriority  ... ) == 0x0
 02943   896   NtSetEventBoostPriority  (344, ...
 02944  1744   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ...
 02945  1028   NtWaitForSingleObject  (344, 0, 0x0, ...
 02915  2020   NtWaitForSingleObject  ... ) == 0x0
 02943   896   NtSetEventBoostPriority  ... ) == 0x0
 02944  1744   NtAllocateVirtualMemory  ... 95477760, 8192, ) == 0x0
 02946  2020   NtSetEventBoostPriority  (344, ...
 02947  1252   NtWaitForSingleObject  (344, 0, 0x0, ...
 02916   824   NtWaitForSingleObject  ... ) == 0x0
 02946  2020   NtSetEventBoostPriority  ... ) == 0x0
 02948  1744   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ...
 02949   824   NtSetEventBoostPriority  (344, ...
 02950   896   NtWaitForSingleObject  (344, 0, 0x0, ...
 02917  1852   NtWaitForSingleObject  ... ) == 0x0
 02949   824   NtSetEventBoostPriority  ... ) == 0x0
 02948  1744   NtProtectVirtualMemory  ... (0x5b0e000), 4096, 4, ) == 0x0
 02951  1852   NtSetEventBoostPriority  (344, ...
 02952  2020   NtWaitForSingleObject  (344, 0, 0x0, ...
 02953   824   NtWaitForSingleObject  (344, 0, 0x0, ...
 02918  1740   NtWaitForSingleObject  ... ) == 0x0
 02951  1852   NtSetEventBoostPriority  ... ) == 0x0
 02954  1740   NtSetEventBoostPriority  (344, ...
 02955  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02919  1176   NtWaitForSingleObject  ... ) == 0x0
 02954  1740   NtSetEventBoostPriority  ... ) == 0x0
 02956  1176   NtSetEventBoostPriority  (344, ...
 02955  1744   NtCreateThread  ... 852, {1736, 1732}, ) == 0x0
 02957  1852   NtWaitForSingleObject  (344, 0, 0x0, ...
 02920   168   NtWaitForSingleObject  ... ) == 0x0
 02956  1176   NtSetEventBoostPriority  ... ) == 0x0
 02958  1744   NtQueryInformationThread  (852, Basic, 28, ...
 02959   168   NtSetEventBoostPriority  (344, ...
 02960  1740   NtWaitForSingleObject  (344, 0, 0x0, ...
 02921  1348   NtWaitForSingleObject  ... ) == 0x0
 02959   168   NtSetEventBoostPriority  ... ) == 0x0
 02958  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1736,Tid=1732,}, 0x0, ) == 0x0
 02961  1348   NtSetEventBoostPriority  (344, ...
 02962  1176   NtWaitForSingleObject  (344, 0, 0x0, ...
 02922  1520   NtWaitForSingleObject  ... ) == 0x0
 02961  1348   NtSetEventBoostPriority  ... ) == 0x0
 02963  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75639, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\310\6\0\0\304\6\0\0" ...  ...
 02964  1520   NtSetEventBoostPriority  (344, ...
 02965   168   NtWaitForSingleObject  (344, 0, 0x0, ...
 02923  1800   NtWaitForSingleObject  ... ) == 0x0
 02964  1520   NtSetEventBoostPriority  ... ) == 0x0
 02966  1800   NtSetEventBoostPriority  (344, ...
 02967  1348   NtWaitForSingleObject  (344, 0, 0x0, ...
 02963  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75640, 0}  ... {28, 56, reply, 0, 1736, 1744, 75640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\310\6\0\0\304\6\0\0" )  ) == 0x0
 02924  1692   NtWaitForSingleObject  ... ) == 0x0
 02966  1800   NtSetEventBoostPriority  ... ) == 0x0
 02968  1692   NtSetEventBoostPriority  (344, ...
 02969  1744   NtResumeThread  (852, ...
 02970  1520   NtWaitForSingleObject  (344, 0, 0x0, ...
 02925  1948   NtWaitForSingleObject  ... ) == 0x0
 02968  1692   NtSetEventBoostPriority  ... ) == 0x0
 02969  1744   NtResumeThread  ... 1, ) == 0x0
 02971  1948   NtSetEventBoostPriority  (344, ...
 02972  1800   NtWaitForSingleObject  (344, 0, 0x0, ...
 02973  1732   NtWaitForSingleObject  (128, 0, 0x0, ...
 02926   488   NtWaitForSingleObject  ... ) == 0x0
 02971  1948   NtSetEventBoostPriority  ... ) == 0x0
 02974  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02975   488   NtSetEventBoostPriority  (344, ...
 02976  1692   NtWaitForSingleObject  (344, 0, 0x0, ...
 02927   800   NtWaitForSingleObject  ... ) == 0x0
 02975   488   NtSetEventBoostPriority  ... ) == 0x0
 02974  1744   NtAllocateVirtualMemory  ... 95485952, 1048576, ) == 0x0
 02977   800   NtSetEventBoostPriority  (344, ...
 02978  1948   NtWaitForSingleObject  (344, 0, 0x0, ...
 02928   336   NtWaitForSingleObject  ... ) == 0x0
 02977   800   NtSetEventBoostPriority  ... ) == 0x0
 02979  1744   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ...
 02980   336   NtSetEventBoostPriority  (344, ...
 02981   488   NtWaitForSingleObject  (344, 0, 0x0, ...
 02982   800   NtWaitForSingleObject  (344, 0, 0x0, ...
 02929  1644   NtWaitForSingleObject  ... ) == 0x0
 02980   336   NtSetEventBoostPriority  ... ) == 0x0
 02983  1644   NtSetEventBoostPriority  (344, ...
 02979  1744   NtAllocateVirtualMemory  ... 96526336, 8192, ) == 0x0
 02930  1804   NtWaitForSingleObject  ... ) == 0x0
 02983  1644   NtSetEventBoostPriority  ... ) == 0x0
 02984  1804   NtSetEventBoostPriority  (344, ...
 02985  1744   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ...
 02986   336   NtWaitForSingleObject  (344, 0, 0x0, ...
 02931  2036   NtWaitForSingleObject  ... ) == 0x0
 02984  1804   NtSetEventBoostPriority  ... ) == 0x0
 02985  1744   NtProtectVirtualMemory  ... (0x5c0e000), 4096, 4, ) == 0x0
 02987  2036   NtSetEventBoostPriority  (344, ...
 02988  1644   NtWaitForSingleObject  (344, 0, 0x0, ...
 02932  1780   NtWaitForSingleObject  ... ) == 0x0
 02987  2036   NtSetEventBoostPriority  ... ) == 0x0
 02989  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02990  1780   NtSetEventBoostPriority  (344, ...
 02991  1804   NtWaitForSingleObject  (344, 0, 0x0, ...
 02937   932   NtWaitForSingleObject  ... ) == 0x0
 02990  1780   NtSetEventBoostPriority  ... ) == 0x0
 02989  1744   NtCreateThread  ... 856, {1736, 1300}, ) == 0x0
 02992   932   NtSetEventBoostPriority  (344, ...
 02993  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 02939  1180   NtWaitForSingleObject  ... ) == 0x0
 02992   932   NtSetEventBoostPriority  ... ) == 0x0
 02994  1744   NtQueryInformationThread  (856, Basic, 28, ...
 02995  1180   NtSetEventBoostPriority  (344, ...
 02996  1780   NtWaitForSingleObject  (344, 0, 0x0, ...
 02997   932   NtWaitForSingleObject  (344, 0, 0x0, ...
 02938  1600   NtWaitForSingleObject  ... ) == 0x0
 02995  1180   NtSetEventBoostPriority  ... ) == 0x0
 02998  1600   NtSetEventBoostPriority  (344, ...
 02994  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1736,Tid=1300,}, 0x0, ) == 0x0
 02941  2040   NtWaitForSingleObject  ... ) == 0x0
 02999  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75640, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\310\6\0\0\24\5\0\0" ...  ...
 03000  2040   NtSetEventBoostPriority  (344, ...
 02999  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75641, 0}  ... {28, 56, reply, 0, 1736, 1744, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\310\6\0\0\24\5\0\0" )  ) == 0x0
 02945  1028   NtWaitForSingleObject  ... ) == 0x0
 03000  2040   NtSetEventBoostPriority  ... ) == 0x0
 03001  1028   NtSetEventBoostPriority  (344, ...
 03002  1744   NtResumeThread  (856, ...
 02998  1600   NtSetEventBoostPriority  ... ) == 0x0
 03003  1180   NtSetEventBoostPriority  (128, ...
 02947  1252   NtWaitForSingleObject  ... ) == 0x0
 03001  1028   NtSetEventBoostPriority  ... ) == 0x0
 03002  1744   NtResumeThread  ... 1, ) == 0x0
 03004  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 03005  1252   NtSetEventBoostPriority  (344, ...
 02973  1732   NtWaitForSingleObject  ... ) == 0x0
 03003  1180   NtSetEventBoostPriority  ... ) == 0x0
 03006  1028   NtWaitForSingleObject  (344, 0, 0x0, ...
 03007  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03008  1300   NtWaitForSingleObject  (128, 0, 0x0, ...
 02950   896   NtWaitForSingleObject  ... ) == 0x0
 03009  1732   NtWaitForSingleObject  (344, 0, 0x0, ...
 03005  1252   NtSetEventBoostPriority  ... ) == 0x0
 03010  1180   NtTestAlert  (...
 03011  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03012   896   NtSetEventBoostPriority  (344, ...
 03013  1252   NtWaitForSingleObject  (344, 0, 0x0, ...
 03010  1180   NtTestAlert  ... ) == 0x0
 02952  2020   NtWaitForSingleObject  ... ) == 0x0
 03012   896   NtSetEventBoostPriority  ... ) == 0x0
 03011  1744   NtAllocateVirtualMemory  ... 96534528, 1048576, ) == 0x0
 03014  2020   NtSetEventBoostPriority  (344, ...
 03015  1180   NtContinue  (94436656, 1, ...
 03016   896   NtWaitForSingleObject  (344, 0, 0x0, ...
 02953   824   NtWaitForSingleObject  ... ) == 0x0
 03014  2020   NtSetEventBoostPriority  ... ) == 0x0
 03017  1744   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ...
 03018  1180   NtRegisterThreadTerminatePort  (24, ...
 03019   824   NtSetEventBoostPriority  (344, ...
 03020  2020   NtWaitForSingleObject  (344, 0, 0x0, ...
 03017  1744   NtAllocateVirtualMemory  ... 97574912, 8192, ) == 0x0
 02957  1852   NtWaitForSingleObject  ... ) == 0x0
 03019   824   NtSetEventBoostPriority  ... ) == 0x0
 03018  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 03021  1852   NtSetEventBoostPriority  (344, ...
 03022  1744   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ...
 03023   824   NtWaitForSingleObject  (344, 0, 0x0, ...
 02960  1740   NtWaitForSingleObject  ... ) == 0x0
 03021  1852   NtSetEventBoostPriority  ... ) == 0x0
 03024  1180   NtWaitForSingleObject  (344, 0, 0x0, ...
 03022  1744   NtProtectVirtualMemory  ... (0x5d0e000), 4096, 4, ) == 0x0
 03025  1740   NtSetEventBoostPriority  (344, ...
 03026  1852   NtWaitForSingleObject  (344, 0, 0x0, ...
 02962  1176   NtWaitForSingleObject  ... ) == 0x0
 03025  1740   NtSetEventBoostPriority  ... ) == 0x0
 03027  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03028  1176   NtSetEventBoostPriority  (344, ...
 03029  1740   NtWaitForSingleObject  (344, 0, 0x0, ...
 02965   168   NtWaitForSingleObject  ... ) == 0x0
 03028  1176   NtSetEventBoostPriority  ... ) == 0x0
 03027  1744   NtCreateThread  ... 860, {1736, 252}, ) == 0x0
 03030   168   NtSetEventBoostPriority  (344, ...
 03031  1176   NtWaitForSingleObject  (344, 0, 0x0, ...
 02967  1348   NtWaitForSingleObject  ... ) == 0x0
 03030   168   NtSetEventBoostPriority  ... ) == 0x0
 03032  1744   NtQueryInformationThread  (860, Basic, 28, ...
 03033  1348   NtSetEventBoostPriority  (344, ...
 03034   168   NtWaitForSingleObject  (344, 0, 0x0, ...
 02970  1520   NtWaitForSingleObject  ... ) == 0x0
 03033  1348   NtSetEventBoostPriority  ... ) == 0x0
 03032  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1736,Tid=252,}, 0x0, ) == 0x0
 03035  1520   NtSetEventBoostPriority  (344, ...
 03036  1348   NtWaitForSingleObject  (344, 0, 0x0, ...
 02972  1800   NtWaitForSingleObject  ... ) == 0x0
 03035  1520   NtSetEventBoostPriority  ... ) == 0x0
 03037  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75641, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\310\6\0\0\374\0\0\0" ...  ...
 03038  1800   NtSetEventBoostPriority  (344, ...
 03039  1520   NtWaitForSingleObject  (344, 0, 0x0, ...
 02976  1692   NtWaitForSingleObject  ... ) == 0x0
 03038  1800   NtSetEventBoostPriority  ... ) == 0x0
 03037  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75642, 0}  ... {28, 56, reply, 0, 1736, 1744, 75642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\310\6\0\0\374\0\0\0" )  ) == 0x0
 03040  1692   NtSetEventBoostPriority  (344, ...
 03041  1800   NtWaitForSingleObject  (344, 0, 0x0, ...
 02978  1948   NtWaitForSingleObject  ... ) == 0x0
 03040  1692   NtSetEventBoostPriority  ... ) == 0x0
 03042  1744   NtResumeThread  (860, ...
 03043  1948   NtSetEventBoostPriority  (344, ...
 03044  1692   NtWaitForSingleObject  (344, 0, 0x0, ...
 02981   488   NtWaitForSingleObject  ... ) == 0x0
 03043  1948   NtSetEventBoostPriority  ... ) == 0x0
 03042  1744   NtResumeThread  ... 1, ) == 0x0
 03045   488   NtSetEventBoostPriority  (344, ...
 03046  1948   NtWaitForSingleObject  (344, 0, 0x0, ...
 02982   800   NtWaitForSingleObject  ... ) == 0x0
 03045   488   NtSetEventBoostPriority  ... ) == 0x0
 03047  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03048   252   NtWaitForSingleObject  (128, 0, 0x0, ...
 03049   800   NtSetEventBoostPriority  (344, ...
 03050   488   NtWaitForSingleObject  (344, 0, 0x0, ...
 03047  1744   NtAllocateVirtualMemory  ... 97583104, 1048576, ) == 0x0
 02986   336   NtWaitForSingleObject  ... ) == 0x0
 03049   800   NtSetEventBoostPriority  ... ) == 0x0
 03051   336   NtSetEventBoostPriority  (344, ...
 03052  1744   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ...
 02988  1644   NtWaitForSingleObject  ... ) == 0x0
 03051   336   NtSetEventBoostPriority  ... ) == 0x0
 03053   800   NtWaitForSingleObject  (344, 0, 0x0, ...
 03054  1644   NtSetEventBoostPriority  (344, ...
 03055   336   NtWaitForSingleObject  (344, 0, 0x0, ...
 03052  1744   NtAllocateVirtualMemory  ... 98623488, 8192, ) == 0x0
 02991  1804   NtWaitForSingleObject  ... ) == 0x0
 03054  1644   NtSetEventBoostPriority  ... ) == 0x0
 03056  1804   NtSetEventBoostPriority  (344, ...
 03057  1744   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ...
 02993  2036   NtWaitForSingleObject  ... ) == 0x0
 03056  1804   NtSetEventBoostPriority  ... ) == 0x0
 03058  1644   NtWaitForSingleObject  (344, 0, 0x0, ...
 03059  2036   NtSetEventBoostPriority  (344, ...
 03057  1744   NtProtectVirtualMemory  ... (0x5e0e000), 4096, 4, ) == 0x0
 03060  1804   NtWaitForSingleObject  (344, 0, 0x0, ...
 02996  1780   NtWaitForSingleObject  ... ) == 0x0
 03059  2036   NtSetEventBoostPriority  ... ) == 0x0
 03061  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03062  1780   NtSetEventBoostPriority  (344, ...
 03063  2036   NtSetEventBoostPriority  (176, ...
 02997   932   NtWaitForSingleObject  ... ) == 0x0
 03062  1780   NtSetEventBoostPriority  ... ) == 0x0
 03061  1744   NtCreateThread  ... 864, {1736, 500}, ) == 0x0
 03064   932   NtSetEventBoostPriority  (344, ...
 03065  1780   NtWaitForSingleObject  (344, 0, 0x0, ...
 03004  1600   NtWaitForSingleObject  ... ) == 0x0
 03064   932   NtSetEventBoostPriority  ... ) == 0x0
 03066  1744   NtQueryInformationThread  (864, Basic, 28, ...
 01226   152   NtWaitForSingleObject  ... ) == 0x0
 03063  2036   NtSetEventBoostPriority  ... ) == 0x0
 03067  1600   NtSetEventBoostPriority  (344, ...
 03068   932   NtWaitForSingleObject  (344, 0, 0x0, ...
 03069   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03007  2040   NtWaitForSingleObject  ... ) == 0x0
 03067  1600   NtSetEventBoostPriority  ... ) == 0x0
 03070  2036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03066  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1736,Tid=500,}, 0x0, ) == 0x0
 03071  2040   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ...
 03070  2036   NtCreateEvent  ... 868, ) == 0x0
 03071  2040   NtAllocateVirtualMemory  ... 1417216, 4096, ) == 0x0
 03072  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75642, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\310\6\0\0\364\1\0\0" ...  ...
 03073  2040   NtSetEventBoostPriority  (344, ...
 03074  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03072  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75643, 0}  ... {28, 56, reply, 0, 1736, 1744, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\310\6\0\0\364\1\0\0" )  ) == 0x0
 03075  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 03076  1744   NtResumeThread  (864, ... 1, ) == 0x0
 03077  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 98631680, 1048576, ) == 0x0
 03078  1744   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ... 99672064, 8192, ) == 0x0
 03079  1744   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ... (0x5f0e000), 4096, 4, ) == 0x0
 03009  1732   NtWaitForSingleObject  ... ) == 0x0
 03073  2040   NtSetEventBoostPriority  ... ) == 0x0
 03080   500   NtWaitForSingleObject  (128, 0, 0x0, ...
 03081  1732   NtSetEventBoostPriority  (344, ...
 03082  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03006  1028   NtWaitForSingleObject  ... ) == 0x0
 03081  1732   NtSetEventBoostPriority  ... ) == 0x0
 03083  1028   NtSetEventBoostPriority  (344, ...
 03084  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03013  1252   NtWaitForSingleObject  ... ) == 0x0
 03084  1744   NtCreateThread  ... 872, {1736, 1024}, ) == 0x0
 03085  1252   NtSetEventBoostPriority  (344, ...
 03086  1744   NtQueryInformationThread  (872, Basic, 28, ...
 03016   896   NtWaitForSingleObject  ... ) == 0x0
 03086  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1736,Tid=1024,}, 0x0, ) == 0x0
 03087   896   NtSetEventBoostPriority  (344, ...
 03088  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75643, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\310\6\0\0\0\4\0\0" ...  ...
 03020  2020   NtWaitForSingleObject  ... ) == 0x0
 03089  2020   NtSetEventBoostPriority  (344, ...
 03024  1180   NtWaitForSingleObject  ... ) == 0x0
 03090  1180   NtSetEventBoostPriority  (344, ...
 03023   824   NtWaitForSingleObject  ... ) == 0x0
 03091   824   NtSetEventBoostPriority  (344, ...
 03026  1852   NtWaitForSingleObject  ... ) == 0x0
 03092  1852   NtSetEventBoostPriority  (344, ...
 03029  1740   NtWaitForSingleObject  ... ) == 0x0
 03093  1740   NtSetEventBoostPriority  (344, ...
 03031  1176   NtWaitForSingleObject  ... ) == 0x0
 03094  1176   NtSetEventBoostPriority  (344, ...
 03034   168   NtWaitForSingleObject  ... ) == 0x0
 03095   168   NtSetEventBoostPriority  (344, ...
 03036  1348   NtWaitForSingleObject  ... ) == 0x0
 03096  1348   NtSetEventBoostPriority  (344, ...
 03039  1520   NtWaitForSingleObject  ... ) == 0x0
 03097  1520   NtSetEventBoostPriority  (344, ...
 03041  1800   NtWaitForSingleObject  ... ) == 0x0
 03098  1800   NtSetEventBoostPriority  (344, ...
 03044  1692   NtWaitForSingleObject  ... ) == 0x0
 03099  1692   NtSetEventBoostPriority  (344, ...
 03046  1948   NtWaitForSingleObject  ... ) == 0x0
 03100  1948   NtSetEventBoostPriority  (344, ...
 03050   488   NtWaitForSingleObject  ... ) == 0x0
 03101   488   NtSetEventBoostPriority  (344, ...
 03053   800   NtWaitForSingleObject  ... ) == 0x0
 03102   800   NtSetEventBoostPriority  (344, ...
 03055   336   NtWaitForSingleObject  ... ) == 0x0
 03103   336   NtSetEventBoostPriority  (344, ...
 03058  1644   NtWaitForSingleObject  ... ) == 0x0
 03104  1644   NtSetEventBoostPriority  (344, ...
 03060  1804   NtWaitForSingleObject  ... ) == 0x0
 03105  1804   NtSetEventBoostPriority  (344, ...
 03065  1780   NtWaitForSingleObject  ... ) == 0x0
 03106  1780   NtSetEventBoostPriority  (344, ...
 03069   152   NtWaitForSingleObject  ... ) == 0x0
 03107   152   NtSetEventBoostPriority  (344, ...
 03068   932   NtWaitForSingleObject  ... ) == 0x0
 03108   932   NtSetEventBoostPriority  (344, ...
 03074  2036   NtWaitForSingleObject  ... ) == 0x0
 03109  2036   NtSetEventBoostPriority  (344, ...
 03075  1600   NtWaitForSingleObject  ... ) == 0x0
 03110  1600   NtSetEventBoostPriority  (344, ...
 03082  2040   NtWaitForSingleObject  ... ) == 0x0
 03111  2040   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 03110  1600   NtSetEventBoostPriority  ... ) == 0x0
 03109  2036   NtSetEventBoostPriority  ... ) == 0x0
 03107   152   NtSetEventBoostPriority  ... ) == 0x0
 03090  1180   NtSetEventBoostPriority  ... ) == 0x0
 03108   932   NtSetEventBoostPriority  ... ) == 0x0
 03106  1780   NtSetEventBoostPriority  ... ) == 0x0
 03105  1804   NtSetEventBoostPriority  ... ) == 0x0
 03104  1644   NtSetEventBoostPriority  ... ) == 0x0
 03103   336   NtSetEventBoostPriority  ... ) == 0x0
 03102   800   NtSetEventBoostPriority  ... ) == 0x0
 03101   488   NtSetEventBoostPriority  ... ) == 0x0
 03100  1948   NtSetEventBoostPriority  ... ) == 0x0
 03099  1692   NtSetEventBoostPriority  ... ) == 0x0
 03098  1800   NtSetEventBoostPriority  ... ) == 0x0
 03097  1520   NtSetEventBoostPriority  ... ) == 0x0
 03096  1348   NtSetEventBoostPriority  ... ) == 0x0
 03095   168   NtSetEventBoostPriority  ... ) == 0x0
 03094  1176   NtSetEventBoostPriority  ... ) == 0x0
 03093  1740   NtSetEventBoostPriority  ... ) == 0x0
 03092  1852   NtSetEventBoostPriority  ... ) == 0x0
 03091   824   NtSetEventBoostPriority  ... ) == 0x0
 03089  2020   NtSetEventBoostPriority  ... ) == 0x0
 03087   896   NtSetEventBoostPriority  ... ) == 0x0
 03085  1252   NtSetEventBoostPriority  ... ) == 0x0
 03083  1028   NtSetEventBoostPriority  ... ) == 0x0
 03112  1732   NtSetEventBoostPriority  (128, ...
 03088  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75644, 0}  ... {28, 56, reply, 0, 1736, 1744, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\310\6\0\0\0\4\0\0" )  ) == 0x0
 03113  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 03114  2040   NtSetEventBoostPriority  (344, ...
 03115  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03116   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03117   932   NtWaitForSingleObject  (344, 0, 0x0, ...
 03118  1780   NtWaitForSingleObject  (344, 0, 0x0, ...
 03119  1804   NtWaitForSingleObject  (344, 0, 0x0, ...
 03120  1644   NtWaitForSingleObject  (344, 0, 0x0, ...
 03121   336   NtWaitForSingleObject  (344, 0, 0x0, ...
 03122   800   NtWaitForSingleObject  (344, 0, 0x0, ...
 03123   488   NtWaitForSingleObject  (344, 0, 0x0, ...
 03124  1948   NtWaitForSingleObject  (344, 0, 0x0, ...
 03125  1692   NtWaitForSingleObject  (344, 0, 0x0, ...
 03126  1800   NtWaitForSingleObject  (344, 0, 0x0, ...
 03127  1520   NtWaitForSingleObject  (344, 0, 0x0, ...
 03128  1348   NtWaitForSingleObject  (344, 0, 0x0, ...
 03129   168   NtWaitForSingleObject  (344, 0, 0x0, ...
 03130  1176   NtWaitForSingleObject  (344, 0, 0x0, ...
 03131  1740   NtWaitForSingleObject  (344, 0, 0x0, ...
 03132  1852   NtWaitForSingleObject  (344, 0, 0x0, ...
 03133   824   NtWaitForSingleObject  (344, 0, 0x0, ...
 03134  2020   NtWaitForSingleObject  (344, 0, 0x0, ...
 03135   896   NtWaitForSingleObject  (344, 0, 0x0, ...
 03136  1252   NtWaitForSingleObject  (380, 0, 0x0, ...
 03137  1028   NtWaitForSingleObject  (380, 0, 0x0, ...
 03008  1300   NtWaitForSingleObject  ... ) == 0x0
 03112  1732   NtSetEventBoostPriority  ... ) == 0x0
 03138  1744   NtResumeThread  (872, ...
 03139  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03114  2040   NtSetEventBoostPriority  ... ) == 0x0
 03115  2036   NtWaitForSingleObject  ... ) == 0x0
 03140  1300   NtWaitForSingleObject  (344, 0, 0x0, ...
 03141  1732   NtTestAlert  (...
 03138  1744   NtResumeThread  ... 1, ) == 0x0
 03139  1180   NtDuplicateObject  ... 876, ) == 0x0
 03142  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03143  2036   NtSetEventBoostPriority  (344, ...
 03141  1732   NtTestAlert  ... ) == 0x0
 03144  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03145  1180   NtWaitForSingleObject  (344, 0, 0x0, ...
 03116   152   NtWaitForSingleObject  ... ) == 0x0
 03143  2036   NtSetEventBoostPriority  ... ) == 0x0
 03146  1732   NtContinue  (95485232, 1, ...
 03144  1744   NtAllocateVirtualMemory  ... 99680256, 1048576, ) == 0x0
 03147   152   NtSetEventBoostPriority  (344, ...
 03148  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03149  1732   NtRegisterThreadTerminatePort  (24, ...
 03117   932   NtWaitForSingleObject  ... ) == 0x0
 03147   152   NtSetEventBoostPriority  ... ) == 0x0
 03150  1744   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ...
 03151  1024   NtWaitForSingleObject  (128, 0, 0x0, ...
 03152   932   NtSetEventBoostPriority  (344, ...
 03153   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03149  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 03118  1780   NtWaitForSingleObject  ... ) == 0x0
 03152   932   NtSetEventBoostPriority  ... ) == 0x0
 03150  1744   NtAllocateVirtualMemory  ... 100720640, 8192, ) == 0x0
 03154  1780   NtSetEventBoostPriority  (344, ...
 03155  1732   NtWaitForSingleObject  (344, 0, 0x0, ...
 03119  1804   NtWaitForSingleObject  ... ) == 0x0
 03154  1780   NtSetEventBoostPriority  ... ) == 0x0
 03156  1744   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ...
 03157  1804   NtSetEventBoostPriority  (344, ...
 03158   932   NtWaitForSingleObject  (380, 0, 0x0, ...
 03120  1644   NtWaitForSingleObject  ... ) == 0x0
 03157  1804   NtSetEventBoostPriority  ... ) == 0x0
 03156  1744   NtProtectVirtualMemory  ... (0x600e000), 4096, 4, ) == 0x0
 03159  1644   NtSetEventBoostPriority  (344, ...
 03160  1780   NtWaitForSingleObject  (380, 0, 0x0, ...
 03121   336   NtWaitForSingleObject  ... ) == 0x0
 03159  1644   NtSetEventBoostPriority  ... ) == 0x0
 03161  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03162   336   NtSetEventBoostPriority  (344, ...
 03163  1804   NtWaitForSingleObject  (380, 0, 0x0, ...
 03122   800   NtWaitForSingleObject  ... ) == 0x0
 03162   336   NtSetEventBoostPriority  ... ) == 0x0
 03161  1744   NtCreateThread  ... 880, {1736, 188}, ) == 0x0
 03164   800   NtSetEventBoostPriority  (344, ...
 03165  1644   NtWaitForSingleObject  (380, 0, 0x0, ...
 03123   488   NtWaitForSingleObject  ... ) == 0x0
 03164   800   NtSetEventBoostPriority  ... ) == 0x0
 03166  1744   NtQueryInformationThread  (880, Basic, 28, ...
 03167   488   NtSetEventBoostPriority  (344, ...
 03168   336   NtWaitForSingleObject  (380, 0, 0x0, ...
 03169   800   NtWaitForSingleObject  (380, 0, 0x0, ...
 03124  1948   NtWaitForSingleObject  ... ) == 0x0
 03167   488   NtSetEventBoostPriority  ... ) == 0x0
 03170  1948   NtSetEventBoostPriority  (344, ...
 03166  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1736,Tid=188,}, 0x0, ) == 0x0
 03125  1692   NtWaitForSingleObject  ... ) == 0x0
 03170  1948   NtSetEventBoostPriority  ... ) == 0x0
 03171  1692   NtSetEventBoostPriority  (344, ...
 03172  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75644, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\310\6\0\0\274\0\0\0" ...  ...
 03173   488   NtWaitForSingleObject  (380, 0, 0x0, ...
 03126  1800   NtWaitForSingleObject  ... ) == 0x0
 03171  1692   NtSetEventBoostPriority  ... ) == 0x0
 03172  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75647, 0}  ... {28, 56, reply, 0, 1736, 1744, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\310\6\0\0\274\0\0\0" )  ) == 0x0
 03174  1800   NtSetEventBoostPriority  (344, ...
 03175  1948   NtWaitForSingleObject  (380, 0, 0x0, ...
 03127  1520   NtWaitForSingleObject  ... ) == 0x0
 03174  1800   NtSetEventBoostPriority  ... ) == 0x0
 03176  1744   NtResumeThread  (880, ...
 03177  1520   NtSetEventBoostPriority  (344, ...
 03178  1692   NtWaitForSingleObject  (380, 0, 0x0, ...
 03128  1348   NtWaitForSingleObject  ... ) == 0x0
 03177  1520   NtSetEventBoostPriority  ... ) == 0x0
 03176  1744   NtResumeThread  ... 1, ) == 0x0
 03179  1348   NtSetEventBoostPriority  (344, ...
 03180  1800   NtWaitForSingleObject  (380, 0, 0x0, ...
 03181   188   NtWaitForSingleObject  (128, 0, 0x0, ...
 03182  1520   NtWaitForSingleObject  (380, 0, 0x0, ...
 03129   168   NtWaitForSingleObject  ... ) == 0x0
 03179  1348   NtSetEventBoostPriority  ... ) == 0x0
 03183   168   NtSetEventBoostPriority  (344, ...
 03184  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03130  1176   NtWaitForSingleObject  ... ) == 0x0
 03183   168   NtSetEventBoostPriority  ... ) == 0x0
 03185  1176   NtSetEventBoostPriority  (344, ...
 03184  1744   NtAllocateVirtualMemory  ... 100728832, 1048576, ) == 0x0
 03186  1348   NtWaitForSingleObject  (380, 0, 0x0, ...
 03131  1740   NtWaitForSingleObject  ... ) == 0x0
 03185  1176   NtSetEventBoostPriority  ... ) == 0x0
 03187  1744   NtAllocateVirtualMemory  (-1, 101769216, 0, 8192, 4096, 4, ...
 03188  1740   NtSetEventBoostPriority  (344, ...
 03189   168   NtWaitForSingleObject  (380, 0, 0x0, ...
 03132  1852   NtWaitForSingleObject  ... ) == 0x0
 03188  1740   NtSetEventBoostPriority  ... ) == 0x0
 03187  1744   NtAllocateVirtualMemory  ... 101769216, 8192, ) == 0x0
 03190  1852   NtSetEventBoostPriority  (344, ...
 03191  1176   NtWaitForSingleObject  (380, 0, 0x0, ...
 03133   824   NtWaitForSingleObject  ... ) == 0x0
 03190  1852   NtSetEventBoostPriority  ... ) == 0x0
 03192  1744   NtProtectVirtualMemory  (-1, (0x610e000), 4096, 260, ...
 03193   824   NtSetEventBoostPriority  (344, ...
 03194  1740   NtWaitForSingleObject  (380, 0, 0x0, ...
 03134  2020   NtWaitForSingleObject  ... ) == 0x0
 03193   824   NtSetEventBoostPriority  ... ) == 0x0
 03192  1744   NtProtectVirtualMemory  ... (0x610e000), 4096, 4, ) == 0x0
 03195  2020   NtSetEventBoostPriority  (344, ...
 03196  1852   NtWaitForSingleObject  (380, 0, 0x0, ...
 03197   824   NtWaitForSingleObject  (380, 0, 0x0, ...
 03135   896   NtWaitForSingleObject  ... ) == 0x0
 03195  2020   NtSetEventBoostPriority  ... ) == 0x0
 03198   896   NtSetEventBoostPriority  (344, ...
 03199  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03140  1300   NtWaitForSingleObject  ... ) == 0x0
 03198   896   NtSetEventBoostPriority  ... ) == 0x0
 03200  1300   NtSetEventBoostPriority  (344, ...
 03199  1744   NtCreateThread  ... 884, {1736, 1372}, ) == 0x0
 03201  2020   NtWaitForSingleObject  (380, 0, 0x0, ...
 03142  2040   NtWaitForSingleObject  ... ) == 0x0
 03200  1300   NtSetEventBoostPriority  ... ) == 0x0
 03202  1744   NtQueryInformationThread  (884, Basic, 28, ...
 03203  2040   NtSetEventBoostPriority  (344, ...
 03204   896   NtSetEventBoostPriority  (380, ...
 03145  1180   NtWaitForSingleObject  ... ) == 0x0
 03203  2040   NtSetEventBoostPriority  ... ) == 0x0
 03202  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1736,Tid=1372,}, 0x0, ) == 0x0
 03205  1180   NtSetEventBoostPriority  (344, ...
 03136  1252   NtWaitForSingleObject  ... ) == 0x0
 03204   896   NtSetEventBoostPriority  ... ) == 0x0
 03206  1300   NtSetEventBoostPriority  (128, ...
 03113  1600   NtWaitForSingleObject  ... ) == 0x0
 03207  1252   NtWaitForSingleObject  (344, 0, 0x0, ...
 03205  1180   NtSetEventBoostPriority  ... ) == 0x0
 03208  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75647, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\310\6\0\0\\5\0\0" ...  ...
 03209   896   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03210  1600   NtSetEventBoostPriority  (344, ...
 03048   252   NtWaitForSingleObject  ... ) == 0x0
 03206  1300   NtSetEventBoostPriority  ... ) == 0x0
 03211  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03148  2036   NtWaitForSingleObject  ... ) == 0x0
 03212   252   NtWaitForSingleObject  (344, 0, 0x0, ...
 03209   896   NtWaitForSingleObject  ... ) == 0x102
 03213  1300   NtTestAlert  (...
 03214  2036   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 03215   896   NtWaitForSingleObject  (176, 0, 0x0, ...
 03213  1300   NtTestAlert  ... ) == 0x0
 03214  2036   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 03210  1600   NtSetEventBoostPriority  ... ) == 0x0
 03216  1180   NtWaitForSingleObject  (380, 0, 0x0, ...
 03208  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75648, 0}  ... {28, 56, reply, 0, 1736, 1744, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\310\6\0\0\\5\0\0" )  ) == 0x0
 03217  1300   NtContinue  (96533808, 1, ...
 03218  2036   NtSetEventBoostPriority  (344, ...
 03219  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 03220  1744   NtResumeThread  (884, ...
 03221  1300   NtRegisterThreadTerminatePort  (24, ...
 03153   152   NtWaitForSingleObject  ... ) == 0x0
 03220  1744   NtResumeThread  ... 1, ) == 0x0
 03218  2036   NtSetEventBoostPriority  ... ) == 0x0
 03222   152   NtSetEventBoostPriority  (344, ...
 03223  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03221  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 03224  1372   NtWaitForSingleObject  (128, 0, 0x0, ...
 03155  1732   NtWaitForSingleObject  ... ) == 0x0
 03223  1744   NtAllocateVirtualMemory  ... 101777408, 1048576, ) == 0x0
 03225  1300   NtWaitForSingleObject  (344, 0, 0x0, ...
 03226  1732   NtSetEventBoostPriority  (344, ...
 03227  1744   NtAllocateVirtualMemory  (-1, 102817792, 0, 8192, 4096, 4, ...
 03207  1252   NtWaitForSingleObject  ... ) == 0x0
 03226  1732   NtSetEventBoostPriority  ... ) == 0x0
 03222   152   NtSetEventBoostPriority  ... ) == 0x0
 03228  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03229  1252   NtSetEventBoostPriority  (344, ...
 03227  1744   NtAllocateVirtualMemory  ... 102817792, 8192, ) == 0x0
 03230   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03211  2040   NtWaitForSingleObject  ... ) == 0x0
 03229  1252   NtSetEventBoostPriority  ... ) == 0x0
 03231  1744   NtProtectVirtualMemory  (-1, (0x620e000), 4096, 260, ...
 03232  2040   NtSetEventBoostPriority  (344, ...
 03233  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03212   252   NtWaitForSingleObject  ... ) == 0x0
 03232  2040   NtSetEventBoostPriority  ... ) == 0x0
 03231  1744   NtProtectVirtualMemory  ... (0x620e000), 4096, 4, ) == 0x0
 03234   252   NtSetEventBoostPriority  (344, ...
 03233  1732   NtDuplicateObject  ... 888, ) == 0x0
 03235  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03219  1600   NtWaitForSingleObject  ... ) == 0x0
 03234   252   NtSetEventBoostPriority  ... ) == 0x0
 03236  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03237  1732   NtWaitForSingleObject  (344, 0, 0x0, ...
 03238  1252   NtSetEventBoostPriority  (380, ...
 03239  1600   NtSetEventBoostPriority  (344, ...
 03236  1744   NtCreateThread  ... 892, {1736, 216}, ) == 0x0
 03225  1300   NtWaitForSingleObject  ... ) == 0x0
 03239  1600   NtSetEventBoostPriority  ... ) == 0x0
 03137  1028   NtWaitForSingleObject  ... ) == 0x0
 03238  1252   NtSetEventBoostPriority  ... ) == 0x0
 03240  1300   NtSetEventBoostPriority  (344, ...
 03241  1744   NtQueryInformationThread  (892, Basic, 28, ...
 03242   252   NtSetEventBoostPriority  (128, ...
 03243  1028   NtWaitForSingleObject  (344, 0, 0x0, ...
 03228  2036   NtWaitForSingleObject  ... ) == 0x0
 03240  1300   NtSetEventBoostPriority  ... ) == 0x0
 03244  1252   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03245  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 03246  2036   NtSetEventBoostPriority  (344, ...
 03080   500   NtWaitForSingleObject  ... ) == 0x0
 03242   252   NtSetEventBoostPriority  ... ) == 0x0
 03241  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1736,Tid=216,}, 0x0, ) == 0x0
 03244  1252   NtWaitForSingleObject  ... ) == 0x102
 03230   152   NtWaitForSingleObject  ... ) == 0x0
 03247   500   NtWaitForSingleObject  (344, 0, 0x0, ...
 03246  2036   NtSetEventBoostPriority  ... ) == 0x0
 03248   252   NtTestAlert  (...
 03249  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75648, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\310\6\0\0\330\0\0\0" ...  ...
 03250   152   NtSetEventBoostPriority  (344, ...
 03251  1252   NtWaitForSingleObject  (176, 0, 0x0, ...
 03252  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03248   252   NtTestAlert  ... ) == 0x0
 03235  2040   NtWaitForSingleObject  ... ) == 0x0
 03250   152   NtSetEventBoostPriority  ... ) == 0x0
 03249  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75649, 0}  ... {28, 56, reply, 0, 1736, 1744, 75649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\310\6\0\0\330\0\0\0" )  ) == 0x0
 03253  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03254  2040   NtSetEventBoostPriority  (344, ...
 03255   252   NtContinue  (97582384, 1, ...
 03256  1744   NtResumeThread  (892, ...
 03237  1732   NtWaitForSingleObject  ... ) == 0x0
 03253  1300   NtDuplicateObject  ... 896, ) == 0x0
 03257   252   NtRegisterThreadTerminatePort  (24, ...
 03256  1744   NtResumeThread  ... 1, ) == 0x0
 03258  1732   NtSetEventBoostPriority  (344, ...
 03259  1300   NtWaitForSingleObject  (344, 0, 0x0, ...
 03254  2040   NtSetEventBoostPriority  ... ) == 0x0
 03260   152   NtSetEventBoostPriority  (176, ...
 03261   216   NtWaitForSingleObject  (128, 0, 0x0, ...
 03257   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 03243  1028   NtWaitForSingleObject  ... ) == 0x0
 03258  1732   NtSetEventBoostPriority  ... ) == 0x0
 03262  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 01228  1388   NtWaitForSingleObject  ... ) == 0x0
 03260   152   NtSetEventBoostPriority  ... ) == 0x0
 03263  1028   NtSetEventBoostPriority  (344, ...
 03264   252   NtWaitForSingleObject  (344, 0, 0x0, ...
 03265  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03266  1388   NtWaitForSingleObject  (344, 0, 0x0, ...
 03245  1600   NtWaitForSingleObject  ... ) == 0x0
 03263  1028   NtSetEventBoostPriority  ... ) == 0x0
 03267   152   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03268  1600   NtSetEventBoostPriority  (344, ...
 03265  1744   NtAllocateVirtualMemory  ... 102825984, 1048576, ) == 0x0
 03269  1732   NtWaitForSingleObject  (380, 0, 0x0, ...
 03247   500   NtWaitForSingleObject  ... ) == 0x0
 03268  1600   NtSetEventBoostPriority  ... ) == 0x0
 03267   152   NtCreateEvent  ... 900, ) == 0x0
 03270  1744   NtAllocateVirtualMemory  (-1, 103866368, 0, 8192, 4096, 4, ...
 03271   500   NtSetEventBoostPriority  (344, ...
 03272  1600   NtWaitForSingleObject  (344, 0, 0x0, ...
 03273   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03252  2036   NtWaitForSingleObject  ... ) == 0x0
 03271   500   NtSetEventBoostPriority  ... ) == 0x0
 03270  1744   NtAllocateVirtualMemory  ... 103866368, 8192, ) == 0x0
 03274  1028   NtSetEventBoostPriority  (380, ...
 03275  2036   NtSetEventBoostPriority  (344, ...
 03276  1744   NtProtectVirtualMemory  (-1, (0x630e000), 4096, 260, ...
 03259  1300   NtWaitForSingleObject  ... ) == 0x0
 03158   932   NtWaitForSingleObject  ... ) == 0x0
 03274  1028   NtSetEventBoostPriority  ... ) == 0x0
 03276  1744   NtProtectVirtualMemory  ... (0x630e000), 4096, 4, ) == 0x0
 03277   932   NtWaitForSingleObject  (344, 0, 0x0, ...
 03278  1300   NtSetEventBoostPriority  (344, ...
 03279  1028   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03275  2036   NtSetEventBoostPriority  ... ) == 0x0
 03280   500   NtSetEventBoostPriority  (128, ...
 03262  2040   NtWaitForSingleObject  ... ) == 0x0
 03278  1300   NtSetEventBoostPriority  ... ) == 0x0
 03279  1028   NtWaitForSingleObject  ... ) == 0x102
 03281  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03282  2040   NtSetEventBoostPriority  (344, ...
 03151  1024   NtWaitForSingleObject  ... ) == 0x0
 03280   500   NtSetEventBoostPriority  ... ) == 0x0
 03283  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03284  1028   NtWaitForSingleObject  (176, 0, 0x0, ...
 03264   252   NtWaitForSingleObject  ... ) == 0x0
 03285  1024   NtWaitForSingleObject  (344, 0, 0x0, ...
 03282  2040   NtSetEventBoostPriority  ... ) == 0x0
 03286   500   NtTestAlert  (...
 03283  1744   NtCreateThread  ... 904, {1736, 1708}, ) == 0x0
 03287  1300   NtWaitForSingleObject  (344, 0, 0x0, ...
 03288   252   NtSetEventBoostPriority  (344, ...
 03286   500   NtTestAlert  ... ) == 0x0
 03289  1744   NtQueryInformationThread  (904, Basic, 28, ...
 03266  1388   NtWaitForSingleObject  ... ) == 0x0
 03288   252   NtSetEventBoostPriority  ... ) == 0x0
 03290   500   NtContinue  (98630960, 1, ...
 03291  1388   NtSetEventBoostPriority  (344, ...
 03289  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1736,Tid=1708,}, 0x0, ) == 0x0
 03292  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03273   152   NtWaitForSingleObject  ... ) == 0x0
 03291  1388   NtSetEventBoostPriority  ... ) == 0x0
 03293   500   NtRegisterThreadTerminatePort  (24, ...
 03294  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75649, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\310\6\0\0\254\6\0\0" ...  ...
 03295   152   NtSetEventBoostPriority  (344, ...
 03296   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03297  1388   NtSetEventBoostPriority  (176, ...
 03272  1600   NtWaitForSingleObject  ... ) == 0x0
 03295   152   NtSetEventBoostPriority  ... ) == 0x0
 03296   252   NtDuplicateObject  ... 908, ) == 0x0
 03298  1600   NtSetEventBoostPriority  (344, ...
 01305  1588   NtWaitForSingleObject  ... ) == 0x0
 03297  1388   NtSetEventBoostPriority  ... ) == 0x0
 03293   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 03294  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75650, 0}  ... {28, 56, reply, 0, 1736, 1744, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\310\6\0\0\254\6\0\0" )  ) == 0x0
 03277   932   NtWaitForSingleObject  ... ) == 0x0
 03299  1588   NtWaitForSingleObject  (344, 0, 0x0, ...
 03300   252   NtWaitForSingleObject  (344, 0, 0x0, ...
 03301  1388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03302   500   NtWaitForSingleObject  (344, 0, 0x0, ...
 03303   932   NtSetEventBoostPriority  (344, ...
 03304  1744   NtResumeThread  (904, ...
 03301  1388   NtCreateEvent  ... 912, ) == 0x0
 03281  2036   NtWaitForSingleObject  ... ) == 0x0
 03303   932   NtSetEventBoostPriority  ... ) == 0x0
 03304  1744   NtResumeThread  ... 1, ) == 0x0
 03305  2036   NtSetEventBoostPriority  (344, ...
 03306  1388   NtWaitForSingleObject  (344, 0, 0x0, ...
 03298  1600   NtSetEventBoostPriority  ... ) == 0x0
 03307   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03308  1708   NtWaitForSingleObject  (128, 0, 0x0, ...
 03285  1024   NtWaitForSingleObject  ... ) == 0x0
 03305  2036   NtSetEventBoostPriority  ... ) == 0x0
 03309  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03310  1600   NtWaitForSingleObject  (380, 0, 0x0, ...
 03311  1024   NtSetEventBoostPriority  (344, ...
 03312   932   NtSetEventBoostPriority  (380, ...
 03309  1744   NtAllocateVirtualMemory  ... 103874560, 1048576, ) == 0x0
 03287  1300   NtWaitForSingleObject  ... ) == 0x0
 03311  1024   NtSetEventBoostPriority  ... ) == 0x0
 03160  1780   NtWaitForSingleObject  ... ) == 0x0
 03312   932   NtSetEventBoostPriority  ... ) == 0x0
 03313  1300   NtSetEventBoostPriority  (344, ...
 03314  1744   NtAllocateVirtualMemory  (-1, 104914944, 0, 8192, 4096, 4, ...
 03315  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03316  1780   NtWaitForSingleObject  (344, 0, 0x0, ...
 03292  2040   NtWaitForSingleObject  ... ) == 0x0
 03313  1300   NtSetEventBoostPriority  ... ) == 0x0
 03317   932   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03318  1024   NtSetEventBoostPriority  (128, ...
 03319  2040   NtSetEventBoostPriority  (344, ...
 03320  1300   NtWaitForSingleObject  (380, 0, 0x0, ...
 03317   932   NtWaitForSingleObject  ... ) == 0x102
 03299  1588   NtWaitForSingleObject  ... ) == 0x0
 03319  2040   NtSetEventBoostPriority  ... ) == 0x0
 03181   188   NtWaitForSingleObject  ... ) == 0x0
 03318  1024   NtSetEventBoostPriority  ... ) == 0x0
 03314  1744   NtAllocateVirtualMemory  ... 104914944, 8192, ) == 0x0
 03321  1588   NtSetEventBoostPriority  (344, ...
 03322   932   NtWaitForSingleObject  (344, 0, 0x0, ...
 03323   188   NtWaitForSingleObject  (344, 0, 0x0, ...
 03324  2040   NtAllocateVirtualMemory  (-1, 13684736, 0, 4096, 4096, 260, ...
 03325  1024   NtTestAlert  (...
 03300   252   NtWaitForSingleObject  ... ) == 0x0
 03321  1588   NtSetEventBoostPriority  ... ) == 0x0
 03326  1744   NtProtectVirtualMemory  (-1, (0x640e000), 4096, 260, ...
 03327   252   NtSetEventBoostPriority  (344, ...
 03325  1024   NtTestAlert  ... ) == 0x0
 03324  2040   NtAllocateVirtualMemory  ... 13684736, 4096, ) == 0x0
 03302   500   NtWaitForSingleObject  ... ) == 0x0
 03327   252   NtSetEventBoostPriority  ... ) == 0x0
 03326  1744   NtProtectVirtualMemory  ... (0x640e000), 4096, 4, ) == 0x0
 03328  1024   NtContinue  (99679536, 1, ...
 03329   500   NtSetEventBoostPriority  (344, ...
 03330  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03331  1588   NtSetEventBoostPriority  (176, ...
 03332  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03306  1388   NtWaitForSingleObject  ... ) == 0x0
 03329   500   NtSetEventBoostPriority  ... ) == 0x0
 03333  1024   NtRegisterThreadTerminatePort  (24, ...
 01311  1620   NtWaitForSingleObject  ... ) == 0x0
 03331  1588   NtSetEventBoostPriority  ... ) == 0x0
 03334  1388   NtSetEventBoostPriority  (344, ...
 03332  1744   NtCreateThread  ... 916, {1736, 248}, ) == 0x0
 03335   252   NtWaitForSingleObject  (344, 0, 0x0, ...
 03336   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03337  1620   NtWaitForSingleObject  (344, 0, 0x0, ...
 03307   152   NtWaitForSingleObject  ... ) == 0x0
 03334  1388   NtSetEventBoostPriority  ... ) == 0x0
 03338  1588   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03339  1744   NtQueryInformationThread  (916, Basic, 28, ...
 03340   152   NtSetEventBoostPriority  (344, ...
 03336   500   NtDuplicateObject  ... 920, ) == 0x0
 03333  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 03338  1588   NtCreateEvent  ... 924, ) == 0x0
 03341  1388   NtWaitForSingleObject  (344, 0, 0x0, ...
 03316  1780   NtWaitForSingleObject  ... ) == 0x0
 03340   152   NtSetEventBoostPriority  ... ) == 0x0
 03342   500   NtWaitForSingleObject  (344, 0, 0x0, ...
 03343  1024   NtWaitForSingleObject  (344, 0, 0x0, ...
 03344  1588   NtWaitForSingleObject  (344, 0, 0x0, ...
 03345  1780   NtSetEventBoostPriority  (344, ...
 03346   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03315  2036   NtWaitForSingleObject  ... ) == 0x0
 03345  1780   NtSetEventBoostPriority  ... ) == 0x0
 03339  1744   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1736,Tid=248,}, 0x0, ) == 0x0
 03347  2036   NtSetEventBoostPriority  (344, ...
 03323   188   NtWaitForSingleObject  ... ) == 0x0
 03348   188   NtSetEventBoostPriority  (344, ...
 03322   932   NtWaitForSingleObject  ... ) == 0x0
 03349   932   NtSetEventBoostPriority  (344, ...
 03330  2040   NtWaitForSingleObject  ... ) == 0x0
 03350  2040   NtSetEventBoostPriority  (344, ...
 03335   252   NtWaitForSingleObject  ... ) == 0x0
 03351   252   NtSetEventBoostPriority  (344, ...
 03337  1620   NtWaitForSingleObject  ... ) == 0x0
 03352  1620   NtSetEventBoostPriority  (344, ...
 03341  1388   NtWaitForSingleObject  ... ) == 0x0
 03353  1388   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 03354  1388   NtSetEventBoostPriority  (344, ...
 03352  1620   NtSetEventBoostPriority  ... ) == 0x0
 03351   252   NtSetEventBoostPriority  ... ) == 0x0
 03350  2040   NtSetEventBoostPriority  ... ) == 0x0
 03348   188   NtSetEventBoostPriority  ... ) == 0x0
 03347  2036   NtSetEventBoostPriority  ... ) == 0x0
 03355  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75650, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\310\6\0\0\370\0\0\0" ...  ...
 03349   932   NtSetEventBoostPriority  ... ) == 0x0
 03356  1780   NtSetEventBoostPriority  (380, ...
 03342   500   NtWaitForSingleObject  ... ) == 0x0
 03354  1388   NtSetEventBoostPriority  ... ) == 0x0
 03357   252   NtWaitForSingleObject  (380, 0, 0x0, ...
 03358  1620   NtWaitForSingleObject  (344, 0, 0x0, ...
 03359  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03360  2036   NtWaitForSingleObject  (344, 0, 0x0, ...
 03355  1744   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1736, 1744, 75651, 0}  ... {28, 56, reply, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\310\6\0\0\370\0\0\0" )  ) == 0x0
 03361   932   NtWaitForSingleObject  (176, 0, 0x0, ...
 03163  1804   NtWaitForSingleObject  ... ) == 0x0
 03356  1780   NtSetEventBoostPriority  ... ) == 0x0
 03362   500   NtSetEventBoostPriority  (344, ...
 03363  1388   NtWaitForSingleObject  (344, 0, 0x0, ...
 03364   188   NtSetEventBoostPriority  (128, ...
 03365  1744   NtResumeThread  (916, ...
 03366  1804   NtWaitForSingleObject  (344, 0, 0x0, ...
 03367  1780   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03343  1024   NtWaitForSingleObject  ... ) == 0x0
 03362   500   NtSetEventBoostPriority  ... ) == 0x0
 03224  1372   NtWaitForSingleObject  ... ) == 0x0
 03364   188   NtSetEventBoostPriority  ... ) == 0x0
 03365  1744   NtResumeThread  ... 1, ) == 0x0
 03368  1024   NtSetEventBoostPriority  (344, ...
 03367  1780   NtWaitForSingleObject  ... ) == 0x102
 03369   248   NtWaitForSingleObject  (128, 0, 0x0, ...
 03370  1372   NtWaitForSingleObject  (344, 0, 0x0, ...
 03371   188   NtTestAlert  (...
 03372   500   NtWaitForSingleObject  (344, 0, 0x0, ...
 03344  1588   NtWaitForSingleObject  ... ) == 0x0
 03368  1024   NtSetEventBoostPriority  ... ) == 0x0
 03373  1780   NtWaitForSingleObject  (176, 0, 0x0, ...
 03371   188   NtTestAlert  ... ) == 0x0
 03374  1588   NtSetEventBoostPriority  (344, ...
 03375  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03376  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03346   152   NtWaitForSingleObject  ... ) == 0x0
 03374  1588   NtSetEventBoostPriority  ... ) == 0x0
 03377   188   NtContinue  (100728112, 1, ...
 03375  1744   NtAllocateVirtualMemory  ... 104923136, 1048576, ) == 0x0
 03378   152   NtSetEventBoostPriority  (344, ...
 03376  1024   NtDuplicateObject  ... 928, ) == 0x0
 03379   188   NtRegisterThreadTerminatePort  (24, ...
 03358  1620   NtWaitForSingleObject  ... ) == 0x0
 03380  1744   NtAllocateVirtualMemory  (-1, 105963520, 0, 8192, 4096, 4, ...
 03381  1024   NtWaitForSingleObject  (344, 0, 0x0, ...
 03378   152   NtSetEventBoostPriority  ... ) == 0x0
 03382  1588   NtWaitForSingleObject  (344, 0, 0x0, ...
 03383  1620   NtSetEventBoostPriority  (344, ...
 03380  1744   NtAllocateVirtualMemory  ... 105963520, 8192, ) == 0x0
 03384   152   NtWaitForSingleObject  (344, 0, 0x0, ...
 03359  2040   NtWaitForSingleObject  ... ) == 0x0
 03383  1620   NtSetEventBoostPriority  ... ) == 0x0
 03385  1744   NtProtectVirtualMemory  (-1, (0x650e000), 4096, 260, ...
 03386  2040   NtSetEventBoostPriority  (344, ...
 03387  1620   NtWaitForSingleObject  (344, 0, 0x0, ...
 03363  1388   NtWaitForSingleObject  ... ) == 0x0
 03386  2040   NtSetEventBoostPriority  ... ) == 0x0
 03385  1744   NtProtectVirtualMemory  ... (0x650e000), 4096, 4, ) == 0x0
 03379   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 03388  1388   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 03389  2040   NtWaitForSingleObject  (344, 0, 0x0, ...
 03388  1388   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 03390   188   NtWaitForSingleObject  (344, 0, 0x0, ...
 03391  1744   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 932, {1736, 588}, ) == 0x0
 03392  1744   NtQueryInformationThread  (932, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1736,Tid=588,}, 0x0, ) == 0x0
 03393  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1736, 1744, 75651, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\310\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\310\6\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75652, 0}  (24, {28, 56, new_msg, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\310\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\310\6\0\0L\2\0\0" )  ) == 0x0
 03394  1744   NtResumeThread  (932, ... 1, ) == 0x0
 03395  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 105971712, 1048576, ) == 0x0
 03396  1744   NtAllocateVirtualMemory  (-1, 107012096, 0, 8192, 4096, 4, ...
 03397  1388   NtSetEventBoostPriority  (344, ...
 03398   588   NtWaitForSingleObject  (128, 0, 0x0, ...
 03366  1804   NtWaitForSingleObject  ... ) == 0x0
 03397  1388   NtSetEventBoostPriority  ... ) == 0x0
 03399  1804   NtSetEventBoostPriority  (344, ...
 03360  2036   NtWaitForSingleObject  ... ) == 0x0
 03400  2036   NtSetEventBoostPriority  (344, ...
 03370  1372   NtWaitForSingleObject  ... ) == 0x0
 03401  1372   NtSetEventBoostPriority  (344, ...
 03372   500   NtWaitForSingleObject  ... ) == 0x0
 03402   500   NtSetEventBoostPriority  (344, ...
 03381  1024   NtWaitForSingleObject  ... ) == 0x0
 03403  1024   NtSetEventBoostPriority  (344, ...
 03382  1588   NtWaitForSingleObject  ... ) == 0x0
 03404  1588   NtSetEventBoostPriority  (344, ...
 03384   152   NtWaitForSingleObject  ... ) == 0x0
 03405   152   NtSetEventBoostPriority  (344, ...
 03387  1620   NtWaitForSingleObject  ... ) == 0x0
 03406  1620   NtSetEventBoostPriority  (344, ...
 03389  2040   NtWaitForSingleObject  ... ) == 0x0
 03407  2040   NtSetEventBoostPriority  (344, ...
 03390   188   NtWaitForSingleObject  ... ) == 0x0
 03408   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 936, ) == 0x0
 03405   152   NtSetEventBoostPriority  ... ) == 0x0
 03404  1588   NtSetEventBoostPriority  ... ) == 0x0
 03403  1024   NtSetEventBoostPriority  ... ) == 0x0
 03402   500   NtSetEventBoostPriority  ... ) == 0x0
 03401  1372   NtSetEventBoostPriority  ... ) == 0x0
 03399  1804   NtSetEventBoostPriority  ... ) == 0x0
 03409  1388   NtAllocateVirtualMemory  (-1, 15781888, 0, 4096, 4096, 260, ...
 03407  2040   NtSetEventBoostPriority  ... ) == 0x0
 03406  1620   NtSetEventBoostPriority  ... ) == 0x0
 03400  2036   NtSetEventBoostPriority  ... ) == 0x0
 03396  1744   NtAllocateVirtualMemory  ... 107012096, 8192, ) == 0x0
 03410   188   NtWaitForSingleObject  (380, 0, 0x0, ...
 03411  1588   NtAllocateVirtualMemory  (-1, 21024768, 0, 4096, 4096, 260, ...
 03412   152   NtAllocateVirtualMemory  (-1, 14733312, 0, 4096, 4096, 260, ...
 03413   500   NtWaitForSingleObject  (380, 0, 0x0, ...
 03414  1024   NtWaitForSingleObject  (380, 0, 0x0, ...
 03415  1372   NtSetEventBoostPriority  (128, ...
 03409  1388   NtAllocateVirtualMemory  ... 15781888, 4096, ) == 0x0
 03416  2040   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03417  1620   NtSetEventBoostPriority  (176, ...
 03418  2036   NtAllocateVirtualMemory  (-1, 16830464, 0, 4096, 4096, 260, ...
 03419  1744   NtProtectVirtualMemory  (-1, (0x660e000), 4096, 260, ...
 03411  1588   NtAllocateVirtualMemory  ... 21024768, 4096, ) == 0x0
 03412   152   NtAllocateVirtualMemory  ... 14733312, 4096, ) == 0x0
 03420  1804   NtSetEventBoostPriority  (380, ...
 03261   216   NtWaitForSingleObject  ... ) == 0x0
 03415  1372   NtSetEventBoostPriority  ... ) == 0x0
 03421  1388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03416  2040   NtCreateEvent  ... 940, ) == 0x0
 01321   440   NtWaitForSingleObject  ... ) == 0x0
 03417  1620   NtSetEventBoostPriority  ... ) == 0x0
 03418  2036   NtAllocateVirtualMemory  ... 16830464, 4096, ) == 0x0
 03419  1744   NtProtectVirtualMemory  ... (0x660e000), 4096, 4, ) == 0x0
 03422  1588   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03423   152   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03424   216   NtSetEventBoostPriority  (128, ...
 03165  1644   NtWaitForSingleObject  ... ) == 0x0
 03420  1804   NtSetEventBoostPriority  ... ) == 0x0
NtAdjustPrivilegesToken(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryInformationFile(>)	7	NtQueryAttributesFile(>)	62
NtGdiCreateBitmap(>)	1	NtNotifyChangeKey(>)	2	NtQueryInformationProcess(>)	7	NtCreateEvent(>)	88
NtGdiInit(>)	1	NtOpenDirectoryObject(>)	2	NtCreateFile(>)	8	NtContinue(>)	89
NtGdiQueryFontAssocInfo(>)	1	NtQueryDefaultUILanguage(>)	2	NtQueryVirtualMemory(>)	9	NtMapViewOfSection(>)	101
NtGdiSelectBitmap(>)	1	NtSecureConnectPort(>)	2	NtUserFindExistingCursorIcon(>)	9	NtWriteVirtualMemory(>)	116
NtOpenKeyedEvent(>)	1	NtSetInformationObject(>)	2	NtFsControlFile(>)	10	NtQuerySystemInformation(>)	123
NtOpenSymbolicLinkObject(>)	1	NtDelayExecution(>)	3	NtOpenThreadToken(>)	11	NtOpenKey(>)	125
NtQueryInstallUILanguage(>)	1	NtGdiCreateCompatibleDC(>)	3	NtSetInformationThread(>)	11	NtResumeThread(>)	127
NtQueryObject(>)	1	NtOpenProcessToken(>)	3	NtQuerySection(>)	12	NtCreateThread(>)	134
NtQueryPerformanceCounter(>)	1	NtOpenProcessTokenEx(>)	3	NtSetInformationFile(>)	12	NtQueryInformationThread(>)	144
NtQuerySymbolicLinkObject(>)	1	NtOpenThreadTokenEx(>)	3	NtUserRegisterClassExWOW(>)	14	NtTestAlert(>)	169
NtQuerySystemTime(>)	1	NtReadFile(>)	3	NtSetValueKey(>)	17	NtRegisterThreadTerminatePort(>)	172
NtRaiseException(>)	1	NtFreeVirtualMemory(>)	4	NtCreateKey(>)	20	NtRequestWaitReplyPort(>)	173
NtSetInformationProcess(>)	1	NtQueryDefaultLocale(>)	4	NtCreateSection(>)	26	NtDuplicateObject(>)	178
NtUserCallNoParam(>)	1	NtQueryVolumeInformationFile(>)	4	NtOpenFile(>)	29	NtQueryValueKey(>)	249
NtUserGetObjectInformation(>)	1	NtCreateMutant(>)	5	NtOpenProcess(>)	29	NtClose(>)	276
NtUserGetProcessWindowStation(>)	1	NtGdiGetStockObject(>)	5	NtDeviceIoControlFile(>)	36	NtProtectVirtualMemory(>)	362
NtUserGetThreadDesktop(>)	1	NtWriteFile(>)	5	NtUnmapViewOfSection(>)	45	NtAllocateVirtualMemory(>)	365
NtCallbackReturn(>)	2	NtConnectPort(>)	6	NtOpenSection(>)	51	NtSetEventBoostPriority(>)	617
NtCreateIoCompletion(>)	2	NtQueryInformationToken(>)	6	NtFlushInstructionCache(>)	52	NtWaitForSingleObject(>)	824