Summary:


NtAdjustPrivilegesToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryInformationFile(>)  7 
NtQueryAttributesFile(>)  59 

NtDelayExecution(>)  1 
NtNotifyChangeKey(>)  2 
NtQueryInformationProcess(>)  7 
NtCreateEvent(>)  87 

NtGdiCreateBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateFile(>)  8 
NtContinue(>)  97 

NtGdiInit(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtQueryVirtualMemory(>)  9 
NtMapViewOfSection(>)  102 

NtGdiQueryFontAssocInfo(>)  1 
NtQueryPerformanceCounter(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtWriteVirtualMemory(>)  116 

NtGdiSelectBitmap(>)  1 
NtSetInformationObject(>)  2 
NtFsControlFile(>)  10 
NtQuerySystemInformation(>)  124 

NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtOpenThreadToken(>)  10 
NtOpenKey(>)  125 

NtOpenSymbolicLinkObject(>)  1 
NtOpenProcessToken(>)  3 
NtSetInformationThread(>)  11 
NtResumeThread(>)  132 

NtQueryInstallUILanguage(>)  1 
NtOpenProcessTokenEx(>)  3 
NtSetInformationFile(>)  12 
NtQueryInformationThread(>)  135 

NtQueryObject(>)  1 
NtOpenThreadTokenEx(>)  3 
NtQuerySection(>)  14 
NtCreateThread(>)  148 

NtQuerySymbolicLinkObject(>)  1 
NtQueryDefaultLocale(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtRequestWaitReplyPort(>)  168 

NtQuerySystemTime(>)  1 
NtQueryVolumeInformationFile(>)  3 
NtSetValueKey(>)  17 
NtTestAlert(>)  185 

NtRaiseException(>)  1 
NtReadFile(>)  3 
NtCreateKey(>)  19 
NtRegisterThreadTerminatePort(>)  188 

NtSetInformationProcess(>)  1 
NtSecureConnectPort(>)  3 
NtCreateSection(>)  25 
NtDuplicateObject(>)  198 

NtUserCallNoParam(>)  1 
NtFreeVirtualMemory(>)  4 
NtOpenFile(>)  27 
NtQueryValueKey(>)  251 

NtUserGetObjectInformation(>)  1 
NtWriteFile(>)  4 
NtOpenProcess(>)  29 
NtClose(>)  278 

NtUserGetProcessWindowStation(>)  1 
NtGdiGetStockObject(>)  5 
NtDeviceIoControlFile(>)  36 
NtProtectVirtualMemory(>)  361 

NtUserGetThreadDesktop(>)  1 
NtConnectPort(>)  6 
NtUnmapViewOfSection(>)  45 
NtAllocateVirtualMemory(>)  369 

NtCallbackReturn(>)  2 
NtCreateMutant(>)  6 
NtFlushInstructionCache(>)  53 
NtSetEventBoostPriority(>)  554 

NtCreateIoCompletion(>)  2 
NtQueryInformationToken(>)  6 
NtOpenSection(>)  53 
NtWaitForSingleObject(>)  819 


Trace:
 00001   464   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   464   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   464   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   464   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   464   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   464   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   464   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   464   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   464   NtClose  (12, ... ) == 0x0
 00015   464   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   464   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   464   NtClose  (16, ... ) == 0x0
 00021   464   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   464   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   464   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   464   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   464   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   464   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   464   NtClose  (16, ... ) == 0x0
 00030   464   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   464   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   464   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   464   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1036, 464, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57957, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1036, 464, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   464   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   464   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   464   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   464   NtClose  (16, ... ) == 0x0
 00041   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   464   NtClose  (16, ... ) == 0x0
 00044   464   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   464   NtClose  (16, ... ) == 0x0
 00048   464   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   464   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   464   NtClose  (16, ... ) == 0x0
 00052   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   464   NtClose  (16, ... ) == 0x0
 00055   464   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   464   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   464   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1036, 464, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1036, 464, 57958, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1036, 464, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1036, 464, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57959, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1036, 464, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   464   NtProtectVirtualMemory  (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0
 00062   464   NtProtectVirtualMemory  (-1, (0x409000), 98304, 128, ... (0x409000), 98304, 4, ) == 0x0
 00063   464   NtFlushInstructionCache  (-1, 4231168, 94224, ... ) == 0x0
 00064   464   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065   464   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066   464   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067   464   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068   464   NtClose  (16, ... ) == 0x0
 00069   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070   464   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071   464   NtClose  (16, ... ) == 0x0
 00072   464   NtTestAlert  (... ) == 0x0
 00073   464   NtContinue  (1244464, 1, ...
 00074   464   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00075   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076   464   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077   464   NtClose  (16, ... ) == 0x0
 00078   464   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081   464   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00082   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085   464   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00095   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242976, ... ) }, 1242976, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099   464   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00100   464   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00101   464   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00102   464   NtMapViewOfSection  (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0
 00103   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00104   464   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00105   464   NtClose  (36, ... ) == 0x0
 00106   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00107   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00108   464   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00109   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00110   464   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00111   464   NtClose  (36, ... ) == 0x0
 00112   464   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00113   464   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00114   464   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00115   464   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00116   464   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00117   464   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00118   464   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00119   464   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00120   464   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00121   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00122   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00123   464   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00124   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00125   464   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00126   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00127   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00128   464   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00129   464   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00130   464   NtClose  (36, ... ) == 0x0
 00131   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00132   464   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00133   464   NtClose  (36, ... ) == 0x0
 00134   464   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00135   464   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00136   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00137   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   464   NtOpenProcessToken  (-1, 0x20, ... 40, ) == 0x0
 00140   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00141   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00143   464   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00144   464   NtClose  (44, ... ) == 0x0
 00145   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00146   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00147   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00148   464   NtQuerySystemTime  (... {2075206772, 29917043}, ) == 0x0
 00149   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00150   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00151   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00152   464   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00153   464   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00154   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00155   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00156   464   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00157   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00158   464   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00159   464   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00160   464   NtClose  (68, ... ) == 0x0
 00161   464   NtClose  (64, ... ) == 0x0
 00162   464   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00163   464   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00164   464   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00165   464   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00166   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00167   464   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00168   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00169   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00170   464   NtSetInformationFile  (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00171   464   NtSetInformationFile  (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00172   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00173   464   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00174   464   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00175   464   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00176   464   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00177   464   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) == 0x103
 00178   464   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00179   464   NtClose  (76, ... ) == 0x0
 00180   464   NtClose  (80, ... ) == 0x0
 00181   464   NtAdjustPrivilegesToken  (40, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00182   464   NtClose  (40, ... ) == 0x0
 00183   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00184   464   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00185   464   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0
 00186   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00187   464   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00188   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00189   464   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00190   464   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00191   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00192   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00193   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00194   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00195   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00196   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00197   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00198   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00199   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00200   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00201   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00202   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0
 00203   464   NtMapViewOfSection  (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00204   464   NtClose  (76, ... ) == 0x0
 00205   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00206   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00207   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00208   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00209   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00210   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00211   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00212   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00213   464   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00214   464   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00215   464   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00216   464   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 860}, ) == 0x0
 00217   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" ... {28, 56, reply, 0, 1036, 464, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57960, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" ... {28, 56, reply, 0, 1036, 464, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" )  ) == 0x0
 00218   464   NtResumeThread  (76, ... 1, ) == 0x0
 00219   464   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00220   464   NtClose  (80, ... ) == 0x0
 00221   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00222   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00223   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00224   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00225   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00226   464   NtClose  (84, ... ) == 0x0
 00227   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00228   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00229   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00230   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00231   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00232   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00233   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00234   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00235   464   NtClose  (80, ... ) == 0x0
 00236   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00237   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00238   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00239   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00240   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00241   464   NtClose  (84, ... ) == 0x0
 00242   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00243   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00244   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00245   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00246   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00247   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00248   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00249   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00250   464   NtClose  (80, ... ) == 0x0
 00251   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00252   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00253   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00254   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00255   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00256   464   NtClose  (84, ... ) == 0x0
 00257   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00258   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00259   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00260   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00261   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00262   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00263   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00264   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00265   464   NtClose  (80, ... ) == 0x0
 00266   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00267   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00268   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00269   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00270   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00271   464   NtClose  (84, ... ) == 0x0
 00272   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00273   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00274   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00275   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00276   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00277   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00278   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00279   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00280   464   NtClose  (80, ... ) == 0x0
 00281   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00282   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00283   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00284   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00285   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00286   464   NtClose  (84, ... ) == 0x0
 00287   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00288   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00289   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00290   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00291   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00292   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00293   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00294   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00295   464   NtClose  (80, ... ) == 0x0
 00296   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00297   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00298   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00299   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00300   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00301   464   NtClose  (84, ... ) == 0x0
 00302   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00303   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00304   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00305   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00306   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00307   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00308   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00309   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00310   464   NtClose  (80, ... ) == 0x0
 00311   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00312   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00313   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00314   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00315   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00316   464   NtClose  (84, ... ) == 0x0
 00317   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00318   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00319   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00320   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00321   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00322   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00323   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00324   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00325   464   NtClose  (80, ... ) == 0x0
 00326   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00327   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00328   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00329   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00330   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00331   464   NtClose  (84, ... ) == 0x0
 00332   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00333   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00334   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00335   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00336   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00337   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00338   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00339   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00340   464   NtClose  (80, ... ) == 0x0
 00341   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00342   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00343   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00344   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00345   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00346   464   NtClose  (84, ... ) == 0x0
 00347   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00348   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00349   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00350   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00351   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00352   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00353   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00354   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00355   464   NtClose  (80, ... ) == 0x0
 00356   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00357   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00358   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00359   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00360   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00361   464   NtClose  (84, ... ) == 0x0
 00362   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00363   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00364   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00365   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00366   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00367   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00368   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00369   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00370   464   NtClose  (80, ... ) == 0x0
 00371   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00372   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00373   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00374   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00375   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00376   464   NtClose  (84, ... ) == 0x0
 00377   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00378   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00379   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00380   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00381   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00382   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00383   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00384   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00385   464   NtClose  (80, ... ) == 0x0
 00386   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00387   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00388   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 80, ) == 0x0
 00389   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00390   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00391   464   NtClose  (84, ... ) == 0x0
 00392   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00393   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00394   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00395   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00396   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00397   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00398   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00399   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00400   464   NtClose  (80, ... ) == 0x0
 00401   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00402   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00403   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00404   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00405   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00406   464   NtClose  (84, ... ) == 0x0
 00407   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00408   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00409   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00410   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00411   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00412   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00413   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00414   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00415   464   NtClose  (80, ... ) == 0x0
 00416   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00417   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00418   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00419   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00420   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00421   464   NtClose  (84, ... ) == 0x0
 00422   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00423   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00424   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00425   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00426   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00427   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00428   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00429   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00430   464   NtClose  (80, ... ) == 0x0
 00431   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00432   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00433   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00434   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00435   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00436   464   NtClose  (84, ... ) == 0x0
 00437   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00438   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00439   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00440   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00441   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00442   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00443   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00444   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00445   464   NtClose  (80, ... ) == 0x0
 00446   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00447   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00448   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00449   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00450   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00451   464   NtClose  (84, ... ) == 0x0
 00452   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00453   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00454   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00455   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00456   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00457   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00458   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00459   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00460   464   NtClose  (80, ... ) == 0x0
 00461   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00462   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00463   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00464   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00465   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00466   464   NtClose  (84, ... ) == 0x0
 00467   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00468   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00469   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00470   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00471   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00472   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00473   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00474   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00475   464   NtClose  (80, ... ) == 0x0
 00476   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00477   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00478   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00479   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00480   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00481   464   NtClose  (84, ... ) == 0x0
 00482   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00483   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00484   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00485   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00486   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00487   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00488   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00489   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00490   464   NtClose  (80, ... ) == 0x0
 00491   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00492   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00493   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00494   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00495   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00496   464   NtClose  (84, ... ) == 0x0
 00497   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00498   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00499   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00500   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00501   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00502   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00503   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00504   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00505   464   NtClose  (80, ... ) == 0x0
 00506   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00507   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00508   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00509   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00510   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00511   464   NtClose  (84, ... ) == 0x0
 00512   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00513   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00514   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00515   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00516   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00517   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00518   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00519   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00520   464   NtClose  (80, ... ) == 0x0
 00521   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00522   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00523   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00524   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00525   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00526   464   NtClose  (84, ... ) == 0x0
 00527   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00528   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00529   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00530   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00531   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00532   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00533   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00534   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00535   464   NtClose  (80, ... ) == 0x0
 00536   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00537   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00538   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1708, 0}, ... 80, ) == 0x0
 00539   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00540   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00541   464   NtClose  (84, ... ) == 0x0
 00542   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00543   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00544   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00545   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00546   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00547   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00548   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00549   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00550   464   NtClose  (80, ... ) == 0x0
 00551   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00552   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00553   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1180, 0}, ... 80, ) == 0x0
 00554   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00555   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00556   464   NtClose  (84, ... ) == 0x0
 00557   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00558   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00559   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00560   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00561   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00562   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00563   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00564   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00565   464   NtClose  (80, ... ) == 0x0
 00566   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00567   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00568   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 80, ) == 0x0
 00569   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00570   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00571   464   NtClose  (84, ... ) == 0x0
 00572   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00573   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00574   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00575   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00576   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00577   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00578   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00579   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00580   464   NtClose  (80, ... ) == 0x0
 00581   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00582   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00583   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1028, 0}, ... 80, ) == 0x0
 00584   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00585   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00586   464   NtClose  (84, ... ) == 0x0
 00587   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00588   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00589   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00590   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00591   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00592   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00593   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00594   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00595   464   NtClose  (80, ... ) == 0x0
 00596   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00597   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00598   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1516, 0}, ... 80, ) == 0x0
 00599   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00600   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00601   464   NtClose  (84, ... ) == 0x0
 00602   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00603   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00604   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00605   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00606   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00607   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00608   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00609   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00610   464   NtClose  (80, ... ) == 0x0
 00611   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00612   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00613   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1740, 0}, ... 80, ) == 0x0
 00614   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00615   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00616   464   NtClose  (84, ... ) == 0x0
 00617   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00618   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00619   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00620   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00621   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00622   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00623   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00624   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00625   464   NtClose  (80, ... ) == 0x0
 00626   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00627   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00628   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1036, 0}, ... 80, ) == 0x0
 00629   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00630   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00631   464   NtClose  (84, ... ) == 0x0
 00632   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00633   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00634   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00635   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00636   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00637   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00638   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00639   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00640   464   NtClose  (80, ... ) == 0x0
 00641   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00642   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00643   464   NtClose  (40, ... ) == 0x0
 00644   464   NtClose  (28, ... ) == 0x0
 00645   464   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00646   464   NtContinue  (1244400, 0, ...
 00647   464   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3342336, 4096, ) == 0x0
 00648   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00649   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00650   464   NtClose  (28, ... ) == 0x0
 00651   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00652   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00653   464   NtClose  (28, ... ) == 0x0
 00654   464   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00655   464   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00656   464   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00657   464   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00658   464   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00659   464   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00660   464   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00661   464   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00662   464   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00663   464   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00664   464   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00665   464   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00666   464   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00667   464   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00668   464   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00669   464   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00670   464   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00671   464   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00672   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00675   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58020, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58020, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58020, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00676   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00677   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00678   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0
 00679   464   NtClose  (28, ... ) == 0x0
 00680   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00681   464   NtClose  (40, ... ) == 0x0
 00682   464   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00683   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00684   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00685   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0
 00686   464   NtClose  (40, ... ) == 0x0
 00687   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00688   464   NtClose  (28, ... ) == 0x0
 00689   464   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00690   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00691   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00692   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00693   464   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00694   464   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00695   464   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00696   464   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00697   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00698   464   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00699   464   NtClose  (84, ... ) == 0x0
 00700   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00701   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00702   464   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00703   464   NtClose  (84, ... ) == 0x0
 00704   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   464   NtClose  (80, ... ) == 0x0
 00706   464   NtClose  (28, ... ) == 0x0
 00707   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00708   464   NtClose  (40, ... ) == 0x0
 00709   464   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00710   464   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00711   464   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00712   464   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00713   464   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00714   464   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00715   464   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00716   464   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00717   464   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00718   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00719   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00720   464   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00721   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00722   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00723   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00724   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0
 00725   464   NtQueryValueKey  (40,  (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00726   464   NtClose  (40, ... ) == 0x0
 00727   464   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00728   464   NtClose  (-2147482740, ... ) == 0x0
 00729   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00730   464   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00731   464   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00732   464   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00733   464   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00734   464   NtClose  (-2147482740, ... ) == 0x0
 00735   464   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00736   464   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00737   464   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00738   464   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00739   464   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00740   464   NtClose  (-2147482740, ... ) == 0x0
 00741   464   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00742   464   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00743   464   NtClose  (-2147482740, ... ) == 0x0
 00744   464   NtQueryDefaultLocale  (0, -140494516, ... ) == 0x0
 00745   464   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00746   464   NtUserCallNoParam  (24, ... ) == 0x0
 00747   464   NtGdiCreateCompatibleDC  (0, ...
 00748   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00747   464   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00749   464   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00750   464   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00751   464   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00752   464   NtGdiCreateSolidBrush  (0, 0, ...
 00753   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00752   464   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00754   464   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00755   464   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00756   464   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00757   464   NtUserGetThreadDesktop  (464, 0, ... ) == 0x50
 00758   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00759   464   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00760   464   NtClose  (88, ... ) == 0x0
 00761   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00762   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x81aec017
 00763   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00764   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x81aec01c
 00765   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00766   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x81aec01e
 00767   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00768   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81ae8002
 00769   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00770   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x81aec018
 00771   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00772   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x81aec01a
 00773   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00774   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x81aec01d
 00775   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00776   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x81aec026
 00777   464   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00778   464   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x81aec019
 00779   464   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec020
 00780   464   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81aec022
 00781   464   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec023
 00782   464   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81aec024
 00783   464   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec025
 00784   464   NtCallbackReturn  (0, 0, 0, ...
 00785   464   NtGdiInit  (... ) == 0x1
 00786   464   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00787   464   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00788   464   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 3538944, 28672, ) == 0x0
 00789   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00790   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00792   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00793   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00794   464   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00795   464   NtClose  (88, ... ) == 0x0
 00796   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00797   464   NtClose  (92, ... ) == 0x0
 00798   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00799   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00800   464   NtClose  (92, ... ) == 0x0
 00801   464   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00802   464   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00803   464   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00804   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00805   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00806   464   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00807   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00810   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00811   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00812   464   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00813   464   NtClose  (92, ... ) == 0x0
 00814   464   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00815   464   NtClose  (88, ... ) == 0x0
 00816   464   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00817   464   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00818   464   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00819   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00820   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00821   464   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00822   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00824   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00825   464   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00826   464   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00827   464   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00828   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0
 00829   464   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 00830   464   NtClose  (88, ... ) == 0x0
 00831   464   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00832   464   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00833   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00834   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00835   464   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00836   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00839   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00840   464   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 00841   464   NtFreeVirtualMemory  (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0
 00842   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00843   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 00844   464   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 00845   464   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 00846   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0
 00847   464   NtAllocateVirtualMemory  (-1, 9502720, 0, 32768, 4096, 4, ... 9502720, 32768, ) == 0x0
 00848   464   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "Jobaka3"}, 0, ... 88, ) }, 0, ... 88, ) == 0x0
 00849   464   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00850   464   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00851   464   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00852   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00853   464   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "Protocol_Catalog9"}, ... 100, ) }, ... 100, ) == 0x0
 00854   464   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00855   464   NtNotifyChangeKey  (100, 96, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00856   464   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00857   464   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00858   464   NtQueryValueKey  (100,  (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00859   464   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00860   464   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 00861   464   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00862   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 00863   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00864   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00865   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0b\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0b\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0b\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00866   464   NtClose  (108, ... ) == 0x0
 00867   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 00868   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00869   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00870   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0g\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0g\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0g\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00871   464   NtClose  (108, ... ) == 0x0
 00872   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0
 00873   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00874   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00875   464   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00876   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0m\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0m\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0n\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0m\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0m\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0n\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0m\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0m\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0n\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00877   464   NtClose  (108, ... ) == 0x0
 00878   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0
 00879   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00880   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00881   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0r\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0r\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0s\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0r\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0r\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0s\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0r\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0r\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0s\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00882   464   NtClose  (108, ... ) == 0x0
 00883   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000005"}, ... 108, ) }, ... 108, ) == 0x0
 00884   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00885   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00886   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0w\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0w\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0x\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0w\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0w\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0x\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0w\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0w\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0x\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00887   464   NtClose  (108, ... ) == 0x0
 00888   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000006"}, ... 108, ) }, ... 108, ) == 0x0
 00889   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00890   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00891   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0|\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0|\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0}\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0|\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0|\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0}\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0|\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0|\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0}\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00892   464   NtClose  (108, ... ) == 0x0
 00893   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000007"}, ... 108, ) }, ... 108, ) == 0x0
 00894   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00895   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00896   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\201\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\201\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\202\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\201\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\201\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\202\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\201\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\201\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\202\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00897   464   NtClose  (108, ... ) == 0x0
 00898   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000008"}, ... 108, ) }, ... 108, ) == 0x0
 00899   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00900   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00901   464   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00902   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\207\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\207\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\210\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\207\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\207\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\210\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\207\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\207\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\210\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00903   464   NtClose  (108, ... ) == 0x0
 00904   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000009"}, ... 108, ) }, ... 108, ) == 0x0
 00905   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00906   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00907   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\214\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\214\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\215\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\214\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\214\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\215\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\214\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\214\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\215\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00908   464   NtClose  (108, ... ) == 0x0
 00909   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000010"}, ... 108, ) }, ... 108, ) == 0x0
 00910   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00911   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00912   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\221\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\221\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\222\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\221\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\221\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\222\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\221\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\221\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\222\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00913   464   NtClose  (108, ... ) == 0x0
 00914   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000011"}, ... 108, ) }, ... 108, ) == 0x0
 00915   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00916   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00917   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\226\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\226\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\227\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\226\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\226\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\227\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\226\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\226\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\227\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00918   464   NtClose  (108, ... ) == 0x0
 00919   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000012"}, ... 108, ) }, ... 108, ) == 0x0
 00920   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00921   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00922   464   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00923   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\234\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\234\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\235\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\234\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\234\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\235\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\234\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\234\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\235\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00924   464   NtClose  (108, ... ) == 0x0
 00925   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000013"}, ... 108, ) }, ... 108, ) == 0x0
 00926   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00927   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00928   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\241\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\241\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\242\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\241\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\241\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\242\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\241\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\241\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\242\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00929   464   NtClose  (108, ... ) == 0x0
 00930   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000014"}, ... 108, ) }, ... 108, ) == 0x0
 00931   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00932   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00933   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\246\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\246\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\247\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\246\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\246\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\247\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\246\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\246\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\247\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00934   464   NtClose  (108, ... ) == 0x0
 00935   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000015"}, ... 108, ) }, ... 108, ) == 0x0
 00936   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00937   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00938   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\253\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\254\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\253\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\254\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\253\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\254\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00939   464   NtClose  (108, ... ) == 0x0
 00940   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000016"}, ... 108, ) }, ... 108, ) == 0x0
 00941   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00942   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00943   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\260\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\261\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\260\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\261\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\260\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\261\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00944   464   NtClose  (108, ... ) == 0x0
 00945   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000017"}, ... 108, ) }, ... 108, ) == 0x0
 00946   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00947   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00948   464   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00949   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\266\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\266\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\267\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\266\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\266\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\267\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\266\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\266\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\267\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00950   464   NtClose  (108, ... ) == 0x0
 00951   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000018"}, ... 108, ) }, ... 108, ) == 0x0
 00952   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00953   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00954   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\273\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\273\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\274\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\273\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\273\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\274\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\273\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\273\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\274\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00955   464   NtClose  (108, ... ) == 0x0
 00956   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000019"}, ... 108, ) }, ... 108, ) == 0x0
 00957   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00958   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00959   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\300\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\300\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\301\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\300\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\300\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\301\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\300\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\300\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\301\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00960   464   NtClose  (108, ... ) == 0x0
 00961   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000020"}, ... 108, ) }, ... 108, ) == 0x0
 00962   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00963   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00964   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\305\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\305\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\306\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\305\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\305\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\306\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\305\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\305\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\306\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00965   464   NtClose  (108, ... ) == 0x0
 00966   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000021"}, ... 108, ) }, ... 108, ) == 0x0
 00967   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00968   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00969   464   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00970   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\313\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\313\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\314\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\313\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\313\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\314\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\313\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\313\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\314\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0\14\4\0\0\320\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00971   464   NtClose  (108, ... ) == 0x0
 00972   464   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000022"}, ... 108, ) }, ... 108, ) == 0x0
 00973   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00974   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00975   464   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\320\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\320\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\321\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\14\4\0\0\320\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\322\3\0\0\14\4\0\0\320\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\323\3\0\0\14\4\0\0\320\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\323\3\0\0\14\4\0\0\320\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\324\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\320\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\320\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\321\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\14\4\0\0\320\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\322\3\0\0\14\4\0\0\320\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\323\3\0\0\14\4\0\0\320\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\323\3\0\0\14\4\0\0\320\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\324\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\320\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\320\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\321\3\0\0\14\4\0\0\320\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\14\4\0\0\320\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\322\3\0\0\14\4\0\0\320\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\323\3\0\0\14\4\0\0\320\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\323\3\0\0\14\4\0\0\320\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\324\3\0\0\14\4\0\0\320\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00976   464   NtClose  (108, ... ) == 0x0
 00977   464   NtClose  (104, ... ) == 0x0
 00978   464   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 00979   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 00980   464   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0
 00981   464   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00982   464   NtNotifyChangeKey  (108, 104, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00983   464   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00984   464   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   464   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00986   464   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00987   464   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00988   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00989   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00990   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00991   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00992   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00993   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00994   464   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00995   464   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00996   464   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00997   464   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00998   464   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00999   464   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01000   464   NtClose  (116, ... ) == 0x0
 01001   464   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 01002   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01003   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01004   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01005   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01006   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01007   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01008   464   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01009   464   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   464   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01011   464   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01012   464   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01013   464   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01014   464   NtClose  (116, ... ) == 0x0
 01015   464   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 01016   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01017   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01018   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01019   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01020   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01021   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01022   464   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01023   464   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   464   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01025   464   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01026   464   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01027   464   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01028   464   NtClose  (116, ... ) == 0x0
 01029   464   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0
 01030   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01031   464   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01032   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01033   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01034   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01035   464   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01036   464   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01037   464   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038   464   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01039   464   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040   464   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01041   464   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01042   464   NtClose  (116, ... ) == 0x0
 01043   464   NtClose  (112, ... ) == 0x0
 01044   464   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 01045   464   NtClose  (92, ... ) == 0x0
 01046   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01047   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01048   464   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 01049   464   NtQueryValueKey  (92,  (92, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   464   NtClose  (92, ... ) == 0x0
 01051   464   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01052   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0
 01053   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241400, ... ) }, 1241400, ... ) == 0x0
 01054   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 112, {status=0x0, info=1}, ) }, 7, 2113568, ... 112, {status=0x0, info=1}, ) == 0x0
 01055   464   NtSetInformationFile  (112, 1241376, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01056   464   NtClose  (112, ... ) == 0x0
 01057   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01058   464   NtQueryInformationFile  (112, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01059   464   NtQueryInformationFile  (112, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01060   464   NtQueryInformationFile  (112, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01061   464   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01062   464   NtQueryInformationFile  (112, 1365056, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01063   464   NtQueryInformationFile  (112, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01064   464   NtQueryInformationFile  (112, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01065   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\AVSERVE2.EXE"}, 1239736, ... ) }, 1239736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01066   464   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01067   464   NtClose  (-2147482740, ... ) == 0x0
 01066   464   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 01068   464   NtQueryVolumeInformationFile  (116, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01069   464   NtQueryInformationFile  (116, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01070   464   NtQueryVolumeInformationFile  (112, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01071   464   NtSetInformationFile  (116, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01072   464   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0
 01073   464   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 28672, ) == 0x0
 01074   464   NtClose  (120, ... ) == 0x0
 01075   464   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 01076   464   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 01077   464   NtSetInformationFile  (116, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01078   464   NtClose  (112, ... ) == 0x0
 01079   464   NtClose  (116, ... ) == 0x0
 01080   464   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 116, ) }, ... 116, ) == 0x0
 01081   464   NtSetValueKey  (116,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 01082   464   NtSetInformationFile  (-2147482448, -140495056, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01083   464   NtSetInformationFile  (-2147482448, -140495148, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01084   464   NtSetInformationFile  (-2147482448, -140495456, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01081   464   NtSetValueKey  ... ) == 0x0
 01085   464   NtClose  (116, ... ) == 0x0
 01086   464   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 116, ) }, 0, ... 116, ) == 0x0
 01087   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0
 01088   464   NtAllocateVirtualMemory  (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0
 01089   464   NtProtectVirtualMemory  (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0
 01090   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 112, {1036, 1256}, ) == 0x0
 01091   464   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1036,Tid=1256,}, 0x0, ) == 0x0
 01092   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\14\4\0\0\350\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\14\4\0\0\350\4\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58022, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\14\4\0\0\350\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\14\4\0\0\350\4\0\0" )  ) == 0x0
 01093   464   NtResumeThread  (112, ... 1, ) == 0x0
 01094   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0
 01095   464   NtAllocateVirtualMemory  (-1, 12640256, 0, 8192, 4096, 4, ... 12640256, 8192, ) == 0x0
 01096  1256   NtTestAlert  (... ) == 0x0
 01097  1256   NtContinue  (11599152, 1, ...
 01098  1256   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01099  1256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 01100  1256   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01101  1256   NtAllocateVirtualMemory  (-1, 11587584, 0, 4096, 4096, 260, ...
 01102   464   NtProtectVirtualMemory  (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0
 01103   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 124, {1036, 220}, ) == 0x0
 01104   464   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1036,Tid=220,}, 0x0, ) == 0x0
 01105   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58022, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\14\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\14\4\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58023, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\14\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\14\4\0\0\334\0\0\0" )  ) == 0x0
 01106   464   NtResumeThread  (124, ... 1, ) == 0x0
 01107   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01101  1256   NtAllocateVirtualMemory  ... 11587584, 4096, ) == 0x0
 01108   220   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01109  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596276, ... }, 11596276, ...
 01108   220   NtCreateEvent  ... 128, ) == 0x0
 01109  1256   NtQueryAttributesFile  ... ) == 0x0
 01110   220   NtWaitForSingleObject  (128, 0, 0x0, ...
 01111  1256   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01112  1256   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 136, ) == 0x0
 01113  1256   NtClose  (132, ... ) == 0x0
 01114  1256   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 245760, ) == 0x0
 01115  1256   NtClose  (136, ...
 01107   464   NtAllocateVirtualMemory  ... 12648448, 1048576, ) == 0x0
 01116   464   NtAllocateVirtualMemory  (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0
 01117   464   NtProtectVirtualMemory  (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0
 01118   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1036, 1800}, ) == 0x0
 01119   464   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1036,Tid=1800,}, 0x0, ) == 0x0
 01120   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58023, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\14\4\0\0\10\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\14\4\0\0\10\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58024, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\14\4\0\0\10\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\14\4\0\0\10\7\0\0" )  ) == 0x0
 01115  1256   NtClose  ... ) == 0x0
 01121  1256   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01122  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596584, ... ) }, 11596584, ... ) == 0x0
 01123  1256   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01124  1256   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 140, ) == 0x0
 01125  1256   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01126  1256   NtClose  (136, ...
 01127   464   NtResumeThread  (132, ... 1, ) == 0x0
 01128   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0
 01129   464   NtAllocateVirtualMemory  (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0
 01130   464   NtProtectVirtualMemory  (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0
 01131   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1036, 1796}, ) == 0x0
 01132   464   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1036,Tid=1796,}, 0x0, ) == 0x0
 01126  1256   NtClose  ... ) == 0x0
 01133  1800   NtWaitForSingleObject  (128, 0, 0x0, ...
 01134  1256   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01135  1256   NtClose  (140, ... ) == 0x0
 01136  1256   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01137  1256   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01138  1256   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01139  1256   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01140   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58024, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\14\4\0\0\4\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\14\4\0\0\4\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58025, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\14\4\0\0\4\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\14\4\0\0\4\7\0\0" )  ) == 0x0
 01141   464   NtResumeThread  (144, ... 1, ) == 0x0
 01142   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0
 01143   464   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 01144   464   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0
 01145   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01139  1256   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01146  1796   NtWaitForSingleObject  (128, 0, 0x0, ...
 01147  1256   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01148  1256   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01149  1256   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01150  1256   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01151  1256   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01152  1256   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ...
 01145   464   NtCreateThread  ... 140, {1036, 1808}, ) == 0x0
 01153   464   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1036,Tid=1808,}, 0x0, ) == 0x0
 01154   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58025, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\14\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\14\4\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58026, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\14\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\14\4\0\0\20\7\0\0" )  ) == 0x0
 01155   464   NtResumeThread  (140, ... 1, ) == 0x0
 01156   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 01157   464   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ... 16834560, 8192, ) == 0x0
 01152  1256   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158  1808   NtWaitForSingleObject  (128, 0, 0x0, ...
 01159  1256   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01160  1256   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01161  1256   NtSetEventBoostPriority  (128, ...
 01110   220   NtWaitForSingleObject  ... ) == 0x0
 01162   220   NtSetEventBoostPriority  (128, ...
 01133  1800   NtWaitForSingleObject  ... ) == 0x0
 01163  1800   NtSetEventBoostPriority  (128, ...
 01146  1796   NtWaitForSingleObject  ... ) == 0x0
 01164  1796   NtSetEventBoostPriority  (128, ...
 01158  1808   NtWaitForSingleObject  ... ) == 0x0
 01165  1808   NtTestAlert  (... ) == 0x0
 01164  1796   NtSetEventBoostPriority  ... ) == 0x0
 01163  1800   NtSetEventBoostPriority  ... ) == 0x0
 01162   220   NtSetEventBoostPriority  ... ) == 0x0
 01161  1256   NtSetEventBoostPriority  ... ) == 0x0
 01166   464   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ...
 01167  1808   NtContinue  (15793456, 1, ...
 01168  1796   NtTestAlert  (...
 01169  1800   NtTestAlert  (...
 01170  1256   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01166   464   NtProtectVirtualMemory  ... (0x100e000), 4096, 4, ) == 0x0
 01171  1808   NtRegisterThreadTerminatePort  (24, ...
 01168  1796   NtTestAlert  ... ) == 0x0
 01169  1800   NtTestAlert  ... ) == 0x0
 01170  1256   NtCreateEvent  ... 136, ) == 0x0
 01172   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01171  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 01173  1796   NtContinue  (14744880, 1, ...
 01174  1800   NtContinue  (13696304, 1, ...
 01175  1256   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01172   464   NtCreateThread  ... 148, {1036, 1700}, ) == 0x0
 01176  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01177  1796   NtRegisterThreadTerminatePort  (24, ...
 01178  1800   NtRegisterThreadTerminatePort  (24, ...
 01175  1256   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01179   464   NtQueryInformationThread  (148, Basic, 28, ...
 01176  1808   NtDuplicateObject  ... 152, ) == 0x0
 01177  1796   NtRegisterThreadTerminatePort  ... ) == 0x0
 01178  1800   NtRegisterThreadTerminatePort  ... ) == 0x0
 01180  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01179   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1036,Tid=1700,}, 0x0, ) == 0x0
 01181  1808   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01182  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01183  1800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01184   220   NtTestAlert  (...
 01185   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58026, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\14\4\0\0\244\6\0\0" ...  ...
 01181  1808   NtWaitForSingleObject  ... ) == 0x102
 01182  1796   NtDuplicateObject  ... 156, ) == 0x0
 01184   220   NtTestAlert  ... ) == 0x0
 01185   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58027, 0}  ... {28, 56, reply, 0, 1036, 464, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\14\4\0\0\244\6\0\0" )  ) == 0x0
 01186  1808   NtAllocateVirtualMemory  (-1, 15781888, 0, 4096, 4096, 260, ...
 01187  1796   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01188   220   NtContinue  (12647728, 1, ...
 01189   464   NtResumeThread  (148, ...
 01186  1808   NtAllocateVirtualMemory  ... 15781888, 4096, ) == 0x0
 01187  1796   NtWaitForSingleObject  ... ) == 0x102
 01190   220   NtRegisterThreadTerminatePort  (24, ...
 01189   464   NtResumeThread  ... 1, ) == 0x0
 01191  1808   NtWaitForSingleObject  (128, 0, 0x0, ...
 01192  1796   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01190   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 01193   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01192  1796   NtCreateEvent  ... 160, ) == 0x0
 01194   220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01183  1800   NtDuplicateObject  ... 164, ) == 0x0
 01195  1700   NtWaitForSingleObject  (128, 0, 0x0, ...
 01193   464   NtAllocateVirtualMemory  ... 16842752, 1048576, ) == 0x0
 01180  1256   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01196  1796   NtWaitForSingleObject  (160, 0, 0x0, ...
 01197  1800   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01198   464   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ...
 01199  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01197  1800   NtWaitForSingleObject  ... ) == 0x102
 01198   464   NtAllocateVirtualMemory  ... 17883136, 8192, ) == 0x0
 01199  1256   NtQueryAttributesFile  ... ) == 0x0
 01200  1800   NtWaitForSingleObject  (160, 0, 0x0, ...
 01201   464   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ...
 01194   220   NtDuplicateObject  ... 168, ) == 0x0
 01201   464   NtProtectVirtualMemory  ... (0x110e000), 4096, 4, ) == 0x0
 01202   220   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01203   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01202   220   NtWaitForSingleObject  ... ) == 0x102
 01204  1256   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 01205   220   NtWaitForSingleObject  (160, 0, 0x0, ...
 01204  1256   NtOpenFile  ... 172, {status=0x0, info=1}, ) == 0x0
 01206  1256   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0
 01207  1256   NtQuerySection  (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01208  1256   NtClose  (172, ... ) == 0x0
 01209  1256   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 01210  1256   NtClose  (176, ... ) == 0x0
 01203   464   NtCreateThread  ... 176, {1036, 712}, ) == 0x0
 01211   464   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1036,Tid=712,}, 0x0, ) == 0x0
 01212   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58027, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\14\4\0\0\310\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\14\4\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58028, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\14\4\0\0\310\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\14\4\0\0\310\2\0\0" )  ) == 0x0
 01213   464   NtResumeThread  (176, ... 1, ) == 0x0
 01214   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0
 01215   464   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ... 18931712, 8192, ) == 0x0
 01216  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01217   712   NtWaitForSingleObject  (128, 0, 0x0, ...
 01216  1256   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01218  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01219  1256   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01220  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01221  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01222  1256   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01223   464   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 01224   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 172, {1036, 1728}, ) == 0x0
 01225   464   NtQueryInformationThread  (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1036,Tid=1728,}, 0x0, ) == 0x0
 01226   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58028, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\14\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\14\4\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58029, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\14\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\14\4\0\0\300\6\0\0" )  ) == 0x0
 01227   464   NtResumeThread  (172, ... 1, ) == 0x0
 01228   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01229  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01230  1728   NtWaitForSingleObject  (128, 0, 0x0, ...
 01229  1256   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01231  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01232  1256   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01233  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01234  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01235  1256   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01228   464   NtAllocateVirtualMemory  ... 18939904, 1048576, ) == 0x0
 01236   464   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0
 01237   464   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0
 01238   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1036, 1356}, ) == 0x0
 01239   464   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1036,Tid=1356,}, 0x0, ) == 0x0
 01240   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58029, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\14\4\0\0L\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\14\4\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58030, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\14\4\0\0L\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\14\4\0\0L\5\0\0" )  ) == 0x0
 01241  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01242  1256   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01243  1256   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01244  1256   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245  1256   NtSetEventBoostPriority  (128, ...
 01191  1808   NtWaitForSingleObject  ... ) == 0x0
 01246  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15789008, ... ) }, 15789008, ... ) == 0x0
 01247  1808   NtSetEventBoostPriority  (128, ...
 01195  1700   NtWaitForSingleObject  ... ) == 0x0
 01248  1700   NtSetEventBoostPriority  (128, ...
 01217   712   NtWaitForSingleObject  ... ) == 0x0
 01249   712   NtSetEventBoostPriority  (128, ...
 01230  1728   NtWaitForSingleObject  ... ) == 0x0
 01250  1728   NtTestAlert  (... ) == 0x0
 01249   712   NtSetEventBoostPriority  ... ) == 0x0
 01248  1700   NtSetEventBoostPriority  ... ) == 0x0
 01247  1808   NtSetEventBoostPriority  ... ) == 0x0
 01245  1256   NtSetEventBoostPriority  ... ) == 0x0
 01251   464   NtResumeThread  (180, ...
 01252  1728   NtContinue  (18939184, 1, ...
 01253   712   NtTestAlert  (...
 01254  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01255  1256   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01251   464   NtResumeThread  ... 1, ) == 0x0
 01256  1728   NtRegisterThreadTerminatePort  (24, ...
 01253   712   NtTestAlert  ... ) == 0x0
 01254  1808   NtCreateEvent  ... 184, ) == 0x0
 01255  1256   NtCreateEvent  ... 188, ) == 0x0
 01257   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01256  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 01258   712   NtContinue  (17890608, 1, ...
 01259  1808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01260  1700   NtTestAlert  (...
 01261  1356   NtWaitForSingleObject  (128, 0, 0x0, ...
 01257   464   NtAllocateVirtualMemory  ... 19988480, 1048576, ) == 0x0
 01262  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01263   712   NtRegisterThreadTerminatePort  (24, ...
 01259  1808   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260  1700   NtTestAlert  ... ) == 0x0
 01264   464   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ...
 01262  1728   NtDuplicateObject  ... 192, ) == 0x0
 01263   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 01265  1256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01266  1700   NtContinue  (16842032, 1, ...
 01264   464   NtAllocateVirtualMemory  ... 21028864, 8192, ) == 0x0
 01267  1728   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01268   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01265  1256   NtDuplicateObject  ... 196, ) == 0x0
 01269  1700   NtRegisterThreadTerminatePort  (24, ...
 01270  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15789112, ... }, 15789112, ...
 01271   464   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ...
 01267  1728   NtWaitForSingleObject  ... ) == 0x102
 01272  1256   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01269  1700   NtRegisterThreadTerminatePort  ... ) == 0x0
 01271   464   NtProtectVirtualMemory  ... (0x140e000), 4096, 4, ) == 0x0
 01273  1728   NtWaitForSingleObject  (160, 0, 0x0, ...
 01272  1256   NtOpenKey  ... 200, ) == 0x0
 01274  1700   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01275   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01276  1256   NtQueryValueKey  (200,  (200, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01268   712   NtDuplicateObject  ... 204, ) == 0x0
 01275   464   NtCreateThread  ... 208, {1036, 1536}, ) == 0x0
 01276  1256   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   712   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01278   464   NtQueryInformationThread  (208, Basic, 28, ...
 01274  1700   NtDuplicateObject  ... 212, ) == 0x0
 01277   712   NtWaitForSingleObject  ... ) == 0x102
 01278   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1036,Tid=1536,}, 0x0, ) == 0x0
 01279  1700   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01280   712   NtWaitForSingleObject  (160, 0, 0x0, ...
 01281  1256   NtClose  (200, ...
 01279  1700   NtWaitForSingleObject  ... ) == 0x102
 01281  1256   NtClose  ... ) == 0x0
 01282  1700   NtWaitForSingleObject  (160, 0, 0x0, ...
 01283  1256   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01284  1256   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 01285  1256   NtWaitForSingleObject  (128, 0, 0x0, ...
 01286   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58030, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\4\0\0\0\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\4\0\0\0\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58031, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\4\0\0\0\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\4\0\0\0\6\0\0" )  ) == 0x0
 01287   464   NtResumeThread  (208, ... 1, ) == 0x0
 01288   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01289  1536   NtWaitForSingleObject  (128, 0, 0x0, ...
 01288   464   NtAllocateVirtualMemory  ... 21037056, 1048576, ) == 0x0
 01290   464   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0
 01291   464   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0
 01292   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1036, 1904}, ) == 0x0
 01293   464   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1036,Tid=1904,}, 0x0, ) == 0x0
 01294   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58031, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\14\4\0\0p\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\14\4\0\0p\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58032, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\14\4\0\0p\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\14\4\0\0p\7\0\0" )  ) == 0x0
 01295   464   NtResumeThread  (200, ... 1, ) == 0x0
 01296   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01297  1904   NtWaitForSingleObject  (128, 0, 0x0, ...
 01296   464   NtAllocateVirtualMemory  ... 22085632, 1048576, ) == 0x0
 01298   464   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ... 23126016, 8192, ) == 0x0
 01299   464   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ... (0x160e000), 4096, 4, ) == 0x0
 01300   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1036, 1936}, ) == 0x0
 01301   464   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1036,Tid=1936,}, 0x0, ) == 0x0
 01302   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58032, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\4\0\0\220\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\4\0\0\220\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58033, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\4\0\0\220\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\4\0\0\220\7\0\0" )  ) == 0x0
 01303   464   NtResumeThread  (216, ... 1, ) == 0x0
 01304   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0
 01305   464   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0
 01306  1936   NtWaitForSingleObject  (128, 0, 0x0, ...
 01307   464   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0
 01308   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1036, 1648}, ) == 0x0
 01309   464   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1036,Tid=1648,}, 0x0, ) == 0x0
 01310   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58033, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\4\0\0p\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\4\0\0p\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58034, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\4\0\0p\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\4\0\0p\6\0\0" )  ) == 0x0
 01311   464   NtResumeThread  (220, ... 1, ) == 0x0
 01312   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01313  1648   NtWaitForSingleObject  (128, 0, 0x0, ...
 01312   464   NtAllocateVirtualMemory  ... 24182784, 1048576, ) == 0x0
 01314   464   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ... 25223168, 8192, ) == 0x0
 01315   464   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ... (0x180e000), 4096, 4, ) == 0x0
 01316   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1036, 148}, ) == 0x0
 01317   464   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1036,Tid=148,}, 0x0, ) == 0x0
 01318   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58034, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\14\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\14\4\0\0\224\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58035, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\14\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\14\4\0\0\224\0\0\0" )  ) == 0x0
 01319   464   NtResumeThread  (224, ... 1, ) == 0x0
 01320   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0
 01321   464   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0
 01322   148   NtWaitForSingleObject  (128, 0, 0x0, ...
 01323   464   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0
 01324   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1036, 1828}, ) == 0x0
 01325   464   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1036,Tid=1828,}, 0x0, ) == 0x0
 01326   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58035, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\4\0\0$\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58036, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\4\0\0$\7\0\0" )  ) == 0x0
 01327   464   NtResumeThread  (228, ... 1, ) == 0x0
 01328   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01329  1828   NtWaitForSingleObject  (128, 0, 0x0, ...
 01328   464   NtAllocateVirtualMemory  ... 26279936, 1048576, ) == 0x0
 01330   464   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ... 27320320, 8192, ) == 0x0
 01331   464   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0
 01332   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1036, 1864}, ) == 0x0
 01333   464   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1036,Tid=1864,}, 0x0, ) == 0x0
 01334   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58036, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\4\0\0H\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58037, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\4\0\0H\7\0\0" )  ) == 0x0
 01335   464   NtResumeThread  (232, ... 1, ) == 0x0
 01336   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0
 01337   464   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0
 01338  1864   NtWaitForSingleObject  (128, 0, 0x0, ...
 01339   464   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0
 01340   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1036, 1896}, ) == 0x0
 01341   464   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1036,Tid=1896,}, 0x0, ) == 0x0
 01342   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58037, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\4\0\0h\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58038, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\4\0\0h\7\0\0" )  ) == 0x0
 01343   464   NtResumeThread  (236, ... 1, ) == 0x0
 01344   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01345  1896   NtWaitForSingleObject  (128, 0, 0x0, ...
 01344   464   NtAllocateVirtualMemory  ... 28377088, 1048576, ) == 0x0
 01346   464   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0
 01347   464   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0
 01348   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1036, 1524}, ) == 0x0
 01349   464   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1036,Tid=1524,}, 0x0, ) == 0x0
 01350   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58038, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\14\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\14\4\0\0\364\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58039, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\14\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\14\4\0\0\364\5\0\0" )  ) == 0x0
 01351   464   NtResumeThread  (240, ... 1, ) == 0x0
 01352   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0
 01353   464   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ... 30466048, 8192, ) == 0x0
 01354  1524   NtWaitForSingleObject  (128, 0, 0x0, ...
 01355   464   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0
 01356   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1036, 1944}, ) == 0x0
 01357   464   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1036,Tid=1944,}, 0x0, ) == 0x0
 01358   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58039, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\14\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\14\4\0\0\230\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58040, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\14\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\14\4\0\0\230\7\0\0" )  ) == 0x0
 01359   464   NtResumeThread  (244, ... 1, ) == 0x0
 01360   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01361  1944   NtWaitForSingleObject  (128, 0, 0x0, ...
 01360   464   NtAllocateVirtualMemory  ... 30474240, 1048576, ) == 0x0
 01362   464   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ... 31514624, 8192, ) == 0x0
 01363   464   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0
 01364   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1036, 2044}, ) == 0x0
 01365   464   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1036,Tid=2044,}, 0x0, ) == 0x0
 01366   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58040, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\14\4\0\0\374\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\14\4\0\0\374\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58041, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\14\4\0\0\374\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\14\4\0\0\374\7\0\0" )  ) == 0x0
 01367   464   NtResumeThread  (248, ... 1, ) == 0x0
 01368   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0
 01369   464   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0
 01370  2044   NtWaitForSingleObject  (128, 0, 0x0, ...
 01371   464   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0
 01372   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1036, 240}, ) == 0x0
 01373   464   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1036,Tid=240,}, 0x0, ) == 0x0
 01374   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58041, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\14\4\0\0\360\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\14\4\0\0\360\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58042, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\14\4\0\0\360\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\14\4\0\0\360\0\0\0" )  ) == 0x0
 01375   464   NtResumeThread  (252, ... 1, ) == 0x0
 01376   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01377   240   NtWaitForSingleObject  (128, 0, 0x0, ...
 01376   464   NtAllocateVirtualMemory  ... 32571392, 1048576, ) == 0x0
 01378   464   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0
 01379   464   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ... (0x200e000), 4096, 4, ) == 0x0
 01380   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1036, 968}, ) == 0x0
 01381   464   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1036,Tid=968,}, 0x0, ) == 0x0
 01382   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58042, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\14\4\0\0\310\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\14\4\0\0\310\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58043, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\14\4\0\0\310\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\14\4\0\0\310\3\0\0" )  ) == 0x0
 01270  1808   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15789112, ... ) }, 15789112, ... ) == 0x0
 01384  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 01385  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 260, ... 264, ) == 0x0
 01386  1808   NtQuerySection  (264, Image, 48, ...
 01387   464   NtResumeThread  (256, ... 1, ) == 0x0
 01388   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0
 01389   464   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0
 01390   464   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0
 01391   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 268, {1036, 308}, ) == 0x0
 01392   464   NtQueryInformationThread  (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1036,Tid=308,}, 0x0, ) == 0x0
 01386  1808   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01393   968   NtWaitForSingleObject  (128, 0, 0x0, ...
 01394  1808   NtClose  (260, ... ) == 0x0
 01395  1808   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01396  1808   NtClose  (264, ... ) == 0x0
 01397  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01398  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01399  1808   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01400   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58043, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\14\4\0\04\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\14\4\0\04\1\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58044, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\14\4\0\04\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\14\4\0\04\1\0\0" )  ) == 0x0
 01401   464   NtResumeThread  (268, ... 1, ) == 0x0
 01402   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34668544, 1048576, ) == 0x0
 01403   464   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ... 35708928, 8192, ) == 0x0
 01404   464   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ... (0x220e000), 4096, 4, ) == 0x0
 01405   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01399  1808   NtFlushInstructionCache  ... ) == 0x0
 01406   308   NtWaitForSingleObject  (128, 0, 0x0, ...
 01407  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01408  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01409  1808   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01410  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01411  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01412  1808   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01405   464   NtCreateThread  ... 264, {1036, 764}, ) == 0x0
 01413   464   NtQueryInformationThread  (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1036,Tid=764,}, 0x0, ) == 0x0
 01414   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58044, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\14\4\0\0\374\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\14\4\0\0\374\2\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58045, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\14\4\0\0\374\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\14\4\0\0\374\2\0\0" )  ) == 0x0
 01415   464   NtResumeThread  (264, ... 1, ) == 0x0
 01416   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35717120, 1048576, ) == 0x0
 01417   464   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ... 36757504, 8192, ) == 0x0
 01412  1808   NtFlushInstructionCache  ... ) == 0x0
 01418   764   NtWaitForSingleObject  (128, 0, 0x0, ...
 01419  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01420  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01421  1808   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01422  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01423  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01424  1808   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01425   464   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ... (0x230e000), 4096, 4, ) == 0x0
 01426   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 260, {1036, 2000}, ) == 0x0
 01427   464   NtQueryInformationThread  (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1036,Tid=2000,}, 0x0, ) == 0x0
 01428   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58045, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\14\4\0\0\320\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\14\4\0\0\320\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58046, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\14\4\0\0\320\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\14\4\0\0\320\7\0\0" )  ) == 0x0
 01429   464   NtResumeThread  (260, ... 1, ) == 0x0
 01430   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01424  1808   NtFlushInstructionCache  ... ) == 0x0
 01431  2000   NtWaitForSingleObject  (128, 0, 0x0, ...
 01432  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01433  1808   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01434  1808   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01435  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436  1808   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 272, 2, ) }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 272, 2, ) , 0, ... 272, 2, ) == 0x0
 01437  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01430   464   NtAllocateVirtualMemory  ... 36765696, 1048576, ) == 0x0
 01438   464   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ... 37806080, 8192, ) == 0x0
 01439   464   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ... (0x240e000), 4096, 4, ) == 0x0
 01440   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 276, {1036, 1852}, ) == 0x0
 01441   464   NtQueryInformationThread  (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1036,Tid=1852,}, 0x0, ) == 0x0
 01442   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58046, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\14\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\14\4\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58047, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\14\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\14\4\0\0<\7\0\0" )  ) == 0x0
 01437  1808   NtOpenKey  ... 280, ) == 0x0
 01443  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444  1808   NtQueryValueKey  (280,  (280, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445  1808   NtQueryValueKey  (272,  (272, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446  1808   NtQueryValueKey  (280,  (280, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447  1808   NtQueryValueKey  (272,  (272, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01448  1808   NtQueryValueKey  (280,  (280, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ...
 01449   464   NtResumeThread  (276, ... 1, ) == 0x0
 01450   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37814272, 1048576, ) == 0x0
 01451   464   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ... 38854656, 8192, ) == 0x0
 01452   464   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ... (0x250e000), 4096, 4, ) == 0x0
 01453   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 284, {1036, 1420}, ) == 0x0
 01454   464   NtQueryInformationThread  (284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1036,Tid=1420,}, 0x0, ) == 0x0
 01448  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455  1852   NtWaitForSingleObject  (128, 0, 0x0, ...
 01456  1808   NtQueryValueKey  (272,  (272, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457  1808   NtQueryValueKey  (280,  (280, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01458  1808   NtQueryValueKey  (272,  (272, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1808   NtQueryValueKey  (280,  (280, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460  1808   NtQueryValueKey  (280,  (280, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461  1808   NtQueryValueKey  (280,  (280, "ScreenUnreachableServers", Partial, 144, ... , Partial, 144, ...
 01462   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58047, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\14\4\0\0\214\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\14\4\0\0\214\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58048, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\14\4\0\0\214\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\14\4\0\0\214\5\0\0" )  ) == 0x0
 01463   464   NtResumeThread  (284, ... 1, ) == 0x0
 01464   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38862848, 1048576, ) == 0x0
 01465   464   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ... 39903232, 8192, ) == 0x0
 01466   464   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ... (0x260e000), 4096, 4, ) == 0x0
 01467   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01461  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468  1420   NtWaitForSingleObject  (128, 0, 0x0, ...
 01469  1808   NtQueryValueKey  (280,  (280, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470  1808   NtQueryValueKey  (280,  (280, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01471  1808   NtQueryValueKey  (280,  (280, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472  1808   NtQueryValueKey  (280,  (280, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1808   NtQueryValueKey  (280,  (280, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474  1808   NtQueryValueKey  (280,  (280, "RegistrationEnabled", Partial, 144, ... , Partial, 144, ...
 01467   464   NtCreateThread  ... 288, {1036, 164}, ) == 0x0
 01475   464   NtQueryInformationThread  (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1036,Tid=164,}, 0x0, ) == 0x0
 01476   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58048, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\14\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\14\4\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58049, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\14\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\14\4\0\0\244\0\0\0" )  ) == 0x0
 01477   464   NtResumeThread  (288, ... 1, ) == 0x0
 01478   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39911424, 1048576, ) == 0x0
 01479   464   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ... 40951808, 8192, ) == 0x0
 01474  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   164   NtWaitForSingleObject  (128, 0, 0x0, ...
 01481  1808   NtQueryValueKey  (272,  (272, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482  1808   NtQueryValueKey  (280,  (280, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483  1808   NtQueryValueKey  (280,  (280, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1808   NtQueryValueKey  (272,  (272, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485  1808   NtQueryValueKey  (280,  (280, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01486  1808   NtQueryValueKey  (272,  (272, "DisableReverseAddressRegistrations", Partial, 144, ... , Partial, 144, ...
 01487   464   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ... (0x270e000), 4096, 4, ) == 0x0
 01488   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 292, {1036, 1564}, ) == 0x0
 01489   464   NtQueryInformationThread  (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1036,Tid=1564,}, 0x0, ) == 0x0
 01490   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58049, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\14\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\14\4\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58050, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\14\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\14\4\0\0\34\6\0\0" )  ) == 0x0
 01491   464   NtResumeThread  (292, ... 1, ) == 0x0
 01492   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01486  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493  1564   NtWaitForSingleObject  (128, 0, 0x0, ...
 01494  1808   NtQueryValueKey  (280,  (280, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495  1808   NtQueryValueKey  (272,  (272, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496  1808   NtQueryValueKey  (280,  (280, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497  1808   NtQueryValueKey  (272,  (272, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01498  1808   NtQueryValueKey  (280,  (280, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499  1808   NtQueryValueKey  (272,  (272, "DefaultRegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ...
 01492   464   NtAllocateVirtualMemory  ... 40960000, 1048576, ) == 0x0
 01500   464   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ... 42000384, 8192, ) == 0x0
 01501   464   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ... (0x280e000), 4096, 4, ) == 0x0
 01502   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 296, {1036, 1592}, ) == 0x0
 01503   464   NtQueryInformationThread  (296, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1036,Tid=1592,}, 0x0, ) == 0x0
 01504   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58050, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\14\4\0\08\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\14\4\0\08\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58051, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\14\4\0\08\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\14\4\0\08\6\0\0" )  ) == 0x0
 01499  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505  1808   NtQueryValueKey  (280,  (280, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506  1808   NtQueryValueKey  (272,  (272, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507  1808   NtQueryValueKey  (280,  (280, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508  1808   NtQueryValueKey  (272,  (272, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509  1808   NtQueryValueKey  (280,  (280, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510  1808   NtQueryValueKey  (280,  (280, "UpdateTopLevelDomainZones", Partial, 144, ... , Partial, 144, ...
 01511   464   NtResumeThread  (296, ... 1, ) == 0x0
 01512   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 42008576, 1048576, ) == 0x0
 01513   464   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ... 43048960, 8192, ) == 0x0
 01514   464   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ... (0x290e000), 4096, 4, ) == 0x0
 01515   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 300, {1036, 2032}, ) == 0x0
 01516   464   NtQueryInformationThread  (300, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1036,Tid=2032,}, 0x0, ) == 0x0
 01510  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517  1592   NtWaitForSingleObject  (128, 0, 0x0, ...
 01518  1808   NtQueryValueKey  (280,  (280, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519  1808   NtQueryValueKey  (280,  (280, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01520  1808   NtQueryValueKey  (280,  (280, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01521  1808   NtQueryValueKey  (280,  (280, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01522  1808   NtQueryValueKey  (280,  (280, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01523  1808   NtQueryValueKey  (280,  (280, "ServerPriorityTimeLimit", Partial, 144, ... , Partial, 144, ...
 01524   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58051, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\14\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\14\4\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58052, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\14\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\14\4\0\0\360\7\0\0" )  ) == 0x0
 01525   464   NtResumeThread  (300, ... 1, ) == 0x0
 01526   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 43057152, 1048576, ) == 0x0
 01527   464   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0
 01528   464   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ... (0x2a0e000), 4096, 4, ) == 0x0
 01529   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01523  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01530  2032   NtWaitForSingleObject  (128, 0, 0x0, ...
 01531  1808   NtQueryValueKey  (280,  (280, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  1808   NtQueryValueKey  (280,  (280, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533  1808   NtQueryValueKey  (280,  (280, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534  1808   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01535  1808   NtQueryValueKey  (304,  (304, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01536  1808   NtClose  (304, ...
 01529   464   NtCreateThread  ... 308, {1036, 1500}, ) == 0x0
 01537   464   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1036,Tid=1500,}, 0x0, ) == 0x0
 01538   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58052, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\14\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\14\4\0\0\334\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58053, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\14\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\14\4\0\0\334\5\0\0" )  ) == 0x0
 01539   464   NtResumeThread  (308, ... 1, ) == 0x0
 01540   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 44105728, 1048576, ) == 0x0
 01541   464   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ... 45146112, 8192, ) == 0x0
 01536  1808   NtClose  ... ) == 0x0
 01542  1500   NtWaitForSingleObject  (128, 0, 0x0, ...
 01543  1808   NtClose  (272, ... ) == 0x0
 01544  1808   NtClose  (280, ... ) == 0x0
 01545  1808   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 280, ) }, ... 280, ) == 0x0
 01546  1808   NtQueryValueKey  (280,  (280, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547  1808   NtQueryValueKey  (280,  (280, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548  1808   NtQueryValueKey  (280,  (280, "DnsMulticastQueryTimeouts", Partial, 144, ... , Partial, 144, ...
 01549   464   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ... (0x2b0e000), 4096, 4, ) == 0x0
 01550   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 272, {1036, 932}, ) == 0x0
 01551   464   NtQueryInformationThread  (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1036,Tid=932,}, 0x0, ) == 0x0
 01552   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58053, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\14\4\0\0\244\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\14\4\0\0\244\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58054, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\14\4\0\0\244\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\14\4\0\0\244\3\0\0" )  ) == 0x0
 01548  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553  1808   NtClose  (280, ... ) == 0x0
 01554  1808   NtSetEventBoostPriority  (128, ...
 01261  1356   NtWaitForSingleObject  ... ) == 0x0
 01555  1356   NtSetEventBoostPriority  (128, ...
 01285  1256   NtWaitForSingleObject  ... ) == 0x0
 01556  1256   NtSetEventBoostPriority  (128, ...
 01289  1536   NtWaitForSingleObject  ... ) == 0x0
 01557  1536   NtSetEventBoostPriority  (128, ...
 01297  1904   NtWaitForSingleObject  ... ) == 0x0
 01558  1904   NtSetEventBoostPriority  (128, ...
 01306  1936   NtWaitForSingleObject  ... ) == 0x0
 01559  1936   NtSetEventBoostPriority  (128, ...
 01313  1648   NtWaitForSingleObject  ... ) == 0x0
 01560  1648   NtSetEventBoostPriority  (128, ...
 01322   148   NtWaitForSingleObject  ... ) == 0x0
 01561   148   NtSetEventBoostPriority  (128, ...
 01329  1828   NtWaitForSingleObject  ... ) == 0x0
 01562  1828   NtSetEventBoostPriority  (128, ...
 01338  1864   NtWaitForSingleObject  ... ) == 0x0
 01563  1864   NtSetEventBoostPriority  (128, ...
 01345  1896   NtWaitForSingleObject  ... ) == 0x0
 01564  1896   NtSetEventBoostPriority  (128, ...
 01354  1524   NtWaitForSingleObject  ... ) == 0x0
 01565  1524   NtSetEventBoostPriority  (128, ...
 01361  1944   NtWaitForSingleObject  ... ) == 0x0
 01566  1944   NtSetEventBoostPriority  (128, ...
 01370  2044   NtWaitForSingleObject  ... ) == 0x0
 01567  2044   NtSetEventBoostPriority  (128, ...
 01377   240   NtWaitForSingleObject  ... ) == 0x0
 01568   240   NtSetEventBoostPriority  (128, ...
 01393   968   NtWaitForSingleObject  ... ) == 0x0
 01569   968   NtSetEventBoostPriority  (128, ...
 01406   308   NtWaitForSingleObject  ... ) == 0x0
 01570   308   NtSetEventBoostPriority  (128, ...
 01418   764   NtWaitForSingleObject  ... ) == 0x0
 01571   764   NtSetEventBoostPriority  (128, ...
 01431  2000   NtWaitForSingleObject  ... ) == 0x0
 01572  2000   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ... 3624960, 4096, ) == 0x0
 01571   764   NtSetEventBoostPriority  ... ) == 0x0
 01570   308   NtSetEventBoostPriority  ... ) == 0x0
 01569   968   NtSetEventBoostPriority  ... ) == 0x0
 01568   240   NtSetEventBoostPriority  ... ) == 0x0
 01567  2044   NtSetEventBoostPriority  ... ) == 0x0
 01566  1944   NtSetEventBoostPriority  ... ) == 0x0
 01565  1524   NtSetEventBoostPriority  ... ) == 0x0
 01564  1896   NtSetEventBoostPriority  ... ) == 0x0
 01563  1864   NtSetEventBoostPriority  ... ) == 0x0
 01562  1828   NtSetEventBoostPriority  ... ) == 0x0
 01561   148   NtSetEventBoostPriority  ... ) == 0x0
 01560  1648   NtSetEventBoostPriority  ... ) == 0x0
 01559  1936   NtSetEventBoostPriority  ... ) == 0x0
 01558  1904   NtSetEventBoostPriority  ... ) == 0x0
 01557  1536   NtSetEventBoostPriority  ... ) == 0x0
 01555  1356   NtSetEventBoostPriority  ... ) == 0x0
 01554  1808   NtSetEventBoostPriority  ... ) == 0x0
 01556  1256   NtSetEventBoostPriority  ... ) == 0x0
 01573   464   NtResumeThread  (272, ...
 01574  2000   NtSetEventBoostPriority  (128, ...
 01575   764   NtTestAlert  (...
 01576   308   NtTestAlert  (...
 01577   968   NtTestAlert  (...
 01578   240   NtTestAlert  (...
 01579  2044   NtTestAlert  (...
 01580  1944   NtTestAlert  (...
 01581  1524   NtTestAlert  (...
 01582  1896   NtTestAlert  (...
 01583  1864   NtTestAlert  (...
 01584  1828   NtTestAlert  (...
 01585   148   NtTestAlert  (...
 01586  1648   NtTestAlert  (...
 01587  1936   NtTestAlert  (...
 01588  1904   NtTestAlert  (...
 01589  1536   NtTestAlert  (...
 01590  1808   NtWaitForSingleObject  (128, 0, 0x0, ...
 01591  1256   NtWaitForSingleObject  (128, 0, 0x0, ...
 01573   464   NtResumeThread  ... 1, ) == 0x0
 01455  1852   NtWaitForSingleObject  ... ) == 0x0
 01574  2000   NtSetEventBoostPriority  ... ) == 0x0
 01575   764   NtTestAlert  ... ) == 0x0
 01576   308   NtTestAlert  ... ) == 0x0
 01577   968   NtTestAlert  ... ) == 0x0
 01578   240   NtTestAlert  ... ) == 0x0
 01579  2044   NtTestAlert  ... ) == 0x0
 01580  1944   NtTestAlert  ... ) == 0x0
 01581  1524   NtTestAlert  ... ) == 0x0
 01582  1896   NtTestAlert  ... ) == 0x0
 01583  1864   NtTestAlert  ... ) == 0x0
 01584  1828   NtTestAlert  ... ) == 0x0
 01585   148   NtTestAlert  ... ) == 0x0
 01586  1648   NtTestAlert  ... ) == 0x0
 01587  1936   NtTestAlert  ... ) == 0x0
 01588  1904   NtTestAlert  ... ) == 0x0
 01589  1536   NtTestAlert  ... ) == 0x0
 01592  1356   NtTestAlert  (...
 01593   932   NtWaitForSingleObject  (128, 0, 0x0, ...
 01594  1852   NtSetEventBoostPriority  (128, ...
 01595   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01596  2000   NtTestAlert  (...
 01597   764   NtContinue  (35716400, 1, ...
 01598   308   NtContinue  (34667824, 1, ...
 01599   968   NtContinue  (33619248, 1, ...
 01600   240   NtContinue  (32570672, 1, ...
 01601  2044   NtContinue  (31522096, 1, ...
 01602  1944   NtContinue  (30473520, 1, ...
 01603  1524   NtContinue  (29424944, 1, ...
 01604  1896   NtContinue  (28376368, 1, ...
 01605  1864   NtContinue  (27327792, 1, ...
 01606  1828   NtContinue  (26279216, 1, ...
 01607   148   NtContinue  (25230640, 1, ...
 01608  1648   NtContinue  (24182064, 1, ...
 01609  1936   NtContinue  (23133488, 1, ...
 01610  1904   NtContinue  (22084912, 1, ...
 01611  1536   NtContinue  (21036336, 1, ...
 01592  1356   NtTestAlert  ... ) == 0x0
 01468  1420   NtWaitForSingleObject  ... ) == 0x0
 01594  1852   NtSetEventBoostPriority  ... ) == 0x0
 01595   464   NtAllocateVirtualMemory  ... 45154304, 1048576, ) == 0x0
 01596  2000   NtTestAlert  ... ) == 0x0
 01612   764   NtRegisterThreadTerminatePort  (24, ...
 01613   308   NtRegisterThreadTerminatePort  (24, ...
 01614   968   NtRegisterThreadTerminatePort  (24, ...
 01615   240   NtRegisterThreadTerminatePort  (24, ...
 01616  2044   NtRegisterThreadTerminatePort  (24, ...
 01617  1944   NtRegisterThreadTerminatePort  (24, ...
 01618  1524   NtRegisterThreadTerminatePort  (24, ...
 01619  1896   NtRegisterThreadTerminatePort  (24, ...
 01620  1864   NtRegisterThreadTerminatePort  (24, ...
 01621  1828   NtRegisterThreadTerminatePort  (24, ...
 01622   148   NtRegisterThreadTerminatePort  (24, ...
 01623  1648   NtRegisterThreadTerminatePort  (24, ...
 01624  1936   NtRegisterThreadTerminatePort  (24, ...
 01625  1904   NtRegisterThreadTerminatePort  (24, ...
 01626  1536   NtRegisterThreadTerminatePort  (24, ...
 01627  1420   NtSetEventBoostPriority  (128, ...
 01628  1356   NtContinue  (19987760, 1, ...
 01629   464   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ...
 01630  2000   NtContinue  (36764976, 1, ...
 01612   764   NtRegisterThreadTerminatePort  ... ) == 0x0
 01613   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01614   968   NtRegisterThreadTerminatePort  ... ) == 0x0
 01615   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 01616  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01617  1944   NtRegisterThreadTerminatePort  ... ) == 0x0
 01618  1524   NtRegisterThreadTerminatePort  ... ) == 0x0
 01619  1896   NtRegisterThreadTerminatePort  ... ) == 0x0
 01620  1864   NtRegisterThreadTerminatePort  ... ) == 0x0
 01621  1828   NtRegisterThreadTerminatePort  ... ) == 0x0
 01622   148   NtRegisterThreadTerminatePort  ... ) == 0x0
 01623  1648   NtRegisterThreadTerminatePort  ... ) == 0x0
 01624  1936   NtRegisterThreadTerminatePort  ... ) == 0x0
 01625  1904   NtRegisterThreadTerminatePort  ... ) == 0x0
 01480   164   NtWaitForSingleObject  ... ) == 0x0
 01627  1420   NtSetEventBoostPriority  ... ) == 0x0
 01626  1536   NtRegisterThreadTerminatePort  ... ) == 0x0
 01631  1356   NtRegisterThreadTerminatePort  (24, ...
 01629   464   NtAllocateVirtualMemory  ... 46194688, 8192, ) == 0x0
 01632  2000   NtRegisterThreadTerminatePort  (24, ...
 01633   764   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01634   308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01635   968   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01636   240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01637  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01638  1944   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01639  1524   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01640  1896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01641  1864   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01642  1828   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01643   148   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01644  1648   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01645  1936   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01646   164   NtSetEventBoostPriority  (128, ...
 01647  1904   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01648  1852   NtTestAlert  (...
 01649  1536   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01631  1356   NtRegisterThreadTerminatePort  ... ) == 0x0
 01650  1420   NtTestAlert  (...
 01651   464   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ...
 01632  2000   NtRegisterThreadTerminatePort  ... ) == 0x0
 01633   764   NtDuplicateObject  ... 280, ) == 0x0
 01634   308   NtDuplicateObject  ... 304, ) == 0x0
 01635   968   NtDuplicateObject  ... 312, ) == 0x0
 01636   240   NtDuplicateObject  ... 316, ) == 0x0
 01637  2044   NtDuplicateObject  ... 320, ) == 0x0
 01638  1944   NtDuplicateObject  ... 324, ) == 0x0
 01639  1524   NtDuplicateObject  ... 328, ) == 0x0
 01640  1896   NtDuplicateObject  ... 332, ) == 0x0
 01641  1864   NtDuplicateObject  ... 336, ) == 0x0
 01642  1828   NtDuplicateObject  ... 340, ) == 0x0
 01643   148   NtDuplicateObject  ... 344, ) == 0x0
 01644  1648   NtDuplicateObject  ... 348, ) == 0x0
 01493  1564   NtWaitForSingleObject  ... ) == 0x0
 01646   164   NtSetEventBoostPriority  ... ) == 0x0
 01645  1936   NtDuplicateObject  ... 352, ) == 0x0
 01648  1852   NtTestAlert  ... ) == 0x0
 01647  1904   NtDuplicateObject  ... 356, ) == 0x0
 01652  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01650  1420   NtTestAlert  ... ) == 0x0
 01651   464   NtProtectVirtualMemory  ... (0x2c0e000), 4096, 4, ) == 0x0
 01653  2000   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01654   764   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01655   308   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01656   968   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01657   240   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01658  2044   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01659  1944   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01660  1524   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01661  1896   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01662  1864   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01663  1828   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01664   148   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01665  1564   NtSetEventBoostPriority  (128, ...
 01666  1648   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01649  1536   NtDuplicateObject  ... 360, ) == 0x0
 01667  1936   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01668  1852   NtContinue  (37813552, 1, ...
 01669  1904   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01670   164   NtTestAlert  (...
 01671  1420   NtContinue  (38862128, 1, ...
 01672   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01653  2000   NtDuplicateObject  ... 364, ) == 0x0
 01654   764   NtWaitForSingleObject  ... ) == 0x102
 01655   308   NtWaitForSingleObject  ... ) == 0x102
 01656   968   NtWaitForSingleObject  ... ) == 0x102
 01657   240   NtWaitForSingleObject  ... ) == 0x102
 01658  2044   NtWaitForSingleObject  ... ) == 0x102
 01659  1944   NtWaitForSingleObject  ... ) == 0x102
 01660  1524   NtWaitForSingleObject  ... ) == 0x102
 01661  1896   NtWaitForSingleObject  ... ) == 0x102
 01662  1864   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01663  1828   NtCreateEvent  ... 368, ) == 0x0
 01517  1592   NtWaitForSingleObject  ... ) == 0x0
 01665  1564   NtSetEventBoostPriority  ... ) == 0x0
 01664   148   NtCreateEvent  ... 372, ) == 0x0
 01666  1648   NtCreateEvent  ... 376, ) == 0x0
 01673  1536   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01667  1936   NtCreateEvent  ... 380, ) == 0x0
 01674  1852   NtRegisterThreadTerminatePort  (24, ...
 01669  1904   NtCreateEvent  ... 384, ) == 0x0
 01670   164   NtTestAlert  ... ) == 0x0
 01675  1420   NtRegisterThreadTerminatePort  (24, ...
 01672   464   NtCreateThread  ... 388, {1036, 1780}, ) == 0x0
 01676  2000   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01677   764   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01678   308   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01679   968   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01680   240   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01681  2044   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01682  1944   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01683  1524   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01684  1896   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01685  1864   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01686  1592   NtSetEventBoostPriority  (128, ...
 01687  1828   NtWaitForSingleObject  (368, 0, 0x0, ...
 01652  1356   NtDuplicateObject  ... 392, ) == 0x0
 01688   148   NtClose  (372, ...
 01689  1648   NtClose  (376, ...
 01673  1536   NtCreateEvent  ... 396, ) == 0x0
 01690  1936   NtClose  (380, ...
 01674  1852   NtRegisterThreadTerminatePort  ... ) == 0x0
 01691  1904   NtClose  (384, ...
 01692   164   NtContinue  (39910704, 1, ...
 01675  1420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01693   464   NtQueryInformationThread  (388, Basic, 28, ...
 01676  2000   NtCreateEvent  ... 400, ) == 0x0
 01677   764   NtCreateEvent  ... 404, ) == 0x0
 01678   308   NtCreateEvent  ... 408, ) == 0x0
 01679   968   NtCreateEvent  ... 412, ) == 0x0
 01680   240   NtCreateEvent  ... 416, ) == 0x0
 01681  2044   NtCreateEvent  ... 420, ) == 0x0
 01682  1944   NtCreateEvent  ... 424, ) == 0x0
 01683  1524   NtCreateEvent  ... 428, ) == 0x0
 01684  1896   NtCreateEvent  ... 432, ) == 0x0
 01530  2032   NtWaitForSingleObject  ... ) == 0x0
 01686  1592   NtSetEventBoostPriority  ... ) == 0x0
 01685  1864   NtCreateEvent  ... 436, ) == 0x0
 01694  1356   NtWaitForSingleObject  (368, 0, 0x0, ...
 01688   148   NtClose  ... ) == 0x0
 01689  1648   NtClose  ... ) == 0x0
 01695  1536   NtClose  (396, ...
 01690  1936   NtClose  ... ) == 0x0
 01696  1852   NtWaitForSingleObject  (368, 0, 0x0, ...
 01691  1904   NtClose  ... ) == 0x0
 01697   164   NtRegisterThreadTerminatePort  (24, ...
 01698  1420   NtWaitForSingleObject  (368, 0, 0x0, ...
 01693   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1036,Tid=1780,}, 0x0, ) == 0x0
 01699  2000   NtClose  (400, ...
 01700  1564   NtTestAlert  (...
 01701   764   NtClose  (404, ...
 01702   308   NtClose  (408, ...
 01703   968   NtClose  (412, ...
 01704   240   NtClose  (416, ...
 01705  2044   NtClose  (420, ...
 01706  1944   NtClose  (424, ...
 01707  1524   NtClose  (428, ...
 01708  2032   NtSetEventBoostPriority  (128, ...
 01709  1896   NtClose  (432, ...
 01710  1864   NtClose  (436, ...
 01711   148   NtWaitForSingleObject  (368, 0, 0x0, ...
 01712  1648   NtWaitForSingleObject  (368, 0, 0x0, ...
 01695  1536   NtClose  ... ) == 0x0
 01713  1936   NtWaitForSingleObject  (368, 0, 0x0, ...
 01714  1592   NtTestAlert  (...
 01715  1904   NtWaitForSingleObject  (368, 0, 0x0, ...
 01697   164   NtRegisterThreadTerminatePort  ... ) == 0x0
 01716   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58054, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\14\4\0\0\364\6\0\0" ...  ...
 01700  1564   NtTestAlert  ... ) == 0x0
 01701   764   NtClose  ... ) == 0x0
 01702   308   NtClose  ... ) == 0x0
 01703   968   NtClose  ... ) == 0x0
 01704   240   NtClose  ... ) == 0x0
 01705  2044   NtClose  ... ) == 0x0
 01706  1944   NtClose  ... ) == 0x0
 01542  1500   NtWaitForSingleObject  ... ) == 0x0
 01708  2032   NtSetEventBoostPriority  ... ) == 0x0
 01707  1524   NtClose  ... ) == 0x0
 01709  1896   NtClose  ... ) == 0x0
 01699  2000   NtClose  ... ) == 0x0
 01710  1864   NtClose  ... ) == 0x0
 01717  1536   NtWaitForSingleObject  (368, 0, 0x0, ...
 01714  1592   NtTestAlert  ... ) == 0x0
 01718   164   NtWaitForSingleObject  (368, 0, 0x0, ...
 01716   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58055, 0}  ... {28, 56, reply, 0, 1036, 464, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\14\4\0\0\364\6\0\0" )  ) == 0x0
 01719  1564   NtContinue  (40959280, 1, ...
 01720   764   NtWaitForSingleObject  (368, 0, 0x0, ...
 01721   308   NtWaitForSingleObject  (368, 0, 0x0, ...
 01722   968   NtWaitForSingleObject  (368, 0, 0x0, ...
 01723   240   NtWaitForSingleObject  (368, 0, 0x0, ...
 01724  2044   NtWaitForSingleObject  (368, 0, 0x0, ...
 01725  1500   NtSetEventBoostPriority  (128, ...
 01726  1944   NtWaitForSingleObject  (368, 0, 0x0, ...
 01727  1524   NtWaitForSingleObject  (368, 0, 0x0, ...
 01728  1896   NtWaitForSingleObject  (368, 0, 0x0, ...
 01729  2000   NtWaitForSingleObject  (368, 0, 0x0, ...
 01730  1864   NtSetEventBoostPriority  (368, ...
 01731  2032   NtTestAlert  (...
 01732  1592   NtContinue  (42007856, 1, ...
 01733   464   NtResumeThread  (388, ...
 01734  1564   NtRegisterThreadTerminatePort  (24, ...
 01590  1808   NtWaitForSingleObject  ... ) == 0x0
 01725  1500   NtSetEventBoostPriority  ... ) == 0x0
 01687  1828   NtWaitForSingleObject  ... ) == 0x0
 01730  1864   NtSetEventBoostPriority  ... ) == 0x0
 01731  2032   NtTestAlert  ... ) == 0x0
 01735  1592   NtRegisterThreadTerminatePort  (24, ...
 01733   464   NtResumeThread  ... 1, ) == 0x0
 01736  1808   NtSetEventBoostPriority  (128, ...
 01734  1564   NtRegisterThreadTerminatePort  ... ) == 0x0
 01737  1780   NtWaitForSingleObject  (128, 0, 0x0, ...
 01738  1828   NtSetEventBoostPriority  (368, ...
 01739  1864   NtWaitForSingleObject  (368, 0, 0x0, ...
 01740  2032   NtContinue  (43056432, 1, ...
 01735  1592   NtRegisterThreadTerminatePort  ... ) == 0x0
 01593   932   NtWaitForSingleObject  ... ) == 0x0
 01741   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01742  1564   NtWaitForSingleObject  (368, 0, 0x0, ...
 01694  1356   NtWaitForSingleObject  ... ) == 0x0
 01738  1828   NtSetEventBoostPriority  ... ) == 0x0
 01743  2032   NtRegisterThreadTerminatePort  (24, ...
 01744  1592   NtWaitForSingleObject  (368, 0, 0x0, ...
 01745   932   NtSetEventBoostPriority  (128, ...
 01736  1808   NtSetEventBoostPriority  ... ) == 0x0
 01746  1500   NtTestAlert  (...
 01741   464   NtAllocateVirtualMemory  ... 46202880, 1048576, ) == 0x0
 01747  1356   NtSetEventBoostPriority  (368, ...
 01743  2032   NtRegisterThreadTerminatePort  ... ) == 0x0
 01748  1828   NtWaitForSingleObject  (368, 0, 0x0, ...
 01591  1256   NtWaitForSingleObject  ... ) == 0x0
 01745   932   NtSetEventBoostPriority  ... ) == 0x0
 01749  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 01746  1500   NtTestAlert  ... ) == 0x0
 01696  1852   NtWaitForSingleObject  ... ) == 0x0
 01747  1356   NtSetEventBoostPriority  ... ) == 0x0
 01750   464   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ...
 01751  2032   NtWaitForSingleObject  (368, 0, 0x0, ...
 01752  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11595888, ... }, 11595888, ...
 01753  1852   NtSetEventBoostPriority  (368, ...
 01754  1500   NtContinue  (44105008, 1, ...
 01755   932   NtTestAlert  (...
 01750   464   NtAllocateVirtualMemory  ... 47243264, 8192, ) == 0x0
 01756  1356   NtWaitForSingleObject  (368, 0, 0x0, ...
 01752  1256   NtQueryAttributesFile  ... ) == 0x0
 01698  1420   NtWaitForSingleObject  ... ) == 0x0
 01757  1500   NtRegisterThreadTerminatePort  (24, ...
 01755   932   NtTestAlert  ... ) == 0x0
 01758   464   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ...
 01759  1256   NtSetEventBoostPriority  (128, ...
 01760  1420   NtSetEventBoostPriority  (368, ...
 01757  1500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01761   932   NtContinue  (45153584, 1, ...
 01737  1780   NtWaitForSingleObject  ... ) == 0x0
 01758   464   NtProtectVirtualMemory  ... (0x2d0e000), 4096, 4, ) == 0x0
 01711   148   NtWaitForSingleObject  ... ) == 0x0
 01762  1500   NtWaitForSingleObject  (368, 0, 0x0, ...
 01763   932   NtRegisterThreadTerminatePort  (24, ...
 01764  1780   NtTestAlert  (...
 01765   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01766   148   NtSetEventBoostPriority  (368, ...
 01760  1420   NtSetEventBoostPriority  ... ) == 0x0
 01759  1256   NtSetEventBoostPriority  ... ) == 0x0
 01753  1852   NtSetEventBoostPriority  ... ) == 0x0
 01763   932   NtRegisterThreadTerminatePort  ... ) == 0x0
 01764  1780   NtTestAlert  ... ) == 0x0
 01712  1648   NtWaitForSingleObject  ... ) == 0x0
 01767  1420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01766   148   NtSetEventBoostPriority  ... ) == 0x0
 01765   464   NtCreateThread  ... 436, {1036, 1644}, ) == 0x0
 01768  1852   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01769   932   NtWaitForSingleObject  (368, 0, 0x0, ...
 01770  1256   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01771  1648   NtSetEventBoostPriority  (368, ...
 01767  1420   NtDuplicateObject  ... 400, ) == 0x0
 01772   148   NtWaitForSingleObject  (368, 0, 0x0, ...
 01773   464   NtQueryInformationThread  (436, Basic, 28, ...
 01768  1852   NtDuplicateObject  ... 432, ) == 0x0
 01774  1780   NtContinue  (46202160, 1, ...
 01770  1256   NtOpenKey  ... 428, ) == 0x0
 01713  1936   NtWaitForSingleObject  ... ) == 0x0
 01771  1648   NtSetEventBoostPriority  ... ) == 0x0
 01773   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1036,Tid=1644,}, 0x0, ) == 0x0
 01775  1420   NtWaitForSingleObject  (368, 0, 0x0, ...
 01776  1780   NtRegisterThreadTerminatePort  (24, ...
 01777  1256   NtQueryValueKey  (428,  (428, "Transports", Partial, 144, ... , Partial, 144, ...
 01778  1936   NtSetEventBoostPriority  (368, ...
 01779  1648   NtWaitForSingleObject  (368, 0, 0x0, ...
 01780   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58055, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\14\4\0\0l\6\0\0" ...  ...
 01776  1780   NtRegisterThreadTerminatePort  ... ) == 0x0
 01777  1256   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01715  1904   NtWaitForSingleObject  ... ) == 0x0
 01780   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58056, 0}  ... {28, 56, reply, 0, 1036, 464, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\14\4\0\0l\6\0\0" )  ) == 0x0
 01781  1780   NtWaitForSingleObject  (368, 0, 0x0, ...
 01782  1256   NtQueryValueKey  (428,  (428, "Transports", Partial, 144, ... , Partial, 144, ...
 01783  1904   NtSetEventBoostPriority  (368, ...
 01778  1936   NtSetEventBoostPriority  ... ) == 0x0
 01784  1852   NtWaitForSingleObject  (368, 0, 0x0, ...
 01782  1256   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01717  1536   NtWaitForSingleObject  ... ) == 0x0
 01785  1936   NtWaitForSingleObject  (368, 0, 0x0, ...
 01783  1904   NtSetEventBoostPriority  ... ) == 0x0
 01786   464   NtResumeThread  (436, ...
 01787  1536   NtSetEventBoostPriority  (368, ...
 01788  1904   NtWaitForSingleObject  (368, 0, 0x0, ...
 01786   464   NtResumeThread  ... 1, ) == 0x0
 01720   764   NtWaitForSingleObject  ... ) == 0x0
 01789   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01790   764   NtSetEventBoostPriority  (368, ...
 01789   464   NtAllocateVirtualMemory  ... 47251456, 1048576, ) == 0x0
 01721   308   NtWaitForSingleObject  ... ) == 0x0
 01790   764   NtSetEventBoostPriority  ... ) == 0x0
 01791   308   NtSetEventBoostPriority  (368, ...
 01792   464   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ...
 01787  1536   NtSetEventBoostPriority  ... ) == 0x0
 01793  1256   NtClose  (428, ...
 01794  1644   NtTestAlert  (...
 01722   968   NtWaitForSingleObject  ... ) == 0x0
 01791   308   NtSetEventBoostPriority  ... ) == 0x0
 01792   464   NtAllocateVirtualMemory  ... 48291840, 8192, ) == 0x0
 01795  1536   NtWaitForSingleObject  (368, 0, 0x0, ...
 01793  1256   NtClose  ... ) == 0x0
 01796   968   NtSetEventBoostPriority  (368, ...
 01794  1644   NtTestAlert  ... ) == 0x0
 01797   764   NtWaitForSingleObject  (160, 0, 0x0, ...
 01798   308   NtWaitForSingleObject  (160, 0, 0x0, ...
 01723   240   NtWaitForSingleObject  ... ) == 0x0
 01796   968   NtSetEventBoostPriority  ... ) == 0x0
 01799  1256   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01800  1644   NtContinue  (47250736, 1, ...
 01801   240   NtSetEventBoostPriority  (368, ...
 01802   464   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ...
 01799  1256   NtOpenKey  ... 428, ) == 0x0
 01724  2044   NtWaitForSingleObject  ... ) == 0x0
 01801   240   NtSetEventBoostPriority  ... ) == 0x0
 01803  1644   NtRegisterThreadTerminatePort  (24, ...
 01802   464   NtProtectVirtualMemory  ... (0x2e0e000), 4096, 4, ) == 0x0
 01804  2044   NtSetEventBoostPriority  (368, ...
 01805  1256   NtQueryValueKey  (428,  (428, "Mapping", Partial, 144, ... , Partial, 144, ...
 01806   968   NtWaitForSingleObject  (160, 0, 0x0, ...
 01803  1644   NtRegisterThreadTerminatePort  ... ) == 0x0
 01726  1944   NtWaitForSingleObject  ... ) == 0x0
 01804  2044   NtSetEventBoostPriority  ... ) == 0x0
 01807   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01805  1256   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01808   240   NtWaitForSingleObject  (160, 0, 0x0, ...
 01809  1944   NtSetEventBoostPriority  (368, ...
 01810  1644   NtWaitForSingleObject  (368, 0, 0x0, ...
 01807   464   NtCreateThread  ... 424, {1036, 800}, ) == 0x0
 01811  2044   NtWaitForSingleObject  (160, 0, 0x0, ...
 01727  1524   NtWaitForSingleObject  ... ) == 0x0
 01809  1944   NtSetEventBoostPriority  ... ) == 0x0
 01812   464   NtQueryInformationThread  (424, Basic, 28, ...
 01813  1524   NtSetEventBoostPriority  (368, ...
 01814  1256   NtWaitForSingleObject  (368, 0, 0x0, ...
 01728  1896   NtWaitForSingleObject  ... ) == 0x0
 01813  1524   NtSetEventBoostPriority  ... ) == 0x0
 01812   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1036,Tid=800,}, 0x0, ) == 0x0
 01815  1896   NtSetEventBoostPriority  (368, ...
 01816  1944   NtWaitForSingleObject  (160, 0, 0x0, ...
 01817  1524   NtWaitForSingleObject  (160, 0, 0x0, ...
 01729  2000   NtWaitForSingleObject  ... ) == 0x0
 01815  1896   NtSetEventBoostPriority  ... ) == 0x0
 01818  2000   NtSetEventBoostPriority  (368, ...
 01819   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58056, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\14\4\0\0 \3\0\0" ...  ...
 01718   164   NtWaitForSingleObject  ... ) == 0x0
 01818  2000   NtSetEventBoostPriority  ... ) == 0x0
 01820   164   NtSetEventBoostPriority  (368, ...
 01819   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58057, 0}  ... {28, 56, reply, 0, 1036, 464, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\14\4\0\0 \3\0\0" )  ) == 0x0
 01821  1896   NtWaitForSingleObject  (160, 0, 0x0, ...
 01739  1864   NtWaitForSingleObject  ... ) == 0x0
 01822   464   NtResumeThread  (424, ...
 01823  1864   NtSetEventBoostPriority  (368, ...
 01822   464   NtResumeThread  ... 1, ) == 0x0
 01742  1564   NtWaitForSingleObject  ... ) == 0x0
 01823  1864   NtSetEventBoostPriority  ... ) == 0x0
 01824  1564   NtSetEventBoostPriority  (368, ...
 01825   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01820   164   NtSetEventBoostPriority  ... ) == 0x0
 01826  2000   NtWaitForSingleObject  (368, 0, 0x0, ...
 01827   800   NtTestAlert  (...
 01748  1828   NtWaitForSingleObject  ... ) == 0x0
 01824  1564   NtSetEventBoostPriority  ... ) == 0x0
 01828  1864   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01829   164   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01827   800   NtTestAlert  ... ) == 0x0
 01830  1828   NtSetEventBoostPriority  (368, ...
 01831  1564   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01828  1864   NtWaitForSingleObject  ... ) == 0x102
 01829   164   NtDuplicateObject  ... 420, ) == 0x0
 01832   800   NtContinue  (48299312, 1, ...
 01744  1592   NtWaitForSingleObject  ... ) == 0x0
 01830  1828   NtSetEventBoostPriority  ... ) == 0x0
 01831  1564   NtDuplicateObject  ... 416, ) == 0x0
 01833  1864   NtWaitForSingleObject  (368, 0, 0x0, ...
 01825   464   NtAllocateVirtualMemory  ... 48300032, 1048576, ) == 0x0
 01834  1592   NtSetEventBoostPriority  (368, ...
 01835   800   NtRegisterThreadTerminatePort  (24, ...
 01836  1828   NtWaitForSingleObject  (368, 0, 0x0, ...
 01837   164   NtWaitForSingleObject  (368, 0, 0x0, ...
 01749  1808   NtWaitForSingleObject  ... ) == 0x0
 01838   464   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ...
 01835   800   NtRegisterThreadTerminatePort  ... ) == 0x0
 01834  1592   NtSetEventBoostPriority  ... ) == 0x0
 01839  1564   NtWaitForSingleObject  (368, 0, 0x0, ...
 01840  1808   NtSetEventBoostPriority  (368, ...
 01838   464   NtAllocateVirtualMemory  ... 49340416, 8192, ) == 0x0
 01841  1592   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01756  1356   NtWaitForSingleObject  ... ) == 0x0
 01840  1808   NtSetEventBoostPriority  ... ) == 0x0
 01842   464   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ...
 01843  1356   NtSetEventBoostPriority  (368, ...
 01841  1592   NtDuplicateObject  ... 412, ) == 0x0
 01844   800   NtWaitForSingleObject  (368, 0, 0x0, ...
 01751  2032   NtWaitForSingleObject  ... ) == 0x0
 01843  1356   NtSetEventBoostPriority  ... ) == 0x0
 01842   464   NtProtectVirtualMemory  ... (0x2f0e000), 4096, 4, ) == 0x0
 01845  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 01846  2032   NtSetEventBoostPriority  (368, ...
 01847  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01848   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01762  1500   NtWaitForSingleObject  ... ) == 0x0
 01846  2032   NtSetEventBoostPriority  ... ) == 0x0
 01849  1592   NtWaitForSingleObject  (368, 0, 0x0, ...
 01847  1356   NtCreateEvent  ... 408, ) == 0x0
 01850  1500   NtSetEventBoostPriority  (368, ...
 01851  2032   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01852  1356   NtWaitForSingleObject  (408, 0, 0x0, ...
 01769   932   NtWaitForSingleObject  ... ) == 0x0
 01851  2032   NtDuplicateObject  ... 404, ) == 0x0
 01853   932   NtSetEventBoostPriority  (368, ...
 01850  1500   NtSetEventBoostPriority  ... ) == 0x0
 01848   464   NtCreateThread  ... 396, {1036, 888}, ) == 0x0
 01772   148   NtWaitForSingleObject  ... ) == 0x0
 01854  1500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01855   464   NtQueryInformationThread  (396, Basic, 28, ...
 01856   148   NtSetEventBoostPriority  (368, ...
 01854  1500   NtDuplicateObject  ... 384, ) == 0x0
 01855   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1036,Tid=888,}, 0x0, ) == 0x0
 01775  1420   NtWaitForSingleObject  ... ) == 0x0
 01856   148   NtSetEventBoostPriority  ... ) == 0x0
 01853   932   NtSetEventBoostPriority  ... ) == 0x0
 01857  2032   NtWaitForSingleObject  (368, 0, 0x0, ...
 01858  1420   NtSetEventBoostPriority  (368, ...
 01859   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58057, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\14\4\0\0x\3\0\0" ...  ...
 01860  1500   NtWaitForSingleObject  (368, 0, 0x0, ...
 01861   932   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01779  1648   NtWaitForSingleObject  ... ) == 0x0
 01858  1420   NtSetEventBoostPriority  ... ) == 0x0
 01859   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58058, 0}  ... {28, 56, reply, 0, 1036, 464, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\14\4\0\0x\3\0\0" )  ) == 0x0
 01862  1648   NtSetEventBoostPriority  (368, ...
 01861   932   NtDuplicateObject  ... 380, ) == 0x0
 01863  1420   NtWaitForSingleObject  (368, 0, 0x0, ...
 01864   148   NtWaitForSingleObject  (408, 0, 0x0, ...
 01781  1780   NtWaitForSingleObject  ... ) == 0x0
 01862  1648   NtSetEventBoostPriority  ... ) == 0x0
 01865   464   NtResumeThread  (396, ...
 01866   932   NtWaitForSingleObject  (368, 0, 0x0, ...
 01867  1780   NtSetEventBoostPriority  (368, ...
 01865   464   NtResumeThread  ... 1, ) == 0x0
 01784  1852   NtWaitForSingleObject  ... ) == 0x0
 01867  1780   NtSetEventBoostPriority  ... ) == 0x0
 01868  1852   NtSetEventBoostPriority  (368, ...
 01869   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01870  1648   NtWaitForSingleObject  (368, 0, 0x0, ...
 01871   888   NtTestAlert  (...
 01785  1936   NtWaitForSingleObject  ... ) == 0x0
 01868  1852   NtSetEventBoostPriority  ... ) == 0x0
 01869   464   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 01872  1936   NtSetEventBoostPriority  (368, ...
 01871   888   NtTestAlert  ... ) == 0x0
 01873  1852   NtWaitForSingleObject  (368, 0, 0x0, ...
 01788  1904   NtWaitForSingleObject  ... ) == 0x0
 01872  1936   NtSetEventBoostPriority  ... ) == 0x0
 01874   464   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ...
 01875   888   NtContinue  (49347888, 1, ...
 01876  1780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01877  1904   NtSetEventBoostPriority  (368, ...
 01874   464   NtAllocateVirtualMemory  ... 50388992, 8192, ) == 0x0
 01878   888   NtRegisterThreadTerminatePort  (24, ...
 01795  1536   NtWaitForSingleObject  ... ) == 0x0
 01877  1904   NtSetEventBoostPriority  ... ) == 0x0
 01876  1780   NtDuplicateObject  ... 376, ) == 0x0
 01879  1936   NtWaitForSingleObject  (368, 0, 0x0, ...
 01880  1536   NtSetEventBoostPriority  (368, ...
 01878   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 01881   464   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ...
 01882  1780   NtWaitForSingleObject  (368, 0, 0x0, ...
 01810  1644   NtWaitForSingleObject  ... ) == 0x0
 01880  1536   NtSetEventBoostPriority  ... ) == 0x0
 01883  1904   NtWaitForSingleObject  (368, 0, 0x0, ...
 01881   464   NtProtectVirtualMemory  ... (0x300e000), 4096, 4, ) == 0x0
 01884  1644   NtSetEventBoostPriority  (368, ...
 01885   888   NtWaitForSingleObject  (368, 0, 0x0, ...
 01814  1256   NtWaitForSingleObject  ... ) == 0x0
 01884  1644   NtSetEventBoostPriority  ... ) == 0x0
 01886   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01887  1256   NtSetEventBoostPriority  (368, ...
 01888  1644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01826  2000   NtWaitForSingleObject  ... ) == 0x0
 01887  1256   NtSetEventBoostPriority  ... ) == 0x0
 01886   464   NtCreateThread  ... 372, {1036, 1392}, ) == 0x0
 01889  1536   NtWaitForSingleObject  (368, 0, 0x0, ...
 01890  2000   NtSetEventBoostPriority  (368, ...
 01891  1256   NtQueryValueKey  (428,  (428, "Mapping", Partial, 144, ... , Partial, 144, ...
 01892   464   NtQueryInformationThread  (372, Basic, 28, ...
 01833  1864   NtWaitForSingleObject  ... ) == 0x0
 01890  2000   NtSetEventBoostPriority  ... ) == 0x0
 01888  1644   NtDuplicateObject  ... 440, ) == 0x0
 01893  1864   NtSetEventBoostPriority  (368, ...
 01892   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1036,Tid=1392,}, 0x0, ) == 0x0
 01894  2000   NtWaitForSingleObject  (368, 0, 0x0, ...
 01837   164   NtWaitForSingleObject  ... ) == 0x0
 01893  1864   NtSetEventBoostPriority  ... ) == 0x0
 01895  1644   NtWaitForSingleObject  (368, 0, 0x0, ...
 01891  1256   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01896   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58058, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\14\4\0\0p\5\0\0" ...  ...
 01897   164   NtSetEventBoostPriority  (368, ...
 01898  1256   NtWaitForSingleObject  (368, 0, 0x0, ...
 01836  1828   NtWaitForSingleObject  ... ) == 0x0
 01897   164   NtSetEventBoostPriority  ... ) == 0x0
 01896   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58059, 0}  ... {28, 56, reply, 0, 1036, 464, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\14\4\0\0p\5\0\0" )  ) == 0x0
 01899  1828   NtSetEventBoostPriority  (368, ...
 01900   164   NtWaitForSingleObject  (368, 0, 0x0, ...
 01839  1564   NtWaitForSingleObject  ... ) == 0x0
 01901   464   NtResumeThread  (372, ...
 01899  1828   NtSetEventBoostPriority  ... ) == 0x0
 01902  1864   NtWaitForSingleObject  (160, 0, 0x0, ...
 01903  1564   NtSetEventBoostPriority  (368, ...
 01901   464   NtResumeThread  ... 1, ) == 0x0
 01904  1828   NtSetEventBoostPriority  (408, ...
 01844   800   NtWaitForSingleObject  ... ) == 0x0
 01903  1564   NtSetEventBoostPriority  ... ) == 0x0
 01905   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01906   800   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01852  1356   NtWaitForSingleObject  ... ) == 0x0
 01904  1828   NtSetEventBoostPriority  ... ) == 0x0
 01907  1564   NtWaitForSingleObject  (368, 0, 0x0, ...
 01908  1392   NtTestAlert  (...
 01906   800   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01909  1356   NtWaitForSingleObject  (368, 0, 0x0, ...
 01905   464   NtAllocateVirtualMemory  ... 50397184, 1048576, ) == 0x0
 01910  1828   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01911   800   NtSetEventBoostPriority  (368, ...
 01908  1392   NtTestAlert  ... ) == 0x0
 01912   464   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ...
 01910  1828   NtWaitForSingleObject  ... ) == 0x102
 01913  1392   NtContinue  (50396464, 1, ...
 01912   464   NtAllocateVirtualMemory  ... 51437568, 8192, ) == 0x0
 01914  1828   NtWaitForSingleObject  (160, 0, 0x0, ...
 01915  1392   NtRegisterThreadTerminatePort  (24, ...
 01916   464   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ...
 01915  1392   NtRegisterThreadTerminatePort  ... ) == 0x0
 01916   464   NtProtectVirtualMemory  ... (0x310e000), 4096, 4, ) == 0x0
 01845  1808   NtWaitForSingleObject  ... ) == 0x0
 01911   800   NtSetEventBoostPriority  ... ) == 0x0
 01917   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01918  1808   NtSetEventBoostPriority  (368, ...
 01919   800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01920  1392   NtWaitForSingleObject  (368, 0, 0x0, ...
 01849  1592   NtWaitForSingleObject  ... ) == 0x0
 01918  1808   NtSetEventBoostPriority  ... ) == 0x0
 01919   800   NtDuplicateObject  ... 444, ) == 0x0
 01921  1592   NtSetEventBoostPriority  (368, ...
 01922  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 01857  2032   NtWaitForSingleObject  ... ) == 0x0
 01921  1592   NtSetEventBoostPriority  ... ) == 0x0
 01923   800   NtWaitForSingleObject  (368, 0, 0x0, ...
 01917   464   NtCreateThread  ... 448, {1036, 740}, ) == 0x0
 01924  2032   NtSetEventBoostPriority  (368, ...
 01925  1592   NtWaitForSingleObject  (368, 0, 0x0, ...
 01860  1500   NtWaitForSingleObject  ... ) == 0x0
 01924  2032   NtSetEventBoostPriority  ... ) == 0x0
 01926   464   NtQueryInformationThread  (448, Basic, 28, ...
 01927  1500   NtSetEventBoostPriority  (368, ...
 01928  2032   NtWaitForSingleObject  (368, 0, 0x0, ...
 01863  1420   NtWaitForSingleObject  ... ) == 0x0
 01927  1500   NtSetEventBoostPriority  ... ) == 0x0
 01926   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1036,Tid=740,}, 0x0, ) == 0x0
 01929  1420   NtSetEventBoostPriority  (368, ...
 01930  1500   NtWaitForSingleObject  (368, 0, 0x0, ...
 01866   932   NtWaitForSingleObject  ... ) == 0x0
 01931   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58059, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\14\4\0\0\344\2\0\0" ...  ...
 01929  1420   NtSetEventBoostPriority  ... ) == 0x0
 01932   932   NtSetEventBoostPriority  (368, ...
 01931   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58060, 0}  ... {28, 56, reply, 0, 1036, 464, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\14\4\0\0\344\2\0\0" )  ) == 0x0
 01933  1420   NtWaitForSingleObject  (408, 0, 0x0, ...
 01870  1648   NtWaitForSingleObject  ... ) == 0x0
 01932   932   NtSetEventBoostPriority  ... ) == 0x0
 01934  1648   NtSetEventBoostPriority  (368, ...
 01873  1852   NtWaitForSingleObject  ... ) == 0x0
 01935  1852   NtSetEventBoostPriority  (368, ...
 01879  1936   NtWaitForSingleObject  ... ) == 0x0
 01936  1936   NtSetEventBoostPriority  (368, ...
 01882  1780   NtWaitForSingleObject  ... ) == 0x0
 01937  1780   NtSetEventBoostPriority  (368, ...
 01883  1904   NtWaitForSingleObject  ... ) == 0x0
 01938  1904   NtSetEventBoostPriority  (368, ...
 01885   888   NtWaitForSingleObject  ... ) == 0x0
 01939   888   NtSetEventBoostPriority  (368, ...
 01889  1536   NtWaitForSingleObject  ... ) == 0x0
 01940  1536   NtSetEventBoostPriority  (368, ...
 01894  2000   NtWaitForSingleObject  ... ) == 0x0
 01941  2000   NtSetEventBoostPriority  (368, ...
 01895  1644   NtWaitForSingleObject  ... ) == 0x0
 01942  1644   NtSetEventBoostPriority  (368, ...
 01898  1256   NtWaitForSingleObject  ... ) == 0x0
 01943  1256   NtSetEventBoostPriority  (368, ...
 01900   164   NtWaitForSingleObject  ... ) == 0x0
 01944   164   NtSetEventBoostPriority  (368, ...
 01909  1356   NtWaitForSingleObject  ... ) == 0x0
 01945  1356   NtSetEventBoostPriority  (368, ...
 01907  1564   NtWaitForSingleObject  ... ) == 0x0
 01946  1564   NtSetEventBoostPriority  (368, ...
 01920  1392   NtWaitForSingleObject  ... ) == 0x0
 01947  1392   NtSetEventBoostPriority  (368, ...
 01923   800   NtWaitForSingleObject  ... ) == 0x0
 01948   800   NtSetEventBoostPriority  (368, ...
 01922  1808   NtWaitForSingleObject  ... ) == 0x0
 01949  1808   NtSetEventBoostPriority  (368, ...
 01925  1592   NtWaitForSingleObject  ... ) == 0x0
 01950  1592   NtSetEventBoostPriority  (368, ...
 01928  2032   NtWaitForSingleObject  ... ) == 0x0
 01951  2032   NtSetEventBoostPriority  (368, ...
 01930  1500   NtWaitForSingleObject  ... ) == 0x0
 01952  1500   NtWaitForSingleObject  (408, 0, 0x0, ...
 01948   800   NtSetEventBoostPriority  ... ) == 0x0
 01947  1392   NtSetEventBoostPriority  ... ) == 0x0
 01945  1356   NtSetEventBoostPriority  ... ) == 0x0
 01943  1256   NtSetEventBoostPriority  ... ) == 0x0
 01942  1644   NtSetEventBoostPriority  ... ) == 0x0
 01940  1536   NtSetEventBoostPriority  ... ) == 0x0
 01939   888   NtSetEventBoostPriority  ... ) == 0x0
 01938  1904   NtSetEventBoostPriority  ... ) == 0x0
 01937  1780   NtSetEventBoostPriority  ... ) == 0x0
 01936  1936   NtSetEventBoostPriority  ... ) == 0x0
 01934  1648   NtSetEventBoostPriority  ... ) == 0x0
 01953   932   NtWaitForSingleObject  (408, 0, 0x0, ...
 01951  2032   NtSetEventBoostPriority  ... ) == 0x0
 01950  1592   NtSetEventBoostPriority  ... ) == 0x0
 01949  1808   NtSetEventBoostPriority  ... ) == 0x0
 01946  1564   NtSetEventBoostPriority  ... ) == 0x0
 01944   164   NtSetEventBoostPriority  ... ) == 0x0
 01941  2000   NtSetEventBoostPriority  ... ) == 0x0
 01935  1852   NtSetEventBoostPriority  ... ) == 0x0
 01954   464   NtResumeThread  (448, ...
 01955  1392   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01956   800   NtWaitForSingleObject  (408, 0, 0x0, ...
 01957  1356   NtSetEventBoostPriority  (408, ...
 01958  1256   NtQueryValueKey  (428,  (428, "Mapping", Partial, 152, ... , Partial, 152, ...
 01959  1536   NtWaitForSingleObject  (408, 0, 0x0, ...
 01960   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01961  1904   NtWaitForSingleObject  (408, 0, 0x0, ...
 01962  1644   NtWaitForSingleObject  (408, 0, 0x0, ...
 01963  1936   NtWaitForSingleObject  (408, 0, 0x0, ...
 01964  1648   NtWaitForSingleObject  (408, 0, 0x0, ...
 01965  1780   NtWaitForSingleObject  (408, 0, 0x0, ...
 01966  2032   NtWaitForSingleObject  (408, 0, 0x0, ...
 01967  1592   NtWaitForSingleObject  (408, 0, 0x0, ...
 01968  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01969  1564   NtWaitForSingleObject  (408, 0, 0x0, ...
 01970   164   NtWaitForSingleObject  (408, 0, 0x0, ...
 01971  2000   NtWaitForSingleObject  (408, 0, 0x0, ...
 01972  1852   NtWaitForSingleObject  (408, 0, 0x0, ...
 01954   464   NtResumeThread  ... 1, ) == 0x0
 01864   148   NtWaitForSingleObject  ... ) == 0x0
 01957  1356   NtSetEventBoostPriority  ... ) == 0x0
 01958  1256   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01955  1392   NtDuplicateObject  ... 452, ) == 0x0
 01973   740   NtTestAlert  (...
 01960   888   NtDuplicateObject  ... 456, ) == 0x0
 01968  1808   NtCreateEvent  ... 460, ) == 0x0
 01974   148   NtSetEventBoostPriority  (408, ...
 01975   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01976  1356   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01977  1256   NtClose  (428, ...
 01978  1392   NtWaitForSingleObject  (408, 0, 0x0, ...
 01973   740   NtTestAlert  ... ) == 0x0
 01979   888   NtWaitForSingleObject  (408, 0, 0x0, ...
 01933  1420   NtWaitForSingleObject  ... ) == 0x0
 01974   148   NtSetEventBoostPriority  ... ) == 0x0
 01975   464   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 01976  1356   NtWaitForSingleObject  ... ) == 0x102
 01977  1256   NtClose  ... ) == 0x0
 01980   740   NtContinue  (51445040, 1, ...
 01981  1420   NtSetEventBoostPriority  (408, ...
 01982   148   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01983   464   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ...
 01984  1356   NtWaitForSingleObject  (160, 0, 0x0, ...
 01985  1256   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01952  1500   NtWaitForSingleObject  ... ) == 0x0
 01981  1420   NtSetEventBoostPriority  ... ) == 0x0
 01986   740   NtRegisterThreadTerminatePort  (24, ...
 01987  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01983   464   NtAllocateVirtualMemory  ... 52486144, 8192, ) == 0x0
 01982   148   NtWaitForSingleObject  ... ) == 0x102
 01988  1500   NtWaitForSingleObject  (368, 0, 0x0, ...
 01985  1256   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01986   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 01987  1808   NtDuplicateObject  ... 428, ) == 0x0
 01989  1420   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01990   148   NtWaitForSingleObject  (368, 0, 0x0, ...
 01991   464   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ...
 01992  1256   NtSetEventBoostPriority  (368, ...
 01993  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 01989  1420   NtWaitForSingleObject  ... ) == 0x102
 01991   464   NtProtectVirtualMemory  ... (0x320e000), 4096, 4, ) == 0x0
 01988  1500   NtWaitForSingleObject  ... ) == 0x0
 01992  1256   NtSetEventBoostPriority  ... ) == 0x0
 01994  1420   NtWaitForSingleObject  (368, 0, 0x0, ...
 01995  1500   NtSetEventBoostPriority  (368, ...
 01996   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01997  1256   NtWaitForSingleObject  (368, 0, 0x0, ...
 01990   148   NtWaitForSingleObject  ... ) == 0x0
 01996   464   NtCreateThread  ... 464, {1036, 1676}, ) == 0x0
 01998   148   NtSetEventBoostPriority  (368, ...
 01999   464   NtQueryInformationThread  (464, Basic, 28, ...
 01993  1808   NtWaitForSingleObject  ... ) == 0x0
 01998   148   NtSetEventBoostPriority  ... ) == 0x0
 02000  1808   NtSetEventBoostPriority  (368, ...
 01999   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1036,Tid=1676,}, 0x0, ) == 0x0
 01995  1500   NtSetEventBoostPriority  ... ) == 0x0
 02001   740   NtWaitForSingleObject  (368, 0, 0x0, ...
 01994  1420   NtWaitForSingleObject  ... ) == 0x0
 02000  1808   NtSetEventBoostPriority  ... ) == 0x0
 02002   148   NtWaitForSingleObject  (160, 0, 0x0, ...
 02003   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58060, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\14\4\0\0\214\6\0\0" ...  ...
 02004  1420   NtSetEventBoostPriority  (368, ...
 02005  1500   NtSetEventBoostPriority  (408, ...
 01997  1256   NtWaitForSingleObject  ... ) == 0x0
 02004  1420   NtSetEventBoostPriority  ... ) == 0x0
 02003   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58061, 0}  ... {28, 56, reply, 0, 1036, 464, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\14\4\0\0\214\6\0\0" )  ) == 0x0
 02006  1256   NtSetEventBoostPriority  (368, ...
 01953   932   NtWaitForSingleObject  ... ) == 0x0
 02005  1500   NtSetEventBoostPriority  ... ) == 0x0
 02007  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 02001   740   NtWaitForSingleObject  ... ) == 0x0
 02008   932   NtWaitForSingleObject  (368, 0, 0x0, ...
 02006  1256   NtSetEventBoostPriority  ... ) == 0x0
 02009   464   NtResumeThread  (464, ...
 02010  1500   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02011   740   NtSetEventBoostPriority  (368, ...
 02012  1420   NtWaitForSingleObject  (160, 0, 0x0, ...
 02009   464   NtResumeThread  ... 1, ) == 0x0
 02008   932   NtWaitForSingleObject  ... ) == 0x0
 02011   740   NtSetEventBoostPriority  ... ) == 0x0
 02010  1500   NtWaitForSingleObject  ... ) == 0x102
 02013   932   NtSetEventBoostPriority  (368, ...
 02014   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02015   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02007  1808   NtWaitForSingleObject  ... ) == 0x0
 02016  1500   NtWaitForSingleObject  (368, 0, 0x0, ...
 02013   932   NtSetEventBoostPriority  ... ) == 0x0
 02017  1256   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 02018  1676   NtTestAlert  (...
 02014   464   NtAllocateVirtualMemory  ... 52494336, 1048576, ) == 0x0
 02019  1808   NtSetEventBoostPriority  (368, ...
 02015   740   NtDuplicateObject  ... 468, ) == 0x0
 02017  1256   NtOpenKey  ... 472, ) == 0x0
 02018  1676   NtTestAlert  ... ) == 0x0
 02020   464   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ...
 02016  1500   NtWaitForSingleObject  ... ) == 0x0
 02019  1808   NtSetEventBoostPriority  ... ) == 0x0
 02021   740   NtWaitForSingleObject  (368, 0, 0x0, ...
 02022  1256   NtQueryValueKey  (472,  (472, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 02023  1676   NtContinue  (52493616, 1, ...
 02024  1500   NtSetEventBoostPriority  (368, ...
 02020   464   NtAllocateVirtualMemory  ... 53534720, 8192, ) == 0x0
 02025  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 02022  1256   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02021   740   NtWaitForSingleObject  ... ) == 0x0
 02026  1676   NtRegisterThreadTerminatePort  (24, ...
 02027   464   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ...
 02024  1500   NtSetEventBoostPriority  ... ) == 0x0
 02028   932   NtSetEventBoostPriority  (408, ...
 02029  1256   NtQueryValueKey  (472,  (472, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 02030   740   NtSetEventBoostPriority  (368, ...
 02026  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 02027   464   NtProtectVirtualMemory  ... (0x330e000), 4096, 4, ) == 0x0
 02031  1500   NtWaitForSingleObject  (160, 0, 0x0, ...
 01956   800   NtWaitForSingleObject  ... ) == 0x0
 02028   932   NtSetEventBoostPriority  ... ) == 0x0
 02029  1256   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02030   740   NtSetEventBoostPriority  ... ) == 0x0
 02025  1808   NtWaitForSingleObject  ... ) == 0x0
 02032   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02033   800   NtWaitForSingleObject  (368, 0, 0x0, ...
 02034   932   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02035  1676   NtWaitForSingleObject  (368, 0, 0x0, ...
 02036  1256   NtQueryValueKey  (472,  (472, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 02037  1808   NtSetEventBoostPriority  (368, ...
 02038   740   NtWaitForSingleObject  (368, 0, 0x0, ...
 02034   932   NtWaitForSingleObject  ... ) == 0x102
 02036  1256   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02033   800   NtWaitForSingleObject  ... ) == 0x0
 02037  1808   NtSetEventBoostPriority  ... ) == 0x0
 02039   932   NtWaitForSingleObject  (368, 0, 0x0, ...
 02040   800   NtSetEventBoostPriority  (368, ...
 02041  1256   NtQueryValueKey  (472,  (472, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 02042  1808   NtWaitForSingleObject  (408, 0, 0x0, ...
 02032   464   NtCreateThread  ... 476, {1036, 496}, ) == 0x0
 02035  1676   NtWaitForSingleObject  ... ) == 0x0
 02040   800   NtSetEventBoostPriority  ... ) == 0x0
 02041  1256   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02043  1676   NtSetEventBoostPriority  (368, ...
 02044   464   NtQueryInformationThread  (476, Basic, 28, ...
 02038   740   NtWaitForSingleObject  ... ) == 0x0
 02043  1676   NtSetEventBoostPriority  ... ) == 0x0
 02045  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11596844, ... }, 11596844, ...
 02046   740   NtSetEventBoostPriority  (368, ...
 02044   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1036,Tid=496,}, 0x0, ) == 0x0
 02047  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02039   932   NtWaitForSingleObject  ... ) == 0x0
 02046   740   NtSetEventBoostPriority  ... ) == 0x0
 02045  1256   NtQueryAttributesFile  ... ) == 0x0
 02048   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58061, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\14\4\0\0\360\1\0\0" ...  ...
 02049   800   NtSetEventBoostPriority  (408, ...
 02050   932   NtWaitForSingleObject  (160, 0, 0x0, ...
 02051   740   NtWaitForSingleObject  (408, 0, 0x0, ...
 02047  1676   NtDuplicateObject  ... 480, ) == 0x0
 02048   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58062, 0}  ... {28, 56, reply, 0, 1036, 464, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\14\4\0\0\360\1\0\0" )  ) == 0x0
 01959  1536   NtWaitForSingleObject  ... ) == 0x0
 02049   800   NtSetEventBoostPriority  ... ) == 0x0
 02052  1256   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 02053  1676   NtWaitForSingleObject  (408, 0, 0x0, ...
 02054  1536   NtSetEventBoostPriority  (408, ...
 02055   800   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02052  1256   NtOpenFile  ... 484, {status=0x0, info=1}, ) == 0x0
 01962  1644   NtWaitForSingleObject  ... ) == 0x0
 02055   800   NtWaitForSingleObject  ... ) == 0x102
 02056  1256   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 484, ...
 02057  1644   NtSetEventBoostPriority  (408, ...
 02058   800   NtWaitForSingleObject  (160, 0, 0x0, ...
 02056  1256   NtCreateSection  ... 488, ) == 0x0
 01961  1904   NtWaitForSingleObject  ... ) == 0x0
 02057  1644   NtSetEventBoostPriority  ... ) == 0x0
 02054  1536   NtSetEventBoostPriority  ... ) == 0x0
 02059   464   NtResumeThread  (476, ...
 02060  1904   NtSetEventBoostPriority  (408, ...
 02061  1256   NtClose  (484, ...
 02062  1644   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02063  1536   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01963  1936   NtWaitForSingleObject  ... ) == 0x0
 02059   464   NtResumeThread  ... 1, ) == 0x0
 02061  1256   NtClose  ... ) == 0x0
 02060  1904   NtSetEventBoostPriority  ... ) == 0x0
 02064   496   NtWaitForSingleObject  (128, 0, 0x0, ...
 02065  1936   NtSetEventBoostPriority  (408, ...
 02066   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02062  1644   NtWaitForSingleObject  ... ) == 0x102
 02063  1536   NtWaitForSingleObject  ... ) == 0x102
 02067  1904   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01965  1780   NtWaitForSingleObject  ... ) == 0x0
 02066   464   NtAllocateVirtualMemory  ... 53542912, 1048576, ) == 0x0
 02068  1644   NtWaitForSingleObject  (160, 0, 0x0, ...
 02069  1536   NtWaitForSingleObject  (160, 0, 0x0, ...
 02070  1780   NtSetEventBoostPriority  (408, ...
 02071   464   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ...
 01966  2032   NtWaitForSingleObject  ... ) == 0x0
 02070  1780   NtSetEventBoostPriority  ... ) == 0x0
 02072  2032   NtSetEventBoostPriority  (408, ...
 02071   464   NtAllocateVirtualMemory  ... 54583296, 8192, ) == 0x0
 01967  1592   NtWaitForSingleObject  ... ) == 0x0
 02072  2032   NtSetEventBoostPriority  ... ) == 0x0
 02073  1780   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02065  1936   NtSetEventBoostPriority  ... ) == 0x0
 02074  1256   NtMapViewOfSection  (488, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02067  1904   NtWaitForSingleObject  ... ) == 0x102
 02075  1592   NtSetEventBoostPriority  (408, ...
 02076   464   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ...
 02077  2032   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02078  1936   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02074  1256   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 01969  1564   NtWaitForSingleObject  ... ) == 0x0
 02075  1592   NtSetEventBoostPriority  ... ) == 0x0
 02079  1904   NtWaitForSingleObject  (160, 0, 0x0, ...
 02076   464   NtProtectVirtualMemory  ... (0x340e000), 4096, 4, ) == 0x0
 02077  2032   NtWaitForSingleObject  ... ) == 0x102
 02080  1564   NtSetEventBoostPriority  (408, ...
 02081  1256   NtClose  (488, ...
 02073  1780   NtWaitForSingleObject  ... ) == 0x102
 02078  1936   NtWaitForSingleObject  ... ) == 0x102
 02082   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01970   164   NtWaitForSingleObject  ... ) == 0x0
 02080  1564   NtSetEventBoostPriority  ... ) == 0x0
 02083  2032   NtWaitForSingleObject  (160, 0, 0x0, ...
 02081  1256   NtClose  ... ) == 0x0
 02084  1780   NtWaitForSingleObject  (160, 0, 0x0, ...
 02085  1936   NtWaitForSingleObject  (160, 0, 0x0, ...
 02086   164   NtSetEventBoostPriority  (408, ...
 02082   464   NtCreateThread  ... 488, {1036, 1020}, ) == 0x0
 02087  1592   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01971  2000   NtWaitForSingleObject  ... ) == 0x0
 02086   164   NtSetEventBoostPriority  ... ) == 0x0
 02088   464   NtQueryInformationThread  (488, Basic, 28, ...
 02089  2000   NtSetEventBoostPriority  (408, ...
 02087  1592   NtWaitForSingleObject  ... ) == 0x102
 02090  1564   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02091  1256   NtUnmapViewOfSection  (-1, 0x360000, ...
 01972  1852   NtWaitForSingleObject  ... ) == 0x0
 02089  2000   NtSetEventBoostPriority  ... ) == 0x0
 02088   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1036,Tid=1020,}, 0x0, ) == 0x0
 02092  1592   NtWaitForSingleObject  (160, 0, 0x0, ...
 02090  1564   NtWaitForSingleObject  ... ) == 0x102
 02093  1852   NtSetEventBoostPriority  (408, ...
 02091  1256   NtUnmapViewOfSection  ... ) == 0x0
 02094   164   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02095  2000   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01964  1648   NtWaitForSingleObject  ... ) == 0x0
 02093  1852   NtSetEventBoostPriority  ... ) == 0x0
 02096  1564   NtWaitForSingleObject  (160, 0, 0x0, ...
 02097  1256   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11597152, ... }, 11597152, ...
 02094   164   NtWaitForSingleObject  ... ) == 0x102
 02098  1648   NtSetEventBoostPriority  (408, ...
 02095  2000   NtWaitForSingleObject  ... ) == 0x102
 02099   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58062, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\14\4\0\0\374\3\0\0" ...  ...
 02097  1256   NtQueryAttributesFile  ... ) == 0x0
 01978  1392   NtWaitForSingleObject  ... ) == 0x0
 02100   164   NtWaitForSingleObject  (160, 0, 0x0, ...
 02101  2000   NtWaitForSingleObject  (160, 0, 0x0, ...
 02099   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58063, 0}  ... {28, 56, reply, 0, 1036, 464, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\14\4\0\0\374\3\0\0" )  ) == 0x0
 02102  1256   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 02103  1392   NtSetEventBoostPriority  (408, ...
 02104   464   NtResumeThread  (488, ...
 02102  1256   NtOpenFile  ... 484, {status=0x0, info=1}, ) == 0x0
 01979   888   NtWaitForSingleObject  ... ) == 0x0
 02103  1392   NtSetEventBoostPriority  ... ) == 0x0
 02104   464   NtResumeThread  ... 1, ) == 0x0
 02098  1648   NtSetEventBoostPriority  ... ) == 0x0
 02105  1852   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02106   888   NtSetEventBoostPriority  (408, ...
 02107  1256   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 484, ...
 02108  1020   NtWaitForSingleObject  (128, 0, 0x0, ...
 02109   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02110  1648   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02042  1808   NtWaitForSingleObject  ... ) == 0x0
 02106   888   NtSetEventBoostPriority  ... ) == 0x0
 02105  1852   NtWaitForSingleObject  ... ) == 0x102
 02107  1256   NtCreateSection  ... 492, ) == 0x0
 02111  1392   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02112  1808   NtSetEventBoostPriority  (408, ...
 02110  1648   NtWaitForSingleObject  ... ) == 0x102
 02109   464   NtAllocateVirtualMemory  ... 54591488, 1048576, ) == 0x0
 02113  1852   NtWaitForSingleObject  (160, 0, 0x0, ...
 02114  1256   NtQuerySection  (492, Image, 48, ...
 02051   740   NtWaitForSingleObject  ... ) == 0x0
 02112  1808   NtSetEventBoostPriority  ... ) == 0x0
 02111  1392   NtWaitForSingleObject  ... ) == 0x102
 02115  1648   NtWaitForSingleObject  (160, 0, 0x0, ...
 02116   464   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ...
 02117   740   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 02114  1256   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02118   888   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02119  1392   NtWaitForSingleObject  (368, 0, 0x0, ...
 02117   740   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 02116   464   NtAllocateVirtualMemory  ... 55631872, 8192, ) == 0x0
 02120  1256   NtClose  (484, ...
 02118   888   NtWaitForSingleObject  ... ) == 0x102
 02121   740   NtSetEventBoostPriority  (368, ...
 02122   464   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ...
 02120  1256   NtClose  ... ) == 0x0
 02119  1392   NtWaitForSingleObject  ... ) == 0x0
 02123   888   NtWaitForSingleObject  (368, 0, 0x0, ...
 02122   464   NtProtectVirtualMemory  ... (0x350e000), 4096, 4, ) == 0x0
 02121   740   NtSetEventBoostPriority  ... ) == 0x0
 02124  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 02125  1392   NtSetEventBoostPriority  (368, ...
 02126   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02127  1256   NtMapViewOfSection  (492, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02123   888   NtWaitForSingleObject  ... ) == 0x0
 02125  1392   NtSetEventBoostPriority  ... ) == 0x0
 02128   740   NtSetEventBoostPriority  (408, ...
 02129   888   NtSetEventBoostPriority  (368, ...
 02127  1256   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 02126   464   NtCreateThread  ... 484, {1036, 1332}, ) == 0x0
 02124  1808   NtWaitForSingleObject  ... ) == 0x0
 02129   888   NtSetEventBoostPriority  ... ) == 0x0
 02053  1676   NtWaitForSingleObject  ... ) == 0x0
 02128   740   NtSetEventBoostPriority  ... ) == 0x0
 02130  1256   NtClose  (492, ...
 02131  1808   NtWaitForSingleObject  (408, 0, 0x0, ...
 02132   464   NtQueryInformationThread  (484, Basic, 28, ...
 02133  1392   NtWaitForSingleObject  (160, 0, 0x0, ...
 02134  1676   NtSetEventBoostPriority  (408, ...
 02135   740   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02130  1256   NtClose  ... ) == 0x0
 02132   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1036,Tid=1332,}, 0x0, ) == 0x0
 02131  1808   NtWaitForSingleObject  ... ) == 0x0
 02134  1676   NtSetEventBoostPriority  ... ) == 0x0
 02135   740   NtWaitForSingleObject  ... ) == 0x102
 02136  1256   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ...
 02137  1808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 02138   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58063, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\14\4\0\04\5\0\0" ...  ...
 02139   888   NtWaitForSingleObject  (160, 0, 0x0, ...
 02140   740   NtWaitForSingleObject  (160, 0, 0x0, ...
 02137  1808   NtOpenFile  ... 492, {status=0x0, info=0}, ) == 0x0
 02136  1256   NtProtectVirtualMemory  ... (0x71a91000), 4096, 32, ) == 0x0
 02138   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58064, 0}  ... {28, 56, reply, 0, 1036, 464, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\14\4\0\04\5\0\0" )  ) == 0x0
 02141  1676   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02142  1808   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\323+Zz\7\22\262\264\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02143  1256   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 02141  1676   NtWaitForSingleObject  ... ) == 0x102
 02144  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02143  1256   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 02145  1676   NtWaitForSingleObject  (160, 0, 0x0, ...
 02144  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02146  1256   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 02147  1256   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148  1256   NtSetEventBoostPriority  (128, ...
 02064   496   NtWaitForSingleObject  ... ) == 0x0
 02149   496   NtSetEventBoostPriority  (128, ...
 02108  1020   NtWaitForSingleObject  ... ) == 0x0
 02150  1020   NtTestAlert  (... ) == 0x0
 02149   496   NtSetEventBoostPriority  ... ) == 0x0
 02148  1256   NtSetEventBoostPriority  ... ) == 0x0
 02151  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02152   464   NtResumeThread  (484, ...
 02153  1020   NtContinue  (54590768, 1, ...
 02154   496   NtTestAlert  (...
 02151  1808   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02152   464   NtResumeThread  ... 1, ) == 0x0
 02155  1020   NtRegisterThreadTerminatePort  (24, ...
 02154   496   NtTestAlert  ... ) == 0x0
 02156  1808   NtQuerySystemInformation  (Performance, 312, ...
 02157   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02155  1020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02158   496   NtContinue  (53542192, 1, ...
 02156  1808   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02157   464   NtAllocateVirtualMemory  ... 55640064, 1048576, ) == 0x0
 02159  1020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02160   496   NtRegisterThreadTerminatePort  (24, ...
 02161  1808   NtQuerySystemInformation  (Exception, 16, ...
 02162   464   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ...
 02159  1020   NtDuplicateObject  ... 496, ) == 0x0
 02160   496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02161  1808   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02162   464   NtAllocateVirtualMemory  ... 56680448, 8192, ) == 0x0
 02163  1020   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02164   496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02165  1256   NtClose  (472, ...
 02166  1332   NtTestAlert  (...
 02167  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02168   464   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ...
 02163  1020   NtWaitForSingleObject  ... ) == 0x102
 02165  1256   NtClose  ... ) == 0x0
 02166  1332   NtTestAlert  ... ) == 0x0
 02167  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02168   464   NtProtectVirtualMemory  ... (0x360e000), 4096, 4, ) == 0x0
 02169  1020   NtWaitForSingleObject  (160, 0, 0x0, ...
 02170  1256   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 02171  1332   NtContinue  (55639344, 1, ...
 02172  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02173   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02170  1256   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 02174  1332   NtRegisterThreadTerminatePort  (24, ...
 02172  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02173   464   NtCreateThread  ... 472, {1036, 1328}, ) == 0x0
 02175  1256   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11599488, 67, ... }, 0x0, 0, 3, 3, 0, 11599488, 67, ...
 02174  1332   NtRegisterThreadTerminatePort  ... ) == 0x0
 02176  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02177   464   NtQueryInformationThread  (472, Basic, 28, ...
 02175  1256   NtCreateFile  ... 500, {status=0x0, info=0}, ) == 0x0
 02164   496   NtDuplicateObject  ... 504, ) == 0x0
 02176  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02177   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1036,Tid=1328,}, 0x0, ) == 0x0
 02178  1332   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02179   496   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02180  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x1207b,  (500, 136, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 02181  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02178  1332   NtDuplicateObject  ... 508, ) == 0x0
 02179   496   NtWaitForSingleObject  ... ) == 0x102
 02180  1256   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 02181  1808   NtCreateKey  ... -2147482740, 2, ) == 0x0
 02182  1332   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02183   496   NtWaitForSingleObject  (160, 0, 0x0, ...
 02184  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x1207b,  (500, 136, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ...
 02185  1808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "pY\313\234\304\3224\322\205\232o\366\205\203\30&\211MX\230\32\/\327\367\263qo\373\310\230\214c\221Z\4\366\11\273\324\251;\33\5\216=O\322\236)w\361\312\31/=D_\374\7\205\33\33\20193G\177a\177\205e\317\332/}\306\26\36\235", 80, ... , 0, 3,  (-2147482740, "Seed", 0, 3, "pY\313\234\304\3224\322\205\232o\366\205\203\30&\211MX\230\32\/\327\367\263qo\373\310\230\214c\221Z\4\366\11\273\324\251;\33\5\216=O\322\236)w\361\312\31/=D_\374\7\205\33\33\20193G\177a\177\205e\317\332/}\306\26\36\235", 80, ... , 80, ...
 02182  1332   NtWaitForSingleObject  ... ) == 0x102
 02184  1256   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 02185  1808   NtSetValueKey  ... ) == 0x0
 02186  1332   NtWaitForSingleObject  (160, 0, 0x0, ...
 02187  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x12047,  (500, 136, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 02188  1808   NtClose  (-2147482740, ...
 02189   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58064, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\14\4\0\00\5\0\0" ...  ...
 02187  1256   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 02188  1808   NtClose  ... ) == 0x0
 02189   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58065, 0}  ... {28, 56, reply, 0, 1036, 464, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\14\4\0\00\5\0\0" )  ) == 0x0
 02190  1256   NtWaitForSingleObject  (96, 0, {0, 0}, ...
 02191   464   NtResumeThread  (472, ...
 02190  1256   NtWaitForSingleObject  ... ) == 0x102
 02191   464   NtResumeThread  ... 1, ) == 0x0
 02192  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x12003,  (500, 136, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 02193   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02192  1256   NtDeviceIoControlFile  ... {status=0x0, info=512},  ... {status=0x0, info=512}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02142  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\25\346\272\237\3\304/T\263\230\303\365\336\3101\377w\326\355\367\266\206e\22]\23\3\300\216(l4\262L\257,\234\227rK\17\24y\375\335k\35\331\10]\33\214\344\337\245^Na\214\132P\240\233\304\223\251\11\251\3259N\206\310x:\257zD\25t\354\351\257\310M\374Y\23\24\305\313\225\340O\223\HGJ\207\243\34.\11\204'u\363:\34\276\275\2y\340\363\26z\376Cc\362HH\206o\235\223\235P0\35\224\260\254\317\3123.\302\17\203\216\237\303\2047f\257\326\236!\347\226\20O\257\316\13rS\241\25\374W#\243"\253|.\362\324\226\243\276z\365\331\34\30\356>\331t2^Kq$[\356'\241k7\200\254\327\246\214=\376\374\361\250\11#`\315\247so\16\235N~\22\337\240\262J\331z+jc5\351p\5D\316\265(\355\315\350\247\356\21g\347d\317\323L\251_\1\340\337\272^\271", ) \253|.\362\324\226\243\276z\365\331\34\30\356>\331t2^Kq$[\356'\241k7\200\254\327\246\214=\376\374\361\250\11#`\315\247so\16\235N~\22\337\240\262J\331z+jc5\351p\5D\316\265(\355\315\350\247\356\21g\347d\317\323L\251_\1\340\337\272^\271", ) == 0x0
 02194  1328   NtTestAlert  (...
 02193   464   NtAllocateVirtualMemory  ... 56688640, 1048576, ) == 0x0
 02195  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02194  1328   NtTestAlert  ... ) == 0x0
 02196   464   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ...
 02195  1808   NtCreateEvent  ... 516, ) == 0x0
 02197  1328   NtContinue  (56687920, 1, ...
 02196   464   NtAllocateVirtualMemory  ... 57729024, 8192, ) == 0x0
 02198  1808   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789572, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789572, 188, ...
 02199  1328   NtRegisterThreadTerminatePort  (24, ...
 02200   464   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ...
 02199  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 02200   464   NtProtectVirtualMemory  ... (0x370e000), 4096, 4, ) == 0x0
 02198  1808   NtConnectPort  ... 520, 0x0, 0x0, 0x0, 188, ) == 0x0
 02201  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x12047,  (500, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02202   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02203  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02201  1256   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02204  1808   NtRequestWaitReplyPort  (520, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721}  (520, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\310D\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\337*\215'\277x\310%HF\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 F\25\0\22\364Tgx\1\24\0@F\25\0h\1\24\0\0\0\0\0\0\0\0\0@F\25\0P\0\0\0HF\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02203  1328   NtDuplicateObject  ... 524, ) == 0x0
 02205  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x12037,  (500, 136, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 02206  1328   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02205  1256   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02204  1808   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1036, 1808, 58067, 0}  ... {200, 224, reply, 0, 1036, 1808, 58067, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\337*\215'\277x\310%HF\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 F\25\0\22\364Tgx\1\24\0@F\25\0h\1\24\0\0\0\0\0\0\0\0\0@F\25\0P\0\0\0HF\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02206  1328   NtWaitForSingleObject  ... ) == 0x102
 02207  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x1200b,  (500, 136, 0x0, 0x0, 0x1200b, "\0\376\260\0\5\0\0\0\0\320\24\0", 12, 0, ... , 12, 0, ...
 02208  1808   NtRequestWaitReplyPort  (520, {64, 88, new_msg, 0, 0, 0, 0, 0}  (520, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02209  1328   NtWaitForSingleObject  (160, 0, 0x0, ...
 02207  1256   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02208  1808   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1036, 1808, 58068, 0}  ... {52, 76, reply, 0, 1036, 1808, 58068, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02202   464   NtCreateThread  ... 528, {1036, 120}, ) == 0x0
 02210  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x12047,  (500, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\260\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02211   464   NtQueryInformationThread  (528, Basic, 28, ...
 02210  1256   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02211   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1036,Tid=120,}, 0x0, ) == 0x0
 02212  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 02213   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58065, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\14\4\0\0x\0\0\0" ...  ...
 02212  1256   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02213   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58069, 0}  ... {28, 56, reply, 0, 1036, 464, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\14\4\0\0x\0\0\0" )  ) == 0x0
 02214  1256   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 02215  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 02214  1256   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 02216   464   NtResumeThread  (528, ... 1, ) == 0x0
 02217   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 57737216, 1048576, ) == 0x0
 02218   464   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ... 58777600, 8192, ) == 0x0
 02219   464   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ... (0x380e000), 4096, 4, ) == 0x0
 02220   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1036, 1732}, ) == 0x0
 02221   464   NtQueryInformationThread  (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1036,Tid=1732,}, 0x0, ) == 0x0
 02222  1256   NtSetEventBoostPriority  (368, ...
 02223   120   NtTestAlert  (...
 02215  1808   NtWaitForSingleObject  ... ) == 0x0
 02222  1256   NtSetEventBoostPriority  ... ) == 0x0
 02224  1808   NtClose  (516, ...
 02223   120   NtTestAlert  ... ) == 0x0
 02224  1808   NtClose  ... ) == 0x0
 02225  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36m\261=\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02226  1808   NtClose  (520, ...
 02227   120   NtContinue  (57736496, 1, ...
 02228  1256   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02229   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58069, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\14\4\0\0\304\6\0\0" ...  ...
 02230   120   NtRegisterThreadTerminatePort  (24, ...
 02228  1256   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02229   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58070, 0}  ... {28, 56, reply, 0, 1036, 464, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\14\4\0\0\304\6\0\0" )  ) == 0x0
 02230   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02231  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02232   464   NtResumeThread  (532, ...
 02226  1808   NtClose  ... ) == 0x0
 02233   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02232   464   NtResumeThread  ... 1, ) == 0x0
 02234  1808   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02233   120   NtDuplicateObject  ... 520, ) == 0x0
 02235   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02234  1808   NtCreateKey  ... 516, 2, ) == 0x0
 02236   120   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02231  1256   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02237  1732   NtTestAlert  (...
 02238  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02236   120   NtWaitForSingleObject  ... ) == 0x102
 02239  1256   NtQuerySystemInformation  (Performance, 312, ...
 02237  1732   NtTestAlert  ... ) == 0x0
 02238  1808   NtOpenKey  ... 536, ) == 0x0
 02240   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 02239  1256   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02241  1732   NtContinue  (58785072, 1, ...
 02242  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02235   464   NtAllocateVirtualMemory  ... 58785792, 1048576, ) == 0x0
 02243  1256   NtQuerySystemInformation  (Exception, 16, ...
 02244  1732   NtRegisterThreadTerminatePort  (24, ...
 02245   464   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ...
 02243  1256   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02244  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 02245   464   NtAllocateVirtualMemory  ... 59826176, 8192, ) == 0x0
 02246  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02242  1808   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02247   464   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ...
 02248  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02249  1808   NtQueryValueKey  (516,  (516, "Hostname", Partial, 144, ... , Partial, 144, ...
 02247   464   NtProtectVirtualMemory  ... (0x390e000), 4096, 4, ) == 0x0
 02248  1732   NtDuplicateObject  ... 540, ) == 0x0
 02249  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02250   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02251  1732   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 02252  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 02246  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02251  1732   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 02253  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02254  1732   NtSetEventBoostPriority  (368, ...
 02253  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02252  1808   NtWaitForSingleObject  ... ) == 0x0
 02254  1732   NtSetEventBoostPriority  ... ) == 0x0
 02255  1808   NtQueryValueKey  (516,  (516, "Hostname", Partial, 144, ... , Partial, 144, ...
 02256  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02250   464   NtCreateThread  ... 544, {1036, 624}, ) == 0x0
 02255  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02256  1256   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02257   464   NtQueryInformationThread  (544, Basic, 28, ...
 02258  1732   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02259  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02257   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1036,Tid=624,}, 0x0, ) == 0x0
 02258  1732   NtWaitForSingleObject  ... ) == 0x102
 02260  1808   NtClose  (516, ...
 02261   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58070, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\14\4\0\0p\2\0\0" ...  ...
 02262  1732   NtWaitForSingleObject  (160, 0, 0x0, ...
 02260  1808   NtClose  ... ) == 0x0
 02261   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58072, 0}  ... {28, 56, reply, 0, 1036, 464, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\14\4\0\0p\2\0\0" )  ) == 0x0
 02263  1808   NtClose  (536, ...
 02259  1256   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02263  1808   NtClose  ... ) == 0x0
 02264  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\345i=\340wl\341g\315\0\253\376\242M\3162\\365^\255\373\224\323\316"U\200\362\15\346Uf\2216M\327\301\375\211\226\128[\230\20+My\242$p\210W\243\2414Lfo\367s\310_\346`\31\260\14\321q\360\377\313~'\375\244UA\3", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\345i=\340wl\341g\315\0\253\376\242M\3162\\365^\255\373\224\323\316"U\200\362\15\346Uf\2216M\327\301\375\211\226\128[\230\20+My\242$p\210W\243\2414Lfo\367s\310_\346`\31\260\14\321q\360\377\313~'\375\244UA\3", 80, ... U\200\362\15\346Uf\2216M\327\301\375\211\226\128[\230\20+My\242$p\210W\243\2414Lfo\367s\310_\346`\31\260\14\321q\360\377\313~'\375\244UA\3", 80, ...
 02265  1808   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02264  1256   NtSetValueKey  ... ) == 0x0
 02265  1808   NtCreateEvent  ... 536, ) == 0x0
 02266  1256   NtClose  (-2147481344, ...
 02267   464   NtResumeThread  (544, ...
 02266  1256   NtClose  ... ) == 0x0
 02267   464   NtResumeThread  ... 1, ) == 0x0
 02225  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\262\260}\250\264\10\310\211\350q\325U\276(\253\335\323\344C\211?J\342'\35\322d\351p\346\346!\15\240i\310\177\260=}1\@"\230\222\223$\37\320\242c\2tfB\204E\321'\301\250Z\250\212\205}\375\25\264A\316\346\35\234\7X\212/!\247\32\314\262=\32\1d|\7\307\25\314\231\4(\370/\274\353\30\311\30\3dHNh\213\202\330\310AwyH\323Yw>4\31C\256\242\374\342\322\332\305\202-\272\32\250\221d\363J\31!i\220\373\215Y\300:\2062\272Xh\250\355t\306t\27\331\372\326\216\274\213"\335t\12b;m\240\7\262\3517wg\204Dl8m\224I\13\205\210\231\7\341F\371jQ\2173\274\306F\316g\15\201\231\325\25\21UK8\13(4\374+\37\305\207\355&\224!\271\4U\326\304\251f\374\354n\336\262\10\302\5*\212\232\206W%\231\326\375\203\245H\211\255P%\27", ) \230\222\223$\37\320\242c\2tfB\204E\321'\301\250Z\250\212\205}\375\25\264A\316\346\35\234\7X\212/!\247\32\314\262=\32\1d|\7\307\25\314\231\4(\370/\274\353\30\311\30\3dHNh\213\202\330\310AwyH\323Yw>4\31C\256\242\374\342\322\332\305\202-\272\32\250\221d\363J\31!i\220\373\215Y\300:\2062\272Xh\250\355t\306t\27\331\372\326\216\274\213 ... {status=0x0, info=256}, "\262\260}\250\264\10\310\211\350q\325U\276(\253\335\323\344C\211?J\342'\35\322d\351p\346\346!\15\240i\310\177\260=}1\@"\230\222\223$\37\320\242c\2tfB\204E\321'\301\250Z\250\212\205}\375\25\264A\316\346\35\234\7X\212/!\247\32\314\262=\32\1d|\7\307\25\314\231\4(\370/\274\353\30\311\30\3dHNh\213\202\330\310AwyH\323Yw>4\31C\256\242\374\342\322\332\305\202-\272\32\250\221d\363J\31!i\220\373\215Y\300:\2062\272Xh\250\355t\306t\27\331\372\326\216\274\213"\335t\12b;m\240\7\262\3517wg\204Dl8m\224I\13\205\210\231\7\341F\371jQ\2173\274\306F\316g\15\201\231\325\25\21UK8\13(4\374+\37\305\207\355&\224!\271\4U\326\304\251f\374\354n\336\262\10\302\5*\212\232\206W%\231\326\375\203\245H\211\255P%\27", ) , ) == 0x0
 02268   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02269  1808   NtWaitForSingleObject  (536, 0, 0x0, ...
 02270   624   NtTestAlert  (...
 02268   464   NtAllocateVirtualMemory  ... 59834368, 1048576, ) == 0x0
 02270   624   NtTestAlert  ... ) == 0x0
 02271   464   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ...
 02272   624   NtContinue  (59833648, 1, ...
 02271   464   NtAllocateVirtualMemory  ... 60874752, 8192, ) == 0x0
 02273   624   NtRegisterThreadTerminatePort  (24, ...
 02274  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36mz\5`\213r^o'\237\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02273   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02275  1256   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02276   464   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ...
 02275  1256   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02276   464   NtProtectVirtualMemory  ... (0x3a0e000), 4096, 4, ) == 0x0
 02277  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02278   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02277  1256   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02278   464   NtCreateThread  ... 516, {1036, 468}, ) == 0x0
 02279  1256   NtQuerySystemInformation  (Performance, 312, ...
 02280   464   NtQueryInformationThread  (516, Basic, 28, ...
 02281   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02280   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1036,Tid=468,}, 0x0, ) == 0x0
 02281   624   NtDuplicateObject  ... 548, ) == 0x0
 02279  1256   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02282   624   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02283  1256   NtQuerySystemInformation  (Exception, 16, ...
 02282   624   NtWaitForSingleObject  ... ) == 0x102
 02283  1256   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02284   624   NtWaitForSingleObject  (160, 0, 0x0, ...
 02285  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02286   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58072, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\14\4\0\0\324\1\0\0" ...  ...
 02285  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02286   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58073, 0}  ... {28, 56, reply, 0, 1036, 464, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\14\4\0\0\324\1\0\0" )  ) == 0x0
 02287  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02288   464   NtResumeThread  (516, ... 1, ) == 0x0
 02289   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0
 02290   464   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0
 02291   464   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 02292   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02287  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02293   468   NtTestAlert  (...
 02294  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02293   468   NtTestAlert  ... ) == 0x0
 02294  1256   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02295   468   NtContinue  (60882224, 1, ...
 02296  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02297   468   NtRegisterThreadTerminatePort  (24, ...
 02296  1256   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02297   468   NtRegisterThreadTerminatePort  ... ) == 0x0
 02298  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\263/\311\257\2420\344\14{G\14k\275O\333\314\337\215w\236}\237^j\327\250\222\\12<\3nM\351B8\265\236X\224\343n\331\356\37HU\345r\324\334B>\7\273\371K\264\202L1\260\326#X\305\34Gab\17\273\256\341\3426\247\22\314\304", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\263/\311\257\2420\344\14{G\14k\275O\333\314\337\215w\236}\237^j\327\250\222\\12<\3nM\351B8\265\236X\224\343n\331\356\37HU\345r\324\334B>\7\273\371K\264\202L1\260\326#X\305\34Gab\17\273\256\341\3426\247\22\314\304", 80, ... , 80, ...
 02292   464   NtCreateThread  ... 552, {1036, 380}, ) == 0x0
 02299   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02300   464   NtQueryInformationThread  (552, Basic, 28, ...
 02299   468   NtDuplicateObject  ... 556, ) == 0x0
 02300   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1036,Tid=380,}, 0x0, ) == 0x0
 02301   468   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02302   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58073, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\14\4\0\0|\1\0\0" ...  ...
 02301   468   NtWaitForSingleObject  ... ) == 0x102
 02302   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58074, 0}  ... {28, 56, reply, 0, 1036, 464, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\14\4\0\0|\1\0\0" )  ) == 0x0
 02303   468   NtWaitForSingleObject  (160, 0, 0x0, ...
 02298  1256   NtSetValueKey  ... ) == 0x0
 02304   464   NtResumeThread  (552, ...
 02305  1256   NtClose  (-2147481344, ...
 02304   464   NtResumeThread  ... 1, ) == 0x0
 02305  1256   NtClose  ... ) == 0x0
 02306   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02274  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\36\305\342\266\251\254w\213\200Q@-\276\2577\20\221\345}\332\223H9\226)\352oG\373JgZj\366^4DW\222\346:\326\2\322\315z \17\50_\2465 \344\305\257\263\373p\266\316\342\200\256~A(\313\320VWL\377\200\207D\243\231\240D\241Vt}=\330\220\2\314\206Ie\371\261\32\244\267s'\232Wm\2\327\211\347\222Uf\12\200a.|\325\367{\314\255\234u\217R\177#}\34k\304q\340\254\1\214 \250\316\303,Y\374]\265\200R\334\300\302\232\32\357\374\16R\312gg\316\257G\217\213\201Q\301\231c\351\330r\2730\251\235\313\31\322\277\3\343\306V\237\215\3128F\243O\237\327tSU\247$\261\364\32\323\14Q\242g\4 \376\15\253\347s\327%\262\25\233\33\7\35$\15\33\254\244\331\327f\367o\264\3Q\340\24+"\234\310\247p\341\10\23\325w\275\270\341\236"\274\27 T", ) \234\310\247p\341\10\23\325w\275\270\341\236 ... {status=0x0, info=256}, "\36\305\342\266\251\254w\213\200Q@-\276\2577\20\221\345}\332\223H9\226)\352oG\373JgZj\366^4DW\222\346:\326\2\322\315z \17\50_\2465 \344\305\257\263\373p\266\316\342\200\256~A(\313\320VWL\377\200\207D\243\231\240D\241Vt}=\330\220\2\314\206Ie\371\261\32\244\267s'\232Wm\2\327\211\347\222Uf\12\200a.|\325\367{\314\255\234u\217R\177#}\34k\304q\340\254\1\214 \250\316\303,Y\374]\265\200R\334\300\302\232\32\357\374\16R\312gg\316\257G\217\213\201Q\301\231c\351\330r\2730\251\235\313\31\322\277\3\343\306V\237\215\3128F\243O\237\327tSU\247$\261\364\32\323\14Q\242g\4 \376\15\253\347s\327%\262\25\233\33\7\35$\15\33\254\244\331\327f\367o\264\3Q\340\24+"\234\310\247p\341\10\23\325w\275\270\341\236"\274\27 T", ) , ) == 0x0
 02306   464   NtAllocateVirtualMemory  ... 61931520, 1048576, ) == 0x0
 02307  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36mz\5`\213r^o\354\247`\213r^o'\237\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02308   464   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ...
 02309  1256   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02308   464   NtAllocateVirtualMemory  ... 62971904, 8192, ) == 0x0
 02310   380   NtTestAlert  (...
 02309  1256   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02310   380   NtTestAlert  ... ) == 0x0
 02311  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02312   380   NtContinue  (61930800, 1, ...
 02311  1256   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02313   380   NtRegisterThreadTerminatePort  (24, ...
 02314  1256   NtQuerySystemInformation  (Performance, 312, ...
 02313   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02314  1256   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02315   464   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ...
 02316  1256   NtQuerySystemInformation  (Exception, 16, ...
 02315   464   NtProtectVirtualMemory  ... (0x3c0e000), 4096, 4, ) == 0x0
 02317   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02318   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02317   380   NtDuplicateObject  ... 560, ) == 0x0
 02318   464   NtCreateThread  ... 564, {1036, 1692}, ) == 0x0
 02319   380   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02320   464   NtQueryInformationThread  (564, Basic, 28, ...
 02319   380   NtWaitForSingleObject  ... ) == 0x102
 02320   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1036,Tid=1692,}, 0x0, ) == 0x0
 02321   380   NtWaitForSingleObject  (160, 0, 0x0, ...
 02316  1256   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02322   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58074, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\14\4\0\0\234\6\0\0" ...  ...
 02323  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02322   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58075, 0}  ... {28, 56, reply, 0, 1036, 464, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\14\4\0\0\234\6\0\0" )  ) == 0x0
 02323  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02324   464   NtResumeThread  (564, ...
 02325  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02324   464   NtResumeThread  ... 1, ) == 0x0
 02325  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02326   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02327  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02328  1692   NtTestAlert  (...
 02326   464   NtAllocateVirtualMemory  ... 62980096, 1048576, ) == 0x0
 02328  1692   NtTestAlert  ... ) == 0x0
 02329   464   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ...
 02330  1692   NtContinue  (62979376, 1, ...
 02329   464   NtAllocateVirtualMemory  ... 64020480, 8192, ) == 0x0
 02331  1692   NtRegisterThreadTerminatePort  (24, ...
 02332   464   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ...
 02331  1692   NtRegisterThreadTerminatePort  ... ) == 0x0
 02332   464   NtProtectVirtualMemory  ... (0x3d0e000), 4096, 4, ) == 0x0
 02327  1256   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02333   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02334  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02335  1692   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02334  1256   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02335  1692   NtDuplicateObject  ... 568, ) == 0x0
 02336  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "p\256\242\301\354\12\230\331\216\274M\366\215\215\353\212\2117\361\331\257\377\346\262\212\362\377\210\231\217\352M\14\216\225>\262\340\362\261\11\235)\256\224\224\5\370F\322\205<\23,\271B\365\363\265\272-fz'\327>\355\270\20\200\360 \260:, 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "p\256\242\301\354\12\230\331\216\274M\366\215\215\353\212\2117\361\331\257\377\346\262\212\362\377\210\231\217\352M\14\216\225>\262\340\362\261\11\235)\256\224\224\5\370F\322\205<\23,\271B\365\363\265\272-fz'\327>\355\270\20\200\360 \260:, 80, ... , 80, ...
 02337  1692   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02336  1256   NtSetValueKey  ... ) == 0x0
 02337  1692   NtWaitForSingleObject  ... ) == 0x102
 02338  1256   NtClose  (-2147481344, ...
 02339  1692   NtWaitForSingleObject  (160, 0, 0x0, ...
 02333   464   NtCreateThread  ... 572, {1036, 1792}, ) == 0x0
 02338  1256   NtClose  ... ) == 0x0
 02340   464   NtQueryInformationThread  (572, Basic, 28, ...
 02307  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\312\271+dy\36\252\246JJ5N\7\31\214\375a\306iJ\306\271\337\203\11\363W\245\5\245k\246\25\215\376\243\212\12\21\17"\17\36\346]\376L$\375#\367\241r\355W\322\344\30\214\333H\325[v\311\6\264\236Z\352Y\5~\244^En\257\227\2725\363M.\231S\264\305\30\2`\235|iB.\325\255F\360G\177\4\2174L\3537|f\16\370\317P\245\324\220\267-\305\273\3419!\267\366r\20\20Xh\213\356L\203\360T\271\312\324#\275\15\245\317\16I*3X\352H\220\11\13:7\2716\375\300\300\310y\7\334\32\307d\232\313:\33\200a\333\277\206W\263~_\203\322\374#\316%K\254\221?\301\236\10\220\376^5\362Z\251#\17\344\207\271\360+\367\23R\16\325\361\326\331", ) \17\36\346]\376L$\375#\367\241r\355W\322\344\30\214\333H\325[v\311\6\264\236Z\352Y\5~\244^En\257\227\2725\363M.\231S\264\305\30\2`\235|iB.\325\255F\360G\177\4\2174L\3537|f\16\370\317P\245\324\220\267-\305\273\3419!\267\366r\20\20Xh\213\356L\203\360T\271\312\324#\275\15\245\317\16I*3X\352H\220\11\13:7\2716\375\300\300\310y\7\334\32\307d\232\313:\33\200a\333\277\206W\263~_\203\322\374#\316%K\254\221?\301\236\10\220\376^5\362Z\251#\17\344\207\271\360+\367\23R\16\325\361\326\331", ) == 0x0
 02340   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1036,Tid=1792,}, 0x0, ) == 0x0
 02341  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36mz\5`\213r^o\354\247`\213r^o\354\247`\213r^o'\237\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02342   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58075, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\14\4\0\0\0\7\0\0" ...  ...
 02343  1256   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02342   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58076, 0}  ... {28, 56, reply, 0, 1036, 464, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\14\4\0\0\0\7\0\0" )  ) == 0x0
 02343  1256   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02344  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02345  1256   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02346  1256   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02347  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02348   464   NtResumeThread  (572, ... 1, ) == 0x0
 02349   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0
 02350   464   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0
 02351   464   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0
 02352   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1036, 1744}, ) == 0x0
 02353   464   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1036,Tid=1744,}, 0x0, ) == 0x0
 02347  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02354  1792   NtTestAlert  (...
 02355  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02354  1792   NtTestAlert  ... ) == 0x0
 02355  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02356  1792   NtContinue  (64027952, 1, ...
 02357  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02358  1792   NtRegisterThreadTerminatePort  (24, ...
 02357  1256   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02358  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02359  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02360   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58076, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\14\4\0\0\320\6\0\0" ...  ...
 02361  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02360   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58077, 0}  ... {28, 56, reply, 0, 1036, 464, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\14\4\0\0\320\6\0\0" )  ) == 0x0
 02361  1792   NtDuplicateObject  ... 580, ) == 0x0
 02362   464   NtResumeThread  (576, ...
 02363  1792   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02362   464   NtResumeThread  ... 1, ) == 0x0
 02363  1792   NtWaitForSingleObject  ... ) == 0x102
 02364   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02365  1792   NtWaitForSingleObject  (160, 0, 0x0, ...
 02359  1256   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02366  1744   NtTestAlert  (...
 02364   464   NtAllocateVirtualMemory  ... 65077248, 1048576, ) == 0x0
 02367  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "eJ\203\344\241\253\244\350U\311\11\217\302\203|`\231u\347\273P\220\270\321\25\223\273k\211^\327~\307\315g\276[!\250\264*A\234\216\220\2009\247\323\5E\11\325}mE>\32\240\306,_Z\217\226j\22\322k\221\0\14Sm\30\267\231\343\20\277", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "eJ\203\344\241\253\244\350U\311\11\217\302\203|`\231u\347\273P\220\270\321\25\223\273k\211^\327~\307\315g\276[!\250\264*A\234\216\220\2009\247\323\5E\11\325}mE>\32\240\306,_Z\217\226j\22\322k\221\0\14Sm\30\267\231\343\20\277", 80, ... , 80, ...
 02366  1744   NtTestAlert  ... ) == 0x0
 02368   464   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ...
 02367  1256   NtSetValueKey  ... ) == 0x0
 02369  1744   NtContinue  (65076528, 1, ...
 02368   464   NtAllocateVirtualMemory  ... 66117632, 8192, ) == 0x0
 02370  1256   NtClose  (-2147481344, ...
 02371  1744   NtRegisterThreadTerminatePort  (24, ...
 02372   464   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ...
 02370  1256   NtClose  ... ) == 0x0
 02371  1744   NtRegisterThreadTerminatePort  ... ) == 0x0
 02372   464   NtProtectVirtualMemory  ... (0x3f0e000), 4096, 4, ) == 0x0
 02341  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "_\27\5\2\37\304\202h\262s\331S\224\340\237@\6\15\202\307\2273\312\2345l\276K\330\364\3131'\22Q\317\356Yu\316\214\277\213;:]X\222.wf\300]\320\210\347\221p[r\257QA>\322\17M\223\361\207\202\365w\11\365\2626\23u\1\307,\325\203Q\3277B\262\203N\302\7jU\367\371\364B.\266\352\277\324\333{\322\312\200\36\265\275o\306o@\1\317\212\14Ao4\6\26\12*\22\3306\226"\3326\313\13\6<\3s+\267\22\213I\320Y\266\273\36\204f\302\17P\207+e\344?\331\362\256\1\205\207\212\2724\22\244\37\257\34\375\375\23h\357('p\2\251\302\16\331$\312"y\227\203\207\35e\257\264\364p\356\275_\271\177\211\367\300y\263\341aI\3621\363\375\244#\246\34\220\11\307Q\372#a=I\14\255C\301c\223\224\351\225\254m<\312\353\2\344\233\3149\375Z\376\6\2;", ) \3326\313\13\6<\3s+\267\22\213I\320Y\266\273\36\204f\302\17P\207+e\344?\331\362\256\1\205\207\212\2724\22\244\37\257\34\375\375\23h\357('p\2\251\302\16\331$\312 ... {status=0x0, info=256}, "_\27\5\2\37\304\202h\262s\331S\224\340\237@\6\15\202\307\2273\312\2345l\276K\330\364\3131'\22Q\317\356Yu\316\214\277\213;:]X\222.wf\300]\320\210\347\221p[r\257QA>\322\17M\223\361\207\202\365w\11\365\2626\23u\1\307,\325\203Q\3277B\262\203N\302\7jU\367\371\364B.\266\352\277\324\333{\322\312\200\36\265\275o\306o@\1\317\212\14Ao4\6\26\12*\22\3306\226"\3326\313\13\6<\3s+\267\22\213I\320Y\266\273\36\204f\302\17P\207+e\344?\331\362\256\1\205\207\212\2724\22\244\37\257\34\375\375\23h\357('p\2\251\302\16\331$\312"y\227\203\207\35e\257\264\364p\356\275_\271\177\211\367\300y\263\341aI\3621\363\375\244#\246\34\220\11\307Q\372#a=I\14\255C\301c\223\224\351\225\254m<\312\353\2\344\233\3149\375Z\376\6\2;", ) , ) == 0x0
 02373   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02374  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02375  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36mz\5`\213r^o\354\247`\213r^o\354\247`\213r^o\354\247`\213r^o'\237\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02374  1744   NtDuplicateObject  ... 584, ) == 0x0
 02376  1256   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02377  1744   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02376  1256   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02377  1744   NtWaitForSingleObject  ... ) == 0x102
 02378  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02379  1744   NtWaitForSingleObject  (160, 0, 0x0, ...
 02378  1256   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02373   464   NtCreateThread  ... 588, {1036, 1124}, ) == 0x0
 02380  1256   NtQuerySystemInformation  (Performance, 312, ...
 02381   464   NtQueryInformationThread  (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1036,Tid=1124,}, 0x0, ) == 0x0
 02382   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58077, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\14\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\14\4\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58078, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\14\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\14\4\0\0d\4\0\0" )  ) == 0x0
 02383   464   NtResumeThread  (588, ... 1, ) == 0x0
 02384   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0
 02385   464   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0
 02380  1256   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02386  1124   NtAllocateVirtualMemory  (-1, 3629056, 0, 4096, 4096, 4, ...
 02387  1256   NtQuerySystemInformation  (Exception, 16, ...
 02386  1124   NtAllocateVirtualMemory  ... 3629056, 4096, ) == 0x0
 02387  1256   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02388  1124   NtTestAlert  (...
 02389  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02388  1124   NtTestAlert  ... ) == 0x0
 02389  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02390  1124   NtContinue  (66125104, 1, ...
 02391  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02392   464   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ...
 02393  1124   NtRegisterThreadTerminatePort  (24, ...
 02392   464   NtProtectVirtualMemory  ... (0x400e000), 4096, 4, ) == 0x0
 02393  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 02394   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02395  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02394   464   NtCreateThread  ... 592, {1036, 1496}, ) == 0x0
 02395  1124   NtDuplicateObject  ... 596, ) == 0x0
 02396   464   NtQueryInformationThread  (592, Basic, 28, ...
 02397  1124   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02396   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1036,Tid=1496,}, 0x0, ) == 0x0
 02397  1124   NtWaitForSingleObject  ... ) == 0x102
 02391  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02398  1124   NtWaitForSingleObject  (160, 0, 0x0, ...
 02399  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02400  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0
 02401  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "mQ\254fdH\24\15\360\243\321\277\1\275wlc\364\244\362\257\364\262\341Db\202\242!|\203\367\252\304\354\13w\302\25\3636s\233\1\307]\333\306\371\231\230d\27c\274\16\320>\272i\214\333\323#r\212?\333\22'=\207IcB\345U\17g\36", 80, ... ) , 0, 3,  (-2147481344, "Seed", 0, 3, "mQ\254fdH\24\15\360\243\321\277\1\275wlc\364\244\362\257\364\262\341Db\202\242!|\203\367\252\304\354\13w\302\25\3636s\233\1\307]\333\306\371\231\230d\27c\274\16\320>\272i\214\333\323#r\212?\333\22'=\207IcB\345U\17g\36", 80, ... ) , 80, ... ) == 0x0
 02402  1256   NtClose  (-2147481344, ... ) == 0x0
 02375  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "n\306\366\340>fz\3006M\203\332e\202\224\234\264]VP\276Y\330\234-\230\304\2776\203\262\312z\306|\352\336\6\325j\301\351\351\300\317\377\267\231\232\266R\370\33#\376\20\13>\365\235\255\355\246\205Ak\320\361(\366\20\22"\365\226\303\367r\11E\362\206\25\23\363\237\250\313f\245\4Y\2.\12\346\377\224\370\221\341\245\313\336\21<\301B\2123\265\323\364o\32\325\36E?\33\20Q\7\273\204\1\205\217\345}\223\220\236\270rJ\306\34\263\334\353\220I\265\371e4<\375F\265\310d\2309\374[\315\177\262\310\232\36\311R\25[r\271\5\303\222Y\260\213;\30\366T\310\264\333\347\201\15S\305\21\316\177\2262\225\263\276\247B\326\335\316\240\206\275\326\356\337N\234\210\346\30\266\33\307\276q\213U\373c\12\347\235\333-@\302\206\202|\220\206\232\276\21\237\326\337X\373@5I\26\334\201"x\14\330\22,]\265\215", ) \365\226\303\367r\11E\362\206\25\23\363\237\250\313f\245\4Y\2.\12\346\377\224\370\221\341\245\313\336\21<\301B\2123\265\323\364o\32\325\36E?\33\20Q\7\273\204\1\205\217\345}\223\220\236\270rJ\306\34\263\334\353\220I\265\371e4<\375F\265\310d\2309\374[\315\177\262\310\232\36\311R\25[r\271\5\303\222Y\260\213;\30\366T\310\264\333\347\201\15S\305\21\316\177\2262\225\263\276\247B\326\335\316\240\206\275\326\356\337N\234\210\346\30\266\33\307\276q\213U\373c\12\347\235\333-@\302\206\202|\220\206\232\276\21\237\326\337X\373@5I\26\334\201 ... {status=0x0, info=256}, "n\306\366\340>fz\3006M\203\332e\202\224\234\264]VP\276Y\330\234-\230\304\2776\203\262\312z\306|\352\336\6\325j\301\351\351\300\317\377\267\231\232\266R\370\33#\376\20\13>\365\235\255\355\246\205Ak\320\361(\366\20\22"\365\226\303\367r\11E\362\206\25\23\363\237\250\313f\245\4Y\2.\12\346\377\224\370\221\341\245\313\336\21<\301B\2123\265\323\364o\32\325\36E?\33\20Q\7\273\204\1\205\217\345}\223\220\236\270rJ\306\34\263\334\353\220I\265\371e4<\375F\265\310d\2309\374[\315\177\262\310\232\36\311R\25[r\271\5\303\222Y\260\213;\30\366T\310\264\333\347\201\15S\305\21\316\177\2262\225\263\276\247B\326\335\316\240\206\275\326\356\337N\234\210\346\30\266\33\307\276q\213U\373c\12\347\235\333-@\302\206\202|\220\206\232\276\21\237\326\337X\373@5I\26\334\201"x\14\330\22,]\265\215", ) , ) == 0x0
 02403  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36mz\5`\213r^o\354\247`\213r^o\354\247`\213r^o\354\247`\213r^o\354\247`\213r^o'\237\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02404  1256   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02405   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58078, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\14\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\14\4\0\0\330\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58079, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\14\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\14\4\0\0\330\5\0\0" )  ) == 0x0
 02406   464   NtResumeThread  (592, ... 1, ) == 0x0
 02407   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67174400, 1048576, ) == 0x0
 02408   464   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0
 02409   464   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0
 02410   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02404  1256   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02411  1496   NtTestAlert  (...
 02412  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02411  1496   NtTestAlert  ... ) == 0x0
 02412  1256   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02413  1496   NtContinue  (67173680, 1, ...
 02414  1256   NtQuerySystemInformation  (Performance, 312, ...
 02415  1496   NtRegisterThreadTerminatePort  (24, ...
 02414  1256   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02415  1496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02416  1256   NtQuerySystemInformation  (Exception, 16, ...
 02410   464   NtCreateThread  ... 600, {1036, 168}, ) == 0x0
 02417  1496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02418   464   NtQueryInformationThread  (600, Basic, 28, ...
 02417  1496   NtDuplicateObject  ... 604, ) == 0x0
 02418   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1036,Tid=168,}, 0x0, ) == 0x0
 02419  1496   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02420   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58079, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\14\4\0\0\250\0\0\0" ...  ...
 02419  1496   NtWaitForSingleObject  ... ) == 0x102
 02420   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58080, 0}  ... {28, 56, reply, 0, 1036, 464, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\14\4\0\0\250\0\0\0" )  ) == 0x0
 02421  1496   NtWaitForSingleObject  (160, 0, 0x0, ...
 02416  1256   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02422   464   NtResumeThread  (600, ...
 02423  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02422   464   NtResumeThread  ... 1, ) == 0x0
 02423  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02424   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02425  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02424   464   NtAllocateVirtualMemory  ... 68222976, 1048576, ) == 0x0
 02425  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02426   464   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ...
 02427  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02426   464   NtAllocateVirtualMemory  ... 69263360, 8192, ) == 0x0
 02428   168   NtTestAlert  (...
 02427  1256   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02428   168   NtTestAlert  ... ) == 0x0
 02429  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02430   168   NtContinue  (68222256, 1, ...
 02429  1256   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02431   168   NtRegisterThreadTerminatePort  (24, ...
 02432  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\365\360\342S\206;\35\346\255\251T\32\360\206\2649\363s\366\267V\206;\270\367`\326>e`\15Q\14\327\267\32FT\347\257d,\265\3640\213\351\214\27\337\305!136\346#\1\362*#\245\250\206!\223a(\3524\252\202\345\372,\302\24"\366;", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\365\360\342S\206;\35\346\255\251T\32\360\206\2649\363s\366\267V\206;\270\367`\326>e`\15Q\14\327\267\32FT\347\257d,\265\3640\213\351\214\27\337\305!136\346#\1\362*#\245\250\206!\223a(\3524\252\202\345\372,\302\24"\366;", 80, ... \366;", 80, ...
 02431   168   NtRegisterThreadTerminatePort  ... ) == 0x0
 02432  1256   NtSetValueKey  ... ) == 0x0
 02433   464   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ...
 02434  1256   NtClose  (-2147481344, ...
 02433   464   NtProtectVirtualMemory  ... (0x420e000), 4096, 4, ) == 0x0
 02435   168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02436   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02435   168   NtDuplicateObject  ... 608, ) == 0x0
 02436   464   NtCreateThread  ... 612, {1036, 1284}, ) == 0x0
 02437   168   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02438   464   NtQueryInformationThread  (612, Basic, 28, ...
 02437   168   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02438   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1036,Tid=1284,}, 0x0, ) == 0x0
 02439   168   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02434  1256   NtClose  ... ) == 0x0
 02403  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\266N\21\204\262\304]\227U\207h\20\221\361V`\10\240\314,\36\317\301\273\225\273\3013{\5s\&U\275$\7\217{;&\341\24\341\34\334B\241\332\11+1=e\3020\363G\311\16\5\205\35\352\177\27S\372\360\371\210\331\223q\202\237\210\303\346\0\332!\223\7\216\340\33l\300\370\2004\350\213\355y\306\234\17\376$\337\376M\202\374r\314HF|\23T\246\304^\325d\324-X\354\227\313y\263ar\11V\375\25\262\0!V\327\20\2778q6\265!\20L\33. a\12Z\335\3323\323\324\246\222\372\354\353\2239y\357\243\301qP-\36\2$\21M\262\31@|\220=\245\1\343\337\26\12Z\10g\321\270W5T\324\367f\30-e\314&\220\332\32\345H\226\247\31\237\312=\37\377\23N)a\236\4>y\36^\217\352N\206V\2269z\346\375n\205\233\340\363\2568\332\363\260["\245\276;\33\302\4", ) \245\276;\33\302\4", ) == 0x0
 02440  1256   NtDeviceIoControlFile  (492, 0, 0x0, 0x0, 0x390008,  (492, 0, 0x0, 0x0, 0x390008, "Fg0c\23\303\202\30\23\376\375\0\36mz\5`\213r^o\354\247`\213r^o\354\247`\213r^o\354\247`\213r^o\354\247`\213r^o\354\247`\213r^o'\237\304\14uR\260"\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 02441  1256   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02442  1256   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02443  1256   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02444  1256   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02445  1256   NtQuerySystemInformation  (Lookaside, 32, ...
 02446   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58080, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\14\4\0\0\4\5\0\0" ...  ...
 02439   168   NtWaitForSingleObject  ... ) == 0x102
 02446   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58081, 0}  ... {28, 56, reply, 0, 1036, 464, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\14\4\0\0\4\5\0\0" )  ) == 0x0
 02447   168   NtWaitForSingleObject  (160, 0, 0x0, ...
 02448   464   NtResumeThread  (612, ... 1, ) == 0x0
 02449   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69271552, 1048576, ) == 0x0
 02450   464   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0
 02451   464   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02452   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02445  1256   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02453  1284   NtTestAlert  (...
 02454  1256   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02453  1284   NtTestAlert  ... ) == 0x0
 02454  1256   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02455  1284   NtContinue  (69270832, 1, ...
 02456  1256   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02457  1284   NtRegisterThreadTerminatePort  (24, ...
 02456  1256   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02457  1284   NtRegisterThreadTerminatePort  ... ) == 0x0
 02458  1256   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02452   464   NtCreateThread  ... 616, {1036, 1268}, ) == 0x0
 02459  1284   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02460   464   NtQueryInformationThread  (616, Basic, 28, ...
 02459  1284   NtDuplicateObject  ... 620, ) == 0x0
 02460   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1036,Tid=1268,}, 0x0, ) == 0x0
 02461  1284   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02462   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58081, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\14\4\0\0\364\4\0\0" ...  ...
 02461  1284   NtWaitForSingleObject  ... ) == 0x102
 02462   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58082, 0}  ... {28, 56, reply, 0, 1036, 464, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\14\4\0\0\364\4\0\0" )  ) == 0x0
 02463  1284   NtWaitForSingleObject  (160, 0, 0x0, ...
 02458  1256   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02464   464   NtResumeThread  (616, ...
 02465  1256   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\236\256H\37\376\367\231\30@\236\201VC\236v\33_&\341Qu\276\216"^\343\304\306\240~U\362\222iuT \255F\327N\374\33\274_7\215\27\212S\277^\235\240\336\241\265:\327\277\364~\310D\206}3\330\330!\1>e\340\203\215\355\234\32", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\236\256H\37\376\367\231\30@\236\201VC\236v\33_&\341Qu\276\216"^\343\304\306\240~U\362\222iuT \255F\327N\374\33\274_7\215\27\212S\277^\235\240\336\241\265:\327\277\364~\310D\206}3\330\330!\1>e\340\203\215\355\234\32", 80, ... ^\343\304\306\240~U\362\222iuT \255F\327N\374\33\274_7\215\27\212S\277^\235\240\336\241\265:\327\277\364~\310D\206}3\330\330!\1>e\340\203\215\355\234\32", 80, ...
 02464   464   NtResumeThread  ... 1, ) == 0x0
 02465  1256   NtSetValueKey  ... ) == 0x0
 02466   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02467  1256   NtClose  (-2147481344, ...
 02466   464   NtAllocateVirtualMemory  ... 70320128, 1048576, ) == 0x0
 02467  1256   NtClose  ... ) == 0x0
 02468   464   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ...
 02440  1256   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3\302\271\370\251\372u{\367\236uP\3\346\377j\231\267G\331}\225\302qP\327\337blG\234w\375\332\244\3\374\15(-\263\204\5,1A\303w\201p \364 \311\364,?\371\304\335b<\5i\327T\11\22\237F\323'\201\240.\237\273\342\25E\2218\20\371\335\205\375of\245\220V\277\261\226\360\337b\272O\260Q\2275\207\26%<\202\33=r_\374\314\335\274\4\210vr\302\375\2\226\20\136\303\263\325\306A^\313\3336\241\213#\252i\372\2175\2\254\374\31D\206\334\1?\311\311\363\316\262\26057\211\265\251\234g\162\236\201Wx\375\306\364\346\27=\262\271\24\31ixT\235w\372\273\211\250\311\352\227\210h\317\25\257\205\275\324\205Q\31\361xn\30\223]\237\2)\254q\332z!\365\223x#\360|r\353\376\336\334\377\271W\35Qsr\306\212\37;\33\14\356\17\331<\301re\225`{\226", ) , ) == 0x0
 02468   464   NtAllocateVirtualMemory  ... 71360512, 8192, ) == 0x0
 02469  1268   NtTestAlert  (...
 02470  1256   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02469  1268   NtTestAlert  ... ) == 0x0
 02470  1256   NtCreateEvent  ... 624, ) == 0x0
 02471  1268   NtContinue  (70319408, 1, ...
 02472  1256   NtSetEventBoostPriority  (536, ...
 02473  1268   NtRegisterThreadTerminatePort  (24, ...
 02269  1808   NtWaitForSingleObject  ... ) == 0x0
 02472  1256   NtSetEventBoostPriority  ... ) == 0x0
 02474  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02473  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 02474  1808   NtCreateEvent  ... 628, ) == 0x0
 02475  1256   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ...
 02476   464   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ...
 02477  1808   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789420, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789420, 188, ...
 02476   464   NtProtectVirtualMemory  ... (0x440e000), 4096, 4, ) == 0x0
 02478  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02479   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02478  1268   NtDuplicateObject  ... 632, ) == 0x0
 02479   464   NtCreateThread  ... 636, {1036, 840}, ) == 0x0
 02480  1268   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02481   464   NtQueryInformationThread  (636, Basic, 28, ...
 02480  1268   NtWaitForSingleObject  ... ) == 0x102
 02481   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1036,Tid=840,}, 0x0, ) == 0x0
 02482  1268   NtWaitForSingleObject  (160, 0, 0x0, ...
 02477  1808   NtConnectPort  ... 640, 0x0, 0x0, 0x0, 188, ) == 0x0
 02475  1256   NtConnectPort  ... 644, 0x0, 0x0, 0x0, 188, ) == 0x0
 02483   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58082, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\14\4\0\0H\3\0\0" ...  ...
 02484  1808   NtRequestWaitReplyPort  (640, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721}  (640, {200, 224, new_msg, 0, 1330592, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\08r\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0L\323\2735)\235\27\231\10t\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\340s\25\0\225y10x\1\24\0\0t\25\0h\1\24\0\0\0\0\0\0\0\0\0\0t\25\0P\0\0\0\10t\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\360\0\372\31\221|\200\363\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02485  1256   NtRequestWaitReplyPort  (644, {200, 224, new_msg, 0, 2883626, 1380480, 12, 2}  (644, {200, 224, new_msg, 0, 2883626, 1380480, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\3\0\4\0\0\0\0;\24\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\276s7c\301]\37J\220s\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\350q\25\0'\220^\12x\1\24\0\210s\25\0h\1\24\0\0\0\0\0\0\0\0\0\210s\25\0P\0\0\0\220s\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 02483   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58085, 0}  ... {28, 56, reply, 0, 1036, 464, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\14\4\0\0H\3\0\0" )  ) == 0x0
 02486   464   NtResumeThread  (636, ... 1, ) == 0x0
 02487   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02484  1808   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1036, 1808, 58086, 0}  ... {200, 224, reply, 0, 1036, 1808, 58086, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0L\323\2735)\235\27\231\10t\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\340s\25\0\225y10x\1\24\0\0t\25\0h\1\24\0\0\0\0\0\0\0\0\0\0t\25\0P\0\0\0\10t\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\360\0\372\31\221|\200\363\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02485  1256   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1036, 1256, 58087, 0}  ... {200, 224, reply, 0, 1036, 1256, 58087, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0;\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\276s7c\301]\37J\220s\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\350q\25\0'\220^\12x\1\24\0\210s\25\0h\1\24\0\0\0\0\0\0\0\0\0\210s\25\0P\0\0\0\220s\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02488   840   NtTestAlert  (...
 02489  1808   NtRequestWaitReplyPort  (640, {44, 68, new_msg, 0, 1036, 1808, 58068, 0}  (640, {44, 68, new_msg, 0, 1036, 1808, 58068, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02490  1256   NtRequestWaitReplyPort  (644, {44, 68, new_msg, 56, 0, 0, 0, 0}  (644, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\20w\25\0\322\0\0\0" ...  ...
 02488   840   NtTestAlert  ... ) == 0x0
 02487   464   NtAllocateVirtualMemory  ... 71368704, 1048576, ) == 0x0
 02491   840   NtContinue  (71367984, 1, ...
 02492   464   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ...
 02493   840   NtRegisterThreadTerminatePort  (24, ...
 02492   464   NtAllocateVirtualMemory  ... 72409088, 8192, ) == 0x0
 02493   840   NtRegisterThreadTerminatePort  ... ) == 0x0
 02494   464   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ...
 02489  1808   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1036, 1808, 58089, 0}  ... {40, 64, reply, 0, 1036, 1808, 58089, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02490  1256   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1036, 1256, 58088, 0}  ... {40, 64, reply, 0, 1036, 1256, 58088, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\362\367\370\37`\300l\353\362\367X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02494   464   NtProtectVirtualMemory  ... (0x450e000), 4096, 4, ) == 0x0
 02495  1808   NtRequestWaitReplyPort  (640, {64, 88, new_msg, 56, 1385848, 15789932, 15790032, 0}  (640, {64, 88, new_msg, 56, 1385848, 15789932, 15790032, 0} "\10\357\360\0@\0\25\0\346\277\347w\320\357\360\0l\357\360\0\20\0\0\0\250.\362v\354%\25\0\1\0\0\0\10x\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\26\25\0" ...  ...
 02496  1256   NtRequestWaitReplyPort  (644, {64, 88, new_msg, 56, 1310720, 11596276, 1406728, 0}  (644, {64, 88, new_msg, 56, 1310720, 11596276, 1406728, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\340y\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02497   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02495  1808   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1036, 1808, 58090, 0}  ... {64, 88, reply, 56, 1036, 1808, 58090, 0} "\10\357\360\0@\0\25\0\346\277\347w\320\357\360\0l\357\360\0\20\0\0\0\250.\362v\354%\25\0\1\0\0\0\10x\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\26\25\0" )  ) == 0x0
 02496  1256   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1036, 1256, 58091, 0}  ... {64, 88, reply, 56, 1036, 1256, 58091, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\340y\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02498   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02499  1808   NtClose  (628, ...
 02500  1256   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ...
 02498   840   NtDuplicateObject  ... 648, ) == 0x0
 02497   464   NtCreateThread  ... 652, {1036, 2016}, ) == 0x0
 02500  1256   NtAllocateVirtualMemory  ... 1409024, 4096, ) == 0x0
 02501   840   NtWaitForSingleObject  (368, 0, 0x0, ...
 02502   464   NtQueryInformationThread  (652, Basic, 28, ...
 02499  1808   NtClose  ... ) == 0x0
 02502   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1036,Tid=2016,}, 0x0, ) == 0x0
 02503  1808   NtClose  (640, ...
 02504   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58085, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\14\4\0\0\340\7\0\0" ...  ...
 02503  1808   NtClose  ... ) == 0x0
 02504   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58093, 0}  ... {28, 56, reply, 0, 1036, 464, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\14\4\0\0\340\7\0\0" )  ) == 0x0
 02505  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 02506  1256   NtSetEventBoostPriority  (368, ...
 02501   840   NtWaitForSingleObject  ... ) == 0x0
 02507   840   NtSetEventBoostPriority  (368, ...
 02505  1808   NtWaitForSingleObject  ... ) == 0x0
 02508  1808   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 640, 2, ) }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 640, 2, ) , 0, ... 640, 2, ) == 0x0
 02507   840   NtSetEventBoostPriority  ... ) == 0x0
 02506  1256   NtSetEventBoostPriority  ... ) == 0x0
 02509   464   NtResumeThread  (652, ...
 02510  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02511  1256   NtRequestWaitReplyPort  (644, {44, 68, new_msg, 56, 1036, 1256, 58088, 0}  (644, {44, 68, new_msg, 56, 1036, 1256, 58088, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\362\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\20w\25\0\322\0\0\0" ...  ...
 02509   464   NtResumeThread  ... 1, ) == 0x0
 02510  1808   NtOpenKey  ... 628, ) == 0x0
 02512   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02513  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02512   464   NtAllocateVirtualMemory  ... 72417280, 1048576, ) == 0x0
 02513  1808   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02514   464   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ...
 02515  1808   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02514   464   NtAllocateVirtualMemory  ... 73457664, 8192, ) == 0x0
 02515  1808   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02516   840   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02517  2016   NtTestAlert  (...
 02511  1256   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1036, 1256, 58094, 0}  ... {40, 64, reply, 0, 1036, 1256, 58094, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02518   464   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ...
 02516   840   NtWaitForSingleObject  ... ) == 0x102
 02517  2016   NtTestAlert  ... ) == 0x0
 02519  1256   NtRequestWaitReplyPort  (644, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (644, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\210\211\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02518   464   NtProtectVirtualMemory  ... (0x460e000), 4096, 4, ) == 0x0
 02520   840   NtWaitForSingleObject  (160, 0, 0x0, ...
 02521  2016   NtContinue  (72416560, 1, ...
 02522  1808   NtQueryValueKey  (640,  (640, "Domain", Partial, 144, ... , Partial, 144, ...
 02523   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02524  2016   NtRegisterThreadTerminatePort  (24, ...
 02522  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02523   464   NtCreateThread  ... 656, {1036, 2012}, ) == 0x0
 02524  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 02525  1808   NtQueryValueKey  (640,  (640, "Domain", Partial, 144, ... , Partial, 144, ...
 02526   464   NtQueryInformationThread  (656, Basic, 28, ...
 02519  1256   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1036, 1256, 58095, 0}  ... {64, 88, reply, 56, 1036, 1256, 58095, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\210\211\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02525  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02526   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1036,Tid=2012,}, 0x0, ) == 0x0
 02527  1256   NtRequestWaitReplyPort  (644, {44, 68, new_msg, 56, 1036, 1256, 58094, 0}  (644, {44, 68, new_msg, 56, 1036, 1256, 58094, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\20w\25\0\322\0\0\0" ...  ...
 02528  1808   NtClose  (640, ...
 02529  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02528  1808   NtClose  ... ) == 0x0
 02529  2016   NtDuplicateObject  ... 640, ) == 0x0
 02527  1256   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1036, 1256, 58096, 0}  ... {40, 64, reply, 0, 1036, 1256, 58096, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\300\372\177\220k\3\370\370\37`\300lk\3\370X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 02530   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58093, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\14\4\0\0\334\7\0\0" ...  ...
 02531  2016   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02532  1256   NtRequestWaitReplyPort  (644, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (644, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\220\214\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02530   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58097, 0}  ... {28, 56, reply, 0, 1036, 464, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\14\4\0\0\334\7\0\0" )  ) == 0x0
 02531  2016   NtWaitForSingleObject  ... ) == 0x102
 02533  1808   NtClose  (628, ...
 02534   464   NtResumeThread  (656, ...
 02535  2016   NtWaitForSingleObject  (160, 0, 0x0, ...
 02533  1808   NtClose  ... ) == 0x0
 02534   464   NtResumeThread  ... 1, ) == 0x0
 02532  1256   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1036, 1256, 58098, 0}  ... {64, 88, reply, 56, 1036, 1256, 58098, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\220\214\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02536  1808   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02537   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02538  1256   NtClose  (624, ...
 02536  1808   NtOpenKey  ... 628, ) == 0x0
 02539  2012   NtTestAlert  (...
 02538  1256   NtClose  ... ) == 0x0
 02540  1808   NtQueryValueKey  (628,  (628, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02539  2012   NtTestAlert  ... ) == 0x0
 02541  1256   NtClose  (644, ...
 02540  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02542  2012   NtContinue  (73465136, 1, ...
 02541  1256   NtClose  ... ) == 0x0
 02537   464   NtAllocateVirtualMemory  ... 73465856, 1048576, ) == 0x0
 02543  2012   NtRegisterThreadTerminatePort  (24, ...
 02544  1808   NtClose  (628, ...
 02545   464   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ...
 02543  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 02544  1808   NtClose  ... ) == 0x0
 02545   464   NtAllocateVirtualMemory  ... 74506240, 8192, ) == 0x0
 02546  1256   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02547  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15789008, ... }, 15789008, ...
 02548   464   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ...
 02546  1256   NtCreateEvent  ... 628, ) == 0x0
 02547  1808   NtQueryAttributesFile  ... ) == 0x0
 02548   464   NtProtectVirtualMemory  ... (0x470e000), 4096, 4, ) == 0x0
 02549  1256   NtOpenThreadToken  (-2, 0xc, 1, ...
 02550  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02551   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02549  1256   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02550  1808   NtOpenFile  ... 644, {status=0x0, info=1}, ) == 0x0
 02552  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02553  1256   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02551   464   NtCreateThread  ... 624, {1036, 1604}, ) == 0x0
 02552  2012   NtDuplicateObject  ... 660, ) == 0x0
 02553  1256   NtCreateEvent  ... 664, ) == 0x0
 02554   464   NtQueryInformationThread  (624, Basic, 28, ...
 02555  2012   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02556  1808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 644, ...
 02554   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1036,Tid=1604,}, 0x0, ) == 0x0
 02555  2012   NtWaitForSingleObject  ... ) == 0x102
 02556  1808   NtCreateSection  ... 668, ) == 0x0
 02557   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58097, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\14\4\0\0D\6\0\0" ...  ...
 02558  2012   NtWaitForSingleObject  (160, 0, 0x0, ...
 02559  1808   NtClose  (644, ...
 02557   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58100, 0}  ... {28, 56, reply, 0, 1036, 464, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\14\4\0\0D\6\0\0" )  ) == 0x0
 02560  1256   NtOpenThreadToken  (-2, 0xc, 1, ...
 02559  1808   NtClose  ... ) == 0x0
 02560  1256   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02561  1808   NtMapViewOfSection  (668, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02562  1256   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02561  1808   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 02562  1256   NtSetInformationThread  ... ) == 0x0
 02563   464   NtResumeThread  (624, ...
 02564  1256   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11595968,  (0xc0100080, {24, 0, 0x40, 0, 11595968, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02563   464   NtResumeThread  ... 1, ) == 0x0
 02564  1256   NtCreateFile  ... 644, {status=0x0, info=1}, ) == 0x0
 02565   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02566   464   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02567   464   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02568   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1036, 1572}, ) == 0x0
 02569   464   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1036,Tid=1572,}, 0x0, ) == 0x0
 02570  1256   NtSetInformationFile  (644, 11596024, 8, Pipe, ...
 02571  1808   NtClose  (668, ...
 02572  1604   NtWaitForSingleObject  (128, 0, 0x0, ...
 02570  1256   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02571  1808   NtClose  ... ) == 0x0
 02573  1256   NtSetInformationFile  (644, 11596012, 8, Completion, ...
 02574  1808   NtUnmapViewOfSection  (-1, 0x360000, ...
 02573  1256   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02574  1808   NtUnmapViewOfSection  ... ) == 0x0
 02575  1256   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02576  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15789316, ... }, 15789316, ...
 02575  1256   NtSetInformationThread  ... ) == 0x0
 02576  1808   NtQueryAttributesFile  ... ) == 0x0
 02577   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58100, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\14\4\0\0$\6\0\0" ...  ...
 02578  1256   NtWriteFile  (644, 189, 0, 0,  (644, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02577   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58101, 0}  ... {28, 56, reply, 0, 1036, 464, 58101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\14\4\0\0$\6\0\0" )  ) == 0x0
 02578  1256   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02579   464   NtResumeThread  (672, ...
 02580  1256   NtReadFile  (644, 189, 0, 0, 1024, {0, 0}, 0, ...
 02579   464   NtResumeThread  ... 1, ) == 0x0
 02580  1256   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02581   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02582  1256   NtFsControlFile  (644, 189, 0x0, 0x0, 0x11c017,  (644, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\260\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02583  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02584  1572   NtWaitForSingleObject  (128, 0, 0x0, ...
 02582  1256   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02583  1808   NtOpenFile  ... 668, {status=0x0, info=1}, ) == 0x0
 02581   464   NtAllocateVirtualMemory  ... 75563008, 1048576, ) == 0x0
 02585  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 668, ...
 02586   464   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ...
 02585  1808   NtCreateSection  ... 676, ) == 0x0
 02586   464   NtAllocateVirtualMemory  ... 76603392, 8192, ) == 0x0
 02587  1808   NtQuerySection  (676, Image, 48, ...
 02588   464   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ...
 02587  1808   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02588   464   NtProtectVirtualMemory  ... (0x490e000), 4096, 4, ) == 0x0
 02589  1256   NtFsControlFile  (644, 189, 0x0, 0x0, 0x11c017,  (644, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\315\15\336=\343\232\6H\216[cS\333\362\3\321\1\0\0\0\1\0\0\0&\0(\0\10\217\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02590   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02589  1256   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\315\15\336=\343\232\6H\216[cS\333\362\3\321\0\0\0\0", ) , ) == 0x103
 02591  1808   NtClose  (668, ...
 02592  1256   NtFsControlFile  (644, 189, 0x0, 0x0, 0x11c017,  (644, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\315\15\336=\343\232\6H\216[cS\333\362\3\321", 44, 1024, ... , 44, 1024, ...
 02591  1808   NtClose  ... ) == 0x0
 02592  1256   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0`\177\25\0\1\0\0\0l\177\25\0 \0\0\0\1\0\0\0\30\0\32\0x\177\25\0\224\177\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0p[\25\0\1\0\0\0\5\0i\0\200[\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02593  1808   NtMapViewOfSection  (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02594  1256   NtClose  (664, ...
 02593  1808   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02594  1256   NtClose  ... ) == 0x0
 02595  1808   NtClose  (676, ...
 02590   464   NtCreateThread  ... 664, {1036, 596}, ) == 0x0
 02595  1808   NtClose  ... ) == 0x0
 02596   464   NtQueryInformationThread  (664, Basic, 28, ...
 02597  1256   NtClose  (644, ...
 02596   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1036,Tid=596,}, 0x0, ) == 0x0
 02597  1256   NtClose  ... ) == 0x0
 02598   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58101, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\14\4\0\0T\2\0\0" ...  ...
 02599  1256   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1330592, 0x0, 11597892, 188, ... , {12, 2, 1, 1}, 0x0, 1330592, 0x0, 11597892, 188, ...
 02598   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58102, 0}  ... {28, 56, reply, 0, 1036, 464, 58102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\14\4\0\0T\2\0\0" )  ) == 0x0
 02599  1256   NtSecureConnectPort  ... 644, 0x0, 0x0, 0x0, 188, ) == 0x0
 02600  1808   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02601  1256   NtOpenThreadToken  (-2, 0xc, 1, ...
 02600  1808   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02602   464   NtResumeThread  (664, ...
 02603  1808   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02602   464   NtResumeThread  ... 1, ) == 0x0
 02603  1808   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02604   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02605  1808   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02604   464   NtAllocateVirtualMemory  ... 76611584, 1048576, ) == 0x0
 02605  1808   NtFlushInstructionCache  ... ) == 0x0
 02606   464   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ...
 02601  1256   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02607   596   NtWaitForSingleObject  (128, 0, 0x0, ...
 02606   464   NtAllocateVirtualMemory  ... 77651968, 8192, ) == 0x0
 02608  1256   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02609  1808   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02608  1256   NtSetInformationThread  ... ) == 0x0
 02609  1808   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02610  1256   NtRequestWaitReplyPort  (644, {200, 224, new_msg, 0, 1380480, 12, 2, 1310977}  (644, {200, 224, new_msg, 0, 1380480, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\341\4\311\372\260\13\231\247\261\323o\222\224\220y\247\12\0\0\0H-+c\304\366\275r\0\0\0\0\340s\25\0q\200\At}\375e(\0\0\0\0\244\0*\0\0\24\0\240\366\260\0K\225\4\271\0\0\0\0\220s\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02611  1808   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02612  1808   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02610  1256   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1036, 1256, 58104, 0}  ... {200, 224, reply, 0, 1036, 1256, 58104, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\341\4\311\372\260\13\231\247\261\323o\222\224\220y\247\12\0\0\0H-+c\304\366\275r\0\0\0\0\340s\25\0q\200\At}\375e(\0\0\0\0\244\0*\0\0\24\0\240\366\260\0K\225\4\271\0\0\0\0\220s\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02613   464   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ...
 02614  1808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 02613   464   NtProtectVirtualMemory  ... (0x4a0e000), 4096, 4, ) == 0x0
 02614  1808   NtOpenSection  ... 676, ) == 0x0
 02615   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02616  1808   NtMapViewOfSection  (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02615   464   NtCreateThread  ... 668, {1036, 1344}, ) == 0x0
 02616  1808   NtMapViewOfSection  ... (0x76f60000), 0x0, 180224, ) == 0x0
 02617   464   NtQueryInformationThread  (668, Basic, 28, ...
 02618  1808   NtClose  (676, ...
 02617   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1036,Tid=1344,}, 0x0, ) == 0x0
 02618  1808   NtClose  ... ) == 0x0
 02619  1256   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02620   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58102, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\14\4\0\0@\5\0\0" ...  ...
 02619  1256   NtSetInformationThread  ... ) == 0x0
 02620   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58105, 0}  ... {28, 56, reply, 0, 1036, 464, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\14\4\0\0@\5\0\0" )  ) == 0x0
 02621  1256   NtRequestWaitReplyPort  (644, {56, 80, new_msg, 0, 44, 3, 20, 0}  (644, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\343\232\6H\216[cS\333\362\3\321\1\0\0\0\0\0\0\0&\0(\0\364\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02622   464   NtResumeThread  (668, ... 1, ) == 0x0
 02623   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77660160, 1048576, ) == 0x0
 02624   464   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0
 02625   464   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0
 02626   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02627  1808   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02628  1344   NtWaitForSingleObject  (128, 0, 0x0, ...
 02627  1808   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02629  1808   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02630  1808   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02631  1808   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02632  1808   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02633  1808   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02626   464   NtCreateThread  ... 676, {1036, 1300}, ) == 0x0
 02634   464   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1036,Tid=1300,}, 0x0, ) == 0x0
 02635   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58105, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\4\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58107, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\4\0\0\24\5\0\0" )  ) == 0x0
 02636   464   NtResumeThread  (676, ... 1, ) == 0x0
 02637   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02638   464   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02639  1808   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02640  1300   NtWaitForSingleObject  (128, 0, 0x0, ...
 02621  1256   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1036, 1256, 58106, 0}  ... {44, 68, reply, 0, 1036, 1256, 58106, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02639  1808   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02641  1256   NtRaiseException  (11598352, 11597612, 1, ...
 02642  1808   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02643   464   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ...
 02642  1808   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02643   464   NtProtectVirtualMemory  ... (0x4c0e000), 4096, 4, ) == 0x0
 02644  1808   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02645   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02644  1808   NtFlushInstructionCache  ... ) == 0x0
 02645   464   NtCreateThread  ... 680, {1036, 1096}, ) == 0x0
 02646  1256   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02647   464   NtQueryInformationThread  (680, Basic, 28, ...
 02646  1256   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02647   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1036,Tid=1096,}, 0x0, ) == 0x0
 02648  1256   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02649  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ...
 02648  1256   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02649  1808   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02650  1256   NtContinue  (11596580, 0, ...
 02651  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 684, ) == 0x0
 02652  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 688, ) }, ... 688, ) == 0x0
 02653  1808   NtQueryValueKey  (688,  (688, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (688, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02654  1808   NtClose  (688, ... ) == 0x0
 02655  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02656   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58107, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58108, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\4\0\0H\4\0\0" )  ) == 0x0
 02657   464   NtResumeThread  (680, ... 1, ) == 0x0
 02658   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0
 02659   464   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02660   464   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 02661   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02662  1808   NtQueryPerformanceCounter  (...
 02663  1256   NtDeviceIoControlFile  (500, 136, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02664  1096   NtWaitForSingleObject  (128, 0, 0x0, ...
 02662  1808   NtQueryPerformanceCounter  ... {927140282, 10}, {3579545, 0}, ) == 0x0
 02663  1256   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02665  1808   NtSetEventBoostPriority  (128, ...
 02666  1256   NtWaitForSingleObject  (136, 1, {-5000000, -1}, ...
 02572  1604   NtWaitForSingleObject  ... ) == 0x0
 02665  1808   NtSetEventBoostPriority  ... ) == 0x0
 02661   464   NtCreateThread  ... 688, {1036, 252}, ) == 0x0
 02667  1604   NtSetEventBoostPriority  (128, ...
 02668  1808   NtWaitForSingleObject  (128, 0, 0x0, ...
 02584  1572   NtWaitForSingleObject  ... ) == 0x0
 02667  1604   NtSetEventBoostPriority  ... ) == 0x0
 02669   464   NtQueryInformationThread  (688, Basic, 28, ...
 02670  1572   NtSetEventBoostPriority  (128, ...
 02607   596   NtWaitForSingleObject  ... ) == 0x0
 02671   596   NtSetEventBoostPriority  (128, ...
 02628  1344   NtWaitForSingleObject  ... ) == 0x0
 02672  1344   NtSetEventBoostPriority  (128, ...
 02640  1300   NtWaitForSingleObject  ... ) == 0x0
 02673  1300   NtSetEventBoostPriority  (128, ...
 02664  1096   NtWaitForSingleObject  ... ) == 0x0
 02674  1096   NtSetEventBoostPriority  (128, ...
 02668  1808   NtWaitForSingleObject  ... ) == 0x0
 02675  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15789008, ... ) }, 15789008, ... ) == 0x0
 02674  1096   NtSetEventBoostPriority  ... ) == 0x0
 02673  1300   NtSetEventBoostPriority  ... ) == 0x0
 02672  1344   NtSetEventBoostPriority  ... ) == 0x0
 02671   596   NtSetEventBoostPriority  ... ) == 0x0
 02670  1572   NtSetEventBoostPriority  ... ) == 0x0
 02669   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1036,Tid=252,}, 0x0, ) == 0x0
 02676  1604   NtTestAlert  (...
 02677  1808   NtQuerySystemInformation  (Basic, 44, ...
 02678  1096   NtTestAlert  (...
 02679  1300   NtTestAlert  (...
 02680  1344   NtTestAlert  (...
 02681   596   NtTestAlert  (...
 02682   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58108, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\14\4\0\0\374\0\0\0" ...  ...
 02676  1604   NtTestAlert  ... ) == 0x0
 02677  1808   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02678  1096   NtTestAlert  ... ) == 0x0
 02679  1300   NtTestAlert  ... ) == 0x0
 02680  1344   NtTestAlert  ... ) == 0x0
 02681   596   NtTestAlert  ... ) == 0x0
 02682   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58109, 0}  ... {28, 56, reply, 0, 1036, 464, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\14\4\0\0\374\0\0\0" )  ) == 0x0
 02683  1604   NtContinue  (74513712, 1, ...
 02684  1808   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02685  1096   NtContinue  (79756592, 1, ...
 02686  1300   NtContinue  (78708016, 1, ...
 02687  1344   NtContinue  (77659440, 1, ...
 02688   596   NtContinue  (76610864, 1, ...
 02689  1572   NtTestAlert  (...
 02690  1604   NtRegisterThreadTerminatePort  (24, ...
 02684  1808   NtAllocateVirtualMemory  ... 3538944, 65536, ) == 0x0
 02691  1096   NtRegisterThreadTerminatePort  (24, ...
 02692  1300   NtRegisterThreadTerminatePort  (24, ...
 02693  1344   NtRegisterThreadTerminatePort  (24, ...
 02694   596   NtRegisterThreadTerminatePort  (24, ...
 02689  1572   NtTestAlert  ... ) == 0x0
 02690  1604   NtRegisterThreadTerminatePort  ... ) == 0x0
 02695  1808   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ...
 02691  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 02692  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 02693  1344   NtRegisterThreadTerminatePort  ... ) == 0x0
 02694   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 02696  1572   NtContinue  (75562288, 1, ...
 02697  1604   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02695  1808   NtAllocateVirtualMemory  ... 3538944, 4096, ) == 0x0
 02698  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02699  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02700  1344   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02701   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02702  1572   NtRegisterThreadTerminatePort  (24, ...
 02703   464   NtResumeThread  (688, ...
 02697  1604   NtDuplicateObject  ... 692, ) == 0x0
 02704  1808   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ...
 02698  1096   NtDuplicateObject  ... 696, ) == 0x0
 02699  1300   NtDuplicateObject  ... 700, ) == 0x0
 02700  1344   NtDuplicateObject  ... 704, ) == 0x0
 02702  1572   NtRegisterThreadTerminatePort  ... ) == 0x0
 02703   464   NtResumeThread  ... 1, ) == 0x0
 02705  1604   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02704  1808   NtAllocateVirtualMemory  ... 3543040, 8192, ) == 0x0
 02706  1096   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02707  1300   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02708  1344   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02709  1572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02710   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02705  1604   NtWaitForSingleObject  ... ) == 0x102
 02711  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15789008, ... }, 15789008, ...
 02706  1096   NtWaitForSingleObject  ... ) == 0x102
 02707  1300   NtWaitForSingleObject  ... ) == 0x102
 02708  1344   NtWaitForSingleObject  ... ) == 0x102
 02701   596   NtDuplicateObject  ... 708, ) == 0x0
 02712   252   NtWaitForSingleObject  (128, 0, 0x0, ...
 02710   464   NtAllocateVirtualMemory  ... 80805888, 1048576, ) == 0x0
 02713  1604   NtWaitForSingleObject  (160, 0, 0x0, ...
 02711  1808   NtQueryAttributesFile  ... ) == 0x0
 02714  1096   NtWaitForSingleObject  (160, 0, 0x0, ...
 02715  1300   NtWaitForSingleObject  (160, 0, 0x0, ...
 02716  1344   NtWaitForSingleObject  (160, 0, 0x0, ...
 02717   596   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02718   464   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ...
 02719  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ...
 02717   596   NtWaitForSingleObject  ... ) == 0x102
 02718   464   NtAllocateVirtualMemory  ... 81846272, 8192, ) == 0x0
 02719  1808   NtOpenFile  ... 712, {status=0x0, info=1}, ) == 0x0
 02720   596   NtWaitForSingleObject  (160, 0, 0x0, ...
 02709  1572   NtDuplicateObject  ... 716, ) == 0x0
 02721   464   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ...
 02722  1572   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02721   464   NtProtectVirtualMemory  ... (0x4e0e000), 4096, 4, ) == 0x0
 02722  1572   NtWaitForSingleObject  ... ) == 0x102
 02723   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02724  1572   NtWaitForSingleObject  (160, 0, 0x0, ...
 02723   464   NtCreateThread  ... 720, {1036, 948}, ) == 0x0
 02725   464   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1036,Tid=948,}, 0x0, ) == 0x0
 02726   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58109, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\4\0\0\264\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\4\0\0\264\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58110, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\4\0\0\264\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\4\0\0\264\3\0\0" )  ) == 0x0
 02727   464   NtResumeThread  (720, ... 1, ) == 0x0
 02728   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02729  1808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 712, ...
 02730   948   NtWaitForSingleObject  (128, 0, 0x0, ...
 02729  1808   NtCreateSection  ... 724, ) == 0x0
 02731  1808   NtClose  (712, ... ) == 0x0
 02732  1808   NtMapViewOfSection  (724, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 110592, ) == 0x0
 02733  1808   NtClose  (724, ... ) == 0x0
 02734  1808   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 02735  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15789316, ... ) }, 15789316, ... ) == 0x0
 02728   464   NtAllocateVirtualMemory  ... 81854464, 1048576, ) == 0x0
 02736   464   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0
 02737   464   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 02738   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1036, 1388}, ) == 0x0
 02739   464   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1036,Tid=1388,}, 0x0, ) == 0x0
 02740   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58110, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58111, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\4\0\0l\5\0\0" )  ) == 0x0
 02741  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 712, {status=0x0, info=1}, ) }, 5, 96, ... 712, {status=0x0, info=1}, ) == 0x0
 02742  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 712, ... 728, ) == 0x0
 02743  1808   NtQuerySection  (728, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02744  1808   NtClose  (712, ... ) == 0x0
 02745  1808   NtMapViewOfSection  (728, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02746  1808   NtClose  (728, ... ) == 0x0
 02747   464   NtResumeThread  (724, ... 1, ) == 0x0
 02748   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0
 02749   464   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 02750   464   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0
 02751   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1036, 520}, ) == 0x0
 02752   464   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1036,Tid=520,}, 0x0, ) == 0x0
 02753  1808   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ...
 02754  1388   NtWaitForSingleObject  (128, 0, 0x0, ...
 02753  1808   NtProtectVirtualMemory  ... (0x751d1000), 4096, 32, ) == 0x0
 02755  1808   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02756  1808   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02757  1808   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02758  1808   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02759  1808   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02760   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58111, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\4\0\0\10\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\4\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58112, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\4\0\0\10\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\4\0\0\10\2\0\0" )  ) == 0x0
 02761   464   NtResumeThread  (728, ... 1, ) == 0x0
 02762   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83951616, 1048576, ) == 0x0
 02763   464   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ... 84992000, 8192, ) == 0x0
 02764   464   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ... (0x510e000), 4096, 4, ) == 0x0
 02765   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02766  1808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... }, ...
 02767   520   NtWaitForSingleObject  (128, 0, 0x0, ...
 02766  1808   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02768  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15788492, ... }, 15788492, ...
 02765   464   NtCreateThread  ... 712, {1036, 276}, ) == 0x0
 02769   464   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1036,Tid=276,}, 0x0, ) == 0x0
 02770   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58112, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\4\0\0\24\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\4\0\0\24\1\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58113, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\4\0\0\24\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\4\0\0\24\1\0\0" )  ) == 0x0
 02771   464   NtResumeThread  (712, ... 1, ) == 0x0
 02772   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0
 02773   464   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0
 02774   276   NtWaitForSingleObject  (128, 0, 0x0, ...
 02775   464   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 02776   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1036, 2040}, ) == 0x0
 02777   464   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1036,Tid=2040,}, 0x0, ) == 0x0
 02778   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58113, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\4\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58114, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\4\0\0\370\7\0\0" )  ) == 0x0
 02779   464   NtResumeThread  (732, ... 1, ) == 0x0
 02780   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02781  2040   NtWaitForSingleObject  (128, 0, 0x0, ...
 02780   464   NtAllocateVirtualMemory  ... 86048768, 1048576, ) == 0x0
 02782   464   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0
 02783   464   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 02784   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02768  1808   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02785  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15788492, ... ) }, 15788492, ... ) == 0x0
 02786  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 736, {status=0x0, info=1}, ) }, 5, 96, ... 736, {status=0x0, info=1}, ) == 0x0
 02787  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 736, ... 740, ) == 0x0
 02788  1808   NtQuerySection  (740, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02789  1808   NtClose  (736, ... ) == 0x0
 02790  1808   NtMapViewOfSection  (740, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02784   464   NtCreateThread  ... 736, {1036, 216}, ) == 0x0
 02791   464   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1036,Tid=216,}, 0x0, ) == 0x0
 02792   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58114, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\4\0\0\330\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58115, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\4\0\0\330\0\0\0" )  ) == 0x0
 02793   464   NtResumeThread  (736, ... 1, ) == 0x0
 02794   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0
 02795   464   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 02790  1808   NtMapViewOfSection  ... (0x77920000), 0x0, 995328, ) == 0x0
 02796   216   NtWaitForSingleObject  (128, 0, 0x0, ...
 02797  1808   NtClose  (740, ... ) == 0x0
 02798  1808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02799  1808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02800  1808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02801  1808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02802  1808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02803   464   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0
 02804   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1036, 152}, ) == 0x0
 02805   464   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1036,Tid=152,}, 0x0, ) == 0x0
 02806   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58115, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\4\0\0\230\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\4\0\0\230\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58116, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\4\0\0\230\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\4\0\0\230\0\0\0" )  ) == 0x0
 02807   464   NtResumeThread  (740, ... 1, ) == 0x0
 02808   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02802  1808   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02809   152   NtWaitForSingleObject  (128, 0, 0x0, ...
 02810  1808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02811  1808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02812  1808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02813  1808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02814  1808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02815  1808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02808   464   NtAllocateVirtualMemory  ... 88145920, 1048576, ) == 0x0
 02816   464   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0
 02817   464   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0
 02818   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1036, 900}, ) == 0x0
 02819   464   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1036,Tid=900,}, 0x0, ) == 0x0
 02820   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58116, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\4\0\0\204\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58117, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1036, 464, 58117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\4\0\0\204\3\0\0" )  ) == 0x0
 02815  1808   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02821  1808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02822  1808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02823  1808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02824  1808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02825  1808   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02826  1808   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02827   464   NtResumeThread  (744, ... 1, ) == 0x0
 02828   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89194496, 1048576, ) == 0x0
 02829   464   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ... 90234880, 8192, ) == 0x0
 02830   464   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0
 02831   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1036, 1272}, ) == 0x0
 02832   464   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1036,Tid=1272,}, 0x0, ) == 0x0
 02826  1808   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02833   900   NtWaitForSingleObject  (128, 0, 0x0, ...
 02834  1808   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02835  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02836  1808   NtQueryDefaultUILanguage  (2090319928, ...
 02837  1808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02838  1808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481344, ) == 0x0
 02839  1808   NtQueryInformationToken  (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02840   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58117, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\4\0\0\370\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\4\0\0\370\4\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58118, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\4\0\0\370\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\4\0\0\370\4\0\0" )  ) == 0x0
 02841   464   NtResumeThread  (748, ... 1, ) == 0x0
 02842   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90243072, 1048576, ) == 0x0
 02843   464   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0
 02844   464   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0
 02845   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02846  1808   NtClose  (-2147481344, ...
 02847  1272   NtWaitForSingleObject  (128, 0, 0x0, ...
 02846  1808   NtClose  ... ) == 0x0
 02848  1808   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... -2147481344, ) == 0x0
 02849  1808   NtOpenKey  (0x80000000, {24, -2147481344, 0x240, 0, 0,  (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02850  1808   NtOpenKey  (0x80000000, {24, -2147481344, 0x640, 0, 0,  (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 02851  1808   NtQueryValueKey  (-2147482132,  (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02852  1808   NtClose  (-2147482132, ... ) == 0x0
 02845   464   NtCreateThread  ... 752, {1036, 1240}, ) == 0x0
 02853   464   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1036,Tid=1240,}, 0x0, ) == 0x0
 02854   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58118, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\4\0\0\330\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\4\0\0\330\4\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58119, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\4\0\0\330\4\0\0" ... {28, 56, reply, 0, 1036, 464, 58119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\4\0\0\330\4\0\0" )  ) == 0x0
 02855   464   NtResumeThread  (752, ... 1, ) == 0x0
 02856   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91291648, 1048576, ) == 0x0
 02857   464   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0
 02858  1808   NtClose  (-2147481344, ...
 02859  1240   NtWaitForSingleObject  (128, 0, 0x0, ...
 02858  1808   NtClose  ... ) == 0x0
 02836  1808   NtQueryDefaultUILanguage  ... ) == 0x0
 02860  1808   NtAllocateVirtualMemory  (-1, 15777792, 0, 4096, 4096, 260, ... 15777792, 4096, ) == 0x0
 02861  1808   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02862  1808   NtQueryDefaultLocale  (1, 15789212, ... ) == 0x0
 02863  1808   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02864  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\Setup"}, ... }, ...
 02865   464   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0
 02866   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1036, 1776}, ) == 0x0
 02867   464   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1036,Tid=1776,}, 0x0, ) == 0x0
 02868   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58119, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\4\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58120, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\4\0\0\360\6\0\0" )  ) == 0x0
 02869   464   NtResumeThread  (756, ... 1, ) == 0x0
 02870   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02864  1808   NtOpenKey  ... 760, ) == 0x0
 02871  1776   NtWaitForSingleObject  (128, 0, 0x0, ...
 02872  1808   NtQueryValueKey  (760,  (760, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (760, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02873  1808   NtClose  (760, ... ) == 0x0
 02874  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 760, ) == 0x0
 02875  1808   NtCallbackReturn  (0, 0, 0, ...
 02876  1808   NtUserGetProcessWindowStation  (... ) == 0x1c
 02877  1808   NtUserGetObjectInformation  (28, 1, 15788808, 12, 15788820, ... ) == 0x1
 02870   464   NtAllocateVirtualMemory  ... 92340224, 1048576, ) == 0x0
 02878   464   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ... 93380608, 8192, ) == 0x0
 02879   464   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0
 02880   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1036, 1324}, ) == 0x0
 02881   464   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1036,Tid=1324,}, 0x0, ) == 0x0
 02882   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58120, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\4\0\0,\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58121, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\4\0\0,\5\0\0" )  ) == 0x0
 02883  1808   NtOpenKey  (0xf003f, {24, 36, 0x40, 0, 0,  (0xf003f, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02884  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\WPA\PnP"}, ... 768, ) }, ... 768, ) == 0x0
 02885  1808   NtQueryValueKey  (768,  (768, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (768, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02886  1808   NtClose  (768, ... ) == 0x0
 02887  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 768, ) }, ... 768, ) == 0x0
 02888  1808   NtQueryValueKey  (768,  (768, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02889   464   NtResumeThread  (764, ... 1, ) == 0x0
 02890   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93388800, 1048576, ) == 0x0
 02891   464   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ... 94429184, 8192, ) == 0x0
 02892   464   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ... (0x5a0e000), 4096, 4, ) == 0x0
 02893   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 772, {1036, 1884}, ) == 0x0
 02894   464   NtQueryInformationThread  (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1036,Tid=1884,}, 0x0, ) == 0x0
 02895  1808   NtQueryValueKey  (768,  (768, "OsLoaderPath", Partial, 144, ... , Partial, 144, ...
 02896  1324   NtWaitForSingleObject  (128, 0, 0x0, ...
 02895  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02897  1808   NtClose  (768, ... ) == 0x0
 02898  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 768, ) }, ... 768, ) == 0x0
 02899  1808   NtQueryValueKey  (768,  (768, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02900  1808   NtQueryValueKey  (768,  (768, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02901  1808   NtClose  (768, ... ) == 0x0
 02902   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58121, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\4\0\0\\7\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58122, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1036, 464, 58122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\4\0\0\\7\0\0" )  ) == 0x0
 02903   464   NtResumeThread  (772, ... 1, ) == 0x0
 02904   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 94437376, 1048576, ) == 0x0
 02905   464   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0
 02906   464   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ... (0x5b0e000), 4096, 4, ) == 0x0
 02907   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02908  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02909  1884   NtWaitForSingleObject  (128, 0, 0x0, ...
 02908  1808   NtOpenKey  ... 768, ) == 0x0
 02910  1808   NtQueryValueKey  (768,  (768, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02911  1808   NtQueryValueKey  (768,  (768, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02912  1808   NtClose  (768, ... ) == 0x0
 02913  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 768, ) }, ... 768, ) == 0x0
 02914  1808   NtQueryValueKey  (768,  (768, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02907   464   NtCreateThread  ... 776, {1036, 248}, ) == 0x0
 02915   464   NtQueryInformationThread  (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1036,Tid=248,}, 0x0, ) == 0x0
 02916   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58122, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\14\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\14\4\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58123, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\14\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1036, 464, 58123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\14\4\0\0\370\0\0\0" )  ) == 0x0
 02917   464   NtResumeThread  (776, ... 1, ) == 0x0
 02918   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95485952, 1048576, ) == 0x0
 02919   464   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ... 96526336, 8192, ) == 0x0
 02920  1808   NtQueryValueKey  (768,  (768, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ...
 02921   248   NtWaitForSingleObject  (128, 0, 0x0, ...
 02920  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02922  1808   NtClose  (768, ... ) == 0x0
 02923  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 768, ) }, ... 768, ) == 0x0
 02924  1808   NtQueryValueKey  (768,  (768, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02925  1808   NtQueryValueKey  (768,  (768, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02926  1808   NtClose  (768, ... ) == 0x0
 02927   464   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ... (0x5c0e000), 4096, 4, ) == 0x0
 02928   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1036, 1652}, ) == 0x0
 02929   464   NtQueryInformationThread  (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1036,Tid=1652,}, 0x0, ) == 0x0
 02930   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58123, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\4\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58124, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\4\0\0t\6\0\0" )  ) == 0x0
 02931   464   NtResumeThread  (768, ... 1, ) == 0x0
 02932   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02933  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02934  1652   NtWaitForSingleObject  (128, 0, 0x0, ...
 02933  1808   NtOpenKey  ... 780, ) == 0x0
 02935  1808   NtQueryValueKey  (780,  (780, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (780, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02936  1808   NtQueryValueKey  (780,  (780, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (780, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02937  1808   NtClose  (780, ... ) == 0x0
 02938  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 780, ) }, ... 780, ) == 0x0
 02939  1808   NtQueryValueKey  (780,  (780, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02932   464   NtAllocateVirtualMemory  ... 96534528, 1048576, ) == 0x0
 02940   464   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ... 97574912, 8192, ) == 0x0
 02941   464   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ... (0x5d0e000), 4096, 4, ) == 0x0
 02942   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1036, 588}, ) == 0x0
 02943   464   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1036,Tid=588,}, 0x0, ) == 0x0
 02944   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58124, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\14\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\14\4\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58125, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\14\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1036, 464, 58125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\14\4\0\0L\2\0\0" )  ) == 0x0
 02945  1808   NtQueryValueKey  (780,  (780, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (780, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02946  1808   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 02947  1808   NtClose  (780, ... ) == 0x0
 02948  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 780, ) == 0x0
 02949  1808   NtCreateMutant  (0x1f0001, 0x0, 0, ... 788, ) == 0x0
 02950  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 792, ) == 0x0
 02951   464   NtResumeThread  (784, ... 1, ) == 0x0
 02952   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0
 02953   464   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0
 02954   464   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0
 02955   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 796, {1036, 440}, ) == 0x0
 02956   464   NtQueryInformationThread  (796, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1036,Tid=440,}, 0x0, ) == 0x0
 02957  1808   NtCreateMutant  (0x1f0001, 0x0, 0, ...
 02958   588   NtWaitForSingleObject  (128, 0, 0x0, ...
 02957  1808   NtCreateMutant  ... 800, ) == 0x0
 02959  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 804, ) == 0x0
 02960  1808   NtCreateMutant  (0x1f0001, 0x0, 0, ... 808, ) == 0x0
 02961  1808   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 812, ) }, ... 812, ) == 0x0
 02962  1808   NtQueryValueKey  (812,  (812, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (812, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02963  1808   NtQueryValueKey  (812,  (812, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (812, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02964   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58125, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\14\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\14\4\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58126, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\14\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1036, 464, 58126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\14\4\0\0\270\1\0\0" )  ) == 0x0
 02965   464   NtResumeThread  (796, ... 1, ) == 0x0
 02966   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 98631680, 1048576, ) == 0x0
 02967   464   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ... 99672064, 8192, ) == 0x0
 02968   464   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ... (0x5f0e000), 4096, 4, ) == 0x0
 02969   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02970  1808   NtQueryValueKey  (812,  (812, "LogPath", Partial, 144, ... , Partial, 144, ...
 02971   440   NtWaitForSingleObject  (128, 0, 0x0, ...
 02970  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02972  1808   NtOpenKey  (0x1, {24, 812, 0x40, 0, 0,  (0x1, {24, 812, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02973  1808   NtClose  (812, ... ) == 0x0
 02974  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15788724, ... ) }, 15788724, ... ) == 0x0
 02975  1808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 812, ) }, ... 812, ) == 0x0
 02976  1808   NtQueryValueKey  (812,  (812, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (812, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (812, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02969   464   NtCreateThread  ... 816, {1036, 1296}, ) == 0x0
 02977   464   NtQueryInformationThread  (816, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1036,Tid=1296,}, 0x0, ) == 0x0
 02978   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58126, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\14\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\14\4\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58127, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\14\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1036, 464, 58127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\14\4\0\0\20\5\0\0" )  ) == 0x0
 02979   464   NtResumeThread  (816, ... 1, ) == 0x0
 02980   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 99680256, 1048576, ) == 0x0
 02981   464   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0
 02982  1808   NtClose  (812, ...
 02983  1296   NtWaitForSingleObject  (128, 0, 0x0, ...
 02982  1808   NtClose  ... ) == 0x0
 02984  1808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 812, ) }, ... 812, ) == 0x0
 02985  1808   NtQueryValueKey  (812,  (812, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (812, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (812, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02986  1808   NtClose  (812, ... ) == 0x0
 02987  1808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02988  1808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 812, ) }, ... 812, ) == 0x0
 02989   464   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ... (0x600e000), 4096, 4, ) == 0x0
 02990   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 820, {1036, 1612}, ) == 0x0
 02991   464   NtQueryInformationThread  (820, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1036,Tid=1612,}, 0x0, ) == 0x0
 02992   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58127, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\14\4\0\0L\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\14\4\0\0L\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 58128, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\14\4\0\0L\6\0\0" ... {28, 56, reply, 0, 1036, 464, 58128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\14\4\0\0L\6\0\0" )  ) == 0x0
 02993   464   NtResumeThread  (820, ... 1, ) == 0x0
 02994   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02995  1808   NtQueryValueKey  (812,  (812, "Domain", Full, 128, ... , Full, 128, ...
 02996  1612   NtWaitForSingleObject  (128, 0, 0x0, ...
 02995  1808   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02997  1808   NtClose  (812, ... ) == 0x0
 02998  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02999  1808   NtSetEventBoostPriority  (128, ...
 02712   252   NtWaitForSingleObject  ... ) == 0x0
 03000   252   NtSetEventBoostPriority  (128, ...
 02730   948   NtWaitForSingleObject  ... ) == 0x0
 03001   948   NtSetEventBoostPriority  (128, ...
 02754  1388   NtWaitForSingleObject  ... ) == 0x0
 03002  1388   NtSetEventBoostPriority  (128, ...
 02767   520   NtWaitForSingleObject  ... ) == 0x0
 03003   520   NtSetEventBoostPriority  (128, ...
 02774   276   NtWaitForSingleObject  ... ) == 0x0
 03004   276   NtSetEventBoostPriority  (128, ...
 02781  2040   NtWaitForSingleObject  ... ) == 0x0
 03005  2040   NtSetEventBoostPriority  (128, ...
 02796   216   NtWaitForSingleObject  ... ) == 0x0
 03006   216   NtSetEventBoostPriority  (128, ...
 02809   152   NtWaitForSingleObject  ... ) == 0x0
 03007   152   NtSetEventBoostPriority  (128, ...
 02833   900   NtWaitForSingleObject  ... ) == 0x0
 03008   900   NtSetEventBoostPriority  (128, ...
 02847  1272   NtWaitForSingleObject  ... ) == 0x0
 03009  1272   NtSetEventBoostPriority  (128, ...
 02859  1240   NtWaitForSingleObject  ... ) == 0x0
 03010  1240   NtSetEventBoostPriority  (128, ...
 02871  1776   NtWaitForSingleObject  ... ) == 0x0
 03011  1776   NtSetEventBoostPriority  (128, ...
 02896  1324   NtWaitForSingleObject  ... ) == 0x0
 03012  1324   NtAllocateVirtualMemory  (-1, 3633152, 0, 4096, 4096, 4, ... 3633152, 4096, ) == 0x0
 03011  1776   NtSetEventBoostPriority  ... ) == 0x0
 03010  1240   NtSetEventBoostPriority  ... ) == 0x0
 03009  1272   NtSetEventBoostPriority  ... ) == 0x0
 03008   900   NtSetEventBoostPriority  ... ) == 0x0
 03007   152   NtSetEventBoostPriority  ... ) == 0x0
 03006   216   NtSetEventBoostPriority  ... ) == 0x0
 03005  2040   NtSetEventBoostPriority  ... ) == 0x0
 03004   276   NtSetEventBoostPriority  ... ) == 0x0
 03003   520   NtSetEventBoostPriority  ... ) == 0x0
 03002  1388   NtSetEventBoostPriority  ... ) == 0x0
 03001   948   NtSetEventBoostPriority  ... ) == 0x0
 03000   252   NtSetEventBoostPriority  ... ) == 0x0
 02999  1808   NtSetEventBoostPriority  ... ) == 0x0
 02994   464   NtAllocateVirtualMemory  ... 100728832, 1048576, ) == 0x0
 03013  1324   NtSetEventBoostPriority  (128, ...
 03014  1776   NtTestAlert  (...
 03015  1240   NtTestAlert  (...
 03016  1272   NtTestAlert  (...
 03017   900   NtTestAlert  (...
 03018   152   NtTestAlert  (...
 03019   216   NtTestAlert  (...
 03020  2040   NtTestAlert  (...
 03021   276   NtTestAlert  (...
 03022   520   NtTestAlert  (...
 03023  1388   NtTestAlert  (...
 03024   948   NtTestAlert  (...
 03025  1808   NtWaitForSingleObject  (128, 0, 0x0, ...
 03026   464   NtAllocateVirtualMemory  (-1, 101769216, 0, 8192, 4096, 4, ...
 02909  1884   NtWaitForSingleObject  ... ) == 0x0
 03013  1324   NtSetEventBoostPriority  ... ) == 0x0
 03014  1776   NtTestAlert  ... ) == 0x0
 03015  1240   NtTestAlert  ... ) == 0x0
 03016  1272   NtTestAlert  ... ) == 0x0
 03017   900   NtTestAlert  ... ) == 0x0
 03018   152   NtTestAlert  ... ) == 0x0
 03019   216   NtTestAlert  ... ) == 0x0
 03020  2040   NtTestAlert  ... ) == 0x0
 03021   276   NtTestAlert  ... ) == 0x0
 03022   520   NtTestAlert  ... ) == 0x0
 03023  1388   NtTestAlert  ... ) == 0x0
 03024   948   NtTestAlert  ... ) == 0x0
 03027  1884   NtSetEventBoostPriority  (128, ...
 03026   464   NtAllocateVirtualMemory  ... 101769216, 8192, ) == 0x0
 03028  1324   NtTestAlert  (...
 03029  1776   NtContinue  (92339504, 1, ...
 03030  1240   NtContinue  (91290928, 1, ...
 03031  1272   NtContinue  (90242352, 1, ...
 03032   900   NtContinue  (89193776, 1, ...
 03033   152   NtContinue  (88145200, 1, ...
 03034   216   NtContinue  (87096624, 1, ...
 03035  2040   NtContinue  (86048048, 1, ...
 03036   276   NtContinue  (84999472, 1, ...
 03037   520   NtContinue  (83950896, 1, ...
 03038  1388   NtContinue  (82902320, 1, ...
 02921   248   NtWaitForSingleObject  ... ) == 0x0
 03027  1884   NtSetEventBoostPriority  ... ) == 0x0
 03039   948   NtContinue  (81853744, 1, ...
 03040   464   NtProtectVirtualMemory  (-1, (0x610e000), 4096, 260, ...
 03028  1324   NtTestAlert  ... ) == 0x0
 03041  1776   NtRegisterThreadTerminatePort  (24, ...
 03042  1240   NtRegisterThreadTerminatePort  (24, ...
 03043  1272   NtRegisterThreadTerminatePort  (24, ...
 03044   900   NtRegisterThreadTerminatePort  (24, ...
 03045   152   NtRegisterThreadTerminatePort  (24, ...
 03046   216   NtRegisterThreadTerminatePort  (24, ...
 03047  2040   NtRegisterThreadTerminatePort  (24, ...
 03048   276   NtRegisterThreadTerminatePort  (24, ...
 03049   520   NtRegisterThreadTerminatePort  (24, ...
 03050   248   NtSetEventBoostPriority  (128, ...
 03051  1388   NtRegisterThreadTerminatePort  (24, ...
 03052   252   NtTestAlert  (...
 03053   948   NtRegisterThreadTerminatePort  (24, ...
 03040   464   NtProtectVirtualMemory  ... (0x610e000), 4096, 4, ) == 0x0
 03054  1324   NtContinue  (93388080, 1, ...
 03041  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 03042  1240   NtRegisterThreadTerminatePort  ... ) == 0x0
 03043  1272   NtRegisterThreadTerminatePort  ... ) == 0x0
 03044   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 03045   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 03046   216   NtRegisterThreadTerminatePort  ... ) == 0x0
 03047  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 03048   276   NtRegisterThreadTerminatePort  ... ) == 0x0
 02934  1652   NtWaitForSingleObject  ... ) == 0x0
 03050   248   NtSetEventBoostPriority  ... ) == 0x0
 03049   520   NtRegisterThreadTerminatePort  ... ) == 0x0
 03051  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 03052   252   NtTestAlert  ... ) == 0x0
 03053   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 03055  1324   NtRegisterThreadTerminatePort  (24, ...
 03056  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03057  1240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03058  1272   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03059   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03060   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03061   216   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03062  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03063  1652   NtSetEventBoostPriority  (128, ...
 03064   276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03065   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03066  1884   NtTestAlert  (...
 03067   520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03068  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03069   252   NtContinue  (80805168, 1, ...
 03070   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03071   248   NtTestAlert  (...
 03055  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 03056  1776   NtDuplicateObject  ... 812, ) == 0x0
 03057  1240   NtDuplicateObject  ... 824, ) == 0x0
 03058  1272   NtDuplicateObject  ... 828, ) == 0x0
 03059   900   NtDuplicateObject  ... 832, ) == 0x0
 03060   152   NtDuplicateObject  ... 836, ) == 0x0
 03061   216   NtDuplicateObject  ... 840, ) == 0x0
 02958   588   NtWaitForSingleObject  ... ) == 0x0
 03063  1652   NtSetEventBoostPriority  ... ) == 0x0
 03062  2040   NtDuplicateObject  ... 844, ) == 0x0
 03065   464   NtCreateThread  ... 848, {1036, 876}, ) == 0x0
 03066  1884   NtTestAlert  ... ) == 0x0
 03064   276   NtDuplicateObject  ... 852, ) == 0x0
 03067   520   NtDuplicateObject  ... 856, ) == 0x0
 03072   252   NtRegisterThreadTerminatePort  (24, ...
 03068  1388   NtDuplicateObject  ... 860, ) == 0x0
 03071   248   NtTestAlert  ... ) == 0x0
 03073  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03074  1776   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03075  1240   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03076  1272   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03077   900   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03078   152   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03079   588   NtSetEventBoostPriority  (128, ...
 03080   216   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03070   948   NtDuplicateObject  ... 864, ) == 0x0
 03081  2040   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03082   464   NtQueryInformationThread  (848, Basic, 28, ...
 03083  1884   NtContinue  (94436656, 1, ...
 03084   276   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03085   520   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03072   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 03086  1388   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03087   248   NtContinue  (95485232, 1, ...
 03073  1324   NtDuplicateObject  ... 868, ) == 0x0
 03074  1776   NtWaitForSingleObject  ... ) == 0x102
 03075  1240   NtWaitForSingleObject  ... ) == 0x102
 03076  1272   NtWaitForSingleObject  ... ) == 0x102
 03077   900   NtWaitForSingleObject  ... ) == 0x102
 02971   440   NtWaitForSingleObject  ... ) == 0x0
 03079   588   NtSetEventBoostPriority  ... ) == 0x0
 03078   152   NtWaitForSingleObject  ... ) == 0x102
 03080   216   NtWaitForSingleObject  ... ) == 0x102
 03088   948   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03081  2040   NtWaitForSingleObject  ... ) == 0x102
 03082   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1036,Tid=876,}, 0x0, ) == 0x0
 03089  1884   NtRegisterThreadTerminatePort  (24, ...
 03084   276   NtWaitForSingleObject  ... ) == 0x102
 03085   520   NtWaitForSingleObject  ... ) == 0x102
 03090   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03086  1388   NtWaitForSingleObject  ... ) == 0x102
 03091   248   NtRegisterThreadTerminatePort  (24, ...
 03092  1324   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ...
 03093  1776   NtWaitForSingleObject  (368, 0, 0x0, ...
 03094  1240   NtWaitForSingleObject  (368, 0, 0x0, ...
 03095  1272   NtWaitForSingleObject  (368, 0, 0x0, ...
 03096   440   NtWaitForSingleObject  (368, 0, 0x0, ...
 03097   900   NtWaitForSingleObject  (368, 0, 0x0, ...
 03098  1652   NtTestAlert  (...
 03099   152   NtWaitForSingleObject  (368, 0, 0x0, ...
 03100   216   NtWaitForSingleObject  (368, 0, 0x0, ...
 03088   948   NtWaitForSingleObject  ... ) == 0x102
 03101  2040   NtWaitForSingleObject  (368, 0, 0x0, ...
 03102   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58128, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\14\4\0\0l\3\0\0" ...  ...
 03089  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 03103   276   NtWaitForSingleObject  (368, 0, 0x0, ...
 03104   520   NtWaitForSingleObject  (368, 0, 0x0, ...
 03105   588   NtTestAlert  (...
 03106  1388   NtWaitForSingleObject  (368, 0, 0x0, ...
 03091   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 03092  1324   NtAllocateVirtualMemory  ... 1417216, 4096, ) == 0x0
 03098  1652   NtTestAlert  ... ) == 0x0
 03107   948   NtWaitForSingleObject  (368, 0, 0x0, ...
 03108  1884   NtWaitForSingleObject  (368, 0, 0x0, ...
 03105   588   NtTestAlert  ... ) == 0x0
 03109   248   NtWaitForSingleObject  (368, 0, 0x0, ...
 03110  1324   NtSetEventBoostPriority  (368, ...
 03111  1652   NtContinue  (96533808, 1, ...
 03090   252   NtDuplicateObject  ... 872, ) == 0x0
 03102   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58129, 0}  ... {28, 56, reply, 0, 1036, 464, 58129, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\14\4\0\0l\3\0\0" )  ) == 0x0
 03112   588   NtContinue  (97582384, 1, ...
 03113  1652   NtRegisterThreadTerminatePort  (24, ...
 03114   252   NtWaitForSingleObject  (368, 0, 0x0, ...
 03115   464   NtResumeThread  (848, ...
 03116   588   NtRegisterThreadTerminatePort  (24, ...
 03113  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 03115   464   NtResumeThread  ... 1, ) == 0x0
 03116   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 03117  1652   NtWaitForSingleObject  (368, 0, 0x0, ...
 03118   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03119   588   NtWaitForSingleObject  (368, 0, 0x0, ...
 03093  1776   NtWaitForSingleObject  ... ) == 0x0
 03110  1324   NtSetEventBoostPriority  ... ) == 0x0
 03120   876   NtWaitForSingleObject  (128, 0, 0x0, ...
 03118   464   NtAllocateVirtualMemory  ... 101777408, 1048576, ) == 0x0
 03121  1776   NtSetEventBoostPriority  (368, ...
 03122  1324   NtWaitForSingleObject  (368, 0, 0x0, ...
 03123   464   NtAllocateVirtualMemory  (-1, 102817792, 0, 8192, 4096, 4, ...
 03094  1240   NtWaitForSingleObject  ... ) == 0x0
 03121  1776   NtSetEventBoostPriority  ... ) == 0x0
 03124  1240   NtSetEventBoostPriority  (368, ...
 03123   464   NtAllocateVirtualMemory  ... 102817792, 8192, ) == 0x0
 03096   440   NtWaitForSingleObject  ... ) == 0x0
 03124  1240   NtSetEventBoostPriority  ... ) == 0x0
 03125   440   NtSetEventBoostPriority  (368, ...
 03126   464   NtProtectVirtualMemory  (-1, (0x620e000), 4096, 260, ...
 03127  1776   NtWaitForSingleObject  (160, 0, 0x0, ...
 03095  1272   NtWaitForSingleObject  ... ) == 0x0
 03125   440   NtSetEventBoostPriority  ... ) == 0x0
 03126   464   NtProtectVirtualMemory  ... (0x620e000), 4096, 4, ) == 0x0
 03128  1272   NtSetEventBoostPriority  (368, ...
 03129  1240   NtWaitForSingleObject  (160, 0, 0x0, ...
 03097   900   NtWaitForSingleObject  ... ) == 0x0
 03128  1272   NtSetEventBoostPriority  ... ) == 0x0
 03130   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03131   900   NtSetEventBoostPriority  (368, ...
 03132   440   NtSetEventBoostPriority  (128, ...
 03099   152   NtWaitForSingleObject  ... ) == 0x0
 03131   900   NtSetEventBoostPriority  ... ) == 0x0
 03130   464   NtCreateThread  ... 876, {1036, 1436}, ) == 0x0
 03133   152   NtSetEventBoostPriority  (368, ...
 02983  1296   NtWaitForSingleObject  ... ) == 0x0
 03132   440   NtSetEventBoostPriority  ... ) == 0x0
 03134  1272   NtWaitForSingleObject  (160, 0, 0x0, ...
 03100   216   NtWaitForSingleObject  ... ) == 0x0
 03135  1296   NtWaitForSingleObject  (368, 0, 0x0, ...
 03133   152   NtSetEventBoostPriority  ... ) == 0x0
 03136   464   NtQueryInformationThread  (876, Basic, 28, ...
 03137   440   NtTestAlert  (...
 03138   216   NtSetEventBoostPriority  (368, ...
 03139   900   NtWaitForSingleObject  (160, 0, 0x0, ...
 03140   152   NtWaitForSingleObject  (160, 0, 0x0, ...
 03101  2040   NtWaitForSingleObject  ... ) == 0x0
 03138   216   NtSetEventBoostPriority  ... ) == 0x0
 03137   440   NtTestAlert  ... ) == 0x0
 03141  2040   NtSetEventBoostPriority  (368, ...
 03136   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1036,Tid=1436,}, 0x0, ) == 0x0
 03103   276   NtWaitForSingleObject  ... ) == 0x0
 03141  2040   NtSetEventBoostPriority  ... ) == 0x0
 03142   440   NtContinue  (98630960, 1, ...
 03143   276   NtSetEventBoostPriority  (368, ...
 03144   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58129, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58129, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\14\4\0\0\234\5\0\0" ...  ...
 03145   216   NtWaitForSingleObject  (160, 0, 0x0, ...
 03104   520   NtWaitForSingleObject  ... ) == 0x0
 03143   276   NtSetEventBoostPriority  ... ) == 0x0
 03146   440   NtRegisterThreadTerminatePort  (24, ...
 03144   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58130, 0}  ... {28, 56, reply, 0, 1036, 464, 58130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\14\4\0\0\234\5\0\0" )  ) == 0x0
 03147   520   NtSetEventBoostPriority  (368, ...
 03148  2040   NtWaitForSingleObject  (160, 0, 0x0, ...
 03149   276   NtWaitForSingleObject  (160, 0, 0x0, ...
 03106  1388   NtWaitForSingleObject  ... ) == 0x0
 03147   520   NtSetEventBoostPriority  ... ) == 0x0
 03150   464   NtResumeThread  (876, ...
 03151  1388   NtSetEventBoostPriority  (368, ...
 03146   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 03107   948   NtWaitForSingleObject  ... ) == 0x0
 03151  1388   NtSetEventBoostPriority  ... ) == 0x0
 03150   464   NtResumeThread  ... 1, ) == 0x0
 03152   948   NtSetEventBoostPriority  (368, ...
 03153   440   NtWaitForSingleObject  (368, 0, 0x0, ...
 03154   520   NtWaitForSingleObject  (160, 0, 0x0, ...
 03155  1436   NtWaitForSingleObject  (128, 0, 0x0, ...
 03156  1388   NtWaitForSingleObject  (160, 0, 0x0, ...
 03108  1884   NtWaitForSingleObject  ... ) == 0x0
 03152   948   NtSetEventBoostPriority  ... ) == 0x0
 03157  1884   NtSetEventBoostPriority  (368, ...
 03158   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03109   248   NtWaitForSingleObject  ... ) == 0x0
 03158   464   NtAllocateVirtualMemory  ... 102825984, 1048576, ) == 0x0
 03159   248   NtSetEventBoostPriority  (368, ...
 03160   464   NtAllocateVirtualMemory  (-1, 103866368, 0, 8192, 4096, 4, ...
 03114   252   NtWaitForSingleObject  ... ) == 0x0
 03160   464   NtAllocateVirtualMemory  ... 103866368, 8192, ) == 0x0
 03161   252   NtSetEventBoostPriority  (368, ...
 03162   464   NtProtectVirtualMemory  (-1, (0x630e000), 4096, 260, ...
 03117  1652   NtWaitForSingleObject  ... ) == 0x0
 03161   252   NtSetEventBoostPriority  ... ) == 0x0
 03163  1652   NtSetEventBoostPriority  (368, ...
 03162   464   NtProtectVirtualMemory  ... (0x630e000), 4096, 4, ) == 0x0
 03159   248   NtSetEventBoostPriority  ... ) == 0x0
 03157  1884   NtSetEventBoostPriority  ... ) == 0x0
 03164   948   NtWaitForSingleObject  (160, 0, 0x0, ...
 03122  1324   NtWaitForSingleObject  ... ) == 0x0
 03163  1652   NtSetEventBoostPriority  ... ) == 0x0
 03165   252   NtWaitForSingleObject  (368, 0, 0x0, ...
 03166   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03167  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03168  1324   NtSetEventBoostPriority  (368, ...
 03169  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03166   248   NtDuplicateObject  ... 880, ) == 0x0
 03167  1884   NtDuplicateObject  ... 884, ) == 0x0
 03119   588   NtWaitForSingleObject  ... ) == 0x0
 03168  1324   NtSetEventBoostPriority  ... ) == 0x0
 03169  1652   NtDuplicateObject  ... 888, ) == 0x0
 03170   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03171   248   NtWaitForSingleObject  (368, 0, 0x0, ...
 03172   588   NtSetEventBoostPriority  (368, ...
 03173  1884   NtWaitForSingleObject  (368, 0, 0x0, ...
 03174  1324   NtWaitForSingleObject  (368, 0, 0x0, ...
 03170   464   NtCreateThread  ... 892, {1036, 480}, ) == 0x0
 03135  1296   NtWaitForSingleObject  ... ) == 0x0
 03175  1296   NtSetEventBoostPriority  (368, ...
 03153   440   NtWaitForSingleObject  ... ) == 0x0
 03176   440   NtSetEventBoostPriority  (368, ...
 03165   252   NtWaitForSingleObject  ... ) == 0x0
 03177   252   NtSetEventBoostPriority  (368, ...
 03171   248   NtWaitForSingleObject  ... ) == 0x0
 03178   248   NtSetEventBoostPriority  (368, ...
 03173  1884   NtWaitForSingleObject  ... ) == 0x0
 03179  1884   NtSetEventBoostPriority  (368, ...
 03174  1324   NtWaitForSingleObject  ... ) == 0x0
 03180  1324   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03179  1884   NtSetEventBoostPriority  ... ) == 0x0
 03178   248   NtSetEventBoostPriority  ... ) == 0x0
 03177   252   NtSetEventBoostPriority  ... ) == 0x0
 03176   440   NtSetEventBoostPriority  ... ) == 0x0
 03175  1296   NtSetEventBoostPriority  ... ) == 0x0
 03181   464   NtQueryInformationThread  (892, Basic, 28, ...
 03172   588   NtSetEventBoostPriority  ... ) == 0x0
 03182  1652   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03183  1884   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03184   248   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03185   252   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03186  1324   NtWaitForSingleObject  (160, 0, 0x0, ...
 03187   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03181   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1036,Tid=480,}, 0x0, ) == 0x0
 03188   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03182  1652   NtWaitForSingleObject  ... ) == 0x102
 03189  1296   NtSetEventBoostPriority  (128, ...
 03183  1884   NtWaitForSingleObject  ... ) == 0x102
 03184   248   NtWaitForSingleObject  ... ) == 0x102
 03187   440   NtDuplicateObject  ... 896, ) == 0x0
 03190   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58130, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\14\4\0\0\340\1\0\0" ...  ...
 03188   588   NtDuplicateObject  ... 900, ) == 0x0
 03191  1652   NtWaitForSingleObject  (160, 0, 0x0, ...
 02996  1612   NtWaitForSingleObject  ... ) == 0x0
 03189  1296   NtSetEventBoostPriority  ... ) == 0x0
 03192  1884   NtWaitForSingleObject  (160, 0, 0x0, ...
 03193   248   NtWaitForSingleObject  (160, 0, 0x0, ...
 03194   440   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03190   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58131, 0}  ... {28, 56, reply, 0, 1036, 464, 58131, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\14\4\0\0\340\1\0\0" )  ) == 0x0
 03185   252   NtWaitForSingleObject  ... ) == 0x102
 03195  1612   NtSetEventBoostPriority  (128, ...
 03196  1296   NtTestAlert  (...
 03194   440   NtWaitForSingleObject  ... ) == 0x102
 03197   464   NtResumeThread  (892, ...
 03025  1808   NtWaitForSingleObject  ... ) == 0x0
 03195  1612   NtSetEventBoostPriority  ... ) == 0x0
 03198   252   NtWaitForSingleObject  (160, 0, 0x0, ...
 03196  1296   NtTestAlert  ... ) == 0x0
 03199   440   NtWaitForSingleObject  (160, 0, 0x0, ...
 03200  1808   NtSetEventBoostPriority  (128, ...
 03197   464   NtResumeThread  ... 1, ) == 0x0
 03201   588   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03202  1296   NtContinue  (99679536, 1, ...
 03203  1612   NtTestAlert  (...
 03204   480   NtWaitForSingleObject  (128, 0, 0x0, ...
 03120   876   NtWaitForSingleObject  ... ) == 0x0
 03200  1808   NtSetEventBoostPriority  ... ) == 0x0
 03205   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03201   588   NtWaitForSingleObject  ... ) == 0x102
 03206  1296   NtRegisterThreadTerminatePort  (24, ...
 03203  1612   NtTestAlert  ... ) == 0x0
 03207   876   NtSetEventBoostPriority  (128, ...
 03205   464   NtAllocateVirtualMemory  ... 103874560, 1048576, ) == 0x0
 03208   588   NtWaitForSingleObject  (160, 0, 0x0, ...
 03209  1808   NtSetEventBoostPriority  (160, ...
 03155  1436   NtWaitForSingleObject  ... ) == 0x0
 03207   876   NtSetEventBoostPriority  ... ) == 0x0
 03210  1612   NtContinue  (100728112, 1, ...
 03211   464   NtAllocateVirtualMemory  (-1, 104914944, 0, 8192, 4096, 4, ...
 03212  1436   NtSetEventBoostPriority  (128, ...
 01196  1796   NtWaitForSingleObject  ... ) == 0x0
 03209  1808   NtSetEventBoostPriority  ... ) == 0x0
 03206  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 03213  1612   NtRegisterThreadTerminatePort  (24, ...
 03214   876   NtTestAlert  (...
 03204   480   NtWaitForSingleObject  ... ) == 0x0
 03215  1796   NtSetEventBoostPriority  (160, ...
 03212  1436   NtSetEventBoostPriority  ... ) == 0x0
 03216  1808   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 03217  1296   NtWaitForSingleObject  (368, 0, 0x0, ...
 03213  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 03218   480   NtWaitForSingleObject  (368, 0, 0x0, ...
 01200  1800   NtWaitForSingleObject  ... ) == 0x0
 03215  1796   NtSetEventBoostPriority  ... ) == 0x0
 03214   876   NtTestAlert  ... ) == 0x0
 03211   464   NtAllocateVirtualMemory  ... 104914944, 8192, ) == 0x0
 03216  1808   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 03219  1800   NtWaitForSingleObject  (368, 0, 0x0, ...
 03220  1612   NtWaitForSingleObject  (368, 0, 0x0, ...
 03221  1796   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03222   876   NtContinue  (101776688, 1, ...
 03223   464   NtProtectVirtualMemory  (-1, (0x640e000), 4096, 260, ...
 03224  1808   NtSetEventBoostPriority  (368, ...
 03225  1436   NtTestAlert  (...
 03226   876   NtRegisterThreadTerminatePort  (24, ...
 03223   464   NtProtectVirtualMemory  ... (0x640e000), 4096, 4, ) == 0x0
 03217  1296   NtWaitForSingleObject  ... ) == 0x0
 03224  1808   NtSetEventBoostPriority  ... ) == 0x0
 03225  1436   NtTestAlert  ... ) == 0x0
 03226   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 03227  1296   NtSetEventBoostPriority  (368, ...
 03228   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03221  1796   NtCreateEvent  ... 904, ) == 0x0
 03229  1436   NtContinue  (102825264, 1, ...
 03218   480   NtWaitForSingleObject  ... ) == 0x0
 03227  1296   NtSetEventBoostPriority  ... ) == 0x0
 03230   876   NtWaitForSingleObject  (368, 0, 0x0, ...
 03228   464   NtCreateThread  ... 908, {1036, 1192}, ) == 0x0
 03231  1796   NtWaitForSingleObject  (368, 0, 0x0, ...
 03232   480   NtSetEventBoostPriority  (368, ...
 03233  1436   NtRegisterThreadTerminatePort  (24, ...
 03234  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 03235  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03236   464   NtQueryInformationThread  (908, Basic, 28, ...
 03219  1800   NtWaitForSingleObject  ... ) == 0x0
 03232   480   NtSetEventBoostPriority  ... ) == 0x0
 03233  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 03235  1296   NtDuplicateObject  ... 912, ) == 0x0
 03237  1800   NtSetEventBoostPriority  (368, ...
 03236   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1036,Tid=1192,}, 0x0, ) == 0x0
 03238  1436   NtWaitForSingleObject  (368, 0, 0x0, ...
 03220  1612   NtWaitForSingleObject  ... ) == 0x0
 03237  1800   NtSetEventBoostPriority  ... ) == 0x0
 03239  1296   NtWaitForSingleObject  (368, 0, 0x0, ...
 03240   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58131, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58131, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\14\4\0\0\250\4\0\0" ...  ...
 03241   480   NtTestAlert  (...
 03242  1612   NtSetEventBoostPriority  (368, ...
 03240   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58132, 0}  ... {28, 56, reply, 0, 1036, 464, 58132, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\14\4\0\0\250\4\0\0" )  ) == 0x0
 03231  1796   NtWaitForSingleObject  ... ) == 0x0
 03241   480   NtTestAlert  ... ) == 0x0
 03243   464   NtResumeThread  (908, ...
 03244  1796   NtSetEventBoostPriority  (368, ...
 03245   480   NtContinue  (103873840, 1, ...
 03243   464   NtResumeThread  ... 1, ) == 0x0
 03234  1808   NtWaitForSingleObject  ... ) == 0x0
 03244  1796   NtSetEventBoostPriority  ... ) == 0x0
 03246   480   NtRegisterThreadTerminatePort  (24, ...
 03242  1612   NtSetEventBoostPriority  ... ) == 0x0
 03247  1800   NtWaitForSingleObject  (368, 0, 0x0, ...
 03248  1192   NtWaitForSingleObject  (368, 0, 0x0, ...
 03249  1808   NtSetEventBoostPriority  (368, ...
 03250   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03246   480   NtRegisterThreadTerminatePort  ... ) == 0x0
 03251  1612   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03230   876   NtWaitForSingleObject  ... ) == 0x0
 03249  1808   NtSetEventBoostPriority  ... ) == 0x0
 03250   464   NtAllocateVirtualMemory  ... 104923136, 1048576, ) == 0x0
 03252   480   NtWaitForSingleObject  (368, 0, 0x0, ...
 03253   876   NtSetEventBoostPriority  (368, ...
 03251  1612   NtDuplicateObject  ... 916, ) == 0x0
 03254  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 03255   464   NtAllocateVirtualMemory  (-1, 105963520, 0, 8192, 4096, 4, ...
 03256  1796   NtWaitForSingleObject  (368, 0, 0x0, ...
 03238  1436   NtWaitForSingleObject  ... ) == 0x0
 03253   876   NtSetEventBoostPriority  ... ) == 0x0
 03257  1612   NtWaitForSingleObject  (368, 0, 0x0, ...
 03255   464   NtAllocateVirtualMemory  ... 105963520, 8192, ) == 0x0
 03258  1436   NtSetEventBoostPriority  (368, ...
 03259   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03260   464   NtProtectVirtualMemory  (-1, (0x650e000), 4096, 260, ...
 03239  1296   NtWaitForSingleObject  ... ) == 0x0
 03259   876   NtDuplicateObject  ... 920, ) == 0x0
 03260   464   NtProtectVirtualMemory  ... (0x650e000), 4096, 4, ) == 0x0
 03261  1296   NtSetEventBoostPriority  (368, ...
 03258  1436   NtSetEventBoostPriority  ... ) == 0x0
 03262   876   NtWaitForSingleObject  (368, 0, 0x0, ...
 03247  1800   NtWaitForSingleObject  ... ) == 0x0
 03261  1296   NtSetEventBoostPriority  ... ) == 0x0
 03263  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03264  1800   NtSetEventBoostPriority  (368, ...
 03265   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03248  1192   NtWaitForSingleObject  ... ) == 0x0
 03264  1800   NtSetEventBoostPriority  ... ) == 0x0
 03263  1436   NtDuplicateObject  ... 924, ) == 0x0
 03266  1192   NtSetEventBoostPriority  (368, ...
 03265   464   NtCreateThread  ... 928, {1036, 724}, ) == 0x0
 03267  1800   NtSetEventBoostPriority  (160, ...
 03268  1296   NtWaitForSingleObject  (368, 0, 0x0, ...
 03252   480   NtWaitForSingleObject  ... ) == 0x0
 03266  1192   NtSetEventBoostPriority  ... ) == 0x0
 03269   464   NtQueryInformationThread  (928, Basic, 28, ...
 03270  1436   NtWaitForSingleObject  (368, 0, 0x0, ...
 03271   480   NtSetEventBoostPriority  (368, ...
 01205   220   NtWaitForSingleObject  ... ) == 0x0
 03267  1800   NtSetEventBoostPriority  ... ) == 0x0
 03269   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1036,Tid=724,}, 0x0, ) == 0x0
 03256  1796   NtWaitForSingleObject  ... ) == 0x0
 03272   220   NtWaitForSingleObject  (368, 0, 0x0, ...
 03273  1800   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03274   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58132, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58132, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\14\4\0\0\324\2\0\0" ...  ...
 03275  1796   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 03273  1800   NtCreateEvent  ... 932, ) == 0x0
 03275  1796   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 03276  1800   NtWaitForSingleObject  (368, 0, 0x0, ...
 03277  1796   NtSetEventBoostPriority  (368, ...
 03271   480   NtSetEventBoostPriority  ... ) == 0x0
 03278  1192   NtTestAlert  (...
 03274   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58133, 0}  ... {28, 56, reply, 0, 1036, 464, 58133, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\14\4\0\0\324\2\0\0" )  ) == 0x0
 03279   480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03278  1192   NtTestAlert  ... ) == 0x0
 03280   464   NtResumeThread  (928, ...
 03279   480   NtDuplicateObject  ... 936, ) == 0x0
 03281  1192   NtContinue  (104922416, 1, ...
 03280   464   NtResumeThread  ... 1, ) == 0x0
 03257  1612   NtWaitForSingleObject  ... ) == 0x0
 03277  1796   NtSetEventBoostPriority  ... ) == 0x0
 03282  1192   NtRegisterThreadTerminatePort  (24, ...
 03283   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03284  1612   NtSetEventBoostPriority  (368, ...
 03285  1796   NtWaitForSingleObject  (368, 0, 0x0, ...
 03282  1192   NtRegisterThreadTerminatePort  ... ) == 0x0
 03283   464   NtAllocateVirtualMemory  ... 105971712, 1048576, ) == 0x0
 03254  1808   NtWaitForSingleObject  ... ) == 0x0
 03284  1612   NtSetEventBoostPriority  ... ) == 0x0
 03286  1192   NtWaitForSingleObject  (368, 0, 0x0, ...
 03287  1808   NtSetEventBoostPriority  (368, ...
 03288   464   NtAllocateVirtualMemory  (-1, 107012096, 0, 8192, 4096, 4, ...
 03289  1612   NtWaitForSingleObject  (368, 0, 0x0, ...
 03290   480   NtWaitForSingleObject  (368, 0, 0x0, ...
 03291   724   NtWaitForSingleObject  (368, 0, 0x0, ...
 03262   876   NtWaitForSingleObject  ... ) == 0x0
 03287  1808   NtSetEventBoostPriority  ... ) == 0x0
 03288   464   NtAllocateVirtualMemory  ... 107012096, 8192, ) == 0x0
 03292   876   NtSetEventBoostPriority  (368, ...
 03293  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 03294   464   NtProtectVirtualMemory  (-1, (0x660e000), 4096, 260, ...
 03268  1296   NtWaitForSingleObject  ... ) == 0x0
 03292   876   NtSetEventBoostPriority  ... ) == 0x0
 03295  1296   NtSetEventBoostPriority  (368, ...
 03294   464   NtProtectVirtualMemory  ... (0x660e000), 4096, 4, ) == 0x0
 03270  1436   NtWaitForSingleObject  ... ) == 0x0
 03295  1296   NtSetEventBoostPriority  ... ) == 0x0
 03296   876   NtWaitForSingleObject  (368, 0, 0x0, ...
 03297  1436   NtSetEventBoostPriority  (368, ...
 03298   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03299  1296   NtWaitForSingleObject  (368, 0, 0x0, ...
 03272   220   NtWaitForSingleObject  ... ) == 0x0
 03297  1436   NtSetEventBoostPriority  ... ) == 0x0
 03298   464   NtCreateThread  ... 940, {1036, 1276}, ) == 0x0
 03300   220   NtSetEventBoostPriority  (368, ...
 03301  1436   NtWaitForSingleObject  (368, 0, 0x0, ...
 03276  1800   NtWaitForSingleObject  ... ) == 0x0
 03300   220   NtSetEventBoostPriority  ... ) == 0x0
 03302   464   NtQueryInformationThread  (940, Basic, 28, ...
 03303  1800   NtSetEventBoostPriority  (368, ...
 03304   220   NtWaitForSingleObject  (368, 0, 0x0, ...
 03285  1796   NtWaitForSingleObject  ... ) == 0x0
 03303  1800   NtSetEventBoostPriority  ... ) == 0x0
 03305  1796   NtSetEventBoostPriority  (368, ...
 03302   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1036,Tid=1276,}, 0x0, ) == 0x0
 03286  1192   NtWaitForSingleObject  ... ) == 0x0
 03305  1796   NtSetEventBoostPriority  ... ) == 0x0
 03306  1192   NtSetEventBoostPriority  (368, ...
 03307   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58133, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58133, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\14\4\0\0\374\4\0\0" ...  ...
 03308  1800   NtWaitForSingleObject  (368, 0, 0x0, ...
 03290   480   NtWaitForSingleObject  ... ) == 0x0
 03307   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58134, 0}  ... {28, 56, reply, 0, 1036, 464, 58134, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\14\4\0\0\374\4\0\0" )  ) == 0x0
 03309   480   NtSetEventBoostPriority  (368, ...
 03310   464   NtResumeThread  (940, ...
 03291   724   NtWaitForSingleObject  ... ) == 0x0
 03309   480   NtSetEventBoostPriority  ... ) == 0x0
 03311   724   NtSetEventBoostPriority  (368, ...
 03310   464   NtResumeThread  ... 1, ) == 0x0
 03293  1808   NtWaitForSingleObject  ... ) == 0x0
 03311   724   NtSetEventBoostPriority  ... ) == 0x0
 03312   480   NtWaitForSingleObject  (368, 0, 0x0, ...
 03306  1192   NtSetEventBoostPriority  ... ) == 0x0
 03313  1796   NtWaitForSingleObject  (368, 0, 0x0, ...
 03314  1276   NtWaitForSingleObject  (128, 0, 0x0, ...
 03315  1808   NtSetEventBoostPriority  (368, ...
 03316   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03317   724   NtSetEventBoostPriority  (128, ...
 03318  1192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03289  1612   NtWaitForSingleObject  ... ) == 0x0
 03315  1808   NtSetEventBoostPriority  ... ) == 0x0
 03316   464   NtAllocateVirtualMemory  ... 107020288, 1048576, ) == 0x0
 03314  1276   NtWaitForSingleObject  ... ) == 0x0
 03317   724   NtSetEventBoostPriority  ... ) == 0x0
 03319  1612   NtSetEventBoostPriority  (368, ...
 03318  1192   NtDuplicateObject  ... 944, ) == 0x0
 03320  1276   NtWaitForSingleObject  (368, 0, 0x0, ...
 03321   464   NtAllocateVirtualMemory  (-1, 108060672, 0, 8192, 4096, 4, ...
 03296   876   NtWaitForSingleObject  ... ) == 0x0
 03322   724   NtTestAlert  (...
 03319  1612   NtSetEventBoostPriority  ... ) == 0x0
 03323  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 03321   464   NtAllocateVirtualMemory  ... 108060672, 8192, ) == 0x0
 03324   876   NtSetEventBoostPriority  (368, ...
 03322   724   NtTestAlert  ... ) == 0x0
 03325  1612   NtWaitForSingleObject  (368, 0, 0x0, ...
 03326   464   NtProtectVirtualMemory  (-1, (0x670e000), 4096, 260, ...
 03299  1296   NtWaitForSingleObject  ... ) == 0x0
 03327   724   NtContinue  (105970992, 1, ...
 03326   464   NtProtectVirtualMemory  ... (0x670e000), 4096, 4, ) == 0x0
 03328  1296   NtSetEventBoostPriority  (368, ...
 03329   724   NtRegisterThreadTerminatePort  (24, ...
 03324   876   NtSetEventBoostPriority  ... ) == 0x0
 03330  1192   NtWaitForSingleObject  (368, 0, 0x0, ...
 03301  1436   NtWaitForSingleObject  ... ) == 0x0
 03328  1296   NtSetEventBoostPriority  ... ) == 0x0
 03331   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03332   876   NtWaitForSingleObject  (368, 0, 0x0, ...
 03333  1436   NtSetEventBoostPriority  (368, ...
 03334  1296   NtWaitForSingleObject  (408, 0, 0x0, ...
 03331   464   NtCreateThread  ... 948, {1036, 704}, ) == 0x0
 03304   220   NtWaitForSingleObject  ... ) == 0x0
 03335   464   NtQueryInformationThread  (948, Basic, 28, ...
 03336   220   NtSetEventBoostPriority  (368, ...
 03335   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1036,Tid=704,}, 0x0, ) == 0x0
 03308  1800   NtWaitForSingleObject  ... ) == 0x0
 03336   220   NtSetEventBoostPriority  ... ) == 0x0
 03337  1800   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 03338   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58134, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58134, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\14\4\0\0\300\2\0\0" ...  ...
 03337  1800   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 03339   220   NtWaitForSingleObject  (368, 0, 0x0, ...
 03340  1800   NtSetEventBoostPriority  (368, ...
 03338   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58135, 0}  ... {28, 56, reply, 0, 1036, 464, 58135, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\14\4\0\0\300\2\0\0" )  ) == 0x0
 03333  1436   NtSetEventBoostPriority  ... ) == 0x0
 03329   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 03341   464   NtResumeThread  (948, ...
 03342  1436   NtWaitForSingleObject  (408, 0, 0x0, ...
 03343   724   NtWaitForSingleObject  (368, 0, 0x0, ...
 03341   464   NtResumeThread  ... 1, ) == 0x0
 03344   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108068864, 1048576, ) == 0x0
 03345   464   NtAllocateVirtualMemory  (-1, 109109248, 0, 8192, 4096, 4, ... 109109248, 8192, ) == 0x0
 03346   464   NtProtectVirtualMemory  (-1, (0x680e000), 4096, 260, ... (0x680e000), 4096, 4, ) == 0x0
 03347   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {1036, 1568}, ) == 0x0
 03348   464   NtQueryInformationThread  (952, Basic, 28, ...
 03313  1796   NtWaitForSingleObject  ... ) == 0x0
 03340  1800   NtSetEventBoostPriority  ... ) == 0x0
 03349   704   NtWaitForSingleObject  (128, 0, 0x0, ...
 03350  1796   NtSetEventBoostPriority  (368, ...
 03351  1800   NtWaitForSingleObject  (368, 0, 0x0, ...
 03312   480   NtWaitForSingleObject  ... ) == 0x0
 03350  1796   NtSetEventBoostPriority  ... ) == 0x0
 03352   480   NtSetEventBoostPriority  (368, ...
 03320  1276   NtWaitForSingleObject  ... ) == 0x0
 03353  1276   NtSetEventBoostPriority  (368, ...
 03323  1808   NtWaitForSingleObject  ... ) == 0x0
 03354  1808   NtSetEventBoostPriority  (368, ...
 03325  1612   NtWaitForSingleObject  ... ) == 0x0
 03355  1612   NtSetEventBoostPriority  (368, ...
 03330  1192   NtWaitForSingleObject  ... ) == 0x0
 03356  1192   NtSetEventBoostPriority  (368, ...
 03332   876   NtWaitForSingleObject  ... ) == 0x0
 03357   876   NtSetEventBoostPriority  (368, ...
 03339   220   NtWaitForSingleObject  ... ) == 0x0
 03358   220   NtSetEventBoostPriority  (368, ...
 03343   724   NtWaitForSingleObject  ... ) == 0x0
 03359   724   NtSetEventBoostPriority  (368, ...
 03351  1800   NtWaitForSingleObject  ... ) == 0x0
 03360  1800   NtAllocateVirtualMemory  (-1, 13684736, 0, 4096, 4096, 260, ... 13684736, 4096, ) == 0x0
 03359   724   NtSetEventBoostPriority  ... ) == 0x0
 03357   876   NtSetEventBoostPriority  ... ) == 0x0
 03356  1192   NtSetEventBoostPriority  ... ) == 0x0
 03355  1612   NtSetEventBoostPriority  ... ) == 0x0
 03354  1808   NtSetEventBoostPriority  ... ) == 0x0
 03353  1276   NtSetEventBoostPriority  ... ) == 0x0
 03361  1796   NtAllocateVirtualMemory  (-1, 14733312, 0, 4096, 4096, 260, ...
 03358   220   NtSetEventBoostPriority  ... ) == 0x0
 03352   480   NtSetEventBoostPriority  ... ) == 0x0
 03348   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1036,Tid=1568,}, 0x0, ) == 0x0
 03362  1800   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03363   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03364  1192   NtWaitForSingleObject  (408, 0, 0x0, ...
 03365   876   NtWaitForSingleObject  (408, 0, 0x0, ...
 03366  1808   NtWaitForSingleObject  (408, 0, 0x0, ...
 03367  1612   NtSetEventBoostPriority  (408, ...
 03368  1276   NtSetEventBoostPriority  (128, ...
 03369   220   NtSetEventBoostPriority  (160, ...
 03370   480   NtWaitForSingleObject  (408, 0, 0x0, ...
 03371   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58135, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58135, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\14\4\0\0 \6\0\0" ...  ...
 03362  1800   NtCreateEvent  ... 956, ) == 0x0
 03363   724   NtDuplicateObject  ... 960, ) == 0x0
 03361  1796   NtAllocateVirtualMemory  ... 14733312, 4096, ) == 0x0
 03334  1296   NtWaitForSingleObject  ... ) == 0x0
 03367  1612   NtSetEventBoostPriority  ... ) == 0x0
 03349   704   NtWaitForSingleObject  ... ) == 0x0
 03368  1276   NtSetEventBoostPriority  ... ) == 0x0
 01273  1728   NtWaitForSingleObject  ... ) == 0x0
 03369   220   NtSetEventBoostPriority  ... ) == 0x0
 03371   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58136, 0}  ... {28, 56, reply, 0, 1036, 464, 58136, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\14\4\0\0 \6\0\0" )  ) == 0x0
 03372  1800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03373   724   NtWaitForSingleObject  (408, 0, 0x0, ...
 03374  1296   NtSetEventBoostPriority  (408, ...
 03375  1796   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03376   704   NtTestAlert  (...
 03377  1612   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03378  1728   NtSetEventBoostPriority  (160, ...
 03379  1276   NtTestAlert  (...
 03380   464   NtResumeThread  (952, ...
 03372  1800   NtDuplicateObject  ... 964, ) == 0x0
 03342  1436   NtWaitForSingleObject  ... ) == 0x0
 03374  1296   NtSetEventBoostPriority  ... ) == 0x0
 03376   704   NtTestAlert  ... ) == 0x0
 03375  1796   NtCreateEvent  ... 968, ) == 0x0
 01280   712   NtWaitForSingleObject  ... ) == 0x0
 03378  1728   NtSetEventBoostPriority  ... ) == 0x0
 03377  1612   NtWaitForSingleObject  ... ) == 0x102
 03379  1276   NtTestAlert  ... ) == 0x0
 03380   464   NtResumeThread  ... 1, ) == 0x0
 03381  1436   NtSetEventBoostPriority  (408, ...
 03382  1800   NtWaitForSingleObject  (408, 0, 0x0, ...
 03383   220   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03384  1568   NtTestAlert  (...
 03385  1296   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03386   712   NtSetEventBoostPriority  (160, ...
 03387  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03388   704   NtContinue  (108068144, 1, ...
 03389  1612   NtWaitForSingleObject  (160, 0, 0x0, ...
 03390  1276   NtContinue  (107019568, 1, ...
 03391  1728   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03365   876   NtWaitForSingleObject  ... ) == 0x0
 03381  1436   NtSetEventBoostPriority  ... ) == 0x0
 03383   220   NtCreateEvent  ... 972, ) == 0x0
 03384  1568   NtTestAlert  ... ) == 0x0
 01282  1700   NtWaitForSingleObject  ... ) == 0x0
 03386   712   NtSetEventBoostPriority  ... ) == 0x0
 03385  1296   NtWaitForSingleObject  ... ) == 0x102
 03387  1796   NtDuplicateObject  ... 976, ) == 0x0
 03392   704   NtRegisterThreadTerminatePort  (24, ...
 03393   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03394  1276   NtRegisterThreadTerminatePort  (24, ...
 03395   876   NtSetEventBoostPriority  (408, ...
 03391  1728   NtCreateEvent  ... 980, ) == 0x0
 03396   220   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 03397  1700   NtWaitForSingleObject  (368, 0, 0x0, ...
 03398  1568   NtContinue  (109116720, 1, ...
 03399  1436   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03400  1296   NtWaitForSingleObject  (160, 0, 0x0, ...
 03401  1796   NtWaitForSingleObject  (368, 0, 0x0, ...
 03392   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 03393   464   NtAllocateVirtualMemory  ... 109117440, 1048576, ) == 0x0
 03402   712   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03364  1192   NtWaitForSingleObject  ... ) == 0x0
 03395   876   NtSetEventBoostPriority  ... ) == 0x0
 03403  1728   NtWaitForSingleObject  (368, 0, 0x0, ...
 03396   220   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 03404  1568   NtRegisterThreadTerminatePort  (24, ...
 03399  1436   NtWaitForSingleObject  ... ) == 0x102
 03394  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 03405   704   NtWaitForSingleObject  (368, 0, 0x0, ...
 03406   464   NtAllocateVirtualMemory  (-1, 110157824, 0, 8192, 4096, 4, ...
 03407  1192   NtWaitForSingleObject  (368, 0, 0x0, ...
 03402   712   NtCreateEvent  ... 984, ) == 0x0
 03408   876   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03409   220   NtSetEventBoostPriority  (368, ...
 03404  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 03410  1436   NtWaitForSingleObject  (160, 0, 0x0, ...
 03411  1276   NtWaitForSingleObject  (368, 0, 0x0, ...
 03406   464   NtAllocateVirtualMemory  ... 110157824, 8192, ) == 0x0
 03412   712   NtWaitForSingleObject  (368, 0, 0x0, ...
 03397  1700   NtWaitForSingleObject  ... ) == 0x0
 03409   220   NtSetEventBoostPriority  ... ) == 0x0
 03408   876   NtWaitForSingleObject  ... ) == 0x102
 03413   464   NtProtectVirtualMemory  (-1, (0x690e000), 4096, 260, ...
 03414  1700   NtSetEventBoostPriority  (368, ...
 03415  1568   NtWaitForSingleObject  (368, 0, 0x0, ...
 03416   876   NtWaitForSingleObject  (368, 0, 0x0, ...
 03403  1728   NtWaitForSingleObject  ... ) == 0x0
 03414  1700   NtSetEventBoostPriority  ... ) == 0x0
 03413   464   NtProtectVirtualMemory  ... (0x690e000), 4096, 4, ) == 0x0
 03417  1728   NtSetEventBoostPriority  (368, ...
 03418   220   NtWaitForSingleObject  (368, 0, 0x0, ...
 03419  1700   NtWaitForSingleObject  (368, 0, 0x0, ...
 03405   704   NtWaitForSingleObject  ... ) == 0x0
 03417  1728   NtSetEventBoostPriority  ... ) == 0x0
 03420   704   NtSetEventBoostPriority  (368, ...
 03421   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03407  1192   NtWaitForSingleObject  ... ) == 0x0
 03420   704   NtSetEventBoostPriority  ... ) == 0x0
 03422  1192   NtSetEventBoostPriority  (368, ...
 03421   464   NtCreateThread  ... 988, {1036, 192}, ) == 0x0
 03423  1728   NtWaitForSingleObject  (368, 0, 0x0, ...
 03401  1796   NtWaitForSingleObject  ... ) == 0x0
 03424   464   NtQueryInformationThread  (988, Basic, 28, ...
 03425  1796   NtSetEventBoostPriority  (368, ...
 03424   464   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1036,Tid=192,}, 0x0, ) == 0x0
 03411  1276   NtWaitForSingleObject  ... ) == 0x0
 03426   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1036, 464, 58136, 0}  (24, {28, 56, new_msg, 0, 1036, 464, 58136, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\14\4\0\0\300\0\0\0" ...  ...
 03427  1276   NtSetEventBoostPriority  (368, ...
 03412   712   NtWaitForSingleObject  ... ) == 0x0
 03428   712   NtSetEventBoostPriority  (368, ...
 03415  1568   NtWaitForSingleObject  ... ) == 0x0
 03429  1568   NtSetEventBoostPriority  (368, ...
 03416   876   NtWaitForSingleObject  ... ) == 0x0
 03430   876   NtSetEventBoostPriority  (368, ...
 03418   220   NtWaitForSingleObject  ... ) == 0x0
 03431   220   NtSetEventBoostPriority  (368, ...
 03419  1700   NtWaitForSingleObject  ... ) == 0x0
 03432  1700   NtSetEventBoostPriority  (368, ...
 03423  1728   NtWaitForSingleObject  ... ) == 0x0
 03433  1728   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 03434  1728   NtAllocateVirtualMemory  (-1, 18927616, 0, 4096, 4096, 260, ...
 03432  1700   NtSetEventBoostPriority  ... ) == 0x0
 03431   220   NtSetEventBoostPriority  ... ) == 0x0
 03430   876   NtSetEventBoostPriority  ... ) == 0x0
 03429  1568   NtSetEventBoostPriority  ... ) == 0x0
 03428   712   NtSetEventBoostPriority  ... ) == 0x0
 03427  1276   NtSetEventBoostPriority  ... ) == 0x0
 03425  1796   NtSetEventBoostPriority  ... ) == 0x0
 03422  1192   NtSetEventBoostPriority  ... ) == 0x0
 03435   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03426   464   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1036, 464, 58137, 0}  ... {28, 56, reply, 0, 1036, 464, 58137, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\14\4\0\0\300\0\0\0" )  ) == 0x0
 03436  1700   NtSetEventBoostPriority  (160, ...
 03437   220   NtAllocateVirtualMemory  (-1, 12636160, 0, 4096, 4096, 260, ...
 03434  1728   NtAllocateVirtualMemory  ... 18927616, 4096, ) == 0x0
 03438  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03439   876   NtWaitForSingleObject  (160, 0, 0x0, ...
 03440   712   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 03441  1796   NtWaitForSingleObject  (368, 0, 0x0, ...
 03442  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03435   704   NtDuplicateObject  ... 992, ) == 0x0
 03443   464   NtResumeThread  (988, ...
 03444  1192   NtSetEventBoostPriority  (408, ...
 01797   764   NtWaitForSingleObject  ... ) == 0x0
 03436  1700   NtSetEventBoostPriority  ... ) == 0x0
 03445  1728   NtWaitForSingleObject  (368, 0, 0x0, ...
 03437   220   NtAllocateVirtualMemory  ... 12636160, 4096, ) == 0x0
 03440   712   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 03442  1276   NtDuplicateObject  ... 996, ) == 0x0
 03446   704   NtWaitForSingleObject  (368, 0, 0x0, ...
 03443   464   NtResumeThread  ... 1, ) == 0x0
 03370   480   NtWaitForSingleObject  ... ) == 0x0
 03444  1192   NtSetEventBoostPriority  ... ) == 0x0
 03447   764   NtWaitForSingleObject  (368, 0, 0x0, ...
 03448  1700   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
NtAdjustPrivilegesToken(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryInformationFile(>)	7	NtQueryAttributesFile(>)	59
NtDelayExecution(>)	1	NtNotifyChangeKey(>)	2	NtQueryInformationProcess(>)	7	NtCreateEvent(>)	87
NtGdiCreateBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtCreateFile(>)	8	NtContinue(>)	97
NtGdiInit(>)	1	NtQueryDefaultUILanguage(>)	2	NtQueryVirtualMemory(>)	9	NtMapViewOfSection(>)	102
NtGdiQueryFontAssocInfo(>)	1	NtQueryPerformanceCounter(>)	2	NtUserFindExistingCursorIcon(>)	9	NtWriteVirtualMemory(>)	116
NtGdiSelectBitmap(>)	1	NtSetInformationObject(>)	2	NtFsControlFile(>)	10	NtQuerySystemInformation(>)	124
NtOpenKeyedEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtOpenThreadToken(>)	10	NtOpenKey(>)	125
NtOpenSymbolicLinkObject(>)	1	NtOpenProcessToken(>)	3	NtSetInformationThread(>)	11	NtResumeThread(>)	132
NtQueryInstallUILanguage(>)	1	NtOpenProcessTokenEx(>)	3	NtSetInformationFile(>)	12	NtQueryInformationThread(>)	135
NtQueryObject(>)	1	NtOpenThreadTokenEx(>)	3	NtQuerySection(>)	14	NtCreateThread(>)	148
NtQuerySymbolicLinkObject(>)	1	NtQueryDefaultLocale(>)	3	NtUserRegisterClassExWOW(>)	14	NtRequestWaitReplyPort(>)	168
NtQuerySystemTime(>)	1	NtQueryVolumeInformationFile(>)	3	NtSetValueKey(>)	17	NtTestAlert(>)	185
NtRaiseException(>)	1	NtReadFile(>)	3	NtCreateKey(>)	19	NtRegisterThreadTerminatePort(>)	188
NtSetInformationProcess(>)	1	NtSecureConnectPort(>)	3	NtCreateSection(>)	25	NtDuplicateObject(>)	198
NtUserCallNoParam(>)	1	NtFreeVirtualMemory(>)	4	NtOpenFile(>)	27	NtQueryValueKey(>)	251
NtUserGetObjectInformation(>)	1	NtWriteFile(>)	4	NtOpenProcess(>)	29	NtClose(>)	278
NtUserGetProcessWindowStation(>)	1	NtGdiGetStockObject(>)	5	NtDeviceIoControlFile(>)	36	NtProtectVirtualMemory(>)	361
NtUserGetThreadDesktop(>)	1	NtConnectPort(>)	6	NtUnmapViewOfSection(>)	45	NtAllocateVirtualMemory(>)	369
NtCallbackReturn(>)	2	NtCreateMutant(>)	6	NtFlushInstructionCache(>)	53	NtSetEventBoostPriority(>)	554
NtCreateIoCompletion(>)	2	NtQueryInformationToken(>)	6	NtOpenSection(>)	53	NtWaitForSingleObject(>)	819