Summary:


NtGdiCreateBitmap(>)  1 
NtOpenProcessToken(>)  2 
NtQueryInformationProcess(>)  9 
NtFlushInstructionCache(>)  57 

NtGdiInit(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtSetInformationThread(>)  9 
NtCreateEvent(>)  60 

NtGdiQueryFontAssocInfo(>)  1 
NtQuerySystemTime(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtContinue(>)  114 

NtGdiSelectBitmap(>)  1 
NtFreeVirtualMemory(>)  3 
NtOpenThreadToken(>)  10 
NtQuerySystemInformation(>)  120 

NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryVirtualMemory(>)  10 
NtOpenKey(>)  139 

NtOpenSymbolicLinkObject(>)  1 
NtQueryDebugFilterState(>)  3 
NtSetInformationFile(>)  10 
NtResumeThread(>)  150 

NtQueryInstallUILanguage(>)  1 
NtQueryDefaultLocale(>)  3 
NtUnmapViewOfSection(>)  11 
NtQueryInformationThread(>)  153 

NtQueryObject(>)  1 
NtQueryVolumeInformationFile(>)  3 
NtCreateFile(>)  12 
NtCreateThread(>)  167 

NtQueryPerformanceCounter(>)  1 
NtSecureConnectPort(>)  3 
NtQuerySection(>)  13 
NtRequestWaitReplyPort(>)  191 

NtQuerySymbolicLinkObject(>)  1 
NtSetInformationObject(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtTestAlert(>)  214 

NtRaiseException(>)  1 
NtCreateIoCompletion(>)  4 
NtSetValueKey(>)  17 
NtRegisterThreadTerminatePort(>)  217 

NtSetInformationProcess(>)  1 
NtOpenProcessTokenEx(>)  4 
NtReadFile(>)  21 
NtDuplicateObject(>)  223 

NtUserCallNoParam(>)  1 
NtOpenThreadTokenEx(>)  4 
NtOpenSection(>)  22 
NtClose(>)  224 

NtUserGetObjectInformation(>)  1 
NtGdiGetStockObject(>)  5 
NtWriteFile(>)  22 
NtQueryValueKey(>)  261 

NtUserGetProcessWindowStation(>)  1 
NtCreateMutant(>)  6 
NtCreateKey(>)  23 
NtProtectVirtualMemory(>)  269 

NtUserGetThreadDesktop(>)  1 
NtQueryDirectoryFile(>)  6 
NtCreateSection(>)  23 
NtAllocateVirtualMemory(>)  407 

NtCallbackReturn(>)  2 
NtFsControlFile(>)  7 
NtOpenFile(>)  27 
NtSetEventBoostPriority(>)  632 

NtGdiCreateSolidBrush(>)  2 
NtQueryInformationFile(>)  7 
NtDeviceIoControlFile(>)  36 
NtWaitForSingleObject(>)  915 

NtNotifyChangeKey(>)  2 
NtQueryInformationToken(>)  7 
NtMapViewOfSection(>)  39 

NtOpenDirectoryObject(>)  2 
NtConnectPort(>)  8 

Trace:
 00001  1972   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1972   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1972   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1972   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1972   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1972   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1972   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1972   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1972   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1972   NtClose  (12, ... ) == 0x0
 00015  1972   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1972   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1972   NtClose  (16, ... ) == 0x0
 00021  1972   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1972   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1972   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1972   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1972   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1972   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1972   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1972   NtClose  (16, ... ) == 0x0
 00030  1972   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1972   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1972   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1972   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57930, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57930, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57930, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036  1972   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1972   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1972   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1972   NtClose  (16, ... ) == 0x0
 00041  1972   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1972   NtClose  (16, ... ) == 0x0
 00044  1972   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1972   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1972   NtClose  (16, ... ) == 0x0
 00048  1972   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1972   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1972   NtClose  (16, ... ) == 0x0
 00052  1972   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1972   NtClose  (16, ... ) == 0x0
 00055  1972   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1972   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1972   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1972   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1972   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1664, 1972, 57931, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1664, 1972, 57931, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1664, 1972, 57931, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57932, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57932, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57932, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061  1972   NtProtectVirtualMemory  (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0
 00062  1972   NtProtectVirtualMemory  (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0
 00063  1972   NtFlushInstructionCache  (-1, 4231168, 65552, ... ) == 0x0
 00064  1972   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1972   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00066  1972   NtReadFile  (16, 0, 0, 0, 4, {62698, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {62698, 0}, 0, ... {status=0x0, info=4}, "!\246B3", ) , ) == 0x0
 00067  1972   NtClose  (16, ... ) == 0x0
 00068  1972   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00069  1972   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00070  1972   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00071  1972   NtClose  (16, ... ) == 0x0
 00072  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00073  1972   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00074  1972   NtClose  (16, ... ) == 0x0
 00075  1972   NtTestAlert  (... ) == 0x0
 00076  1972   NtContinue  (1244464, 1, ...
 00077  1972   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0
 00078  1972   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00079  1972   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080  1972   NtClose  (16, ... ) == 0x0
 00081  1972   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00082  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00083  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00084  1972   NtClose  (16, ... ) == 0x0
 00085  1972   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00086  1972   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00087  1972   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00088  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00089  1972   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00090  1972   NtClose  (16, ... ) == 0x0
 00091  1972   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00092  1972   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00093  1972   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00094  1972   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00095  1972   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00096  1972   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00097  1972   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00098  1972   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00099  1972   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00100  1972   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00101  1972   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00102  1972   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00103  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104  1972   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00105  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00107  1972   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00108  1972   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00109  1972   NtClose  (16, ... ) == 0x0
 00110  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00111  1972   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112  1972   NtClose  (16, ... ) == 0x0
 00113  1972   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00114  1972   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00115  1972   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00116  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00117  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00118  1972   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119  1972   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 28, ) == 0x0
 00120  1972   NtQueryInformationToken  (28, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121  1972   NtClose  (28, ... ) == 0x0
 00122  1972   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 28, ) }, ... 28, ) == 0x0
 00123  1972   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00124  1972   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 32, ) }, ... 32, ) == 0x0
 00125  1972   NtQueryValueKey  (32,  (32, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126  1972   NtClose  (32, ... ) == 0x0
 00127  1972   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00128  1972   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00129  1972   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) == 0x0
 00130  1972   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00131  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1233816, ... ) }, 1233816, ... ) == 0x0
 00132  1972   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\250C\24\0\10\221\0\0\2\0\0\0" ... {20, 48, reply, 0, 1664, 1972, 57933, 0} "\0\0\0\0\2\0\1\0\2\0\0\0\10\221\0\0\2\0\0\0" )  ... {20, 48, reply, 0, 1664, 1972, 57933, 0}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\250C\24\0\10\221\0\0\2\0\0\0" ... {20, 48, reply, 0, 1664, 1972, 57933, 0} "\0\0\0\0\2\0\1\0\2\0\0\0\10\221\0\0\2\0\0\0" )  ) == 0x0
 00133  1972   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233824,  (0x80100080, {24, 0, 0x40, 0, 1233824, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00134  1972   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00135  1972   NtClose  (-2147482740, ... ) == 0x0
 00136  1972   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00137  1972   NtClose  (-2147482740, ... ) == 0x0
 00138  1972   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00139  1972   NtClose  (-2147482740, ... ) == 0x0
 00133  1972   NtCreateFile  ... 36, {status=0x0, info=2}, ) == 0x0
 00140  1972   NtClose  (36, ... ) == 0x0
 00141  1972   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00142  1972   NtClose  (-2147482740, ... ) == 0x0
 00143  1972   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00144  1972   NtClose  (-2147482740, ... ) == 0x0
 00145  1972   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00146  1972   NtClose  (-2147482740, ... ) == 0x0
 00147  1972   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00148  1972   NtClose  (-2147482740, ... ) == 0x0
 00141  1972   NtCreateFile  ... 36, {status=0x0, info=3}, ) == 0x0
 00149  1972   NtSetInformationFile  (32, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00150  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\356\233P\0\241\301\0\0\247\301\17\0\>\0\0\33\301\0\0\243\301\0\0\343\301\32\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\303\0\0\31\321\0\16\274u\11\315\202y\1Ln\340\220\220\367\251is\203\261ro\304\263am\203\254us\327\341be\203\263un\203\264nd\306\263 W\312\25732\256\313$7\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0", ) , ) == 0x0
 00151  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... , 10240, 0x0, 0, ...
 00152  1972   NtContinue  (-139186732, 0, ...
 00151  1972   NtWriteFile  ... {status=0x0, info=10240}, ) == 0x0
 00153  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\3116\34\314\375ME\314\263y,\3\254a\10\223\302\201\7k\11f\331\301\1A\304k\202\310<\241\215r\334K0jD\311\241Q\271\247\332|\377\205\3X}&n\16D\370i\310\270+\220\177\300\305JP\1\363Wkg\302\303@\315\337\376\1\2\35\205-\32 \3\5RV\364Q\21)\303e\203q\252K\335\251C,Kc\322\305\240\370\350\353\375\226\334\200\244F\200\302t\312wC\217\320"\301\262\301\12^\376\275\168\356P\3311\376\332\26\313Q\330\225\30sP\12\17\326\213Q\354\311d\2033\305\10#o\23,\210\223\7{\22\342\317\341\311[\207(IG\367\33\37\247\16\360fs=\2643\245\2\341\15\222C\3704}\255B\266\363\245\360X\235\367\322 g\363GWkE\310\257\357\357qPJ\205\0(\242\35\200\24 \373*\12\323\304\5\34\310j\326\12K\221\322<\205\261\256\10\365\265u\310\346G\25\212~\14\354\10e\301g) \370\370\251X\345\312\232\341\2029R\271\201W\3443\3671\15(\2004\324\12h\315\\352\324\5-o\345\230\365\343\314R\314\363R\200\221\16S\356\334:\20$\370\6\274UucJ]\304h\230\226\357/\2\250\306\17q\264F\363\317\341\224\233\11S\1=i7\225\205\25(\217\20r\305\223U\373'\250\2\301\276m\314\371\203x\373\2540\213\27JJX\216\345\7\220\334\11 ^\272"+\227\267>\377\12\217\271<\231\202\331d\360wPx]\236\357\243\261w\244\347\354\242\32\14p\251\37\363P\304\242\310\266\275\203#\350\332)\135\312w\344&G\231\17\11~\340\2\241\241@\31\211\250\211\341\231;2\207\232\347\324w\222\243\17'\320\262\1O\336\261\22\307\211\310\324\244\5Z\274\306h\347$\250\312\33a%\15\206[\171\335\17", ) \301\262\301\12^\376\275\168\356P\3311\376\332\26\313Q\330\225\30sP\12\17\326\213Q\354\311d\2033\305\10#o\23,\210\223\7{\22\342\317\341\311[\207(IG\367\33\37\247\16\360fs=\2643\245\2\341\15\222C\3704}\255B\266\363\245\360X\235\367\322 g\363GWkE\310\257\357\357qPJ\205\0(\242\35\200\24 \373*\12\323\304\5\34\310j\326\12K\221\322<\205\261\256\10\365\265u\310\346G\25\212~\14\354\10e\301g) \370\370\251X\345\312\232\341\2029R\271\201W\3443\3671\15(\2004\324\12h\315\\352\324\5-o\345\230\365\343\314R\314\363R\200\221\16S\356\334:\20$\370\6\274UucJ]\304h\230\226\357/\2\250\306\17q\264F\363\317\341\224\233\11S\1=i7\225\205\25(\217\20r\305\223U\373'\250\2\301\276m\314\371\203x\373\2540\213\27JJX\216\345\7\220\334\11 ^\272 (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\3116\34\314\375ME\314\263y,\3\254a\10\223\302\201\7k\11f\331\301\1A\304k\202\310<\241\215r\334K0jD\311\241Q\271\247\332|\377\205\3X}&n\16D\370i\310\270+\220\177\300\305JP\1\363Wkg\302\303@\315\337\376\1\2\35\205-\32 \3\5RV\364Q\21)\303e\203q\252K\335\251C,Kc\322\305\240\370\350\353\375\226\334\200\244F\200\302t\312wC\217\320"\301\262\301\12^\376\275\168\356P\3311\376\332\26\313Q\330\225\30sP\12\17\326\213Q\354\311d\2033\305\10#o\23,\210\223\7{\22\342\317\341\311[\207(IG\367\33\37\247\16\360fs=\2643\245\2\341\15\222C\3704}\255B\266\363\245\360X\235\367\322 g\363GWkE\310\257\357\357qPJ\205\0(\242\35\200\24 \373*\12\323\304\5\34\310j\326\12K\221\322<\205\261\256\10\365\265u\310\346G\25\212~\14\354\10e\301g) \370\370\251X\345\312\232\341\2029R\271\201W\3443\3671\15(\2004\324\12h\315\\352\324\5-o\345\230\365\343\314R\314\363R\200\221\16S\356\334:\20$\370\6\274UucJ]\304h\230\226\357/\2\250\306\17q\264F\363\317\341\224\233\11S\1=i7\225\205\25(\217\20r\305\223U\373'\250\2\301\276m\314\371\203x\373\2540\213\27JJX\216\345\7\220\334\11 ^\272"+\227\267>\377\12\217\271<\231\202\331d\360wPx]\236\357\243\261w\244\347\354\242\32\14p\251\37\363P\304\242\310\266\275\203#\350\332)\135\312w\344&G\231\17\11~\340\2\241\241@\31\211\250\211\341\231;2\207\232\347\324w\222\243\17'\320\262\1O\336\261\22\307\211\310\324\244\5Z\274\306h\347$\250\312\33a%\15\206[\171\335\17", ) , ) == 0x0
 00154  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00155  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "t\3\13X\33\323\25w\222\313\14Hp\214\303\30\351WL\340\366d\262H\243j\222\345\23D\267}\273\205@\221FQeZ\307\235XY\255\232\232\0\361\212cT\363\2459d\270\243\246\307\241\221\3453\244j!\317\251Q\226\340Wr\14\327\261,\35j\241\313z\337\364x@\211@\230C\263\275\32\301\334D\224\2358\241g\20\15\261\273\363\232jV%\261I\149\210E\20\274\244J\20699\200\214\14+\256@\323\6*\276\213KG\10\231\21t9U\207\2733\11\210\325\256;\35W\4Z\255E]\24\305F4P\207\37\306\25\203\24\270\15-\24\5\257\217\5>\247VJV\223\267\242\310IG=\366\246\312\200K\343\231\303\131FU?\250\261\303k\14\354\353\221\37%\310\257\227\11\1\367\242\357\370\27G\207al\320Fn\31GBST\321\264e\1\215\302\210\4\31441\322)\221\26D\263\3037\304&\277\213w\230\360\311\212\353\202D\10_>B\267\374\301\10\215\326\316\213|\253\3061\300)\317;J_\264\267~\2\232\216\\2513\34\16U\2\337\237\352\264\342o\370j\361\371\264\201$\16\242\370\370~~dg\5\216\5;\200\233\346\17M\247\232\373\302\321%\205\257\314v\277\202\327n\211\321\252\240\13\212\344K*\201S\223\356\356B>\337\177xKXc7K^\12&\232So\317\275\36\13\265\331\217\36\256\370\364\355\256?X\32#&\3379h=\267\0\354\320\30\33\326-\355\355\225\303\261 4*\310?#$\337:\25\1\355\355\271*\342\35)\255\32\221\317\331B\3051>\302\11[&KuSN\243:(\376\263\4#\376\5\266\376b\7\203r\216\1\267\2543\377\255\11vJ\20\331\306\376\261\321\312w\15\254~\311\3\351\35\252\5\237\6\377\321-\33\377BFO9\1", ) , ) == 0x0
 00156  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00157  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "5*\375\265#\26\254f\360H\205\6\265A\212\265\324\7\205\227\334\317w\21\305~\264\22\366\315e\211\252aY\6\20\6a\35\223}\34\210\27\272\237\240)L\225>\251\301\264\274\304\357G\263\322\353\3000\272\230\2334\242\6\2\316'c_\271*V4t\253\233\4\310>E\226\244\210\37\361t\300\232S\364\366\223$\361\366\311R"\344A\3065+ME\13\353C\253\200\15K\14&\212A1\254\236%\353\12\276\312w\266UG\375\13\354KU\373\264\220Ev\226\247\301i\223@\3441d\235v\214\206\271,\2\251\201\202\32'\312\370B\4\327\200{\226w\20\31m_p\353\244\345\324\350\220A\226t \203'!\313\230@{0\303\215\5\267'\303\377\216\354\354N\305`\227\360\305f \364\266G\240\266w\313\364\364s\13\20\240\201\221\260\326\216\30\7C_\214o\0\230\221"\16\242\335A\340\303Vb\364\340K\22\20W\233\246\266\245\310o\21[1\254\0\273!\4U\215\310)*\252\305\247\26\253\221l\253\375\23\4hI'\247\341\307*HKY\3639z\217\265jV\307\360\354M\252R\321p\201\370\234a\3034\0\360\266~\350\334\261k\330\17\321\37\322[\224]8", ) \344A\3065+ME\13\353C\253\200\15K\14&\212A1\254\236%\353\12\276\312w\266UG\375\13\354KU\373\264\220Ev\226\247\301i\223@\3441d\235v\214\206\271,\2\251\201\202\32'\312\370B\4\327\200{\226w\20\31m_p\353\244\345\324\350\220A\226t \203'!\313\230@{0\303\215\5\267'\303\377\216\354\354N\305`\227\360\305f \364\266G\240\266w\313\364\364s\13\20\240\201\221\260\326\216\30\7C_\214o\0\230\221217\340#\207\263\266<8\270\263\310\310\237\371<8\212\340&\205\4&O\210\244\32;w\370\317\224\341\242\315\240\346b\\0\233\253\273\6\243\270\303.,f\6V\272\11\360\26zU\3\20\360\362L\222` \327\24\310G\235\222\246\3rOXS*\34\30\377a\253akr\20\35\220\10T\174K\33\0$-\30\1a\261\331\22\1\317\303^\234\300\362\204\370F+\271\366?\364\15\267\4\322\3367E\376\324\227\330\353\211\320,\332\241\207\374\26}\2743:\237\274\13`7\330J\33\255[hO2\205]\25\253\345 (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "5*\375\265#\26\254f\360H\205\6\265A\212\265\324\7\205\227\334\317w\21\305~\264\22\366\315e\211\252aY\6\20\6a\35\223}\34\210\27\272\237\240)L\225>\251\301\264\274\304\357G\263\322\353\3000\272\230\2334\242\6\2\316'c_\271*V4t\253\233\4\310>E\226\244\210\37\361t\300\232S\364\366\223$\361\366\311R"\344A\3065+ME\13\353C\253\200\15K\14&\212A1\254\236%\353\12\276\312w\266UG\375\13\354KU\373\264\220Ev\226\247\301i\223@\3441d\235v\214\206\271,\2\251\201\202\32'\312\370B\4\327\200{\226w\20\31m_p\353\244\345\324\350\220A\226t \203'!\313\230@{0\303\215\5\267'\303\377\216\354\354N\305`\227\360\305f \364\266G\240\266w\313\364\364s\13\20\240\201\221\260\326\216\30\7C_\214o\0\230\221"\16\242\335A\340\303Vb\364\340K\22\20W\233\246\266\245\310o\21[1\254\0\273!\4U\215\310)*\252\305\247\26\253\221l\253\375\23\4hI'\247\341\307*HKY\3639z\217\265jV\307\360\354M\252R\321p\201\370\234a\3034\0\360\266~\350\334\261k\330\17\321\37\322[\224]8", ) , ) == 0x0
 00158  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (36, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00159  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=4372},  (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=4372}, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", ) , ) == 0x0
 00160  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00161  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00162  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00163  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00164  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00165  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00166  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00167  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00168  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00169  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00170  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00171  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00172  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00173  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00174  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00175  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00176  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00177  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00178  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00179  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00180  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00181  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00182  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00183  1972   NtReadFile  (32, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00184  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00185  1972   NtReadFile  (32, 0, 0, 0, 2048, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00186  1972   NtWriteFile  (36, 0, 0, 0,  (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) , 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00187  1972   NtClose  (36, ... ) == 0x0
 00188  1972   NtClose  (32, ... ) == 0x0
 00189  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 1242360, ... ) }, 1242360, ... ) == 0x0
 00190  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00191  1972   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 36, ) == 0x0
 00192  1972   NtClose  (32, ... ) == 0x0
 00193  1972   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 176128, ) == 0x0
 00194  1972   NtClose  (36, ... ) == 0x0
 00195  1972   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00196  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00197  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00198  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\vas2.tmp"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00199  1972   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 32, ) == 0x0
 00200  1972   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00201  1972   NtOpenProcessToken  (-1, 0x8, ... 40, ) == 0x0
 00202  1972   NtQueryInformationToken  (40, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00203  1972   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00204  1972   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 44, ) }, ... 44, ) == 0x0
 00205  1972   NtQueryValueKey  (44,  (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00206  1972   NtClose  (44, ... ) == 0x0
 00207  1972   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00208  1972   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00209  1972   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00210  1972   NtClose  (44, ... ) == 0x0
 00211  1972   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00212  1972   NtClose  (40, ... ) == 0x0
 00213  1972   NtClose  (36, ... ) == 0x0
 00214  1972   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x320000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00215  1972   NtQueryVirtualMemory  (-1, 0x7c91c5c0, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00216  1972   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00217  1972   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00218  1972   NtContinue  (1241096, 0, ...
 00219  1972   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00220  1972   NtClose  (32, ... ) == 0x0
 00221  1972   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00222  1972   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00223  1972   NtContinue  (1244400, 0, ...
 00224  1972   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00225  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00226  1972   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00227  1972   NtClose  (32, ... ) == 0x0
 00228  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00229  1972   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00230  1972   NtClose  (32, ... ) == 0x0
 00231  1972   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00232  1972   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00233  1972   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00234  1972   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00235  1972   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00236  1972   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00237  1972   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00238  1972   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00239  1972   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00240  1972   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00241  1972   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00242  1972   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00243  1972   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00244  1972   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00245  1972   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00246  1972   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00247  1972   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00248  1972   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00249  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00250  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00252  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 1241830, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 1241830, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57941, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57941, 0}  (24, {28, 56, new_msg, 0, 2089900645, 1241830, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57941, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00253  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00254  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00255  1972   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 36, ) == 0x0
 00256  1972   NtClose  (32, ... ) == 0x0
 00257  1972   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00258  1972   NtClose  (36, ... ) == 0x0
 00259  1972   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00260  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00261  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00262  1972   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 36, ... 32, ) == 0x0
 00263  1972   NtClose  (36, ... ) == 0x0
 00264  1972   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00265  1972   NtClose  (32, ... ) == 0x0
 00266  1972   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00267  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00268  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00269  1972   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 36, ) == 0x0
 00270  1972   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00271  1972   NtClose  (32, ... ) == 0x0
 00272  1972   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00273  1972   NtClose  (36, ... ) == 0x0
 00274  1972   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00275  1972   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00276  1972   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00277  1972   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00278  1972   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00279  1972   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00280  1972   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00281  1972   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00282  1972   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00283  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00285  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00286  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00287  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 36, ) }, ... 36, ) == 0x0
 00289  1972   NtQueryValueKey  (36,  (36, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290  1972   NtClose  (36, ... ) == 0x0
 00291  1972   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00292  1972   NtClose  (-2147482740, ... ) == 0x0
 00293  1972   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00294  1972   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00295  1972   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00296  1972   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00297  1972   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00298  1972   NtClose  (-2147482740, ... ) == 0x0
 00299  1972   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0
 00300  1972   NtFreeVirtualMemory  (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0
 00301  1972   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 44, ) == 0x0
 00302  1972   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00303  1972   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304  1972   NtClose  (-2147482740, ... ) == 0x0
 00305  1972   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00306  1972   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307  1972   NtClose  (-2147482740, ... ) == 0x0
 00308  1972   NtQueryDefaultLocale  (0, -106645172, ... ) == 0x0
 00309  1972   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00310  1972   NtUserCallNoParam  (24, ... ) == 0x0
 00311  1972   NtGdiCreateCompatibleDC  (0, ...
 00312  1972   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0
 00311  1972   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00313  1972   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00314  1972   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00315  1972   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00316  1972   NtGdiCreateSolidBrush  (0, 0, ...
 00317  1972   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0
 00316  1972   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00318  1972   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00319  1972   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00320  1972   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00321  1972   NtUserGetThreadDesktop  (1972, 0, ... ) == 0x28
 00322  1972   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0
 00323  1972   NtQueryValueKey  (48,  (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00324  1972   NtClose  (48, ... ) == 0x0
 00325  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00326  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x81aec017
 00327  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00328  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x81aec01c
 00329  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00330  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x81aec01e
 00331  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00332  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81ae8002
 00333  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00334  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x81aec018
 00335  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00336  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x81aec01a
 00337  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00338  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x81aec01d
 00339  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00340  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x81aec026
 00341  1972   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00342  1972   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x81aec019
 00343  1972   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec020
 00344  1972   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81aec022
 00345  1972   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec023
 00346  1972   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81aec024
 00347  1972   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec025
 00348  1972   NtCallbackReturn  (0, 0, 0, ...
 00349  1972   NtGdiInit  (... ) == 0x1
 00350  1972   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00351  1972   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00352  1972   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0
 00353  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00354  1972   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00355  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00356  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00357  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00358  1972   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 52, ) == 0x0
 00359  1972   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00360  1972   NtClose  (48, ... ) == 0x0
 00361  1972   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00362  1972   NtClose  (52, ... ) == 0x0
 00363  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00364  1972   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00365  1972   NtClose  (52, ... ) == 0x0
 00366  1972   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00367  1972   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00368  1972   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00369  1972   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00370  1972   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00371  1972   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00372  1972   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00374  1972   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00375  1972   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00376  1972   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 48, ) == 0x0
 00377  1972   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00378  1972   NtClose  (52, ... ) == 0x0
 00379  1972   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00380  1972   NtClose  (48, ... ) == 0x0
 00381  1972   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00382  1972   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00383  1972   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00384  1972   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00385  1972   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00386  1972   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00387  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00388  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00389  1972   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00390  1972   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00391  1972   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00392  1972   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00393  1972   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 48, ) }, ... 48, ) == 0x0
 00394  1972   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00395  1972   NtClose  (48, ... ) == 0x0
 00396  1972   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 00397  1972   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00398  1972   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00399  1972   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00400  1972   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00401  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402  1972   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00404  1972   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00405  1972   NtFreeVirtualMemory  (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0
 00406  1972   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00407  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00408  1972   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00409  1972   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00410  1972   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00411  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0
 00412  1972   NtAllocateVirtualMemory  (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0
 00413  1972   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00414  1972   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "Jobaka3"}, 0, ... 52, ) }, 0, ... 52, ) == 0x0
 00415  1972   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 56, ) }, ... 56, ) == 0x0
 00416  1972   NtQueryValueKey  (56,  (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00417  1972   NtQueryValueKey  (56,  (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00418  1972   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0
 00419  1972   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Protocol_Catalog9"}, ... 64, ) }, ... 64, ) == 0x0
 00420  1972   NtQueryValueKey  (64,  (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00421  1972   NtNotifyChangeKey  (64, 60, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00422  1972   NtQueryValueKey  (64,  (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00423  1972   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00424  1972   NtQueryValueKey  (64,  (64, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00425  1972   NtQueryValueKey  (64,  (64, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00426  1972   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Catalog_Entries"}, ... 68, ) }, ... 68, ) == 0x0
 00427  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000001"}, ... 72, ) }, ... 72, ) == 0x0
 00428  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00429  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00430  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\257\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\257\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\260\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\257\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\257\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\260\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\257\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\257\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\260\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00431  1972   NtClose  (72, ... ) == 0x0
 00432  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000002"}, ... 72, ) }, ... 72, ) == 0x0
 00433  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00434  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00435  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\264\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\264\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\265\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\264\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\264\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\265\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\264\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\264\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\265\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00436  1972   NtClose  (72, ... ) == 0x0
 00437  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000003"}, ... 72, ) }, ... 72, ) == 0x0
 00438  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00439  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00440  1972   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00441  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\272\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\272\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\273\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\272\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\272\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\273\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\272\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\272\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\273\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00442  1972   NtClose  (72, ... ) == 0x0
 00443  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000004"}, ... 72, ) }, ... 72, ) == 0x0
 00444  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00445  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00446  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\277\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\277\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\300\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\277\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\277\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\300\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\277\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\277\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\300\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00447  1972   NtClose  (72, ... ) == 0x0
 00448  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000005"}, ... 72, ) }, ... 72, ) == 0x0
 00449  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00450  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00451  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\304\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\304\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\305\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\304\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\304\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\305\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\304\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\304\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\305\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00452  1972   NtClose  (72, ... ) == 0x0
 00453  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000006"}, ... 72, ) }, ... 72, ) == 0x0
 00454  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00455  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00456  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\311\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\312\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\311\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\312\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\311\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\312\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00457  1972   NtClose  (72, ... ) == 0x0
 00458  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000007"}, ... 72, ) }, ... 72, ) == 0x0
 00459  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00460  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00461  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\316\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\316\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\317\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\316\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\316\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\317\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\316\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\316\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\317\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00462  1972   NtClose  (72, ... ) == 0x0
 00463  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000008"}, ... 72, ) }, ... 72, ) == 0x0
 00464  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00465  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00466  1972   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00467  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\324\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\324\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\325\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\324\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\324\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\325\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\324\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\324\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\325\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00468  1972   NtClose  (72, ... ) == 0x0
 00469  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000009"}, ... 72, ) }, ... 72, ) == 0x0
 00470  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00471  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00472  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\331\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\331\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\332\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\331\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\331\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\332\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\331\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\331\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\332\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00473  1972   NtClose  (72, ... ) == 0x0
 00474  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000010"}, ... 72, ) }, ... 72, ) == 0x0
 00475  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00476  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00477  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\336\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\336\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\337\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\336\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\336\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\337\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\336\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\336\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\337\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00478  1972   NtClose  (72, ... ) == 0x0
 00479  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000011"}, ... 72, ) }, ... 72, ) == 0x0
 00480  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00481  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00482  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\343\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\343\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\344\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\343\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\343\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\344\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\343\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\343\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\344\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00483  1972   NtClose  (72, ... ) == 0x0
 00484  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000012"}, ... 72, ) }, ... 72, ) == 0x0
 00485  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00486  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00487  1972   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00488  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\351\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\351\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\352\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\351\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\351\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\352\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\351\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\351\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\352\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00489  1972   NtClose  (72, ... ) == 0x0
 00490  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000013"}, ... 72, ) }, ... 72, ) == 0x0
 00491  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00492  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00493  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\356\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\356\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\357\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\356\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\356\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\357\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\356\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\356\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\357\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00494  1972   NtClose  (72, ... ) == 0x0
 00495  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000014"}, ... 72, ) }, ... 72, ) == 0x0
 00496  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00497  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00498  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\363\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\363\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\364\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\363\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\363\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\364\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\363\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\363\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\364\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00499  1972   NtClose  (72, ... ) == 0x0
 00500  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000015"}, ... 72, ) }, ... 72, ) == 0x0
 00501  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00502  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00503  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\370\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\370\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\371\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\370\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\370\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\371\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\370\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\370\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\371\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00504  1972   NtClose  (72, ... ) == 0x0
 00505  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000016"}, ... 72, ) }, ... 72, ) == 0x0
 00506  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00507  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00508  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\375\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\375\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\376\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\375\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\375\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\376\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\375\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\375\1\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\376\1\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00509  1972   NtClose  (72, ... ) == 0x0
 00510  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000017"}, ... 72, ) }, ... 72, ) == 0x0
 00511  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00512  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00513  1972   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00514  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\3\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\3\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\4\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\3\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\3\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\4\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\3\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\3\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\4\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00515  1972   NtClose  (72, ... ) == 0x0
 00516  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000018"}, ... 72, ) }, ... 72, ) == 0x0
 00517  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00518  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00519  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\10\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\10\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\11\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\10\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\10\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\11\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\10\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\10\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\11\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00520  1972   NtClose  (72, ... ) == 0x0
 00521  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000019"}, ... 72, ) }, ... 72, ) == 0x0
 00522  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00523  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00524  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\15\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\15\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\16\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\15\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\15\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\16\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\15\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\15\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\16\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00525  1972   NtClose  (72, ... ) == 0x0
 00526  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000020"}, ... 72, ) }, ... 72, ) == 0x0
 00527  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00528  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00529  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\22\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\22\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\23\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\22\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\22\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\23\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\22\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\22\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\23\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00530  1972   NtClose  (72, ... ) == 0x0
 00531  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000021"}, ... 72, ) }, ... 72, ) == 0x0
 00532  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00533  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00534  1972   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00535  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\30\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\30\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\31\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\30\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\30\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\31\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\30\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\30\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\31\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\200\6\0\0\264\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00536  1972   NtClose  (72, ... ) == 0x0
 00537  1972   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000022"}, ... 72, ) }, ... 72, ) == 0x0
 00538  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00539  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00540  1972   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\35\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\35\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\36\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\2\0\0\200\6\0\0\264\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\2\0\0\200\6\0\0\264\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0 \2\0\0\200\6\0\0\264\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\0\200\6\0\0\264\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0!\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PO\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\35\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\35\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\36\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\2\0\0\200\6\0\0\264\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\2\0\0\200\6\0\0\264\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0 \2\0\0\200\6\0\0\264\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\0\200\6\0\0\264\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0!\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PO\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\35\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\35\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\36\2\0\0\200\6\0\0\264\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\2\0\0\200\6\0\0\264\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\2\0\0\200\6\0\0\264\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0 \2\0\0\200\6\0\0\264\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\0\200\6\0\0\264\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0!\2\0\0\200\6\0\0\264\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PO\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00541  1972   NtClose  (72, ... ) == 0x0
 00542  1972   NtClose  (68, ... ) == 0x0
 00543  1972   NtWaitForSingleObject  (60, 0, {0, 0}, ... ) == 0x102
 00544  1972   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00545  1972   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 72, ) }, ... 72, ) == 0x0
 00546  1972   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00547  1972   NtNotifyChangeKey  (72, 68, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00548  1972   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00549  1972   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00550  1972   NtQueryValueKey  (72,  (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00551  1972   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0
 00552  1972   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0
 00553  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00554  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00555  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00556  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00557  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00558  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00559  1972   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00560  1972   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561  1972   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00562  1972   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00563  1972   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00564  1972   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00565  1972   NtClose  (80, ... ) == 0x0
 00566  1972   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 80, ) == 0x0
 00567  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00568  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00569  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00570  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00571  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00572  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00573  1972   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00574  1972   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575  1972   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00576  1972   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00577  1972   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00578  1972   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00579  1972   NtClose  (80, ... ) == 0x0
 00580  1972   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 80, ) == 0x0
 00581  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00582  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00583  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00584  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00585  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00586  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00587  1972   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00588  1972   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00589  1972   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00590  1972   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00591  1972   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00592  1972   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00593  1972   NtClose  (80, ... ) == 0x0
 00594  1972   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000004"}, ... 80, ) }, ... 80, ) == 0x0
 00595  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00596  1972   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00597  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00598  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00599  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00600  1972   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00601  1972   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00602  1972   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00603  1972   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604  1972   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00605  1972   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00606  1972   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00607  1972   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00608  1972   NtClose  (80, ... ) == 0x0
 00609  1972   NtClose  (76, ... ) == 0x0
 00610  1972   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 00611  1972   NtClose  (56, ... ) == 0x0
 00612  1972   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00613  1972   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00614  1972   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 56, ) }, ... 56, ) == 0x0
 00615  1972   NtQueryValueKey  (56,  (56, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00616  1972   NtClose  (56, ... ) == 0x0
 00617  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 56, ) == 0x0
 00618  1972   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00619  1972   NtQueryInformationFile  (76, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00620  1972   NtQueryInformationFile  (76, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00621  1972   NtQueryInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00622  1972   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00623  1972   NtQueryInformationFile  (76, 1356544, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00624  1972   NtQueryInformationFile  (76, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00625  1972   NtQueryInformationFile  (76, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00626  1972   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00627  1972   NtClose  (-2147482740, ... ) == 0x0
 00626  1972   NtCreateFile  ... 80, {status=0x0, info=2}, ) == 0x0
 00628  1972   NtQueryVolumeInformationFile  (80, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00629  1972   NtQueryInformationFile  (80, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00630  1972   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00631  1972   NtSetInformationFile  (80, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00632  1972   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 76, ... 84, ) == 0x0
 00633  1972   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 65536, ) == 0x0
 00634  1972   NtClose  (84, ... ) == 0x0
 00635  1972   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\3\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 62702, 0x0, 0, ... {status=0x0, info=62702}, ) \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 62702, 0x0, 0, ... {status=0x0, info=62702}, ) == 0x0
 00636  1972   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 00637  1972   NtSetInformationFile  (80, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00638  1972   NtClose  (76, ... ) == 0x0
 00639  1972   NtClose  (80, ... ) == 0x0
 00640  1972   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 80, ) }, ... 80, ) == 0x0
 00641  1972   NtSetValueKey  (80,  (80, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (80, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00642  1972   NtSetInformationFile  (-2147482448, -106645712, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00643  1972   NtSetInformationFile  (-2147482448, -106645804, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00644  1972   NtSetInformationFile  (-2147482448, -106646112, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00641  1972   NtSetValueKey  ... ) == 0x0
 00645  1972   NtClose  (80, ... ) == 0x0
 00646  1972   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 80, ) }, 0, ... 80, ) == 0x0
 00647  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0
 00648  1972   NtAllocateVirtualMemory  (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0
 00649  1972   NtProtectVirtualMemory  (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0
 00650  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 76, {1664, 464}, ) == 0x0
 00651  1972   NtQueryInformationThread  (76, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1664,Tid=464,}, 0x0, ) == 0x0
 00652  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\200\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\200\6\0\0\320\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57942, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\200\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\200\6\0\0\320\1\0\0" )  ) == 0x0
 00653  1972   NtResumeThread  (76, ... 1, ) == 0x0
 00654  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00655   464   NtTestAlert  (... ) == 0x0
 00656   464   NtContinue  (11009328, 1, ...
 00657   464   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00658   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00659   464   NtWaitForSingleObject  (60, 0, {0, 0}, ...
 00654  1972   NtAllocateVirtualMemory  ... 11010048, 1048576, ) == 0x0
 00660  1972   NtAllocateVirtualMemory  (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0
 00661  1972   NtProtectVirtualMemory  (-1, (0xb7e000), 4096, 260, ... (0xb7e000), 4096, 4, ) == 0x0
 00662  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00659   464   NtWaitForSingleObject  ... ) == 0x102
 00663   464   NtAllocateVirtualMemory  (-1, 10997760, 0, 4096, 4096, 260, ... 10997760, 4096, ) == 0x0
 00664   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... ) }, 11006452, ... ) == 0x0
 00665   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00666   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 88, ... 92, ) == 0x0
 00667   464   NtClose  (88, ... ) == 0x0
 00668   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 00662  1972   NtCreateThread  ... 88, {1664, 860}, ) == 0x0
 00669  1972   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1664,Tid=860,}, 0x0, ) == 0x0
 00670  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57942, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\200\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\200\6\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57943, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\200\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\200\6\0\0\\3\0\0" )  ) == 0x0
 00671  1972   NtResumeThread  (88, ... 1, ) == 0x0
 00672  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12058624, 1048576, ) == 0x0
 00673  1972   NtAllocateVirtualMemory  (-1, 13099008, 0, 8192, 4096, 4, ... 13099008, 8192, ) == 0x0
 00668   464   NtMapViewOfSection  ... (0xc80000), 0x0, 245760, ) == 0x0
 00674   860   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00675   464   NtClose  (92, ...
 00674   860   NtCreateEvent  ... 96, ) == 0x0
 00675   464   NtClose  ... ) == 0x0
 00676   860   NtWaitForSingleObject  (96, 0, 0x0, ...
 00677   464   NtUnmapViewOfSection  (-1, 0xc80000, ...
 00678  1972   NtProtectVirtualMemory  (-1, (0xc7e000), 4096, 260, ... (0xc7e000), 4096, 4, ) == 0x0
 00679  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1664, 484}, ) == 0x0
 00680  1972   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1664,Tid=484,}, 0x0, ) == 0x0
 00681  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57943, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\6\0\0\344\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57944, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\6\0\0\344\1\0\0" )  ) == 0x0
 00682  1972   NtResumeThread  (92, ... 1, ) == 0x0
 00683  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00677   464   NtUnmapViewOfSection  ... ) == 0x0
 00684   484   NtWaitForSingleObject  (96, 0, 0x0, ...
 00685   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0
 00686   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00687   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0
 00688   464   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00689   464   NtClose  (100, ... ) == 0x0
 00690   464   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00683  1972   NtAllocateVirtualMemory  ... 13107200, 1048576, ) == 0x0
 00691  1972   NtAllocateVirtualMemory  (-1, 14147584, 0, 8192, 4096, 4, ... 14147584, 8192, ) == 0x0
 00692  1972   NtProtectVirtualMemory  (-1, (0xd7e000), 4096, 260, ... (0xd7e000), 4096, 4, ) == 0x0
 00693  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1664, 748}, ) == 0x0
 00694  1972   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1664,Tid=748,}, 0x0, ) == 0x0
 00695  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57944, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57945, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\6\0\0\354\2\0\0" )  ) == 0x0
 00690   464   NtMapViewOfSection  ... (0x71a50000), 0x0, 258048, ) == 0x0
 00696   464   NtClose  (104, ... ) == 0x0
 00697   464   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00698   464   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00699   464   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00700   464   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 00701  1972   NtResumeThread  (100, ... 1, ) == 0x0
 00702  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14155776, 1048576, ) == 0x0
 00703  1972   NtAllocateVirtualMemory  (-1, 15196160, 0, 8192, 4096, 4, ... 15196160, 8192, ) == 0x0
 00704  1972   NtProtectVirtualMemory  (-1, (0xe7e000), 4096, 260, ... (0xe7e000), 4096, 4, ) == 0x0
 00705  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1664, 1580}, ) == 0x0
 00706  1972   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1664,Tid=1580,}, 0x0, ) == 0x0
 00700   464   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 00707   748   NtWaitForSingleObject  (96, 0, 0x0, ...
 00708   464   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00709   464   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00710   464   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00711   464   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00712   464   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00713  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57945, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\6\0\0,\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57946, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\6\0\0,\6\0\0" )  ) == 0x0
 00714  1972   NtResumeThread  (104, ... 1, ) == 0x0
 00715  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00716   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ...
 00717  1580   NtWaitForSingleObject  (96, 0, 0x0, ...
 00716   464   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00719   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00720   464   NtSetEventBoostPriority  (96, ...
 00676   860   NtWaitForSingleObject  ... ) == 0x0
 00721   860   NtSetEventBoostPriority  (96, ...
 00684   484   NtWaitForSingleObject  ... ) == 0x0
 00722   484   NtSetEventBoostPriority  (96, ...
 00707   748   NtWaitForSingleObject  ... ) == 0x0
 00723   748   NtSetEventBoostPriority  (96, ...
 00717  1580   NtWaitForSingleObject  ... ) == 0x0
 00724  1580   NtTestAlert  (... ) == 0x0
 00723   748   NtSetEventBoostPriority  ... ) == 0x0
 00722   484   NtSetEventBoostPriority  ... ) == 0x0
 00721   860   NtSetEventBoostPriority  ... ) == 0x0
 00720   464   NtSetEventBoostPriority  ... ) == 0x0
 00715  1972   NtAllocateVirtualMemory  ... 15204352, 1048576, ) == 0x0
 00725  1580   NtContinue  (15203632, 1, ...
 00726   748   NtTestAlert  (...
 00727   484   NtTestAlert  (...
 00728   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00729  1972   NtAllocateVirtualMemory  (-1, 16244736, 0, 8192, 4096, 4, ...
 00730  1580   NtRegisterThreadTerminatePort  (24, ...
 00726   748   NtTestAlert  ... ) == 0x0
 00727   484   NtTestAlert  ... ) == 0x0
 00728   464   NtCreateEvent  ... 108, ) == 0x0
 00729  1972   NtAllocateVirtualMemory  ... 16244736, 8192, ) == 0x0
 00730  1580   NtRegisterThreadTerminatePort  ... ) == 0x0
 00731   748   NtContinue  (14155056, 1, ...
 00732   484   NtContinue  (13106480, 1, ...
 00733   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00734  1972   NtProtectVirtualMemory  (-1, (0xf7e000), 4096, 260, ...
 00735  1580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00736   748   NtRegisterThreadTerminatePort  (24, ...
 00737   484   NtRegisterThreadTerminatePort  (24, ...
 00738   860   NtTestAlert  (...
 00734  1972   NtProtectVirtualMemory  ... (0xf7e000), 4096, 4, ) == 0x0
 00735  1580   NtDuplicateObject  ... 112, ) == 0x0
 00736   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 00737   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 00738   860   NtTestAlert  ... ) == 0x0
 00739  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00740  1580   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 00741   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00742   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00743   860   NtContinue  (12057904, 1, ...
 00733   464   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739  1972   NtCreateThread  ... 116, {1664, 1756}, ) == 0x0
 00740  1580   NtWaitForSingleObject  ... ) == 0x102
 00741   748   NtDuplicateObject  ... 120, ) == 0x0
 00744   860   NtRegisterThreadTerminatePort  (24, ...
 00745   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00746  1972   NtQueryInformationThread  (116, Basic, 28, ...
 00747  1580   NtAllocateVirtualMemory  (-1, 15192064, 0, 4096, 4096, 260, ...
 00748   748   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 00744   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 00746  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1664,Tid=1756,}, 0x0, ) == 0x0
 00747  1580   NtAllocateVirtualMemory  ... 15192064, 4096, ) == 0x0
 00748   748   NtWaitForSingleObject  ... ) == 0x102
 00749   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00750  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57946, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\0\0\0\200\6\0\0\334\6\0\0" ...  ...
 00751  1580   NtWaitForSingleObject  (96, 0, 0x0, ...
 00752   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00742   484   NtDuplicateObject  ... 124, ) == 0x0
 00750  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57947, 0}  ... {28, 56, reply, 0, 1664, 1972, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\0\0\0\200\6\0\0\334\6\0\0" )  ) == 0x0
 00752   748   NtCreateEvent  ... 128, ) == 0x0
 00753   484   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 00749   860   NtDuplicateObject  ... 132, ) == 0x0
 00754  1972   NtResumeThread  (116, ...
 00753   484   NtWaitForSingleObject  ... ) == 0x102
 00755   860   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 00754  1972   NtResumeThread  ... 1, ) == 0x0
 00756   484   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00755   860   NtWaitForSingleObject  ... ) == 0x102
 00757  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00756   484   NtCreateEvent  ... 136, ) == 0x0
 00758   860   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00757  1972   NtAllocateVirtualMemory  ... 16252928, 1048576, ) == 0x0
 00759   748   NtWaitForSingleObject  (128, 0, 0x0, ...
 00760  1756   NtWaitForSingleObject  (96, 0, 0x0, ...
 00758   860   NtCreateEvent  ... 140, ) == 0x0
 00761  1972   NtAllocateVirtualMemory  (-1, 17293312, 0, 8192, 4096, 4, ...
 00762   484   NtClose  (136, ...
 00761  1972   NtAllocateVirtualMemory  ... 17293312, 8192, ) == 0x0
 00762   484   NtClose  ... ) == 0x0
 00763   860   NtClose  (140, ...
 00764   484   NtWaitForSingleObject  (128, 0, 0x0, ...
 00763   860   NtClose  ... ) == 0x0
 00765   860   NtWaitForSingleObject  (128, 0, 0x0, ...
 00766  1972   NtProtectVirtualMemory  (-1, (0x107e000), 4096, 260, ... (0x107e000), 4096, 4, ) == 0x0
 00767  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1664, 1292}, ) == 0x0
 00768  1972   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1664,Tid=1292,}, 0x0, ) == 0x0
 00769  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57947, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\6\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57948, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\6\0\0\14\5\0\0" )  ) == 0x0
 00770  1972   NtResumeThread  (140, ... 1, ) == 0x0
 00771  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17301504, 1048576, ) == 0x0
 00772  1972   NtAllocateVirtualMemory  (-1, 18341888, 0, 8192, 4096, 4, ... 18341888, 8192, ) == 0x0
 00773  1292   NtWaitForSingleObject  (96, 0, 0x0, ...
 00774  1972   NtProtectVirtualMemory  (-1, (0x117e000), 4096, 260, ... (0x117e000), 4096, 4, ) == 0x0
 00775  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1664, 1956}, ) == 0x0
 00776  1972   NtQueryInformationThread  (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1664,Tid=1956,}, 0x0, ) == 0x0
 00777  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57948, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\6\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57949, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\6\0\0\244\7\0\0" )  ) == 0x0
 00778  1972   NtResumeThread  (136, ... 1, ) == 0x0
 00779  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00780  1956   NtWaitForSingleObject  (96, 0, 0x0, ...
 00779  1972   NtAllocateVirtualMemory  ... 18350080, 1048576, ) == 0x0
 00781  1972   NtAllocateVirtualMemory  (-1, 19390464, 0, 8192, 4096, 4, ... 19390464, 8192, ) == 0x0
 00782  1972   NtProtectVirtualMemory  (-1, (0x127e000), 4096, 260, ... (0x127e000), 4096, 4, ) == 0x0
 00783  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1664, 1980}, ) == 0x0
 00784  1972   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1664,Tid=1980,}, 0x0, ) == 0x0
 00785  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57949, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\6\0\0\274\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\6\0\0\274\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57950, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\6\0\0\274\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\6\0\0\274\7\0\0" )  ) == 0x0
 00786  1972   NtResumeThread  (144, ... 1, ) == 0x0
 00787  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19398656, 1048576, ) == 0x0
 00788  1972   NtAllocateVirtualMemory  (-1, 20439040, 0, 8192, 4096, 4, ... 20439040, 8192, ) == 0x0
 00789  1980   NtWaitForSingleObject  (96, 0, 0x0, ...
 00790  1972   NtProtectVirtualMemory  (-1, (0x137e000), 4096, 260, ... (0x137e000), 4096, 4, ) == 0x0
 00791  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1664, 1784}, ) == 0x0
 00792  1972   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1664,Tid=1784,}, 0x0, ) == 0x0
 00793  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57950, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\6\0\0\370\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57951, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\6\0\0\370\6\0\0" )  ) == 0x0
 00794  1972   NtResumeThread  (148, ... 1, ) == 0x0
 00795  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00796  1784   NtWaitForSingleObject  (96, 0, 0x0, ...
 00795  1972   NtAllocateVirtualMemory  ... 20447232, 1048576, ) == 0x0
 00797  1972   NtAllocateVirtualMemory  (-1, 21487616, 0, 8192, 4096, 4, ... 21487616, 8192, ) == 0x0
 00798  1972   NtProtectVirtualMemory  (-1, (0x147e000), 4096, 260, ... (0x147e000), 4096, 4, ) == 0x0
 00799  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1664, 1480}, ) == 0x0
 00800  1972   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1664,Tid=1480,}, 0x0, ) == 0x0
 00801  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57951, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\6\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57952, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\6\0\0\310\5\0\0" )  ) == 0x0
 00802  1972   NtResumeThread  (152, ... 1, ) == 0x0
 00803  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21495808, 1048576, ) == 0x0
 00804  1972   NtAllocateVirtualMemory  (-1, 22536192, 0, 8192, 4096, 4, ... 22536192, 8192, ) == 0x0
 00805  1480   NtWaitForSingleObject  (96, 0, 0x0, ...
 00806  1972   NtProtectVirtualMemory  (-1, (0x157e000), 4096, 260, ... (0x157e000), 4096, 4, ) == 0x0
 00807  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 156, {1664, 1556}, ) == 0x0
 00808  1972   NtQueryInformationThread  (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1664,Tid=1556,}, 0x0, ) == 0x0
 00809  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57952, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\200\6\0\0\24\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\200\6\0\0\24\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57953, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\200\6\0\0\24\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\200\6\0\0\24\6\0\0" )  ) == 0x0
 00810  1972   NtResumeThread  (156, ... 1, ) == 0x0
 00811  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00812  1556   NtWaitForSingleObject  (96, 0, 0x0, ...
 00811  1972   NtAllocateVirtualMemory  ... 22544384, 1048576, ) == 0x0
 00813  1972   NtAllocateVirtualMemory  (-1, 23584768, 0, 8192, 4096, 4, ... 23584768, 8192, ) == 0x0
 00814  1972   NtProtectVirtualMemory  (-1, (0x167e000), 4096, 260, ... (0x167e000), 4096, 4, ) == 0x0
 00815  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 160, {1664, 460}, ) == 0x0
 00816  1972   NtQueryInformationThread  (160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1664,Tid=460,}, 0x0, ) == 0x0
 00817  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57953, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0\200\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0\200\6\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57954, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0\200\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0\200\6\0\0\314\1\0\0" )  ) == 0x0
 00818  1972   NtResumeThread  (160, ... 1, ) == 0x0
 00819  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23592960, 1048576, ) == 0x0
 00820  1972   NtAllocateVirtualMemory  (-1, 24633344, 0, 8192, 4096, 4, ... 24633344, 8192, ) == 0x0
 00821   460   NtWaitForSingleObject  (96, 0, 0x0, ...
 00822  1972   NtProtectVirtualMemory  (-1, (0x177e000), 4096, 260, ... (0x177e000), 4096, 4, ) == 0x0
 00823  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 164, {1664, 1068}, ) == 0x0
 00824  1972   NtQueryInformationThread  (164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1664,Tid=1068,}, 0x0, ) == 0x0
 00825  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57954, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\200\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\200\6\0\0,\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57955, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\200\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\200\6\0\0,\4\0\0" )  ) == 0x0
 00826  1972   NtResumeThread  (164, ... 1, ) == 0x0
 00827  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00828  1068   NtWaitForSingleObject  (96, 0, 0x0, ...
 00827  1972   NtAllocateVirtualMemory  ... 24641536, 1048576, ) == 0x0
 00829  1972   NtAllocateVirtualMemory  (-1, 25681920, 0, 8192, 4096, 4, ... 25681920, 8192, ) == 0x0
 00830  1972   NtProtectVirtualMemory  (-1, (0x187e000), 4096, 260, ... (0x187e000), 4096, 4, ) == 0x0
 00831  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 168, {1664, 1856}, ) == 0x0
 00832  1972   NtQueryInformationThread  (168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1664,Tid=1856,}, 0x0, ) == 0x0
 00833  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57955, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\200\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\200\6\0\0@\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57956, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\200\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\200\6\0\0@\7\0\0" )  ) == 0x0
 00834  1972   NtResumeThread  (168, ... 1, ) == 0x0
 00835  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25690112, 1048576, ) == 0x0
 00836  1972   NtAllocateVirtualMemory  (-1, 26730496, 0, 8192, 4096, 4, ... 26730496, 8192, ) == 0x0
 00837  1856   NtWaitForSingleObject  (96, 0, 0x0, ...
 00838  1972   NtProtectVirtualMemory  (-1, (0x197e000), 4096, 260, ... (0x197e000), 4096, 4, ) == 0x0
 00839  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 172, {1664, 1596}, ) == 0x0
 00840  1972   NtQueryInformationThread  (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1664,Tid=1596,}, 0x0, ) == 0x0
 00841  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57956, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\200\6\0\0<\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\200\6\0\0<\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57957, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\200\6\0\0<\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\200\6\0\0<\6\0\0" )  ) == 0x0
 00842  1972   NtResumeThread  (172, ... 1, ) == 0x0
 00843  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00844  1596   NtWaitForSingleObject  (96, 0, 0x0, ...
 00843  1972   NtAllocateVirtualMemory  ... 26738688, 1048576, ) == 0x0
 00845  1972   NtAllocateVirtualMemory  (-1, 27779072, 0, 8192, 4096, 4, ... 27779072, 8192, ) == 0x0
 00846  1972   NtProtectVirtualMemory  (-1, (0x1a7e000), 4096, 260, ... (0x1a7e000), 4096, 4, ) == 0x0
 00847  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 176, {1664, 1128}, ) == 0x0
 00848  1972   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1664,Tid=1128,}, 0x0, ) == 0x0
 00849  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57957, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\200\6\0\0h\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\200\6\0\0h\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57958, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\200\6\0\0h\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\200\6\0\0h\4\0\0" )  ) == 0x0
 00850  1972   NtResumeThread  (176, ... 1, ) == 0x0
 00851  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27787264, 1048576, ) == 0x0
 00852  1972   NtAllocateVirtualMemory  (-1, 28827648, 0, 8192, 4096, 4, ... 28827648, 8192, ) == 0x0
 00853  1128   NtWaitForSingleObject  (96, 0, 0x0, ...
 00854  1972   NtProtectVirtualMemory  (-1, (0x1b7e000), 4096, 260, ... (0x1b7e000), 4096, 4, ) == 0x0
 00855  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1664, 1256}, ) == 0x0
 00856  1972   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1664,Tid=1256,}, 0x0, ) == 0x0
 00857  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57958, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\200\6\0\0\350\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\200\6\0\0\350\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57959, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\200\6\0\0\350\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\200\6\0\0\350\4\0\0" )  ) == 0x0
 00858  1972   NtResumeThread  (180, ... 1, ) == 0x0
 00859  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00860  1256   NtWaitForSingleObject  (96, 0, 0x0, ...
 00859  1972   NtAllocateVirtualMemory  ... 28835840, 1048576, ) == 0x0
 00861  1972   NtAllocateVirtualMemory  (-1, 29876224, 0, 8192, 4096, 4, ... 29876224, 8192, ) == 0x0
 00862  1972   NtProtectVirtualMemory  (-1, (0x1c7e000), 4096, 260, ... (0x1c7e000), 4096, 4, ) == 0x0
 00863  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 184, {1664, 220}, ) == 0x0
 00864  1972   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1664,Tid=220,}, 0x0, ) == 0x0
 00865  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57959, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\200\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\200\6\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57960, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\200\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\200\6\0\0\334\0\0\0" )  ) == 0x0
 00866  1972   NtResumeThread  (184, ... 1, ) == 0x0
 00867  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29884416, 1048576, ) == 0x0
 00868  1972   NtAllocateVirtualMemory  (-1, 30924800, 0, 8192, 4096, 4, ... 30924800, 8192, ) == 0x0
 00869   220   NtWaitForSingleObject  (96, 0, 0x0, ...
 00870  1972   NtProtectVirtualMemory  (-1, (0x1d7e000), 4096, 260, ... (0x1d7e000), 4096, 4, ) == 0x0
 00871  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {1664, 1800}, ) == 0x0
 00872  1972   NtQueryInformationThread  (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1664,Tid=1800,}, 0x0, ) == 0x0
 00873  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57960, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\200\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\200\6\0\0\10\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57961, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\200\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\200\6\0\0\10\7\0\0" )  ) == 0x0
 00874  1972   NtResumeThread  (188, ... 1, ) == 0x0
 00875  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00876  1800   NtWaitForSingleObject  (96, 0, 0x0, ...
 00875  1972   NtAllocateVirtualMemory  ... 30932992, 1048576, ) == 0x0
 00877  1972   NtAllocateVirtualMemory  (-1, 31973376, 0, 8192, 4096, 4, ... 31973376, 8192, ) == 0x0
 00878  1972   NtProtectVirtualMemory  (-1, (0x1e7e000), 4096, 260, ... (0x1e7e000), 4096, 4, ) == 0x0
 00879  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {1664, 1796}, ) == 0x0
 00880  1972   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1664,Tid=1796,}, 0x0, ) == 0x0
 00881  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57961, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\200\6\0\0\4\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\200\6\0\0\4\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57962, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\200\6\0\0\4\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\200\6\0\0\4\7\0\0" )  ) == 0x0
 00882  1972   NtResumeThread  (192, ... 1, ) == 0x0
 00883  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31981568, 1048576, ) == 0x0
 00884  1972   NtAllocateVirtualMemory  (-1, 33021952, 0, 8192, 4096, 4, ... 33021952, 8192, ) == 0x0
 00885  1796   NtWaitForSingleObject  (96, 0, 0x0, ...
 00886  1972   NtProtectVirtualMemory  (-1, (0x1f7e000), 4096, 260, ... (0x1f7e000), 4096, 4, ) == 0x0
 00887  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {1664, 1808}, ) == 0x0
 00888  1972   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1664,Tid=1808,}, 0x0, ) == 0x0
 00889  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57962, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\200\6\0\0\20\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\200\6\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57963, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\200\6\0\0\20\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\200\6\0\0\20\7\0\0" )  ) == 0x0
 00890  1972   NtResumeThread  (196, ... 1, ) == 0x0
 00891  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00892  1808   NtWaitForSingleObject  (96, 0, 0x0, ...
 00891  1972   NtAllocateVirtualMemory  ... 33030144, 1048576, ) == 0x0
 00893  1972   NtAllocateVirtualMemory  (-1, 34070528, 0, 8192, 4096, 4, ... 34070528, 8192, ) == 0x0
 00894  1972   NtProtectVirtualMemory  (-1, (0x207e000), 4096, 260, ... (0x207e000), 4096, 4, ) == 0x0
 00895  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1664, 1700}, ) == 0x0
 00896  1972   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1664,Tid=1700,}, 0x0, ) == 0x0
 00897  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57963, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\200\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\200\6\0\0\244\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57964, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\200\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\200\6\0\0\244\6\0\0" )  ) == 0x0
 00898  1972   NtResumeThread  (200, ... 1, ) == 0x0
 00899  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34078720, 1048576, ) == 0x0
 00900  1972   NtAllocateVirtualMemory  (-1, 35119104, 0, 8192, 4096, 4, ... 35119104, 8192, ) == 0x0
 00901  1700   NtWaitForSingleObject  (96, 0, 0x0, ...
 00902  1972   NtProtectVirtualMemory  (-1, (0x217e000), 4096, 260, ... (0x217e000), 4096, 4, ) == 0x0
 00903  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1664, 1156}, ) == 0x0
 00904  1972   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1664,Tid=1156,}, 0x0, ) == 0x0
 00905  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57964, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\6\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57965, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\6\0\0\204\4\0\0" )  ) == 0x0
 00906  1972   NtResumeThread  (204, ... 1, ) == 0x0
 00907  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00908  1156   NtWaitForSingleObject  (96, 0, 0x0, ...
 00907  1972   NtAllocateVirtualMemory  ... 35127296, 1048576, ) == 0x0
 00909  1972   NtAllocateVirtualMemory  (-1, 36167680, 0, 8192, 4096, 4, ... 36167680, 8192, ) == 0x0
 00910  1972   NtProtectVirtualMemory  (-1, (0x227e000), 4096, 260, ... (0x227e000), 4096, 4, ) == 0x0
 00911  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1664, 712}, ) == 0x0
 00912  1972   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1664,Tid=712,}, 0x0, ) == 0x0
 00913  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57965, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\200\6\0\0\310\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\200\6\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57966, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\200\6\0\0\310\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\200\6\0\0\310\2\0\0" )  ) == 0x0
 00914  1972   NtResumeThread  (208, ... 1, ) == 0x0
 00915  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36175872, 1048576, ) == 0x0
 00916  1972   NtAllocateVirtualMemory  (-1, 37216256, 0, 8192, 4096, 4, ... 37216256, 8192, ) == 0x0
 00917   712   NtWaitForSingleObject  (96, 0, 0x0, ...
 00918  1972   NtProtectVirtualMemory  (-1, (0x237e000), 4096, 260, ... (0x237e000), 4096, 4, ) == 0x0
 00919  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1664, 1728}, ) == 0x0
 00920  1972   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1664,Tid=1728,}, 0x0, ) == 0x0
 00921  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57966, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\6\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57967, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\6\0\0\300\6\0\0" )  ) == 0x0
 00922  1972   NtResumeThread  (212, ... 1, ) == 0x0
 00923  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00924  1728   NtWaitForSingleObject  (96, 0, 0x0, ...
 00923  1972   NtAllocateVirtualMemory  ... 37224448, 1048576, ) == 0x0
 00925  1972   NtAllocateVirtualMemory  (-1, 38264832, 0, 8192, 4096, 4, ... 38264832, 8192, ) == 0x0
 00926  1972   NtProtectVirtualMemory  (-1, (0x247e000), 4096, 260, ... (0x247e000), 4096, 4, ) == 0x0
 00927  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00745   464   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927  1972   NtCreateThread  ... 216, {1664, 1356}, ) == 0x0
 00928  1972   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1664,Tid=1356,}, 0x0, ) == 0x0
 00929  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57967, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57968, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\6\0\0L\5\0\0" )  ) == 0x0
 00930  1972   NtResumeThread  (216, ... 1, ) == 0x0
 00931  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38273024, 1048576, ) == 0x0
 00932  1972   NtAllocateVirtualMemory  (-1, 39313408, 0, 8192, 4096, 4, ... 39313408, 8192, ) == 0x0
 00933   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00934  1356   NtWaitForSingleObject  (96, 0, 0x0, ...
 00933   464   NtQueryAttributesFile  ... ) == 0x0
 00935   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 00936   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 220, ... 224, ) == 0x0
 00937   464   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00938   464   NtClose  (220, ... ) == 0x0
 00939   464   NtMapViewOfSection  (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 00940  1972   NtProtectVirtualMemory  (-1, (0x257e000), 4096, 260, ... (0x257e000), 4096, 4, ) == 0x0
 00941  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1664, 1536}, ) == 0x0
 00942  1972   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1664,Tid=1536,}, 0x0, ) == 0x0
 00943  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57968, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\6\0\0\0\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57969, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\6\0\0\0\6\0\0" )  ) == 0x0
 00944  1972   NtResumeThread  (220, ... 1, ) == 0x0
 00945  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00946   464   NtClose  (224, ...
 00947  1536   NtWaitForSingleObject  (96, 0, 0x0, ...
 00946   464   NtClose  ... ) == 0x0
 00948   464   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00949   464   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00950   464   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00951   464   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00952   464   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00945  1972   NtAllocateVirtualMemory  ... 39321600, 1048576, ) == 0x0
 00953  1972   NtAllocateVirtualMemory  (-1, 40361984, 0, 8192, 4096, 4, ... 40361984, 8192, ) == 0x0
 00954  1972   NtProtectVirtualMemory  (-1, (0x267e000), 4096, 260, ... (0x267e000), 4096, 4, ) == 0x0
 00955  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1664, 444}, ) == 0x0
 00956  1972   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1664,Tid=444,}, 0x0, ) == 0x0
 00957  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57969, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\6\0\0\274\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\6\0\0\274\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57970, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\6\0\0\274\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\6\0\0\274\1\0\0" )  ) == 0x0
 00958   464   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00959   464   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00960   464   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00961   464   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00962   464   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00963   464   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00964  1972   NtResumeThread  (224, ... 1, ) == 0x0
 00965  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 40370176, 1048576, ) == 0x0
 00966  1972   NtAllocateVirtualMemory  (-1, 41410560, 0, 8192, 4096, 4, ... 41410560, 8192, ) == 0x0
 00967  1972   NtProtectVirtualMemory  (-1, (0x277e000), 4096, 260, ... (0x277e000), 4096, 4, ) == 0x0
 00968  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00969   464   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00970   464   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00971   464   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00972   444   NtWaitForSingleObject  (96, 0, 0x0, ...
 00968  1972   NtCreateThread  ... 228, {1664, 1904}, ) == 0x0
 00973  1972   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1664,Tid=1904,}, 0x0, ) == 0x0
 00974  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57970, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\200\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\200\6\0\0p\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57971, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\200\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\200\6\0\0p\7\0\0" )  ) == 0x0
 00975  1972   NtResumeThread  (228, ... 1, ) == 0x0
 00976  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 41418752, 1048576, ) == 0x0
 00977  1972   NtAllocateVirtualMemory  (-1, 42459136, 0, 8192, 4096, 4, ... 42459136, 8192, ) == 0x0
 00978   464   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 00979  1904   NtWaitForSingleObject  (96, 0, 0x0, ...
 00978   464   NtFlushInstructionCache  ... ) == 0x0
 00980   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   464   NtSetEventBoostPriority  (96, ...
 00751  1580   NtWaitForSingleObject  ... ) == 0x0
 00982  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15199184, ... ) }, 15199184, ... ) == 0x0
 00981   464   NtSetEventBoostPriority  ... ) == 0x0
 00983  1972   NtProtectVirtualMemory  (-1, (0x287e000), 4096, 260, ...
 00984  1580   NtSetEventBoostPriority  (96, ...
 00983  1972   NtProtectVirtualMemory  ... (0x287e000), 4096, 4, ) == 0x0
 00760  1756   NtWaitForSingleObject  ... ) == 0x0
 00984  1580   NtSetEventBoostPriority  ... ) == 0x0
 00985  1756   NtSetEventBoostPriority  (96, ...
 00986  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00773  1292   NtWaitForSingleObject  ... ) == 0x0
 00985  1756   NtSetEventBoostPriority  ... ) == 0x0
 00987  1580   NtWaitForSingleObject  (96, 0, 0x0, ...
 00988  1292   NtSetEventBoostPriority  (96, ...
 00986  1972   NtCreateThread  ... 232, {1664, 1936}, ) == 0x0
 00989   464   NtWaitForSingleObject  (96, 0, 0x0, ...
 00780  1956   NtWaitForSingleObject  ... ) == 0x0
 00988  1292   NtSetEventBoostPriority  ... ) == 0x0
 00990  1972   NtQueryInformationThread  (232, Basic, 28, ...
 00991  1956   NtSetEventBoostPriority  (96, ...
 00992  1756   NtTestAlert  (...
 00789  1980   NtWaitForSingleObject  ... ) == 0x0
 00991  1956   NtSetEventBoostPriority  ... ) == 0x0
 00990  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1664,Tid=1936,}, 0x0, ) == 0x0
 00993  1980   NtSetEventBoostPriority  (96, ...
 00992  1756   NtTestAlert  ... ) == 0x0
 00994  1292   NtTestAlert  (...
 00995  1956   NtTestAlert  (...
 00796  1784   NtWaitForSingleObject  ... ) == 0x0
 00993  1980   NtSetEventBoostPriority  ... ) == 0x0
 00996  1756   NtContinue  (16252208, 1, ...
 00994  1292   NtTestAlert  ... ) == 0x0
 00997  1784   NtSetEventBoostPriority  (96, ...
 00995  1956   NtTestAlert  ... ) == 0x0
 00998  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57971, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\200\6\0\0\220\7\0\0" ...  ...
 00999  1756   NtRegisterThreadTerminatePort  (24, ...
 00805  1480   NtWaitForSingleObject  ... ) == 0x0
 00997  1784   NtSetEventBoostPriority  ... ) == 0x0
 01000  1292   NtContinue  (17300784, 1, ...
 01001  1956   NtContinue  (18349360, 1, ...
 00998  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57972, 0}  ... {28, 56, reply, 0, 1664, 1972, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\200\6\0\0\220\7\0\0" )  ) == 0x0
 01002  1480   NtSetEventBoostPriority  (96, ...
 00999  1756   NtRegisterThreadTerminatePort  ... ) == 0x0
 01003  1980   NtTestAlert  (...
 01004  1292   NtRegisterThreadTerminatePort  (24, ...
 01005  1956   NtRegisterThreadTerminatePort  (24, ...
 00812  1556   NtWaitForSingleObject  ... ) == 0x0
 01002  1480   NtSetEventBoostPriority  ... ) == 0x0
 01006  1972   NtResumeThread  (232, ...
 01007  1756   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01003  1980   NtTestAlert  ... ) == 0x0
 01004  1292   NtRegisterThreadTerminatePort  ... ) == 0x0
 01008  1556   NtSetEventBoostPriority  (96, ...
 01005  1956   NtRegisterThreadTerminatePort  ... ) == 0x0
 01009  1784   NtTestAlert  (...
 01006  1972   NtResumeThread  ... 1, ) == 0x0
 01010  1480   NtTestAlert  (...
 01011  1980   NtContinue  (19397936, 1, ...
 00821   460   NtWaitForSingleObject  ... ) == 0x0
 01008  1556   NtSetEventBoostPriority  ... ) == 0x0
 01012  1292   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01013  1956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01009  1784   NtTestAlert  ... ) == 0x0
 01014  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01010  1480   NtTestAlert  ... ) == 0x0
 01015   460   NtSetEventBoostPriority  (96, ...
 01016  1980   NtRegisterThreadTerminatePort  (24, ...
 01007  1756   NtDuplicateObject  ... 236, ) == 0x0
 01017  1936   NtWaitForSingleObject  (96, 0, 0x0, ...
 01018  1556   NtTestAlert  (...
 01012  1292   NtDuplicateObject  ... 240, ) == 0x0
 01019  1784   NtContinue  (20446512, 1, ...
 01013  1956   NtDuplicateObject  ... 244, ) == 0x0
 00828  1068   NtWaitForSingleObject  ... ) == 0x0
 01015   460   NtSetEventBoostPriority  ... ) == 0x0
 01020  1480   NtContinue  (21495088, 1, ...
 01016  1980   NtRegisterThreadTerminatePort  ... ) == 0x0
 01021  1756   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01018  1556   NtTestAlert  ... ) == 0x0
 01022  1292   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01023  1784   NtRegisterThreadTerminatePort  (24, ...
 01024  1068   NtSetEventBoostPriority  (96, ...
 01025  1956   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01014  1972   NtAllocateVirtualMemory  ... 42467328, 1048576, ) == 0x0
 01026  1480   NtRegisterThreadTerminatePort  (24, ...
 01027  1980   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01021  1756   NtWaitForSingleObject  ... ) == 0x102
 01028  1556   NtContinue  (22543664, 1, ...
 01022  1292   NtWaitForSingleObject  ... ) == 0x102
 00837  1856   NtWaitForSingleObject  ... ) == 0x0
 01024  1068   NtSetEventBoostPriority  ... ) == 0x0
 01023  1784   NtRegisterThreadTerminatePort  ... ) == 0x0
 01025  1956   NtWaitForSingleObject  ... ) == 0x102
 01029  1972   NtAllocateVirtualMemory  (-1, 43507712, 0, 8192, 4096, 4, ...
 01026  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 01030   460   NtTestAlert  (...
 01031  1756   NtWaitForSingleObject  (128, 0, 0x0, ...
 01032  1556   NtRegisterThreadTerminatePort  (24, ...
 01033  1856   NtSetEventBoostPriority  (96, ...
 01034  1292   NtWaitForSingleObject  (128, 0, 0x0, ...
 01027  1980   NtDuplicateObject  ... 248, ) == 0x0
 01035  1784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01036  1956   NtWaitForSingleObject  (128, 0, 0x0, ...
 01029  1972   NtAllocateVirtualMemory  ... 43507712, 8192, ) == 0x0
 01037  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01030   460   NtTestAlert  ... ) == 0x0
 00844  1596   NtWaitForSingleObject  ... ) == 0x0
 01033  1856   NtSetEventBoostPriority  ... ) == 0x0
 01032  1556   NtRegisterThreadTerminatePort  ... ) == 0x0
 01038  1980   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01039  1068   NtTestAlert  (...
 01040  1972   NtProtectVirtualMemory  (-1, (0x297e000), 4096, 260, ...
 01035  1784   NtDuplicateObject  ... 252, ) == 0x0
 01041  1596   NtSetEventBoostPriority  (96, ...
 01042   460   NtContinue  (23592240, 1, ...
 01037  1480   NtDuplicateObject  ... 256, ) == 0x0
 01043  1556   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01038  1980   NtWaitForSingleObject  ... ) == 0x102
 01039  1068   NtTestAlert  ... ) == 0x0
 01040  1972   NtProtectVirtualMemory  ... (0x297e000), 4096, 4, ) == 0x0
 00853  1128   NtWaitForSingleObject  ... ) == 0x0
 01041  1596   NtSetEventBoostPriority  ... ) == 0x0
 01044  1784   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01045   460   NtRegisterThreadTerminatePort  (24, ...
 01046  1480   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01047  1856   NtTestAlert  (...
 01048  1980   NtWaitForSingleObject  (128, 0, 0x0, ...
 01049  1068   NtContinue  (24640816, 1, ...
 01050  1128   NtSetEventBoostPriority  (96, ...
 01051  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01043  1556   NtDuplicateObject  ... 260, ) == 0x0
 01044  1784   NtWaitForSingleObject  ... ) == 0x102
 01045   460   NtRegisterThreadTerminatePort  ... ) == 0x0
 01046  1480   NtWaitForSingleObject  ... ) == 0x102
 01047  1856   NtTestAlert  ... ) == 0x0
 00860  1256   NtWaitForSingleObject  ... ) == 0x0
 01050  1128   NtSetEventBoostPriority  ... ) == 0x0
 01052  1068   NtRegisterThreadTerminatePort  (24, ...
 01053  1596   NtTestAlert  (...
 01054  1556   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01055  1784   NtWaitForSingleObject  (128, 0, 0x0, ...
 01056   460   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01057  1480   NtWaitForSingleObject  (128, 0, 0x0, ...
 01058  1256   NtSetEventBoostPriority  (96, ...
 01059  1856   NtContinue  (25689392, 1, ...
 01051  1972   NtCreateThread  ... 264, {1664, 1648}, ) == 0x0
 01052  1068   NtRegisterThreadTerminatePort  ... ) == 0x0
 01053  1596   NtTestAlert  ... ) == 0x0
 01054  1556   NtWaitForSingleObject  ... ) == 0x102
 01060  1128   NtTestAlert  (...
 00869   220   NtWaitForSingleObject  ... ) == 0x0
 01058  1256   NtSetEventBoostPriority  ... ) == 0x0
 01061  1856   NtRegisterThreadTerminatePort  (24, ...
 01062  1972   NtQueryInformationThread  (264, Basic, 28, ...
 01063  1068   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01064  1596   NtContinue  (26737968, 1, ...
 01065  1556   NtWaitForSingleObject  (128, 0, 0x0, ...
 01066   220   NtSetEventBoostPriority  (96, ...
 01060  1128   NtTestAlert  ... ) == 0x0
 01056   460   NtDuplicateObject  ... 268, ) == 0x0
 01061  1856   NtRegisterThreadTerminatePort  ... ) == 0x0
 01062  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1664,Tid=1648,}, 0x0, ) == 0x0
 01067  1256   NtTestAlert  (...
 01068  1596   NtRegisterThreadTerminatePort  (24, ...
 00876  1800   NtWaitForSingleObject  ... ) == 0x0
 01066   220   NtSetEventBoostPriority  ... ) == 0x0
 01069  1128   NtContinue  (27786544, 1, ...
 01070   460   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01071  1856   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01072  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57972, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\200\6\0\0p\6\0\0" ...  ...
 01067  1256   NtTestAlert  ... ) == 0x0
 01073  1800   NtSetEventBoostPriority  (96, ...
 01068  1596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01063  1068   NtDuplicateObject  ... 272, ) == 0x0
 01074  1128   NtRegisterThreadTerminatePort  (24, ...
 01070   460   NtWaitForSingleObject  ... ) == 0x102
 01075   220   NtTestAlert  (...
 01072  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57973, 0}  ... {28, 56, reply, 0, 1664, 1972, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\200\6\0\0p\6\0\0" )  ) == 0x0
 00885  1796   NtWaitForSingleObject  ... ) == 0x0
 01073  1800   NtSetEventBoostPriority  ... ) == 0x0
 01076  1256   NtContinue  (28835120, 1, ...
 01077  1596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01078  1068   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01074  1128   NtRegisterThreadTerminatePort  ... ) == 0x0
 01079   460   NtWaitForSingleObject  (128, 0, 0x0, ...
 01075   220   NtTestAlert  ... ) == 0x0
 01071  1856   NtDuplicateObject  ... 276, ) == 0x0
 01080  1796   NtSetEventBoostPriority  (96, ...
 01081  1972   NtResumeThread  (264, ...
 01082  1256   NtRegisterThreadTerminatePort  (24, ...
 01083  1800   NtTestAlert  (...
 01078  1068   NtWaitForSingleObject  ... ) == 0x102
 01084  1128   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01085   220   NtContinue  (29883696, 1, ...
 00892  1808   NtWaitForSingleObject  ... ) == 0x0
 01080  1796   NtSetEventBoostPriority  ... ) == 0x0
 01086  1856   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01081  1972   NtResumeThread  ... 1, ) == 0x0
 01082  1256   NtRegisterThreadTerminatePort  ... ) == 0x0
 01083  1800   NtTestAlert  ... ) == 0x0
 01087  1068   NtWaitForSingleObject  (128, 0, 0x0, ...
 01077  1596   NtDuplicateObject  ... 280, ) == 0x0
 01088  1648   NtWaitForSingleObject  (96, 0, 0x0, ...
 01089  1808   NtSetEventBoostPriority  (96, ...
 01090   220   NtRegisterThreadTerminatePort  (24, ...
 01084  1128   NtDuplicateObject  ... 284, ) == 0x0
 01086  1856   NtWaitForSingleObject  ... ) == 0x102
 01091  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01092  1256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01093  1800   NtContinue  (30932272, 1, ...
 01094  1596   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 00901  1700   NtWaitForSingleObject  ... ) == 0x0
 01089  1808   NtSetEventBoostPriority  ... ) == 0x0
 01090   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 01095  1128   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01096  1856   NtWaitForSingleObject  (128, 0, 0x0, ...
 01091  1972   NtAllocateVirtualMemory  ... 43515904, 1048576, ) == 0x0
 01097  1796   NtTestAlert  (...
 01098  1800   NtRegisterThreadTerminatePort  (24, ...
 01099  1700   NtSetEventBoostPriority  (96, ...
 01094  1596   NtWaitForSingleObject  ... ) == 0x102
 01092  1256   NtDuplicateObject  ... 288, ) == 0x0
 01100   220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01095  1128   NtWaitForSingleObject  ... ) == 0x102
 01101  1972   NtAllocateVirtualMemory  (-1, 44556288, 0, 8192, 4096, 4, ...
 01097  1796   NtTestAlert  ... ) == 0x0
 00908  1156   NtWaitForSingleObject  ... ) == 0x0
 01099  1700   NtSetEventBoostPriority  ... ) == 0x0
 01098  1800   NtRegisterThreadTerminatePort  ... ) == 0x0
 01102  1596   NtWaitForSingleObject  (128, 0, 0x0, ...
 01103  1256   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01104  1808   NtTestAlert  (...
 01105  1128   NtWaitForSingleObject  (128, 0, 0x0, ...
 01101  1972   NtAllocateVirtualMemory  ... 44556288, 8192, ) == 0x0
 01106  1156   NtSetEventBoostPriority  (96, ...
 01107  1796   NtContinue  (31980848, 1, ...
 01100   220   NtDuplicateObject  ... 292, ) == 0x0
 01108  1800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01103  1256   NtWaitForSingleObject  ... ) == 0x102
 01104  1808   NtTestAlert  ... ) == 0x0
 01109  1700   NtTestAlert  (...
 00917   712   NtWaitForSingleObject  ... ) == 0x0
 01106  1156   NtSetEventBoostPriority  ... ) == 0x0
 01110  1796   NtRegisterThreadTerminatePort  (24, ...
 01111   220   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01112  1972   NtProtectVirtualMemory  (-1, (0x2a7e000), 4096, 260, ...
 01113  1256   NtWaitForSingleObject  (128, 0, 0x0, ...
 01114  1808   NtContinue  (33029424, 1, ...
 01115   712   NtSetEventBoostPriority  (96, ...
 01109  1700   NtTestAlert  ... ) == 0x0
 01108  1800   NtDuplicateObject  ... 296, ) == 0x0
 01110  1796   NtRegisterThreadTerminatePort  ... ) == 0x0
 01111   220   NtWaitForSingleObject  ... ) == 0x102
 01112  1972   NtProtectVirtualMemory  ... (0x2a7e000), 4096, 4, ) == 0x0
 00924  1728   NtWaitForSingleObject  ... ) == 0x0
 01115   712   NtSetEventBoostPriority  ... ) == 0x0
 01116  1808   NtRegisterThreadTerminatePort  (24, ...
 01117  1700   NtContinue  (34078000, 1, ...
 01118  1800   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01119  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01120   220   NtWaitForSingleObject  (128, 0, 0x0, ...
 01121  1728   NtAllocateVirtualMemory  (-1, 8802304, 0, 4096, 4096, 4, ...
 01122  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01123  1156   NtTestAlert  (...
 01116  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 01124  1700   NtRegisterThreadTerminatePort  (24, ...
 01118  1800   NtWaitForSingleObject  ... ) == 0x102
 01125   712   NtTestAlert  (...
 01121  1728   NtAllocateVirtualMemory  ... 8802304, 4096, ) == 0x0
 01122  1972   NtCreateThread  ... 300, {1664, 148}, ) == 0x0
 01123  1156   NtTestAlert  ... ) == 0x0
 01126  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01124  1700   NtRegisterThreadTerminatePort  ... ) == 0x0
 01127  1800   NtWaitForSingleObject  (128, 0, 0x0, ...
 01125   712   NtTestAlert  ... ) == 0x0
 01119  1796   NtDuplicateObject  ... 304, ) == 0x0
 01128  1972   NtQueryInformationThread  (300, Basic, 28, ...
 01129  1156   NtContinue  (35126576, 1, ...
 01130  1728   NtSetEventBoostPriority  (96, ...
 01131  1700   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01132   712   NtContinue  (36175152, 1, ...
 01133  1796   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01128  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1664,Tid=148,}, 0x0, ) == 0x0
 01134  1156   NtRegisterThreadTerminatePort  (24, ...
 00934  1356   NtWaitForSingleObject  ... ) == 0x0
 01130  1728   NtSetEventBoostPriority  ... ) == 0x0
 01126  1808   NtDuplicateObject  ... 308, ) == 0x0
 01135   712   NtRegisterThreadTerminatePort  (24, ...
 01133  1796   NtWaitForSingleObject  ... ) == 0x102
 01131  1700   NtDuplicateObject  ... 312, ) == 0x0
 01136  1356   NtSetEventBoostPriority  (96, ...
 01134  1156   NtRegisterThreadTerminatePort  ... ) == 0x0
 01137  1728   NtTestAlert  (...
 01138  1808   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01135   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 01139  1796   NtWaitForSingleObject  (128, 0, 0x0, ...
 00947  1536   NtWaitForSingleObject  ... ) == 0x0
 01136  1356   NtSetEventBoostPriority  ... ) == 0x0
 01140  1700   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01141  1156   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01137  1728   NtTestAlert  ... ) == 0x0
 01138  1808   NtWaitForSingleObject  ... ) == 0x102
 01142   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01143  1536   NtSetEventBoostPriority  (96, ...
 01144  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57973, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\200\6\0\0\224\0\0\0" ...  ...
 01140  1700   NtWaitForSingleObject  ... ) == 0x102
 01145  1356   NtTestAlert  (...
 01146  1728   NtContinue  (37223728, 1, ...
 01147  1808   NtWaitForSingleObject  (128, 0, 0x0, ...
 01141  1156   NtDuplicateObject  ... 316, ) == 0x0
 00972   444   NtWaitForSingleObject  ... ) == 0x0
 01143  1536   NtSetEventBoostPriority  ... ) == 0x0
 01144  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57974, 0}  ... {28, 56, reply, 0, 1664, 1972, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\200\6\0\0\224\0\0\0" )  ) == 0x0
 01148  1700   NtWaitForSingleObject  (128, 0, 0x0, ...
 01145  1356   NtTestAlert  ... ) == 0x0
 01149  1728   NtRegisterThreadTerminatePort  (24, ...
 01150   444   NtSetEventBoostPriority  (96, ...
 01151  1156   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01142   712   NtDuplicateObject  ... 320, ) == 0x0
 01152  1972   NtResumeThread  (300, ...
 01153  1356   NtContinue  (38272304, 1, ...
 01154  1536   NtTestAlert  (...
 00979  1904   NtWaitForSingleObject  ... ) == 0x0
 01150   444   NtSetEventBoostPriority  ... ) == 0x0
 01151  1156   NtWaitForSingleObject  ... ) == 0x102
 01155   712   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01152  1972   NtResumeThread  ... 1, ) == 0x0
 01156  1356   NtRegisterThreadTerminatePort  (24, ...
 01157  1904   NtSetEventBoostPriority  (96, ...
 01154  1536   NtTestAlert  ... ) == 0x0
 01149  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 01158   148   NtWaitForSingleObject  (96, 0, 0x0, ...
 01159  1156   NtWaitForSingleObject  (128, 0, 0x0, ...
 01155   712   NtWaitForSingleObject  ... ) == 0x102
 01160  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00987  1580   NtWaitForSingleObject  ... ) == 0x0
 01157  1904   NtSetEventBoostPriority  ... ) == 0x0
 01156  1356   NtRegisterThreadTerminatePort  ... ) == 0x0
 01161  1536   NtContinue  (39320880, 1, ...
 01162  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01163   712   NtWaitForSingleObject  (128, 0, 0x0, ...
 01164   444   NtTestAlert  (...
 01165  1580   NtSetEventBoostPriority  (96, ...
 01160  1972   NtAllocateVirtualMemory  ... 44564480, 1048576, ) == 0x0
 01166  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01167  1536   NtRegisterThreadTerminatePort  (24, ...
 01162  1728   NtDuplicateObject  ... 324, ) == 0x0
 00989   464   NtWaitForSingleObject  ... ) == 0x0
 01165  1580   NtSetEventBoostPriority  ... ) == 0x0
 01164   444   NtTestAlert  ... ) == 0x0
 01168  1972   NtAllocateVirtualMemory  (-1, 45604864, 0, 8192, 4096, 4, ...
 01169  1904   NtTestAlert  (...
 01167  1536   NtRegisterThreadTerminatePort  ... ) == 0x0
 01170   464   NtSetEventBoostPriority  (96, ...
 01171  1728   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01166  1356   NtDuplicateObject  ... 328, ) == 0x0
 01172   444   NtContinue  (40369456, 1, ...
 01168  1972   NtAllocateVirtualMemory  ... 45604864, 8192, ) == 0x0
 01169  1904   NtTestAlert  ... ) == 0x0
 01017  1936   NtWaitForSingleObject  ... ) == 0x0
 01170   464   NtSetEventBoostPriority  ... ) == 0x0
 01173  1536   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01171  1728   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01174  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01175   444   NtRegisterThreadTerminatePort  (24, ...
 01176  1972   NtProtectVirtualMemory  (-1, (0x2b7e000), 4096, 260, ...
 01177  1936   NtSetEventBoostPriority  (96, ...
 01178  1904   NtContinue  (41418032, 1, ...
 01179   464   NtWaitForSingleObject  (96, 0, 0x0, ...
 01180  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01181  1728   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01174  1356   NtCreateEvent  ... 332, ) == 0x0
 01175   444   NtRegisterThreadTerminatePort  ... ) == 0x0
 01088  1648   NtWaitForSingleObject  ... ) == 0x0
 01177  1936   NtSetEventBoostPriority  ... ) == 0x0
 01176  1972   NtProtectVirtualMemory  ... (0x2b7e000), 4096, 4, ) == 0x0
 01182  1904   NtRegisterThreadTerminatePort  (24, ...
 01173  1536   NtCreateEvent  ... 336, ) == 0x0
 01180  1580   NtCreateEvent  ... 340, ) == 0x0
 01183  1356   NtWaitForSingleObject  (332, 0, 0x0, ...
 01184  1648   NtSetEventBoostPriority  (96, ...
 01185   444   NtWaitForSingleObject  (332, 0, 0x0, ...
 01181  1728   NtCreateEvent  ... 344, ) == 0x0
 01186  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01182  1904   NtRegisterThreadTerminatePort  ... ) == 0x0
 01187  1536   NtClose  (336, ...
 01188  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01158   148   NtWaitForSingleObject  ... ) == 0x0
 01184  1648   NtSetEventBoostPriority  ... ) == 0x0
 01189  1936   NtTestAlert  (...
 01190  1728   NtClose  (344, ...
 01191  1904   NtWaitForSingleObject  (332, 0, 0x0, ...
 01187  1536   NtClose  ... ) == 0x0
 01192   148   NtSetEventBoostPriority  (96, ...
 01186  1972   NtCreateThread  ... 336, {1664, 1828}, ) == 0x0
 01189  1936   NtTestAlert  ... ) == 0x0
 01190  1728   NtClose  ... ) == 0x0
 01193  1648   NtTestAlert  (...
 01179   464   NtWaitForSingleObject  ... ) == 0x0
 01192   148   NtSetEventBoostPriority  ... ) == 0x0
 01194  1536   NtWaitForSingleObject  (332, 0, 0x0, ...
 01195  1972   NtQueryInformationThread  (336, Basic, 28, ...
 01196  1936   NtContinue  (42466608, 1, ...
 01197  1728   NtSetEventBoostPriority  (332, ...
 01198   464   NtQuerySystemInformation  (Basic, 44, ...
 01193  1648   NtTestAlert  ... ) == 0x0
 01195  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1664,Tid=1828,}, 0x0, ) == 0x0
 01199  1936   NtRegisterThreadTerminatePort  (24, ...
 01198   464   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01183  1356   NtWaitForSingleObject  ... ) == 0x0
 01197  1728   NtSetEventBoostPriority  ... ) == 0x0
 01200  1648   NtContinue  (43515184, 1, ...
 01201  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57974, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\200\6\0\0$\7\0\0" ...  ...
 01202   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01203  1356   NtSetEventBoostPriority  (332, ...
 01199  1936   NtRegisterThreadTerminatePort  ... ) == 0x0
 01204  1728   NtWaitForSingleObject  (332, 0, 0x0, ...
 01205  1648   NtRegisterThreadTerminatePort  (24, ...
 01185   444   NtWaitForSingleObject  ... ) == 0x0
 01203  1356   NtSetEventBoostPriority  ... ) == 0x0
 01201  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57975, 0}  ... {28, 56, reply, 0, 1664, 1972, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\200\6\0\0$\7\0\0" )  ) == 0x0
 01206  1936   NtWaitForSingleObject  (332, 0, 0x0, ...
 01207   148   NtTestAlert  (...
 01208   444   NtSetEventBoostPriority  (332, ...
 01205  1648   NtRegisterThreadTerminatePort  ... ) == 0x0
 01209  1356   NtWaitForSingleObject  (332, 0, 0x0, ...
 01210  1972   NtResumeThread  (336, ...
 01188  1580   NtWaitForSingleObject  ... ) == 0x0
 01207   148   NtTestAlert  ... ) == 0x0
 01211  1648   NtWaitForSingleObject  (332, 0, 0x0, ...
 01210  1972   NtResumeThread  ... 1, ) == 0x0
 01212  1580   NtSetEventBoostPriority  (332, ...
 01213   148   NtContinue  (44563760, 1, ...
 01208   444   NtSetEventBoostPriority  ... ) == 0x0
 01214  1828   NtTestAlert  (...
 01215  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01191  1904   NtWaitForSingleObject  ... ) == 0x0
 01212  1580   NtSetEventBoostPriority  ... ) == 0x0
 01216   148   NtRegisterThreadTerminatePort  (24, ...
 01217   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01214  1828   NtTestAlert  ... ) == 0x0
 01218  1904   NtSetEventBoostPriority  (332, ...
 01215  1972   NtAllocateVirtualMemory  ... 45613056, 1048576, ) == 0x0
 01216   148   NtRegisterThreadTerminatePort  ... ) == 0x0
 01217   444   NtDuplicateObject  ... 344, ) == 0x0
 01194  1536   NtWaitForSingleObject  ... ) == 0x0
 01219  1828   NtContinue  (45612336, 1, ...
 01220  1972   NtAllocateVirtualMemory  (-1, 46653440, 0, 8192, 4096, 4, ...
 01221   148   NtWaitForSingleObject  (332, 0, 0x0, ...
 01218  1904   NtSetEventBoostPriority  ... ) == 0x0
 01222  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01223  1536   NtSetEventBoostPriority  (332, ...
 01224  1828   NtRegisterThreadTerminatePort  (24, ...
 01220  1972   NtAllocateVirtualMemory  ... 46653440, 8192, ) == 0x0
 01225   444   NtWaitForSingleObject  (332, 0, 0x0, ...
 01226  1904   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01202   464   NtWaitForSingleObject  ... ) == 0x0
 01223  1536   NtSetEventBoostPriority  ... ) == 0x0
 01224  1828   NtRegisterThreadTerminatePort  ... ) == 0x0
 01227   464   NtSetEventBoostPriority  (332, ...
 01226  1904   NtDuplicateObject  ... 348, ) == 0x0
 01228  1972   NtProtectVirtualMemory  (-1, (0x2c7e000), 4096, 260, ...
 01229  1536   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01204  1728   NtWaitForSingleObject  ... ) == 0x0
 01227   464   NtSetEventBoostPriority  ... ) == 0x0
 01230  1828   NtWaitForSingleObject  (332, 0, 0x0, ...
 01228  1972   NtProtectVirtualMemory  ... (0x2c7e000), 4096, 4, ) == 0x0
 01229  1536   NtDuplicateObject  ... 352, ) == 0x0
 01231  1728   NtSetEventBoostPriority  (332, ...
 01232  1904   NtWaitForSingleObject  (332, 0, 0x0, ...
 01233  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01234  1536   NtWaitForSingleObject  (332, 0, 0x0, ...
 01209  1356   NtWaitForSingleObject  ... ) == 0x0
 01233  1972   NtCreateThread  ... 356, {1664, 1864}, ) == 0x0
 01235  1356   NtSetEventBoostPriority  (332, ...
 01236  1972   NtQueryInformationThread  (356, Basic, 28, ...
 01206  1936   NtWaitForSingleObject  ... ) == 0x0
 01235  1356   NtSetEventBoostPriority  ... ) == 0x0
 01237  1936   NtSetEventBoostPriority  (332, ...
 01236  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1664,Tid=1864,}, 0x0, ) == 0x0
 01211  1648   NtWaitForSingleObject  ... ) == 0x0
 01238  1356   NtWaitForSingleObject  (332, 0, 0x0, ...
 01237  1936   NtSetEventBoostPriority  ... ) == 0x0
 01231  1728   NtSetEventBoostPriority  ... ) == 0x0
 01239   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 01240  1648   NtSetEventBoostPriority  (332, ...
 01241  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57975, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\200\6\0\0H\7\0\0" ...  ...
 01242  1936   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01243  1728   NtWaitForSingleObject  (332, 0, 0x0, ...
 01239   464   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222  1580   NtWaitForSingleObject  ... ) == 0x0
 01241  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57976, 0}  ... {28, 56, reply, 0, 1664, 1972, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\200\6\0\0H\7\0\0" )  ) == 0x0
 01242  1936   NtDuplicateObject  ... 360, ) == 0x0
 01244   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 01245  1580   NtSetEventBoostPriority  (332, ...
 01246  1972   NtResumeThread  (356, ...
 01240  1648   NtSetEventBoostPriority  ... ) == 0x0
 01244   464   NtOpenKey  ... 364, ) == 0x0
 01221   148   NtWaitForSingleObject  ... ) == 0x0
 01245  1580   NtSetEventBoostPriority  ... ) == 0x0
 01246  1972   NtResumeThread  ... 1, ) == 0x0
 01247  1648   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01248   148   NtSetEventBoostPriority  (332, ...
 01249   464   NtQueryValueKey  (364,  (364, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 01250  1580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01251  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01225   444   NtWaitForSingleObject  ... ) == 0x0
 01247  1648   NtDuplicateObject  ... 368, ) == 0x0
 01249   464   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   148   NtSetEventBoostPriority  ... ) == 0x0
 01252  1936   NtWaitForSingleObject  (332, 0, 0x0, ...
 01253  1864   NtWaitForSingleObject  (96, 0, 0x0, ...
 01250  1580   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01254   444   NtSetEventBoostPriority  (332, ...
 01251  1972   NtAllocateVirtualMemory  ... 46661632, 1048576, ) == 0x0
 01255  1648   NtWaitForSingleObject  (332, 0, 0x0, ...
 01256   148   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01257  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01230  1828   NtWaitForSingleObject  ... ) == 0x0
 01254   444   NtSetEventBoostPriority  ... ) == 0x0
 01258  1972   NtAllocateVirtualMemory  (-1, 47702016, 0, 8192, 4096, 4, ...
 01256   148   NtDuplicateObject  ... 372, ) == 0x0
 01259  1828   NtSetEventBoostPriority  (332, ...
 01260   444   NtWaitForSingleObject  (332, 0, 0x0, ...
 01258  1972   NtAllocateVirtualMemory  ... 47702016, 8192, ) == 0x0
 01261   464   NtClose  (364, ...
 01232  1904   NtWaitForSingleObject  ... ) == 0x0
 01259  1828   NtSetEventBoostPriority  ... ) == 0x0
 01262   148   NtWaitForSingleObject  (332, 0, 0x0, ...
 01263  1972   NtProtectVirtualMemory  (-1, (0x2d7e000), 4096, 260, ...
 01264  1904   NtSetEventBoostPriority  (332, ...
 01261   464   NtClose  ... ) == 0x0
 01265  1828   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01234  1536   NtWaitForSingleObject  ... ) == 0x0
 01264  1904   NtSetEventBoostPriority  ... ) == 0x0
 01263  1972   NtProtectVirtualMemory  ... (0x2d7e000), 4096, 4, ) == 0x0
 01266   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 01267  1536   NtSetEventBoostPriority  (332, ...
 01268  1904   NtWaitForSingleObject  (332, 0, 0x0, ...
 01269  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01243  1728   NtWaitForSingleObject  ... ) == 0x0
 01267  1536   NtSetEventBoostPriority  ... ) == 0x0
 01266   464   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265  1828   NtDuplicateObject  ... 364, ) == 0x0
 01270  1728   NtSetEventBoostPriority  (332, ...
 01269  1972   NtCreateThread  ... 376, {1664, 1896}, ) == 0x0
 01271   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01238  1356   NtWaitForSingleObject  ... ) == 0x0
 01270  1728   NtSetEventBoostPriority  ... ) == 0x0
 01272  1828   NtWaitForSingleObject  (332, 0, 0x0, ...
 01273  1972   NtQueryInformationThread  (376, Basic, 28, ...
 01274  1356   NtSetEventBoostPriority  (332, ...
 01275  1536   NtWaitForSingleObject  (332, 0, 0x0, ...
 01252  1936   NtWaitForSingleObject  ... ) == 0x0
 01273  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1664,Tid=1896,}, 0x0, ) == 0x0
 01276  1936   NtSetEventBoostPriority  (332, ...
 01277  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57976, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\200\6\0\0h\7\0\0" ...  ...
 01255  1648   NtWaitForSingleObject  ... ) == 0x0
 01276  1936   NtSetEventBoostPriority  ... ) == 0x0
 01278  1648   NtSetEventBoostPriority  (332, ...
 01277  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57977, 0}  ... {28, 56, reply, 0, 1664, 1972, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\200\6\0\0h\7\0\0" )  ) == 0x0
 01257  1580   NtWaitForSingleObject  ... ) == 0x0
 01278  1648   NtSetEventBoostPriority  ... ) == 0x0
 01279  1936   NtWaitForSingleObject  (332, 0, 0x0, ...
 01274  1356   NtSetEventBoostPriority  ... ) == 0x0
 01280  1728   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01281  1580   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01282  1648   NtWaitForSingleObject  (332, 0, 0x0, ...
 01283  1972   NtResumeThread  (376, ...
 01284  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01281  1580   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01280  1728   NtCreateEvent  ... 380, ) == 0x0
 01283  1972   NtResumeThread  ... 1, ) == 0x0
 01284  1356   NtCreateEvent  ... 384, ) == 0x0
 01285  1896   NtWaitForSingleObject  (96, 0, 0x0, ...
 01286  1728   NtWaitForSingleObject  (380, 0, 0x0, ...
 01287  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01288  1580   NtSetEventBoostPriority  (332, ...
 01287  1972   NtAllocateVirtualMemory  ... 47710208, 1048576, ) == 0x0
 01262   148   NtWaitForSingleObject  ... ) == 0x0
 01288  1580   NtSetEventBoostPriority  ... ) == 0x0
 01289   148   NtSetEventBoostPriority  (332, ...
 01290  1972   NtAllocateVirtualMemory  (-1, 48750592, 0, 8192, 4096, 4, ...
 01260   444   NtWaitForSingleObject  ... ) == 0x0
 01289   148   NtSetEventBoostPriority  ... ) == 0x0
 01291  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15199288, ... }, 15199288, ...
 01292   444   NtSetEventBoostPriority  (332, ...
 01290  1972   NtAllocateVirtualMemory  ... 48750592, 8192, ) == 0x0
 01293   148   NtWaitForSingleObject  (332, 0, 0x0, ...
 01268  1904   NtWaitForSingleObject  ... ) == 0x0
 01292   444   NtSetEventBoostPriority  ... ) == 0x0
 01294  1356   NtClose  (384, ...
 01295  1972   NtProtectVirtualMemory  (-1, (0x2e7e000), 4096, 260, ...
 01296  1904   NtSetEventBoostPriority  (332, ...
 01297   444   NtWaitForSingleObject  (332, 0, 0x0, ...
 01294  1356   NtClose  ... ) == 0x0
 01295  1972   NtProtectVirtualMemory  ... (0x2e7e000), 4096, 4, ) == 0x0
 01271   464   NtWaitForSingleObject  ... ) == 0x0
 01298  1356   NtWaitForSingleObject  (380, 0, 0x0, ...
 01299  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01300   464   NtSetEventBoostPriority  (332, ...
 01299  1972   NtCreateThread  ... 384, {1664, 1524}, ) == 0x0
 01272  1828   NtWaitForSingleObject  ... ) == 0x0
 01300   464   NtSetEventBoostPriority  ... ) == 0x0
 01301  1828   NtSetEventBoostPriority  (332, ...
 01302  1972   NtQueryInformationThread  (384, Basic, 28, ...
 01296  1904   NtSetEventBoostPriority  ... ) == 0x0
 01275  1536   NtWaitForSingleObject  ... ) == 0x0
 01301  1828   NtSetEventBoostPriority  ... ) == 0x0
 01302  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1664,Tid=1524,}, 0x0, ) == 0x0
 01303  1536   NtSetEventBoostPriority  (332, ...
 01304  1904   NtWaitForSingleObject  (332, 0, 0x0, ...
 01305   464   NtWaitForSingleObject  (380, 0, 0x0, ...
 01306  1828   NtWaitForSingleObject  (332, 0, 0x0, ...
 01279  1936   NtWaitForSingleObject  ... ) == 0x0
 01303  1536   NtSetEventBoostPriority  ... ) == 0x0
 01307  1936   NtSetEventBoostPriority  (332, ...
 01282  1648   NtWaitForSingleObject  ... ) == 0x0
 01308  1648   NtSetEventBoostPriority  (332, ...
 01297   444   NtWaitForSingleObject  ... ) == 0x0
 01309   444   NtSetEventBoostPriority  (332, ...
 01293   148   NtWaitForSingleObject  ... ) == 0x0
 01310   148   NtSetEventBoostPriority  (332, ...
 01304  1904   NtWaitForSingleObject  ... ) == 0x0
 01311  1904   NtSetEventBoostPriority  (332, ...
 01306  1828   NtWaitForSingleObject  ... ) == 0x0
 01312  1828   NtWaitForSingleObject  (380, 0, 0x0, ...
 01311  1904   NtSetEventBoostPriority  ... ) == 0x0
 01309   444   NtSetEventBoostPriority  ... ) == 0x0
 01313  1536   NtWaitForSingleObject  (380, 0, 0x0, ...
 01310   148   NtSetEventBoostPriority  ... ) == 0x0
 01308  1648   NtSetEventBoostPriority  ... ) == 0x0
 01307  1936   NtSetEventBoostPriority  ... ) == 0x0
 01314  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57977, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\200\6\0\0\364\5\0\0" ...  ...
 01291  1580   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315  1904   NtWaitForSingleObject  (380, 0, 0x0, ...
 01316   444   NtWaitForSingleObject  (380, 0, 0x0, ...
 01317   148   NtWaitForSingleObject  (380, 0, 0x0, ...
 01318  1648   NtWaitForSingleObject  (380, 0, 0x0, ...
 01319  1936   NtSetEventBoostPriority  (380, ...
 01314  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57978, 0}  ... {28, 56, reply, 0, 1664, 1972, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\200\6\0\0\364\5\0\0" )  ) == 0x0
 01320  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15199288, ... }, 15199288, ...
 01286  1728   NtWaitForSingleObject  ... ) == 0x0
 01319  1936   NtSetEventBoostPriority  ... ) == 0x0
 01321  1972   NtResumeThread  (384, ...
 01322  1728   NtSetEventBoostPriority  (380, ...
 01320  1580   NtQueryAttributesFile  ... ) == 0x0
 01298  1356   NtWaitForSingleObject  ... ) == 0x0
 01322  1728   NtSetEventBoostPriority  ... ) == 0x0
 01321  1972   NtResumeThread  ... 1, ) == 0x0
 01323  1356   NtSetEventBoostPriority  (380, ...
 01324  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01325  1936   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01326  1524   NtWaitForSingleObject  (96, 0, 0x0, ...
 01305   464   NtWaitForSingleObject  ... ) == 0x0
 01323  1356   NtSetEventBoostPriority  ... ) == 0x0
 01327  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01324  1580   NtOpenFile  ... 388, {status=0x0, info=1}, ) == 0x0
 01325  1936   NtWaitForSingleObject  ... ) == 0x102
 01328   464   NtSetEventBoostPriority  (380, ...
 01329  1728   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01330  1356   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01331  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 388, ...
 01312  1828   NtWaitForSingleObject  ... ) == 0x0
 01328   464   NtSetEventBoostPriority  ... ) == 0x0
 01332  1936   NtWaitForSingleObject  (128, 0, 0x0, ...
 01329  1728   NtWaitForSingleObject  ... ) == 0x102
 01330  1356   NtWaitForSingleObject  ... ) == 0x102
 01327  1972   NtAllocateVirtualMemory  ... 48758784, 1048576, ) == 0x0
 01333  1828   NtSetEventBoostPriority  (380, ...
 01334   464   NtWaitForSingleObject  (380, 0, 0x0, ...
 01335  1728   NtWaitForSingleObject  (128, 0, 0x0, ...
 01336  1356   NtWaitForSingleObject  (128, 0, 0x0, ...
 01315  1904   NtWaitForSingleObject  ... ) == 0x0
 01333  1828   NtSetEventBoostPriority  ... ) == 0x0
 01337  1972   NtAllocateVirtualMemory  (-1, 49799168, 0, 8192, 4096, 4, ...
 01331  1580   NtCreateSection  ... 392, ) == 0x0
 01338  1904   NtSetEventBoostPriority  (380, ...
 01337  1972   NtAllocateVirtualMemory  ... 49799168, 8192, ) == 0x0
 01316   444   NtWaitForSingleObject  ... ) == 0x0
 01338  1904   NtSetEventBoostPriority  ... ) == 0x0
 01339  1580   NtQuerySection  (392, Image, 48, ...
 01340   444   NtSetEventBoostPriority  (380, ...
 01341  1972   NtProtectVirtualMemory  (-1, (0x2f7e000), 4096, 260, ...
 01342  1904   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01317   148   NtWaitForSingleObject  ... ) == 0x0
 01340   444   NtSetEventBoostPriority  ... ) == 0x0
 01339  1580   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01341  1972   NtProtectVirtualMemory  ... (0x2f7e000), 4096, 4, ) == 0x0
 01343  1828   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01344   148   NtSetEventBoostPriority  (380, ...
 01345   444   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01346  1580   NtClose  (388, ...
 01347  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01318  1648   NtWaitForSingleObject  ... ) == 0x0
 01344   148   NtSetEventBoostPriority  ... ) == 0x0
 01343  1828   NtWaitForSingleObject  ... ) == 0x102
 01342  1904   NtWaitForSingleObject  ... ) == 0x102
 01346  1580   NtClose  ... ) == 0x0
 01345   444   NtWaitForSingleObject  ... ) == 0x102
 01348  1648   NtSetEventBoostPriority  (380, ...
 01347  1972   NtCreateThread  ... 388, {1664, 1944}, ) == 0x0
 01349  1828   NtWaitForSingleObject  (128, 0, 0x0, ...
 01350  1904   NtWaitForSingleObject  (128, 0, 0x0, ...
 01351  1580   NtMapViewOfSection  (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01313  1536   NtWaitForSingleObject  ... ) == 0x0
 01348  1648   NtSetEventBoostPriority  ... ) == 0x0
 01352   444   NtWaitForSingleObject  (128, 0, 0x0, ...
 01353  1972   NtQueryInformationThread  (388, Basic, 28, ...
 01354   148   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01355  1536   NtSetEventBoostPriority  (380, ...
 01351  1580   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 01353  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1664,Tid=1944,}, 0x0, ) == 0x0
 01334   464   NtWaitForSingleObject  ... ) == 0x0
 01354   148   NtWaitForSingleObject  ... ) == 0x102
 01356  1580   NtClose  (392, ...
 01357  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57978, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\200\6\0\0\230\7\0\0" ...  ...
 01358   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01359   148   NtWaitForSingleObject  (128, 0, 0x0, ...
 01356  1580   NtClose  ... ) == 0x0
 01357  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57979, 0}  ... {28, 56, reply, 0, 1664, 1972, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\200\6\0\0\230\7\0\0" )  ) == 0x0
 01358   464   NtCreateEvent  ... 392, ) == 0x0
 01360  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01355  1536   NtSetEventBoostPriority  ... ) == 0x0
 01361  1648   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01362   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01360  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01363  1536   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01361  1648   NtWaitForSingleObject  ... ) == 0x102
 01362   464   NtCreateEvent  ... 396, ) == 0x0
 01364  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01365  1648   NtWaitForSingleObject  (128, 0, 0x0, ...
 01366  1972   NtResumeThread  (388, ...
 01363  1536   NtWaitForSingleObject  ... ) == 0x102
 01367   464   NtQuerySystemTime  (...
 01366  1972   NtResumeThread  ... 1, ) == 0x0
 01368  1536   NtWaitForSingleObject  (128, 0, 0x0, ...
 01367   464   NtQuerySystemTime  ... {-1501629170, 29915144}, ) == 0x0
 01369  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01370   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01369  1972   NtAllocateVirtualMemory  ... 49807360, 1048576, ) == 0x0
 01370   464   NtCreateEvent  ... 400, ) == 0x0
 01371  1972   NtAllocateVirtualMemory  (-1, 50847744, 0, 8192, 4096, 4, ...
 01372   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 01371  1972   NtAllocateVirtualMemory  ... 50847744, 8192, ) == 0x0
 01372   464   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01364  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01373  1944   NtWaitForSingleObject  (96, 0, 0x0, ...
 01374  1972   NtProtectVirtualMemory  (-1, (0x307e000), 4096, 260, ...
 01375  1580   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01374  1972   NtProtectVirtualMemory  ... (0x307e000), 4096, 4, ) == 0x0
 01375  1580   NtFlushInstructionCache  ... ) == 0x0
 01376  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01377  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01376  1972   NtCreateThread  ... 404, {1664, 2044}, ) == 0x0
 01377  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01378  1972   NtQueryInformationThread  (404, Basic, 28, ...
 01379  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01378  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1664,Tid=2044,}, 0x0, ) == 0x0
 01380   464   NtQuerySystemInformation  (Performance, 312, ...
 01379  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01380   464   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01381  1580   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01382   464   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 01381  1580   NtFlushInstructionCache  ... ) == 0x0
 01382   464   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01383  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01384   464   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 01383  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01384   464   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01385  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01386  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57979, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\200\6\0\0\374\7\0\0" ...  ...
 01387   464   NtWaitForSingleObject  (96, 0, 0x0, ...
 01386  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57980, 0}  ... {28, 56, reply, 0, 1664, 1972, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\200\6\0\0\374\7\0\0" )  ) == 0x0
 01388  1972   NtResumeThread  (404, ... 1, ) == 0x0
 01389  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50855936, 1048576, ) == 0x0
 01390  1972   NtAllocateVirtualMemory  (-1, 51896320, 0, 8192, 4096, 4, ... 51896320, 8192, ) == 0x0
 01391  1972   NtProtectVirtualMemory  (-1, (0x317e000), 4096, 260, ... (0x317e000), 4096, 4, ) == 0x0
 01392  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01385  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01393  2044   NtWaitForSingleObject  (96, 0, 0x0, ...
 01394  1580   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01395  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01396  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01397  1580   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01398  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01399  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01392  1972   NtCreateThread  ... 408, {1664, 240}, ) == 0x0
 01400  1972   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1664,Tid=240,}, 0x0, ) == 0x0
 01401  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57980, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\200\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\200\6\0\0\360\0\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57981, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\200\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\200\6\0\0\360\0\0\0" )  ) == 0x0
 01402  1972   NtResumeThread  (408, ... 1, ) == 0x0
 01403  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 51904512, 1048576, ) == 0x0
 01404  1972   NtAllocateVirtualMemory  (-1, 52944896, 0, 8192, 4096, 4, ... 52944896, 8192, ) == 0x0
 01399  1580   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01405   240   NtWaitForSingleObject  (96, 0, 0x0, ...
 01406  1580   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01407  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01408  1580   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01409  1580   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01410  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01411  1580   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01412  1972   NtProtectVirtualMemory  (-1, (0x327e000), 4096, 260, ... (0x327e000), 4096, 4, ) == 0x0
 01413  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1664, 968}, ) == 0x0
 01414  1972   NtQueryInformationThread  (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1664,Tid=968,}, 0x0, ) == 0x0
 01415  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57981, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\200\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\200\6\0\0\310\3\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57982, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\200\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\200\6\0\0\310\3\0\0" )  ) == 0x0
 01416  1972   NtResumeThread  (412, ... 1, ) == 0x0
 01417  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01411  1580   NtCreateKey  ... 416, 2, ) == 0x0
 01418   968   NtWaitForSingleObject  (96, 0, 0x0, ...
 01419  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 420, ) }, ... 420, ) == 0x0
 01420  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01421  1580   NtQueryValueKey  (420,  (420, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01422  1580   NtQueryValueKey  (416,  (416, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01423  1580   NtQueryValueKey  (420,  (420, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424  1580   NtQueryValueKey  (416,  (416, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ...
 01417  1972   NtAllocateVirtualMemory  ... 52953088, 1048576, ) == 0x0
 01425  1972   NtAllocateVirtualMemory  (-1, 53993472, 0, 8192, 4096, 4, ... 53993472, 8192, ) == 0x0
 01426  1972   NtProtectVirtualMemory  (-1, (0x337e000), 4096, 260, ... (0x337e000), 4096, 4, ) == 0x0
 01427  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {1664, 308}, ) == 0x0
 01428  1972   NtQueryInformationThread  (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1664,Tid=308,}, 0x0, ) == 0x0
 01429  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57982, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\200\6\0\04\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\200\6\0\04\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57983, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\200\6\0\04\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\200\6\0\04\1\0\0" )  ) == 0x0
 01424  1580   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01430  1580   NtQueryValueKey  (420,  (420, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431  1580   NtQueryValueKey  (416,  (416, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432  1580   NtQueryValueKey  (420,  (420, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433  1580   NtQueryValueKey  (416,  (416, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434  1580   NtQueryValueKey  (420,  (420, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435  1580   NtQueryValueKey  (420,  (420, "ScreenBadTlds", Partial, 144, ... , Partial, 144, ...
 01436  1972   NtResumeThread  (424, ... 1, ) == 0x0
 01437  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54001664, 1048576, ) == 0x0
 01438  1972   NtAllocateVirtualMemory  (-1, 55042048, 0, 8192, 4096, 4, ... 55042048, 8192, ) == 0x0
 01439  1972   NtProtectVirtualMemory  (-1, (0x347e000), 4096, 260, ... (0x347e000), 4096, 4, ) == 0x0
 01440  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {1664, 764}, ) == 0x0
 01441  1972   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1664,Tid=764,}, 0x0, ) == 0x0
 01435  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   308   NtWaitForSingleObject  (96, 0, 0x0, ...
 01443  1580   NtQueryValueKey  (420,  (420, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444  1580   NtQueryValueKey  (420,  (420, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445  1580   NtQueryValueKey  (420,  (420, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446  1580   NtQueryValueKey  (420,  (420, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447  1580   NtQueryValueKey  (420,  (420, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448  1580   NtQueryValueKey  (420,  (420, "UseHostsFile", Partial, 144, ... , Partial, 144, ...
 01449  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57983, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\200\6\0\0\374\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\200\6\0\0\374\2\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57984, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\200\6\0\0\374\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\200\6\0\0\374\2\0\0" )  ) == 0x0
 01450  1972   NtResumeThread  (428, ... 1, ) == 0x0
 01451  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55050240, 1048576, ) == 0x0
 01452  1972   NtAllocateVirtualMemory  (-1, 56090624, 0, 8192, 4096, 4, ... 56090624, 8192, ) == 0x0
 01453  1972   NtProtectVirtualMemory  (-1, (0x357e000), 4096, 260, ... (0x357e000), 4096, 4, ) == 0x0
 01454  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01448  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   764   NtWaitForSingleObject  (96, 0, 0x0, ...
 01456  1580   NtQueryValueKey  (420,  (420, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457  1580   NtQueryValueKey  (416,  (416, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01458  1580   NtQueryValueKey  (420,  (420, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1580   NtQueryValueKey  (420,  (420, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460  1580   NtQueryValueKey  (416,  (416, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461  1580   NtQueryValueKey  (420,  (420, "RegisterReverseLookup", Partial, 144, ... , Partial, 144, ...
 01454  1972   NtCreateThread  ... 432, {1664, 2000}, ) == 0x0
 01462  1972   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1664,Tid=2000,}, 0x0, ) == 0x0
 01463  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57984, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\200\6\0\0\320\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\200\6\0\0\320\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57985, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\200\6\0\0\320\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\200\6\0\0\320\7\0\0" )  ) == 0x0
 01464  1972   NtResumeThread  (432, ... 1, ) == 0x0
 01465  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56098816, 1048576, ) == 0x0
 01466  1972   NtAllocateVirtualMemory  (-1, 57139200, 0, 8192, 4096, 4, ... 57139200, 8192, ) == 0x0
 01461  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01467  2000   NtWaitForSingleObject  (96, 0, 0x0, ...
 01468  1580   NtQueryValueKey  (416,  (416, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469  1580   NtQueryValueKey  (420,  (420, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470  1580   NtQueryValueKey  (416,  (416, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01471  1580   NtQueryValueKey  (420,  (420, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472  1580   NtQueryValueKey  (416,  (416, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1580   NtQueryValueKey  (420,  (420, "RegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ...
 01474  1972   NtProtectVirtualMemory  (-1, (0x367e000), 4096, 260, ... (0x367e000), 4096, 4, ) == 0x0
 01475  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1664, 1852}, ) == 0x0
 01476  1972   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1664,Tid=1852,}, 0x0, ) == 0x0
 01477  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57985, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\200\6\0\0<\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\200\6\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57986, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\200\6\0\0<\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\200\6\0\0<\7\0\0" )  ) == 0x0
 01478  1972   NtResumeThread  (436, ... 1, ) == 0x0
 01479  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01473  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480  1852   NtWaitForSingleObject  (96, 0, 0x0, ...
 01481  1580   NtQueryValueKey  (416,  (416, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482  1580   NtQueryValueKey  (420,  (420, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483  1580   NtQueryValueKey  (416,  (416, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1580   NtQueryValueKey  (420,  (420, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485  1580   NtQueryValueKey  (416,  (416, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01486  1580   NtQueryValueKey  (420,  (420, "UpdateZoneExcludeFile", Partial, 144, ... , Partial, 144, ...
 01479  1972   NtAllocateVirtualMemory  ... 57147392, 1048576, ) == 0x0
 01487  1972   NtAllocateVirtualMemory  (-1, 58187776, 0, 8192, 4096, 4, ... 58187776, 8192, ) == 0x0
 01488  1972   NtProtectVirtualMemory  (-1, (0x377e000), 4096, 260, ... (0x377e000), 4096, 4, ) == 0x0
 01489  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1664, 1420}, ) == 0x0
 01490  1972   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1664,Tid=1420,}, 0x0, ) == 0x0
 01491  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57986, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\6\0\0\214\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\6\0\0\214\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57987, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\6\0\0\214\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\6\0\0\214\5\0\0" )  ) == 0x0
 01486  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01492  1580   NtQueryValueKey  (420,  (420, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493  1580   NtQueryValueKey  (420,  (420, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1580   NtQueryValueKey  (420,  (420, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495  1580   NtQueryValueKey  (420,  (420, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496  1580   NtQueryValueKey  (420,  (420, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497  1580   NtQueryValueKey  (420,  (420, "AdapterTimeoutLimit", Partial, 144, ... , Partial, 144, ...
 01498  1972   NtResumeThread  (440, ... 1, ) == 0x0
 01499  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58195968, 1048576, ) == 0x0
 01500  1972   NtAllocateVirtualMemory  (-1, 59236352, 0, 8192, 4096, 4, ... 59236352, 8192, ) == 0x0
 01501  1972   NtProtectVirtualMemory  (-1, (0x387e000), 4096, 260, ... (0x387e000), 4096, 4, ) == 0x0
 01502  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1664, 164}, ) == 0x0
 01503  1972   NtQueryInformationThread  (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1664,Tid=164,}, 0x0, ) == 0x0
 01497  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1420   NtWaitForSingleObject  (96, 0, 0x0, ...
 01505  1580   NtQueryValueKey  (420,  (420, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506  1580   NtQueryValueKey  (420,  (420, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507  1580   NtQueryValueKey  (420,  (420, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508  1580   NtQueryValueKey  (420,  (420, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509  1580   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 448, ) }, ... 448, ) == 0x0
 01510  1580   NtQueryValueKey  (448,  (448, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ...
 01511  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57987, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\200\6\0\0\244\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\200\6\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57988, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\200\6\0\0\244\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\200\6\0\0\244\0\0\0" )  ) == 0x0
 01512  1972   NtResumeThread  (444, ... 1, ) == 0x0
 01513  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59244544, 1048576, ) == 0x0
 01514  1972   NtAllocateVirtualMemory  (-1, 60284928, 0, 8192, 4096, 4, ... 60284928, 8192, ) == 0x0
 01515  1972   NtProtectVirtualMemory  (-1, (0x397e000), 4096, 260, ... (0x397e000), 4096, 4, ) == 0x0
 01516  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01510  1580   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01517   164   NtWaitForSingleObject  (96, 0, 0x0, ...
 01518  1580   NtClose  (448, ... ) == 0x0
 01519  1580   NtClose  (416, ... ) == 0x0
 01520  1580   NtClose  (420, ... ) == 0x0
 01521  1580   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 420, ) }, ... 420, ) == 0x0
 01522  1580   NtQueryValueKey  (420,  (420, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01523  1580   NtQueryValueKey  (420,  (420, "DnsQuickQueryTimeouts", Partial, 144, ... , Partial, 144, ...
 01516  1972   NtCreateThread  ... 416, {1664, 1564}, ) == 0x0
 01524  1972   NtQueryInformationThread  (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1664,Tid=1564,}, 0x0, ) == 0x0
 01525  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57988, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\200\6\0\0\34\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\200\6\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 57989, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\200\6\0\0\34\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\200\6\0\0\34\6\0\0" )  ) == 0x0
 01526  1972   NtResumeThread  (416, ... 1, ) == 0x0
 01527  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60293120, 1048576, ) == 0x0
 01528  1972   NtAllocateVirtualMemory  (-1, 61333504, 0, 8192, 4096, 4, ... 61333504, 8192, ) == 0x0
 01523  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01529  1564   NtWaitForSingleObject  (96, 0, 0x0, ...
 01530  1580   NtQueryValueKey  (420,  (420, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531  1580   NtClose  (420, ... ) == 0x0
 01532  1580   NtSetEventBoostPriority  (96, ...
 01253  1864   NtWaitForSingleObject  ... ) == 0x0
 01533  1864   NtSetEventBoostPriority  (96, ...
 01285  1896   NtWaitForSingleObject  ... ) == 0x0
 01534  1896   NtSetEventBoostPriority  (96, ...
 01326  1524   NtWaitForSingleObject  ... ) == 0x0
 01535  1524   NtSetEventBoostPriority  (96, ...
 01373  1944   NtWaitForSingleObject  ... ) == 0x0
 01536  1944   NtSetEventBoostPriority  (96, ...
 01387   464   NtWaitForSingleObject  ... ) == 0x0
 01537   464   NtSetEventBoostPriority  (96, ...
 01393  2044   NtWaitForSingleObject  ... ) == 0x0
 01538  2044   NtSetEventBoostPriority  (96, ...
 01405   240   NtWaitForSingleObject  ... ) == 0x0
 01539   240   NtSetEventBoostPriority  (96, ...
 01418   968   NtWaitForSingleObject  ... ) == 0x0
 01540   968   NtSetEventBoostPriority  (96, ...
 01442   308   NtWaitForSingleObject  ... ) == 0x0
 01541   308   NtSetEventBoostPriority  (96, ...
 01455   764   NtWaitForSingleObject  ... ) == 0x0
 01542   764   NtSetEventBoostPriority  (96, ...
 01467  2000   NtWaitForSingleObject  ... ) == 0x0
 01543  2000   NtSetEventBoostPriority  (96, ...
 01480  1852   NtWaitForSingleObject  ... ) == 0x0
 01544  1852   NtSetEventBoostPriority  (96, ...
 01504  1420   NtWaitForSingleObject  ... ) == 0x0
 01545  1420   NtSetEventBoostPriority  (96, ...
 01517   164   NtWaitForSingleObject  ... ) == 0x0
 01546   164   NtSetEventBoostPriority  (96, ...
 01529  1564   NtWaitForSingleObject  ... ) == 0x0
 01547  1564   NtTestAlert  (... ) == 0x0
 01546   164   NtSetEventBoostPriority  ... ) == 0x0
 01545  1420   NtSetEventBoostPriority  ... ) == 0x0
 01544  1852   NtSetEventBoostPriority  ... ) == 0x0
 01543  2000   NtSetEventBoostPriority  ... ) == 0x0
 01542   764   NtSetEventBoostPriority  ... ) == 0x0
 01541   308   NtSetEventBoostPriority  ... ) == 0x0
 01540   968   NtSetEventBoostPriority  ... ) == 0x0
 01539   240   NtSetEventBoostPriority  ... ) == 0x0
 01538  2044   NtSetEventBoostPriority  ... ) == 0x0
 01537   464   NtSetEventBoostPriority  ... ) == 0x0
 01536  1944   NtSetEventBoostPriority  ... ) == 0x0
 01535  1524   NtSetEventBoostPriority  ... ) == 0x0
 01534  1896   NtSetEventBoostPriority  ... ) == 0x0
 01533  1864   NtSetEventBoostPriority  ... ) == 0x0
 01532  1580   NtSetEventBoostPriority  ... ) == 0x0
 01548  1972   NtProtectVirtualMemory  (-1, (0x3a7e000), 4096, 260, ...
 01549  1564   NtContinue  (60292400, 1, ...
 01550   164   NtTestAlert  (...
 01551  1420   NtTestAlert  (...
 01552  1852   NtTestAlert  (...
 01553  2000   NtTestAlert  (...
 01554   764   NtTestAlert  (...
 01555   308   NtTestAlert  (...
 01556   968   NtTestAlert  (...
 01557   240   NtTestAlert  (...
 01558   464   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01559  2044   NtTestAlert  (...
 01560  1944   NtTestAlert  (...
 01561  1524   NtTestAlert  (...
 01562  1896   NtTestAlert  (...
 01563  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01548  1972   NtProtectVirtualMemory  ... (0x3a7e000), 4096, 4, ) == 0x0
 01564  1564   NtRegisterThreadTerminatePort  (24, ...
 01550   164   NtTestAlert  ... ) == 0x0
 01551  1420   NtTestAlert  ... ) == 0x0
 01552  1852   NtTestAlert  ... ) == 0x0
 01553  2000   NtTestAlert  ... ) == 0x0
 01554   764   NtTestAlert  ... ) == 0x0
 01555   308   NtTestAlert  ... ) == 0x0
 01556   968   NtTestAlert  ... ) == 0x0
 01557   240   NtTestAlert  ... ) == 0x0
 01565  1864   NtTestAlert  (...
 01559  2044   NtTestAlert  ... ) == 0x0
 01560  1944   NtTestAlert  ... ) == 0x0
 01561  1524   NtTestAlert  ... ) == 0x0
 01562  1896   NtTestAlert  ... ) == 0x0
 01566  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01564  1564   NtRegisterThreadTerminatePort  ... ) == 0x0
 01567   164   NtContinue  (59243824, 1, ...
 01568  1420   NtContinue  (58195248, 1, ...
 01569  1852   NtContinue  (57146672, 1, ...
 01570  2000   NtContinue  (56098096, 1, ...
 01571   764   NtContinue  (55049520, 1, ...
 01572   308   NtContinue  (54000944, 1, ...
 01573   968   NtContinue  (52952368, 1, ...
 01574   240   NtContinue  (51903792, 1, ...
 01565  1864   NtTestAlert  ... ) == 0x0
 01575  2044   NtContinue  (50855216, 1, ...
 01576  1944   NtContinue  (49806640, 1, ...
 01577  1524   NtContinue  (48758064, 1, ...
 01578  1896   NtContinue  (47709488, 1, ...
 01566  1972   NtCreateThread  ... 420, {1664, 1592}, ) == 0x0
 01579  1564   NtWaitForSingleObject  (332, 0, 0x0, ...
 01580   164   NtRegisterThreadTerminatePort  (24, ...
 01581  1420   NtRegisterThreadTerminatePort  (24, ...
 01582  1852   NtRegisterThreadTerminatePort  (24, ...
 01583  2000   NtRegisterThreadTerminatePort  (24, ...
 01584   764   NtRegisterThreadTerminatePort  (24, ...
 01585   308   NtRegisterThreadTerminatePort  (24, ...
 01586   968   NtRegisterThreadTerminatePort  (24, ...
 01587   240   NtRegisterThreadTerminatePort  (24, ...
 01588  1864   NtContinue  (46660912, 1, ...
 01589  2044   NtRegisterThreadTerminatePort  (24, ...
 01590  1944   NtRegisterThreadTerminatePort  (24, ...
 01591  1524   NtRegisterThreadTerminatePort  (24, ...
 01592  1896   NtRegisterThreadTerminatePort  (24, ...
 01593  1972   NtQueryInformationThread  (420, Basic, 28, ...
 01580   164   NtRegisterThreadTerminatePort  ... ) == 0x0
 01581  1420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01582  1852   NtRegisterThreadTerminatePort  ... ) == 0x0
 01583  2000   NtRegisterThreadTerminatePort  ... ) == 0x0
 01584   764   NtRegisterThreadTerminatePort  ... ) == 0x0
 01585   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01586   968   NtRegisterThreadTerminatePort  ... ) == 0x0
 01587   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 01594  1864   NtRegisterThreadTerminatePort  (24, ...
 01589  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01590  1944   NtRegisterThreadTerminatePort  ... ) == 0x0
 01591  1524   NtRegisterThreadTerminatePort  ... ) == 0x0
 01592  1896   NtRegisterThreadTerminatePort  ... ) == 0x0
 01593  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1664,Tid=1592,}, 0x0, ) == 0x0
 01595   164   NtWaitForSingleObject  (332, 0, 0x0, ...
 01596  1420   NtWaitForSingleObject  (332, 0, 0x0, ...
 01597  1852   NtWaitForSingleObject  (332, 0, 0x0, ...
 01598  2000   NtWaitForSingleObject  (332, 0, 0x0, ...
 01599   764   NtWaitForSingleObject  (332, 0, 0x0, ...
 01600   308   NtWaitForSingleObject  (332, 0, 0x0, ...
 01601   968   NtWaitForSingleObject  (332, 0, 0x0, ...
 01602   240   NtWaitForSingleObject  (332, 0, 0x0, ...
 01594  1864   NtRegisterThreadTerminatePort  ... ) == 0x0
 01603  2044   NtWaitForSingleObject  (332, 0, 0x0, ...
 01604  1944   NtWaitForSingleObject  (332, 0, 0x0, ...
 01605  1524   NtWaitForSingleObject  (332, 0, 0x0, ...
 01606  1896   NtWaitForSingleObject  (332, 0, 0x0, ...
 01558   464   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01607  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57989, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\200\6\0\08\6\0\0" ...  ...
 01608  1864   NtWaitForSingleObject  (332, 0, 0x0, ...
 01609   464   NtSetEventBoostPriority  (332, ...
 01607  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57990, 0}  ... {28, 56, reply, 0, 1664, 1972, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\200\6\0\08\6\0\0" )  ) == 0x0
 01563  1580   NtWaitForSingleObject  ... ) == 0x0
 01609   464   NtSetEventBoostPriority  ... ) == 0x0
 01610  1580   NtSetEventBoostPriority  (332, ...
 01611  1972   NtResumeThread  (420, ...
 01579  1564   NtWaitForSingleObject  ... ) == 0x0
 01610  1580   NtSetEventBoostPriority  ... ) == 0x0
 01612   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01613  1564   NtSetEventBoostPriority  (332, ...
 01611  1972   NtResumeThread  ... 1, ) == 0x0
 01595   164   NtWaitForSingleObject  ... ) == 0x0
 01613  1564   NtSetEventBoostPriority  ... ) == 0x0
 01612   464   NtCreateEvent  ... 448, ) == 0x0
 01614   164   NtSetEventBoostPriority  (332, ...
 01615  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01616  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01617  1592   NtTestAlert  (...
 01596  1420   NtWaitForSingleObject  ... ) == 0x0
 01618   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01614   164   NtSetEventBoostPriority  ... ) == 0x0
 01619  1564   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01617  1592   NtTestAlert  ... ) == 0x0
 01620  1420   NtSetEventBoostPriority  (332, ...
 01615  1972   NtAllocateVirtualMemory  ... 61341696, 1048576, ) == 0x0
 01621   164   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01619  1564   NtDuplicateObject  ... 452, ) == 0x0
 01622  1592   NtContinue  (61340976, 1, ...
 01597  1852   NtWaitForSingleObject  ... ) == 0x0
 01623  1972   NtAllocateVirtualMemory  (-1, 62382080, 0, 8192, 4096, 4, ...
 01621   164   NtDuplicateObject  ... 456, ) == 0x0
 01624  1564   NtWaitForSingleObject  (332, 0, 0x0, ...
 01625  1592   NtRegisterThreadTerminatePort  (24, ...
 01626  1852   NtSetEventBoostPriority  (332, ...
 01623  1972   NtAllocateVirtualMemory  ... 62382080, 8192, ) == 0x0
 01620  1420   NtSetEventBoostPriority  ... ) == 0x0
 01618   464   NtDuplicateObject  ... 460, ) == 0x0
 01625  1592   NtRegisterThreadTerminatePort  ... ) == 0x0
 01598  2000   NtWaitForSingleObject  ... ) == 0x0
 01627  1972   NtProtectVirtualMemory  (-1, (0x3b7e000), 4096, 260, ...
 01628  1420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01629   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01626  1852   NtSetEventBoostPriority  ... ) == 0x0
 01630   164   NtWaitForSingleObject  (332, 0, 0x0, ...
 01631  2000   NtSetEventBoostPriority  (332, ...
 01627  1972   NtProtectVirtualMemory  ... (0x3b7e000), 4096, 4, ) == 0x0
 01628  1420   NtDuplicateObject  ... 464, ) == 0x0
 01632  1852   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01599   764   NtWaitForSingleObject  ... ) == 0x0
 01633  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01631  2000   NtSetEventBoostPriority  ... ) == 0x0
 01634  1592   NtWaitForSingleObject  (332, 0, 0x0, ...
 01632  1852   NtDuplicateObject  ... 468, ) == 0x0
 01635   764   NtSetEventBoostPriority  (332, ...
 01636  1420   NtWaitForSingleObject  (332, 0, 0x0, ...
 01637  2000   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01633  1972   NtCreateThread  ... 472, {1664, 2032}, ) == 0x0
 01600   308   NtWaitForSingleObject  ... ) == 0x0
 01637  2000   NtDuplicateObject  ... 476, ) == 0x0
 01638  1972   NtQueryInformationThread  (472, Basic, 28, ...
 01639   308   NtSetEventBoostPriority  (332, ...
 01635   764   NtSetEventBoostPriority  ... ) == 0x0
 01640  1852   NtWaitForSingleObject  (332, 0, 0x0, ...
 01638  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1664,Tid=2032,}, 0x0, ) == 0x0
 01601   968   NtWaitForSingleObject  ... ) == 0x0
 01641   764   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01642  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57990, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\200\6\0\0\360\7\0\0" ...  ...
 01643   968   NtSetEventBoostPriority  (332, ...
 01641   764   NtDuplicateObject  ... 480, ) == 0x0
 01642  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57991, 0}  ... {28, 56, reply, 0, 1664, 1972, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\200\6\0\0\360\7\0\0" )  ) == 0x0
 01602   240   NtWaitForSingleObject  ... ) == 0x0
 01643   968   NtSetEventBoostPriority  ... ) == 0x0
 01639   308   NtSetEventBoostPriority  ... ) == 0x0
 01644  2000   NtWaitForSingleObject  (332, 0, 0x0, ...
 01645   764   NtWaitForSingleObject  (332, 0, 0x0, ...
 01646   240   NtSetEventBoostPriority  (332, ...
 01647   968   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01648   308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01603  2044   NtWaitForSingleObject  ... ) == 0x0
 01647   968   NtDuplicateObject  ... 484, ) == 0x0
 01648   308   NtDuplicateObject  ... 488, ) == 0x0
 01649  2044   NtSetEventBoostPriority  (332, ...
 01646   240   NtSetEventBoostPriority  ... ) == 0x0
 01650  1972   NtResumeThread  (472, ...
 01651   968   NtWaitForSingleObject  (332, 0, 0x0, ...
 01604  1944   NtWaitForSingleObject  ... ) == 0x0
 01652   240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01650  1972   NtResumeThread  ... 1, ) == 0x0
 01653  1944   NtSetEventBoostPriority  (332, ...
 01652   240   NtDuplicateObject  ... 492, ) == 0x0
 01654  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01605  1524   NtWaitForSingleObject  ... ) == 0x0
 01653  1944   NtSetEventBoostPriority  ... ) == 0x0
 01649  2044   NtSetEventBoostPriority  ... ) == 0x0
 01655   308   NtWaitForSingleObject  (332, 0, 0x0, ...
 01656  2032   NtTestAlert  (...
 01654  1972   NtAllocateVirtualMemory  ... 62390272, 1048576, ) == 0x0
 01657  1524   NtSetEventBoostPriority  (332, ...
 01658  1944   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01659  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01656  2032   NtTestAlert  ... ) == 0x0
 01660  1972   NtAllocateVirtualMemory  (-1, 63430656, 0, 8192, 4096, 4, ...
 01606  1896   NtWaitForSingleObject  ... ) == 0x0
 01658  1944   NtDuplicateObject  ... 496, ) == 0x0
 01659  2044   NtDuplicateObject  ... 500, ) == 0x0
 01661  2032   NtContinue  (62389552, 1, ...
 01660  1972   NtAllocateVirtualMemory  ... 63430656, 8192, ) == 0x0
 01662  1896   NtSetEventBoostPriority  (332, ...
 01657  1524   NtSetEventBoostPriority  ... ) == 0x0
 01663   240   NtWaitForSingleObject  (332, 0, 0x0, ...
 01664  1944   NtWaitForSingleObject  (332, 0, 0x0, ...
 01665  2032   NtRegisterThreadTerminatePort  (24, ...
 01666  2044   NtWaitForSingleObject  (332, 0, 0x0, ...
 01608  1864   NtWaitForSingleObject  ... ) == 0x0
 01667  1524   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01665  2032   NtRegisterThreadTerminatePort  ... ) == 0x0
 01668  1864   NtSetEventBoostPriority  (332, ...
 01667  1524   NtDuplicateObject  ... 504, ) == 0x0
 01662  1896   NtSetEventBoostPriority  ... ) == 0x0
 01669  1972   NtProtectVirtualMemory  (-1, (0x3c7e000), 4096, 260, ...
 01616  1580   NtWaitForSingleObject  ... ) == 0x0
 01668  1864   NtSetEventBoostPriority  ... ) == 0x0
 01670  2032   NtWaitForSingleObject  (332, 0, 0x0, ...
 01671  1896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01669  1972   NtProtectVirtualMemory  ... (0x3c7e000), 4096, 4, ) == 0x0
 01672  1580   NtSetEventBoostPriority  (332, ...
 01673  1864   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01671  1896   NtDuplicateObject  ... 508, ) == 0x0
 01674  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01624  1564   NtWaitForSingleObject  ... ) == 0x0
 01672  1580   NtSetEventBoostPriority  ... ) == 0x0
 01673  1864   NtDuplicateObject  ... 512, ) == 0x0
 01675  1524   NtWaitForSingleObject  (332, 0, 0x0, ...
 01676  1564   NtSetEventBoostPriority  (332, ...
 01674  1972   NtCreateThread  ... 516, {1664, 1500}, ) == 0x0
 01677  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01678  1896   NtWaitForSingleObject  (332, 0, 0x0, ...
 01629   464   NtWaitForSingleObject  ... ) == 0x0
 01676  1564   NtSetEventBoostPriority  ... ) == 0x0
 01679  1972   NtQueryInformationThread  (516, Basic, 28, ...
 01680  1864   NtWaitForSingleObject  (332, 0, 0x0, ...
 01681   464   NtSetEventBoostPriority  (332, ...
 01679  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1664,Tid=1500,}, 0x0, ) == 0x0
 01630   164   NtWaitForSingleObject  ... ) == 0x0
 01681   464   NtSetEventBoostPriority  ... ) == 0x0
 01682  1564   NtWaitForSingleObject  (332, 0, 0x0, ...
 01683   164   NtSetEventBoostPriority  (332, ...
 01684  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57991, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\200\6\0\0\334\5\0\0" ...  ...
 01634  1592   NtWaitForSingleObject  ... ) == 0x0
 01683   164   NtSetEventBoostPriority  ... ) == 0x0
 01685  1592   NtSetEventBoostPriority  (332, ...
 01684  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57992, 0}  ... {28, 56, reply, 0, 1664, 1972, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\200\6\0\0\334\5\0\0" )  ) == 0x0
 01636  1420   NtWaitForSingleObject  ... ) == 0x0
 01685  1592   NtSetEventBoostPriority  ... ) == 0x0
 01686   164   NtWaitForSingleObject  (332, 0, 0x0, ...
 01687  1420   NtSetEventBoostPriority  (332, ...
 01688  1972   NtResumeThread  (516, ...
 01689  1592   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01690   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01640  1852   NtWaitForSingleObject  ... ) == 0x0
 01687  1420   NtSetEventBoostPriority  ... ) == 0x0
 01688  1972   NtResumeThread  ... 1, ) == 0x0
 01691  1852   NtSetEventBoostPriority  (332, ...
 01692  1420   NtWaitForSingleObject  (332, 0, 0x0, ...
 01644  2000   NtWaitForSingleObject  ... ) == 0x0
 01691  1852   NtSetEventBoostPriority  ... ) == 0x0
 01693  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01689  1592   NtDuplicateObject  ... 520, ) == 0x0
 01694  1500   NtTestAlert  (...
 01695  2000   NtSetEventBoostPriority  (332, ...
 01696  1852   NtWaitForSingleObject  (332, 0, 0x0, ...
 01697  1592   NtWaitForSingleObject  (332, 0, 0x0, ...
 01645   764   NtWaitForSingleObject  ... ) == 0x0
 01695  2000   NtSetEventBoostPriority  ... ) == 0x0
 01694  1500   NtTestAlert  ... ) == 0x0
 01693  1972   NtAllocateVirtualMemory  ... 63438848, 1048576, ) == 0x0
 01698   764   NtSetEventBoostPriority  (332, ...
 01699  2000   NtWaitForSingleObject  (332, 0, 0x0, ...
 01700  1500   NtContinue  (63438128, 1, ...
 01651   968   NtWaitForSingleObject  ... ) == 0x0
 01698   764   NtSetEventBoostPriority  ... ) == 0x0
 01701  1972   NtAllocateVirtualMemory  (-1, 64479232, 0, 8192, 4096, 4, ...
 01702   968   NtSetEventBoostPriority  (332, ...
 01703  1500   NtRegisterThreadTerminatePort  (24, ...
 01704   764   NtWaitForSingleObject  (332, 0, 0x0, ...
 01655   308   NtWaitForSingleObject  ... ) == 0x0
 01702   968   NtSetEventBoostPriority  ... ) == 0x0
 01701  1972   NtAllocateVirtualMemory  ... 64479232, 8192, ) == 0x0
 01703  1500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01705   308   NtSetEventBoostPriority  (332, ...
 01706   968   NtWaitForSingleObject  (332, 0, 0x0, ...
 01707  1972   NtProtectVirtualMemory  (-1, (0x3d7e000), 4096, 260, ...
 01663   240   NtWaitForSingleObject  ... ) == 0x0
 01705   308   NtSetEventBoostPriority  ... ) == 0x0
 01708  1500   NtWaitForSingleObject  (332, 0, 0x0, ...
 01709   240   NtSetEventBoostPriority  (332, ...
 01707  1972   NtProtectVirtualMemory  ... (0x3d7e000), 4096, 4, ) == 0x0
 01710   308   NtWaitForSingleObject  (332, 0, 0x0, ...
 01664  1944   NtWaitForSingleObject  ... ) == 0x0
 01709   240   NtSetEventBoostPriority  ... ) == 0x0
 01711  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01712  1944   NtSetEventBoostPriority  (332, ...
 01713   240   NtWaitForSingleObject  (332, 0, 0x0, ...
 01666  2044   NtWaitForSingleObject  ... ) == 0x0
 01712  1944   NtSetEventBoostPriority  ... ) == 0x0
 01711  1972   NtCreateThread  ... 524, {1664, 932}, ) == 0x0
 01714  2044   NtSetEventBoostPriority  (332, ...
 01715  1944   NtWaitForSingleObject  (332, 0, 0x0, ...
 01670  2032   NtWaitForSingleObject  ... ) == 0x0
 01714  2044   NtSetEventBoostPriority  ... ) == 0x0
 01716  1972   NtQueryInformationThread  (524, Basic, 28, ...
 01717  2032   NtSetEventBoostPriority  (332, ...
 01718  2044   NtWaitForSingleObject  (332, 0, 0x0, ...
 01675  1524   NtWaitForSingleObject  ... ) == 0x0
 01717  2032   NtSetEventBoostPriority  ... ) == 0x0
 01716  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1664,Tid=932,}, 0x0, ) == 0x0
 01719  1524   NtSetEventBoostPriority  (332, ...
 01720  2032   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01678  1896   NtWaitForSingleObject  ... ) == 0x0
 01719  1524   NtSetEventBoostPriority  ... ) == 0x0
 01721  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57992, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\200\6\0\0\244\3\0\0" ...  ...
 01722  1896   NtSetEventBoostPriority  (332, ...
 01723  1524   NtWaitForSingleObject  (332, 0, 0x0, ...
 01677  1580   NtWaitForSingleObject  ... ) == 0x0
 01722  1896   NtSetEventBoostPriority  ... ) == 0x0
 01721  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57993, 0}  ... {28, 56, reply, 0, 1664, 1972, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\200\6\0\0\244\3\0\0" )  ) == 0x0
 01720  2032   NtDuplicateObject  ... 528, ) == 0x0
 01724  1580   NtSetEventBoostPriority  (332, ...
 01725  1896   NtWaitForSingleObject  (332, 0, 0x0, ...
 01680  1864   NtWaitForSingleObject  ... ) == 0x0
 01726  2032   NtWaitForSingleObject  (332, 0, 0x0, ...
 01724  1580   NtSetEventBoostPriority  ... ) == 0x0
 01727  1972   NtResumeThread  (524, ...
 01728  1864   NtSetEventBoostPriority  (332, ...
 01729  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01727  1972   NtResumeThread  ... 1, ) == 0x0
 01682  1564   NtWaitForSingleObject  ... ) == 0x0
 01728  1864   NtSetEventBoostPriority  ... ) == 0x0
 01730  1564   NtSetEventBoostPriority  (332, ...
 01731  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01686   164   NtWaitForSingleObject  ... ) == 0x0
 01730  1564   NtSetEventBoostPriority  ... ) == 0x0
 01732  1864   NtWaitForSingleObject  (332, 0, 0x0, ...
 01733   164   NtSetEventBoostPriority  (332, ...
 01731  1972   NtAllocateVirtualMemory  ... 64487424, 1048576, ) == 0x0
 01734  1564   NtWaitForSingleObject  (332, 0, 0x0, ...
 01735   932   NtTestAlert  (...
 01690   464   NtWaitForSingleObject  ... ) == 0x0
 01736  1972   NtAllocateVirtualMemory  (-1, 65527808, 0, 8192, 4096, 4, ...
 01733   164   NtSetEventBoostPriority  ... ) == 0x0
 01735   932   NtTestAlert  ... ) == 0x0
 01737   464   NtSetEventBoostPriority  (332, ...
 01736  1972   NtAllocateVirtualMemory  ... 65527808, 8192, ) == 0x0
 01738   164   NtWaitForSingleObject  (332, 0, 0x0, ...
 01739   932   NtContinue  (64486704, 1, ...
 01692  1420   NtWaitForSingleObject  ... ) == 0x0
 01737   464   NtSetEventBoostPriority  ... ) == 0x0
 01740  1420   NtSetEventBoostPriority  (332, ...
 01741   932   NtRegisterThreadTerminatePort  (24, ...
 01697  1592   NtWaitForSingleObject  ... ) == 0x0
 01742   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01741   932   NtRegisterThreadTerminatePort  ... ) == 0x0
 01743  1592   NtSetEventBoostPriority  (332, ...
 01740  1420   NtSetEventBoostPriority  ... ) == 0x0
 01744  1972   NtProtectVirtualMemory  (-1, (0x3e7e000), 4096, 260, ...
 01696  1852   NtWaitForSingleObject  ... ) == 0x0
 01743  1592   NtSetEventBoostPriority  ... ) == 0x0
 01745  1420   NtWaitForSingleObject  (332, 0, 0x0, ...
 01746  1852   NtSetEventBoostPriority  (332, ...
 01744  1972   NtProtectVirtualMemory  ... (0x3e7e000), 4096, 4, ) == 0x0
 01747   932   NtWaitForSingleObject  (332, 0, 0x0, ...
 01699  2000   NtWaitForSingleObject  ... ) == 0x0
 01748  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01749  2000   NtSetEventBoostPriority  (332, ...
 01748  1972   NtCreateThread  ... 532, {1664, 1528}, ) == 0x0
 01704   764   NtWaitForSingleObject  ... ) == 0x0
 01750  1972   NtQueryInformationThread  (532, Basic, 28, ...
 01751   764   NtSetEventBoostPriority  (332, ...
 01750  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1664,Tid=1528,}, 0x0, ) == 0x0
 01708  1500   NtWaitForSingleObject  ... ) == 0x0
 01751   764   NtSetEventBoostPriority  ... ) == 0x0
 01749  2000   NtSetEventBoostPriority  ... ) == 0x0
 01746  1852   NtSetEventBoostPriority  ... ) == 0x0
 01752  1592   NtWaitForSingleObject  (332, 0, 0x0, ...
 01753  1500   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01754   764   NtWaitForSingleObject  (332, 0, 0x0, ...
 01755  2000   NtWaitForSingleObject  (332, 0, 0x0, ...
 01756  1852   NtWaitForSingleObject  (332, 0, 0x0, ...
 01753  1500   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01757  1500   NtSetEventBoostPriority  (332, ...
 01706   968   NtWaitForSingleObject  ... ) == 0x0
 01758   968   NtSetEventBoostPriority  (332, ...
 01710   308   NtWaitForSingleObject  ... ) == 0x0
 01759   308   NtSetEventBoostPriority  (332, ...
 01713   240   NtWaitForSingleObject  ... ) == 0x0
 01760   240   NtSetEventBoostPriority  (332, ...
 01715  1944   NtWaitForSingleObject  ... ) == 0x0
 01761  1944   NtSetEventBoostPriority  (332, ...
 01718  2044   NtWaitForSingleObject  ... ) == 0x0
 01762  2044   NtSetEventBoostPriority  (332, ...
 01723  1524   NtWaitForSingleObject  ... ) == 0x0
 01763  1524   NtSetEventBoostPriority  (332, ...
 01726  2032   NtWaitForSingleObject  ... ) == 0x0
 01764  2032   NtSetEventBoostPriority  (332, ...
 01729  1580   NtWaitForSingleObject  ... ) == 0x0
 01765  1580   NtSetEventBoostPriority  (332, ...
 01725  1896   NtWaitForSingleObject  ... ) == 0x0
 01766  1896   NtSetEventBoostPriority  (332, ...
 01732  1864   NtWaitForSingleObject  ... ) == 0x0
 01767  1864   NtSetEventBoostPriority  (332, ...
 01734  1564   NtWaitForSingleObject  ... ) == 0x0
 01768  1564   NtSetEventBoostPriority  (332, ...
 01738   164   NtWaitForSingleObject  ... ) == 0x0
 01769   164   NtSetEventBoostPriority  (332, ...
 01742   464   NtWaitForSingleObject  ... ) == 0x0
 01770   464   NtSetEventBoostPriority  (332, ...
 01745  1420   NtWaitForSingleObject  ... ) == 0x0
 01771  1420   NtSetEventBoostPriority  (332, ...
 01747   932   NtWaitForSingleObject  ... ) == 0x0
 01772   932   NtSetEventBoostPriority  (332, ...
 01752  1592   NtWaitForSingleObject  ... ) == 0x0
 01773  1592   NtSetEventBoostPriority  (332, ...
 01754   764   NtWaitForSingleObject  ... ) == 0x0
 01774   764   NtSetEventBoostPriority  (332, ...
 01755  2000   NtWaitForSingleObject  ... ) == 0x0
 01775  2000   NtSetEventBoostPriority  (332, ...
 01756  1852   NtWaitForSingleObject  ... ) == 0x0
 01776  1852   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01775  2000   NtSetEventBoostPriority  ... ) == 0x0
 01774   764   NtSetEventBoostPriority  ... ) == 0x0
 01773  1592   NtSetEventBoostPriority  ... ) == 0x0
 01772   932   NtSetEventBoostPriority  ... ) == 0x0
 01771  1420   NtSetEventBoostPriority  ... ) == 0x0
 01769   164   NtSetEventBoostPriority  ... ) == 0x0
 01765  1580   NtSetEventBoostPriority  ... ) == 0x0
 01764  2032   NtSetEventBoostPriority  ... ) == 0x0
 01770   464   NtSetEventBoostPriority  ... ) == 0x0
 01768  1564   NtSetEventBoostPriority  ... ) == 0x0
 01767  1864   NtSetEventBoostPriority  ... ) == 0x0
 01766  1896   NtSetEventBoostPriority  ... ) == 0x0
 01763  1524   NtSetEventBoostPriority  ... ) == 0x0
 01762  2044   NtSetEventBoostPriority  ... ) == 0x0
 01761  1944   NtSetEventBoostPriority  ... ) == 0x0
 01760   240   NtSetEventBoostPriority  ... ) == 0x0
 01759   308   NtSetEventBoostPriority  ... ) == 0x0
 01758   968   NtSetEventBoostPriority  ... ) == 0x0
 01757  1500   NtSetEventBoostPriority  ... ) == 0x0
 01777  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57993, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\200\6\0\0\370\5\0\0" ...  ...
 01776  1852   NtWaitForSingleObject  ... ) == 0x102
 01778  2000   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01779  1592   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01780   932   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01781   764   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01782  1420   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01783   164   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01784  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01785   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01786  1564   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01787  1864   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01788  1896   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01789  1524   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01790  2044   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01791  1944   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01792   240   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01793   308   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01794   968   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01795  1500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01777  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57994, 0}  ... {28, 56, reply, 0, 1664, 1972, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\200\6\0\0\370\5\0\0" )  ) == 0x0
 01796  1852   NtWaitForSingleObject  (128, 0, 0x0, ...
 01778  2000   NtWaitForSingleObject  ... ) == 0x102
 01797  2032   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01779  1592   NtWaitForSingleObject  ... ) == 0x102
 01781   764   NtWaitForSingleObject  ... ) == 0x102
 01782  1420   NtWaitForSingleObject  ... ) == 0x102
 01783   164   NtWaitForSingleObject  ... ) == 0x102
 01784  1580   NtCreateEvent  ... 536, ) == 0x0
 01785   464   NtOpenKey  ... 540, ) == 0x0
 01795  1500   NtDuplicateObject  ... 544, ) == 0x0
 01798  1972   NtResumeThread  (532, ...
 01799  2000   NtWaitForSingleObject  (128, 0, 0x0, ...
 01797  2032   NtWaitForSingleObject  ... ) == 0x102
 01800  1592   NtWaitForSingleObject  (128, 0, 0x0, ...
 01801   764   NtWaitForSingleObject  (128, 0, 0x0, ...
 01802  1420   NtWaitForSingleObject  (128, 0, 0x0, ...
 01803   164   NtWaitForSingleObject  (128, 0, 0x0, ...
 01804  1580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01780   932   NtDuplicateObject  ... 548, ) == 0x0
 01786  1564   NtWaitForSingleObject  ... ) == 0x102
 01787  1864   NtWaitForSingleObject  ... ) == 0x102
 01788  1896   NtWaitForSingleObject  ... ) == 0x102
 01789  1524   NtWaitForSingleObject  ... ) == 0x102
 01790  2044   NtWaitForSingleObject  ... ) == 0x102
 01791  1944   NtWaitForSingleObject  ... ) == 0x102
 01792   240   NtWaitForSingleObject  ... ) == 0x102
 01793   308   NtWaitForSingleObject  ... ) == 0x102
 01794   968   NtWaitForSingleObject  ... ) == 0x102
 01805  1500   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01798  1972   NtResumeThread  ... 1, ) == 0x0
 01806  2032   NtWaitForSingleObject  (128, 0, 0x0, ...
 01804  1580   NtDuplicateObject  ... 552, ) == 0x0
 01807   932   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01808  1564   NtWaitForSingleObject  (128, 0, 0x0, ...
 01809  1864   NtWaitForSingleObject  (128, 0, 0x0, ...
 01810  1896   NtWaitForSingleObject  (128, 0, 0x0, ...
 01811  1524   NtWaitForSingleObject  (128, 0, 0x0, ...
 01812  2044   NtWaitForSingleObject  (128, 0, 0x0, ...
 01813  1944   NtWaitForSingleObject  (128, 0, 0x0, ...
 01814   240   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01815   308   NtWaitForSingleObject  (332, 0, 0x0, ...
 01816   968   NtWaitForSingleObject  (332, 0, 0x0, ...
 01805  1500   NtWaitForSingleObject  ... ) == 0x102
 01817  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01818  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01807   932   NtWaitForSingleObject  ... ) == 0x102
 01814   240   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01819   464   NtQueryValueKey  (540,  (540, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01820  1528   NtAllocateVirtualMemory  (-1, 8806400, 0, 4096, 4096, 4, ...
 01821  1500   NtWaitForSingleObject  (332, 0, 0x0, ...
 01822   932   NtWaitForSingleObject  (332, 0, 0x0, ...
 01823   240   NtSetEventBoostPriority  (332, ...
 01819   464   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01820  1528   NtAllocateVirtualMemory  ... 8806400, 4096, ) == 0x0
 01815   308   NtWaitForSingleObject  ... ) == 0x0
 01823   240   NtSetEventBoostPriority  ... ) == 0x0
 01824   464   NtClose  (540, ...
 01825   308   NtSetEventBoostPriority  (332, ...
 01826  1528   NtTestAlert  (...
 01827   240   NtWaitForSingleObject  (128, 0, 0x0, ...
 01816   968   NtWaitForSingleObject  ... ) == 0x0
 01825   308   NtSetEventBoostPriority  ... ) == 0x0
 01824   464   NtClose  ... ) == 0x0
 01826  1528   NtTestAlert  ... ) == 0x0
 01817  1972   NtAllocateVirtualMemory  ... 65536000, 1048576, ) == 0x0
 01828   968   NtSetEventBoostPriority  (332, ...
 01829   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01830  1528   NtContinue  (65535280, 1, ...
 01818  1580   NtWaitForSingleObject  ... ) == 0x0
 01828   968   NtSetEventBoostPriority  ... ) == 0x0
 01831  1972   NtAllocateVirtualMemory  (-1, 66576384, 0, 8192, 4096, 4, ...
 01832   308   NtWaitForSingleObject  (128, 0, 0x0, ...
 01833  1580   NtSetEventBoostPriority  (332, ...
 01834  1528   NtRegisterThreadTerminatePort  (24, ...
 01831  1972   NtAllocateVirtualMemory  ... 66576384, 8192, ) == 0x0
 01821  1500   NtWaitForSingleObject  ... ) == 0x0
 01833  1580   NtSetEventBoostPriority  ... ) == 0x0
 01834  1528   NtRegisterThreadTerminatePort  ... ) == 0x0
 01835  1500   NtSetEventBoostPriority  (332, ...
 01836  1972   NtProtectVirtualMemory  (-1, (0x3f7e000), 4096, 260, ...
 01837   968   NtWaitForSingleObject  (128, 0, 0x0, ...
 01822   932   NtWaitForSingleObject  ... ) == 0x0
 01835  1500   NtSetEventBoostPriority  ... ) == 0x0
 01838  1528   NtWaitForSingleObject  (332, 0, 0x0, ...
 01836  1972   NtProtectVirtualMemory  ... (0x3f7e000), 4096, 4, ) == 0x0
 01839   932   NtSetEventBoostPriority  (332, ...
 01840  1500   NtWaitForSingleObject  (128, 0, 0x0, ...
 01829   464   NtWaitForSingleObject  ... ) == 0x0
 01839   932   NtSetEventBoostPriority  ... ) == 0x0
 01841  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01842  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 01843   464   NtSetEventBoostPriority  (332, ...
 01844   932   NtWaitForSingleObject  (128, 0, 0x0, ...
 01838  1528   NtWaitForSingleObject  ... ) == 0x0
 01843   464   NtSetEventBoostPriority  ... ) == 0x0
 01845  1528   NtSetEventBoostPriority  (332, ...
 01841  1972   NtCreateThread  ... 540, {1664, 1780}, ) == 0x0
 01842  1580   NtWaitForSingleObject  ... ) == 0x0
 01845  1528   NtSetEventBoostPriority  ... ) == 0x0
 01846  1580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01847  1972   NtQueryInformationThread  (540, Basic, 28, ...
 01848   464   NtOpenThreadToken  (-2, 0xc, 1, ...
 01846  1580   NtOpenFile  ... 556, {status=0x0, info=0}, ) == 0x0
 01847  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1664,Tid=1780,}, 0x0, ) == 0x0
 01849  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\3532\224\b\31\333C&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01848   464   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01850  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57994, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\200\6\0\0\364\6\0\0" ...  ...
 01851  1528   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01852   464   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01850  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57995, 0}  ... {28, 56, reply, 0, 1664, 1972, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\200\6\0\0\364\6\0\0" )  ) == 0x0
 01851  1528   NtDuplicateObject  ... 560, ) == 0x0
 01852   464   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01853  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01854  1528   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01855   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 01853  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01854  1528   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01856  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01857  1528   NtSetEventBoostPriority  (332, ...
 01856  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01855   464   NtWaitForSingleObject  ... ) == 0x0
 01857  1528   NtSetEventBoostPriority  ... ) == 0x0
 01858   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ...
 01859  1580   NtQuerySystemInformation  (Performance, 312, ...
 01860  1972   NtResumeThread  (540, ...
 01858   464   NtQueryAttributesFile  ... ) == 0x0
 01859  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01860  1972   NtResumeThread  ... 1, ) == 0x0
 01861  1528   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01862   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01863  1780   NtTestAlert  (...
 01864  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01861  1528   NtWaitForSingleObject  ... ) == 0x102
 01862   464   NtOpenKey  ... 564, ) == 0x0
 01863  1780   NtTestAlert  ... ) == 0x0
 01864  1972   NtAllocateVirtualMemory  ... 66584576, 1048576, ) == 0x0
 01865  1528   NtWaitForSingleObject  (128, 0, 0x0, ...
 01866   464   NtQueryValueKey  (564,  (564, "Transports", Partial, 144, ... , Partial, 144, ...
 01867  1780   NtContinue  (66583856, 1, ...
 01868  1972   NtAllocateVirtualMemory  (-1, 67624960, 0, 8192, 4096, 4, ...
 01866   464   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01869  1780   NtRegisterThreadTerminatePort  (24, ...
 01868  1972   NtAllocateVirtualMemory  ... 67624960, 8192, ) == 0x0
 01870   464   NtQueryValueKey  (564,  (564, "Transports", Partial, 144, ... , Partial, 144, ...
 01869  1780   NtRegisterThreadTerminatePort  ... ) == 0x0
 01871  1580   NtQuerySystemInformation  (Exception, 16, ...
 01870   464   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01872  1972   NtProtectVirtualMemory  (-1, (0x407e000), 4096, 260, ...
 01871  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01873  1780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01872  1972   NtProtectVirtualMemory  ... (0x407e000), 4096, 4, ) == 0x0
 01874  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 01873  1780   NtDuplicateObject  ... 568, ) == 0x0
 01875  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01874  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01876  1780   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01875  1972   NtCreateThread  ... 572, {1664, 1804}, ) == 0x0
 01877  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01876  1780   NtWaitForSingleObject  ... ) == 0x102
 01878  1972   NtQueryInformationThread  (572, Basic, 28, ...
 01877  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01879  1780   NtWaitForSingleObject  (128, 0, 0x0, ...
 01878  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1664,Tid=1804,}, 0x0, ) == 0x0
 01880   464   NtClose  (564, ...
 01881  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01880   464   NtClose  ... ) == 0x0
 01881  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01882   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01883  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01882   464   NtOpenKey  ... 564, ) == 0x0
 01884  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57995, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\200\6\0\0\14\7\0\0" ...  ...
 01885   464   NtQueryValueKey  (564,  (564, "Mapping", Partial, 144, ... , Partial, 144, ...
 01884  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57996, 0}  ... {28, 56, reply, 0, 1664, 1972, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\200\6\0\0\14\7\0\0" )  ) == 0x0
 01885   464   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01886  1972   NtResumeThread  (572, ...
 01883  1580   NtCreateKey  ... -2147482740, 2, ) == 0x0
 01886  1972   NtResumeThread  ... 1, ) == 0x0
 01887  1580   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\27A\211U\273\15j=\212V0QO_\2105MK\244:K\331\346\252\341\225\354\16\303m\3711$\372N\277\325\24{\365\315Pu\34\360\367|Z-\343;\302\306\351/\361I3UN:\300\320NOo\236\256"\256(\324\232\303e\240\22\221\312\11", 80, ... , 0, 3,  (-2147482740, "Seed", 0, 3, "\27A\211U\273\15j=\212V0QO_\2105MK\244:K\331\346\252\341\225\354\16\303m\3711$\372N\277\325\24{\365\315Pu\34\360\367|Z-\343;\302\306\351/\361I3UN:\300\320NOo\236\256"\256(\324\232\303e\240\22\221\312\11", 80, ... \256(\324\232\303e\240\22\221\312\11", 80, ...
 01888  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01887  1580   NtSetValueKey  ... ) == 0x0
 01889   464   NtQueryValueKey  (564,  (564, "Mapping", Partial, 144, ... , Partial, 144, ...
 01890  1804   NtTestAlert  (...
 01891  1580   NtClose  (-2147482740, ...
 01889   464   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01890  1804   NtTestAlert  ... ) == 0x0
 01891  1580   NtClose  ... ) == 0x0
 01892   464   NtQueryValueKey  (564,  (564, "Mapping", Partial, 152, ... , Partial, 152, ...
 01893  1804   NtContinue  (67632432, 1, ...
 01849  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\14\2165Y\2Xm\312\236>\324\246\234\303q\325\23S\333\25\270\263\202\322i\177\330BB\263\341c\306\347\236\2772y P\276\217\306f\334\274\5X\216\300e\16\215\275zT\204\360\260\361\306\201\371\23\221\254\220\253\345w"R{\215\360\273\230\23\265~.\23\340C\10\315^\10\372\22k\354\370\31e\202\213\357\355}B\317\325\265\231`\372\14\2AY\265\337T\34\366gI"\253\301:\343\361\340\301\325\342w\233\267\352x\267\177A@\360X\267eb\25127\311\364\353b\246\3525A!\220\10\363\255?\0\267\32\16\204U\320\15km\264\327\15\271\5MS\2026\262/]\310\13\7\356\373,", ) Xm\312\236>\324\246\234\303q\325\23S\333\25\270\263\202\322i\177\330BB\263\341c\306\347\236\2772y P\276\217\306f\334\274\5X\216\300e\16\215\275zT\204\360\260\361\306\201\371\23\221\254\220\253\345w ... {status=0x0, info=256}, "\14\2165Y\2Xm\312\236>\324\246\234\303q\325\23S\333\25\270\263\202\322i\177\330BB\263\341c\306\347\236\2772y P\276\217\306f\334\274\5X\216\300e\16\215\275zT\204\360\260\361\306\201\371\23\221\254\220\253\345w"R{\215\360\273\230\23\265~.\23\340C\10\315^\10\372\22k\354\370\31e\202\213\357\355}B\317\325\265\231`\372\14\2AY\265\337T\34\366gI"\253\301:\343\361\340\301\325\342w\233\267\352x\267\177A@\360X\267eb\25127\311\364\353b\246\3525A!\220\10\363\255?\0\267\32\16\204U\320\15km\264\327\15\271\5MS\2026\262/]\310\13\7\356\373,", ) \253\301:\343\361\340\301\325\342w\233\267\352x\267\177A@\360X\267eb\25127\311\364\353b\246\3525A!\220\10\363\255?\0\267\32\16\204U\320\15km\264\327\15\271\5MS\2026\262/]\310\13\7\356\373,", ) == 0x0
 01892   464   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01894  1804   NtRegisterThreadTerminatePort  (24, ...
 01888  1972   NtAllocateVirtualMemory  ... 67633152, 1048576, ) == 0x0
 01895   464   NtClose  (564, ...
 01894  1804   NtRegisterThreadTerminatePort  ... ) == 0x0
 01896  1972   NtAllocateVirtualMemory  (-1, 68673536, 0, 8192, 4096, 4, ...
 01895   464   NtClose  ... ) == 0x0
 01897  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01896  1972   NtAllocateVirtualMemory  ... 68673536, 8192, ) == 0x0
 01898  1804   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01897  1580   NtCreateEvent  ... 564, ) == 0x0
 01899  1972   NtProtectVirtualMemory  (-1, (0x417e000), 4096, 260, ...
 01898  1804   NtDuplicateObject  ... 576, ) == 0x0
 01900  1580   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199748, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199748, 188, ...
 01899  1972   NtProtectVirtualMemory  ... (0x417e000), 4096, 4, ) == 0x0
 01901  1804   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 01902  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01901  1804   NtWaitForSingleObject  ... ) == 0x102
 01900  1580   NtConnectPort  ... 580, 0x0, 0x0, 0x0, 188, ) == 0x0
 01903   464   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01904  1804   NtWaitForSingleObject  (128, 0, 0x0, ...
 01905  1580   NtRequestWaitReplyPort  (580, {200, 224, new_msg, 0, 1390776, 12, 2, 1310721}  (580, {200, 224, new_msg, 0, 1390776, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\2106\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\231\216\33!o\266J\265h8\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0@8\25\0\22\13V\6x\1\24\0`8\25\0h\1\24\0\0\0\0\0\0\0\0\0`8\25\0P\0\0\0h8\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\347\0\372\31\221|\30\364\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01903   464   NtOpenKey  ... 584, ) == 0x0
 01902  1972   NtCreateThread  ... 588, {1664, 1644}, ) == 0x0
 01906   464   NtQueryValueKey  (584,  (584, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01907  1972   NtQueryInformationThread  (588, Basic, 28, ...
 01906   464   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01907  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1664,Tid=1644,}, 0x0, ) == 0x0
 01908   464   NtQueryValueKey  (584,  (584, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01909  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57996, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\200\6\0\0l\6\0\0" ...  ...
 01908   464   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01909  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 57998, 0}  ... {28, 56, reply, 0, 1664, 1972, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\200\6\0\0l\6\0\0" )  ) == 0x0
 01905  1580   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1664, 1580, 57999, 0}  ... {200, 224, reply, 0, 1664, 1580, 57999, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\231\216\33!o\266J\265h8\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0@8\25\0\22\13V\6x\1\24\0`8\25\0h\1\24\0\0\0\0\0\0\0\0\0`8\25\0P\0\0\0h8\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\347\0\372\31\221|\30\364\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01910   464   NtQueryValueKey  (584,  (584, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01911  1580   NtRequestWaitReplyPort  (580, {64, 88, new_msg, 0, 0, 0, 0, 0}  (580, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01910   464   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01912   464   NtQueryValueKey  (584,  (584, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (584, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01913   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... ) }, 11007020, ... ) == 0x0
 01914  1972   NtResumeThread  (588, ... 1, ) == 0x0
 01915  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68681728, 1048576, ) == 0x0
 01916  1972   NtAllocateVirtualMemory  (-1, 69722112, 0, 8192, 4096, 4, ... 69722112, 8192, ) == 0x0
 01917  1972   NtProtectVirtualMemory  (-1, (0x427e000), 4096, 260, ... (0x427e000), 4096, 4, ) == 0x0
 01918  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1664, 336}, ) == 0x0
 01919  1972   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1664,Tid=336,}, 0x0, ) == 0x0
 01920   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01921  1644   NtWaitForSingleObject  (96, 0, 0x0, ...
 01920   464   NtOpenFile  ... 596, {status=0x0, info=1}, ) == 0x0
 01922   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 596, ... 600, ) == 0x0
 01923   464   NtClose  (596, ... ) == 0x0
 01924   464   NtMapViewOfSection  (600, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0
 01925   464   NtClose  (600, ... ) == 0x0
 01926  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 57998, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\200\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\200\6\0\0P\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58001, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\200\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\200\6\0\0P\1\0\0" )  ) == 0x0
 01927  1972   NtResumeThread  (592, ... 1, ) == 0x0
 01928  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01929   336   NtWaitForSingleObject  (96, 0, 0x0, ...
 01928  1972   NtAllocateVirtualMemory  ... 69730304, 1048576, ) == 0x0
 01930  1972   NtAllocateVirtualMemory  (-1, 70770688, 0, 8192, 4096, 4, ... 70770688, 8192, ) == 0x0
 01931  1972   NtProtectVirtualMemory  (-1, (0x437e000), 4096, 260, ... (0x437e000), 4096, 4, ) == 0x0
 01932  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01933   464   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01934   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... ) == 0x0
 01935   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 600, {status=0x0, info=1}, ) }, 5, 96, ... 600, {status=0x0, info=1}, ) == 0x0
 01936   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 600, ... 596, ) == 0x0
 01937   464   NtQuerySection  (596, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01938   464   NtClose  (600, ... ) == 0x0
 01932  1972   NtCreateThread  ... 600, {1664, 888}, ) == 0x0
 01939  1972   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1664,Tid=888,}, 0x0, ) == 0x0
 01940  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58001, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\200\6\0\0x\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\200\6\0\0x\3\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58002, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\200\6\0\0x\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\200\6\0\0x\3\0\0" )  ) == 0x0
 01941  1972   NtResumeThread  (600, ... 1, ) == 0x0
 01942  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70778880, 1048576, ) == 0x0
 01943  1972   NtAllocateVirtualMemory  (-1, 71819264, 0, 8192, 4096, 4, ... 71819264, 8192, ) == 0x0
 01944   464   NtMapViewOfSection  (596, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01945   888   NtWaitForSingleObject  (96, 0, 0x0, ...
 01911  1580   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1664, 1580, 58000, 0}  ... {52, 76, reply, 0, 1664, 1580, 58000, 0} "\2\356Q\200\1\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01944   464   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 01946  1580   NtClose  (564, ...
 01947   464   NtClose  (596, ...
 01948  1972   NtProtectVirtualMemory  (-1, (0x447e000), 4096, 260, ...
 01947   464   NtClose  ... ) == 0x0
 01948  1972   NtProtectVirtualMemory  ... (0x447e000), 4096, 4, ) == 0x0
 01949   464   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ...
 01950  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01949   464   NtProtectVirtualMemory  ... (0x71a91000), 4096, 32, ) == 0x0
 01950  1972   NtCreateThread  ... 596, {1664, 1392}, ) == 0x0
 01946  1580   NtClose  ... ) == 0x0
 01951  1972   NtQueryInformationThread  (596, Basic, 28, ...
 01952  1580   NtClose  (580, ...
 01951  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1664,Tid=1392,}, 0x0, ) == 0x0
 01952  1580   NtClose  ... ) == 0x0
 01953   464   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 01954  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58002, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\200\6\0\0p\5\0\0" ...  ...
 01953   464   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 01954  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58004, 0}  ... {28, 56, reply, 0, 1664, 1972, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\200\6\0\0p\5\0\0" )  ) == 0x0
 01955   464   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 01956  1972   NtResumeThread  (596, ...
 01955   464   NtFlushInstructionCache  ... ) == 0x0
 01956  1972   NtResumeThread  ... 1, ) == 0x0
 01957  1580   NtWaitForSingleObject  (96, 0, 0x0, ...
 01958  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01959   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 01960  1392   NtWaitForSingleObject  (96, 0, 0x0, ...
 01959   464   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01961   464   NtSetEventBoostPriority  (96, ...
 01921  1644   NtWaitForSingleObject  ... ) == 0x0
 01962  1644   NtSetEventBoostPriority  (96, ...
 01929   336   NtWaitForSingleObject  ... ) == 0x0
 01963   336   NtSetEventBoostPriority  (96, ...
 01945   888   NtWaitForSingleObject  ... ) == 0x0
 01964   888   NtSetEventBoostPriority  (96, ...
 01957  1580   NtWaitForSingleObject  ... ) == 0x0
 01965  1580   NtSetEventBoostPriority  (96, ...
 01960  1392   NtWaitForSingleObject  ... ) == 0x0
 01966  1392   NtTestAlert  (... ) == 0x0
 01965  1580   NtSetEventBoostPriority  ... ) == 0x0
 01964   888   NtSetEventBoostPriority  ... ) == 0x0
 01963   336   NtSetEventBoostPriority  ... ) == 0x0
 01962  1644   NtSetEventBoostPriority  ... ) == 0x0
 01961   464   NtSetEventBoostPriority  ... ) == 0x0
 01958  1972   NtAllocateVirtualMemory  ... 71827456, 1048576, ) == 0x0
 01967  1580   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01968  1392   NtContinue  (71826736, 1, ...
 01969   888   NtTestAlert  (...
 01970   336   NtTestAlert  (...
 01971  1644   NtTestAlert  (...
 01972  1972   NtAllocateVirtualMemory  (-1, 72867840, 0, 8192, 4096, 4, ...
 01973   464   NtClose  (584, ...
 01974  1392   NtRegisterThreadTerminatePort  (24, ...
 01969   888   NtTestAlert  ... ) == 0x0
 01970   336   NtTestAlert  ... ) == 0x0
 01971  1644   NtTestAlert  ... ) == 0x0
 01972  1972   NtAllocateVirtualMemory  ... 72867840, 8192, ) == 0x0
 01973   464   NtClose  ... ) == 0x0
 01974  1392   NtRegisterThreadTerminatePort  ... ) == 0x0
 01975   888   NtContinue  (70778160, 1, ...
 01976   336   NtContinue  (69729584, 1, ...
 01977  1644   NtContinue  (68681008, 1, ...
 01978  1972   NtProtectVirtualMemory  (-1, (0x457e000), 4096, 260, ...
 01979   464   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 01980  1392   NtWaitForSingleObject  (332, 0, 0x0, ...
 01981   888   NtRegisterThreadTerminatePort  (24, ...
 01982   336   NtRegisterThreadTerminatePort  (24, ...
 01983  1644   NtRegisterThreadTerminatePort  (24, ...
 01978  1972   NtProtectVirtualMemory  ... (0x457e000), 4096, 4, ) == 0x0
 01979   464   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 01981   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 01982   336   NtRegisterThreadTerminatePort  ... ) == 0x0
 01983  1644   NtRegisterThreadTerminatePort  ... ) == 0x0
 01984  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01985   464   NtSetEventBoostPriority  (332, ...
 01986   888   NtWaitForSingleObject  (332, 0, 0x0, ...
 01987   336   NtWaitForSingleObject  (332, 0, 0x0, ...
 01988  1644   NtWaitForSingleObject  (332, 0, 0x0, ...
 01967  1580   NtCreateKey  ... 584, 2, ) == 0x0
 01980  1392   NtWaitForSingleObject  ... ) == 0x0
 01985   464   NtSetEventBoostPriority  ... ) == 0x0
 01984  1972   NtCreateThread  ... 580, {1664, 2020}, ) == 0x0
 01989  1392   NtSetEventBoostPriority  (332, ...
 01990  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01986   888   NtWaitForSingleObject  ... ) == 0x0
 01989  1392   NtSetEventBoostPriority  ... ) == 0x0
 01991  1972   NtQueryInformationThread  (580, Basic, 28, ...
 01992   888   NtSetEventBoostPriority  (332, ...
 01990  1580   NtOpenKey  ... 564, ) == 0x0
 01993   464   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ...
 01987   336   NtWaitForSingleObject  ... ) == 0x0
 01991  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1664,Tid=2020,}, 0x0, ) == 0x0
 01994  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01993   464   NtCreateFile  ... 604, {status=0x0, info=0}, ) == 0x0
 01995   336   NtSetEventBoostPriority  (332, ...
 01996  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58004, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\200\6\0\0\344\7\0\0" ...  ...
 01994  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01997   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x1207b,  (604, 108, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01988  1644   NtWaitForSingleObject  ... ) == 0x0
 01996  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58005, 0}  ... {28, 56, reply, 0, 1664, 1972, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\200\6\0\0\344\7\0\0" )  ) == 0x0
 01998  1580   NtQueryValueKey  (584,  (584, "Hostname", Partial, 144, ... , Partial, 144, ...
 01997   464   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0
 01999  1644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01995   336   NtSetEventBoostPriority  ... ) == 0x0
 01992   888   NtSetEventBoostPriority  ... ) == 0x0
 02000  1392   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02001  1972   NtResumeThread  (580, ...
 02002   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x1207b,  (604, 108, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", 16, 16, ... , 16, 16, ...
 01999  1644   NtDuplicateObject  ... 608, ) == 0x0
 02003   336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02004   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02000  1392   NtDuplicateObject  ... 612, ) == 0x0
 02001  1972   NtResumeThread  ... 1, ) == 0x0
 02002   464   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0
 02005  1644   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02003   336   NtDuplicateObject  ... 616, ) == 0x0
 02004   888   NtDuplicateObject  ... 620, ) == 0x0
 02006  1392   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02007  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01998  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02008  2020   NtTestAlert  (...
 02005  1644   NtWaitForSingleObject  ... ) == 0x102
 02009   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x12047,  (604, 108, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\16\0\5\0\0\20\0\0\350\1\24\0\350\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 02010   336   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02006  1392   NtWaitForSingleObject  ... ) == 0x102
 02007  1972   NtAllocateVirtualMemory  ... 72876032, 1048576, ) == 0x0
 02011  1580   NtQueryValueKey  (584,  (584, "Hostname", Partial, 144, ... , Partial, 144, ...
 02008  2020   NtTestAlert  ... ) == 0x0
 02012  1644   NtWaitForSingleObject  (128, 0, 0x0, ...
 02009   464   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 02010   336   NtWaitForSingleObject  ... ) == 0x102
 02013  1392   NtWaitForSingleObject  (128, 0, 0x0, ...
 02014  1972   NtAllocateVirtualMemory  (-1, 73916416, 0, 8192, 4096, 4, ...
 02011  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02015  2020   NtContinue  (72875312, 1, ...
 02016   464   NtWaitForSingleObject  (60, 0, {0, 0}, ...
 02017   336   NtWaitForSingleObject  (128, 0, 0x0, ...
 02018   888   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02014  1972   NtAllocateVirtualMemory  ... 73916416, 8192, ) == 0x0
 02019  1580   NtClose  (584, ...
 02020  2020   NtRegisterThreadTerminatePort  (24, ...
 02016   464   NtWaitForSingleObject  ... ) == 0x102
 02018   888   NtWaitForSingleObject  ... ) == 0x102
 02019  1580   NtClose  ... ) == 0x0
 02020  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02021   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x12003,  (604, 108, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 02022   888   NtWaitForSingleObject  (128, 0, 0x0, ...
 02023  1580   NtClose  (564, ...
 02024  1972   NtProtectVirtualMemory  (-1, (0x467e000), 4096, 260, ...
 02025  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02021   464   NtDeviceIoControlFile  ... {status=0x0, info=584},  ... {status=0x0, info=584}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02024  1972   NtProtectVirtualMemory  ... (0x467e000), 4096, 4, ) == 0x0
 02025  2020   NtDuplicateObject  ... 624, ) == 0x0
 02026   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x12047,  (604, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\16\0\5\0\0\20\0\0\350\1\24\0\350\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02027  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02028  2020   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02026   464   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02027  1972   NtCreateThread  ... 628, {1664, 740}, ) == 0x0
 02028  2020   NtWaitForSingleObject  ... ) == 0x102
 02029   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x12037,  (604, 108, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 02030  1972   NtQueryInformationThread  (628, Basic, 28, ...
 02031  2020   NtWaitForSingleObject  (128, 0, 0x0, ...
 02029   464   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02030  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1664,Tid=740,}, 0x0, ) == 0x0
 02023  1580   NtClose  ... ) == 0x0
 02032   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x1200b,  (604, 108, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\261\24\0", 12, 0, ... , 12, 0, ...
 02033  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\326e\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02032   464   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02034  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02035   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x12047,  (604, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\16\0\5\0\0\20\0\0\350\1\24\0\350\1\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02034  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02035   464   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02036  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02037   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 02036  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02037   464   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02038  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58005, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\200\6\0\0\344\2\0\0" ...  ...
 02039  1580   NtQuerySystemInformation  (Performance, 312, ...
 02038  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58006, 0}  ... {28, 56, reply, 0, 1664, 1972, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\200\6\0\0\344\2\0\0" )  ) == 0x0
 02039  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02040  1972   NtResumeThread  (628, ...
 02041  1580   NtQuerySystemInformation  (Exception, 16, ...
 02040  1972   NtResumeThread  ... 1, ) == 0x0
 02041  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02042  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02043  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 02044   464   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02045   740   NtTestAlert  (...
 02043  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02044   464   NtCreateEvent  ... 564, ) == 0x0
 02045   740   NtTestAlert  ... ) == 0x0
 02042  1972   NtAllocateVirtualMemory  ... 73924608, 1048576, ) == 0x0
 02046   464   NtWaitForSingleObject  (564, 0, 0x0, ...
 02047   740   NtContinue  (73923888, 1, ...
 02048  1972   NtAllocateVirtualMemory  (-1, 74964992, 0, 8192, 4096, 4, ...
 02049   740   NtRegisterThreadTerminatePort  (24, ...
 02048  1972   NtAllocateVirtualMemory  ... 74964992, 8192, ) == 0x0
 02049   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02050  1972   NtProtectVirtualMemory  (-1, (0x477e000), 4096, 260, ...
 02051  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02050  1972   NtProtectVirtualMemory  ... (0x477e000), 4096, 4, ) == 0x0
 02051  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02052  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02053  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02054   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02053  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02054   740   NtDuplicateObject  ... 632, ) == 0x0
 02055  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02056   740   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02055  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02056   740   NtWaitForSingleObject  ... ) == 0x102
 02052  1972   NtCreateThread  ... 636, {1664, 1676}, ) == 0x0
 02057   740   NtWaitForSingleObject  (128, 0, 0x0, ...
 02058  1972   NtQueryInformationThread  (636, Basic, 28, ...
 02059  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\236B4\307\262y1 \260\367\352=F\14\273\252\24\335\351{\315?V\334\277\357\11G\201\256\310i\375\224\3\13J\235\310Q^1\351\320CT`\241\1'?\246\214\377GV\311\264-\363\14\214\342\316\324\333\343i\332\331\7\233\327\232\312B?\323y", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\236B4\307\262y1 \260\367\352=F\14\273\252\24\335\351{\315?V\334\277\357\11G\201\256\310i\375\224\3\13J\235\310Q^1\351\320CT`\241\1'?\246\214\377GV\311\264-\363\14\214\342\316\324\333\343i\332\331\7\233\327\232\312B?\323y", 80, ... , 80, ...
 02058  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1664,Tid=1676,}, 0x0, ) == 0x0
 02059  1580   NtSetValueKey  ... ) == 0x0
 02060  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58006, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\200\6\0\0\214\6\0\0" ...  ...
 02061  1580   NtClose  (-2147481344, ...
 02060  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58007, 0}  ... {28, 56, reply, 0, 1664, 1972, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\200\6\0\0\214\6\0\0" )  ) == 0x0
 02061  1580   NtClose  ... ) == 0x0
 02033  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\377\246\212\332\232b\2dV\266\322\177\2465J\340\6\301\26p\260gm\210L\Zs{\364\2\361NpR\27\277\0X\3\200\347\303\270\24@\203\4\136\200&\231V\375\24S\251\5\177b\235\270\5\343\35\370BY\364\16\332\6+\235\246\220\312\203\320\250\16\201{\317\2140\324\230\375;\35\311\23\245f \347k\266\200}~q\365\323\27\36V\345\365\201L\322\270\177\331K \345'\374n\207S\334:\321z\255\2d@\30\265\16\346\34t[JO\353\323\224\320\353\217\254o\270T\344z2U\22@\350\30\177N\345\316P\202\362\337\226\256\355\320\10\9l\32>O\22\341\223GPm\234\231\27\216\214\311\202\2748!`\205\212x\5g(\261?\333a$\11\260.t\364\31-`q\335\210A\320]\10\204W\365E*\223GE;\24*\206>^\304\352\206\3019 S\276\213\371l\373\353\34y8Tk\306", ) , ) == 0x0
 02062  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\3475\6\2QaM;\370\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02063  1580   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02064  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02065  1580   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02066  1972   NtResumeThread  (636, ... 1, ) == 0x0
 02067  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74973184, 1048576, ) == 0x0
 02068  1972   NtAllocateVirtualMemory  (-1, 76013568, 0, 8192, 4096, 4, ... 76013568, 8192, ) == 0x0
 02069  1972   NtProtectVirtualMemory  (-1, (0x487e000), 4096, 260, ... (0x487e000), 4096, 4, ) == 0x0
 02070  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1664, 496}, ) == 0x0
 02071  1972   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1664,Tid=496,}, 0x0, ) == 0x0
 02072  1580   NtQuerySystemInformation  (Exception, 16, ...
 02073  1676   NtTestAlert  (...
 02072  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02073  1676   NtTestAlert  ... ) == 0x0
 02074  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 02075  1676   NtContinue  (74972464, 1, ...
 02074  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02076  1676   NtRegisterThreadTerminatePort  (24, ...
 02077  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02076  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 02077  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02078  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58007, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\200\6\0\0\360\1\0\0" ...  ...
 02079  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02078  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58008, 0}  ... {28, 56, reply, 0, 1664, 1972, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\200\6\0\0\360\1\0\0" )  ) == 0x0
 02079  1676   NtDuplicateObject  ... 644, ) == 0x0
 02080  1972   NtResumeThread  (640, ...
 02081  1676   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02080  1972   NtResumeThread  ... 1, ) == 0x0
 02081  1676   NtWaitForSingleObject  ... ) == 0x102
 02082  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02083  1676   NtWaitForSingleObject  (128, 0, 0x0, ...
 02084  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02085   496   NtTestAlert  (...
 02082  1972   NtAllocateVirtualMemory  ... 76021760, 1048576, ) == 0x0
 02084  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02085   496   NtTestAlert  ... ) == 0x0
 02086  1972   NtAllocateVirtualMemory  (-1, 77062144, 0, 8192, 4096, 4, ...
 02087  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02088   496   NtContinue  (76021040, 1, ...
 02086  1972   NtAllocateVirtualMemory  ... 77062144, 8192, ) == 0x0
 02087  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02089   496   NtRegisterThreadTerminatePort  (24, ...
 02090  1972   NtProtectVirtualMemory  (-1, (0x497e000), 4096, 260, ...
 02091  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\270R\247\345\336\242\24e\26\307\307\4xe\313e2\316(\22\334\1~\274\334\245\346q\334b\360\266#\200\30\306\232\306\252\241l\355\21\336\241\224\350\207/\275c\344\333\346\343h\213\303\225\261Y\213\216\207#y/\333;\314@\274hC\233\361\2371`\356", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\270R\247\345\336\242\24e\26\307\307\4xe\313e2\316(\22\334\1~\274\334\245\346q\334b\360\266#\200\30\306\232\306\252\241l\355\21\336\241\224\350\207/\275c\344\333\346\343h\213\303\225\261Y\213\216\207#y/\333;\314@\274hC\233\361\2371`\356", 80, ... , 80, ...
 02089   496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02090  1972   NtProtectVirtualMemory  ... (0x497e000), 4096, 4, ) == 0x0
 02091  1580   NtSetValueKey  ... ) == 0x0
 02092  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02093   496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02094  1580   NtClose  (-2147481344, ...
 02093   496   NtDuplicateObject  ... 648, ) == 0x0
 02094  1580   NtClose  ... ) == 0x0
 02095   496   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02062  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3s\214\25\32*S\201;\307\361\327>\303\331{\315.\257\177+\352\341BFA[]\213\314\12r<\343e\303g\276\302\340jn\345m\33f$\23H|)\245,\263\373\372\304\272\346\206i7\4\275`\31\212HmJ\334-3p\17\202\220;\240\315\220\265\37\353E\331\2v\11\304x\337\261\317\264\3436\213%h\350\317\342q\3 >A\23\322D\305\252\245S\306\316\234`\252\333-n|H\354\241\324 \32\256v\211\251\324\177`p\237\25UN\3x\271\217\324\320\363\253\274\325\217\25y\3\312\251\33f\260\300\16\33\256\244\262\326\264\336\331\257\274\220Q\266\236\12\321\375\304.\200]\3032\221\347}\374\11!T\210i\245\367\\253\226\177ZyY\304\22\246\13\244\341J\1r\316\233$\373\305\26:\203N\276\6\341\232\363|\214\244\376"h\263s03\276\325z\215h\317\350\353%B\314\24\271\26\264\7\30e\357", ) h\263s03\276\325z\215h\317\350\353%B\314\24\271\26\264\7\30e\357", ) == 0x0
 02095   496   NtWaitForSingleObject  ... ) == 0x102
 02096  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\3475\6\2QaM\12\250\6\2QaM;\370\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02097   496   NtWaitForSingleObject  (128, 0, 0x0, ...
 02098  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02092  1972   NtCreateThread  ... 652, {1664, 1020}, ) == 0x0
 02098  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02099  1972   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1664,Tid=1020,}, 0x0, ) == 0x0
 02100  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58008, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\6\0\0\374\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\6\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58009, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\6\0\0\374\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\6\0\0\374\3\0\0" )  ) == 0x0
 02101  1972   NtResumeThread  (652, ... 1, ) == 0x0
 02102  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77070336, 1048576, ) == 0x0
 02103  1972   NtAllocateVirtualMemory  (-1, 78110720, 0, 8192, 4096, 4, ... 78110720, 8192, ) == 0x0
 02104  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02105  1020   NtTestAlert  (...
 02104  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02105  1020   NtTestAlert  ... ) == 0x0
 02106  1580   NtQuerySystemInformation  (Performance, 312, ...
 02107  1020   NtContinue  (77069616, 1, ...
 02106  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02108  1020   NtRegisterThreadTerminatePort  (24, ...
 02109  1580   NtQuerySystemInformation  (Exception, 16, ...
 02108  1020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02109  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02110  1972   NtProtectVirtualMemory  (-1, (0x4a7e000), 4096, 260, ...
 02111  1020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02110  1972   NtProtectVirtualMemory  ... (0x4a7e000), 4096, 4, ) == 0x0
 02111  1020   NtDuplicateObject  ... 656, ) == 0x0
 02112  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02113  1020   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 02112  1972   NtCreateThread  ... 660, {1664, 432}, ) == 0x0
 02113  1020   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 02114  1972   NtQueryInformationThread  (660, Basic, 28, ...
 02115  1020   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02114  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1664,Tid=432,}, 0x0, ) == 0x0
 02115  1020   NtWaitForSingleObject  ... ) == 0x102
 02116  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 02117  1020   NtWaitForSingleObject  (128, 0, 0x0, ...
 02116  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02118  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02119  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02120  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0
 02121  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\374\31\2079\206|\217\277\332\363\236"\341\177\301\251\325A2\220\2311hOB\260F\314-\301\236q\1\31b\275"\3\352\353<\221\317>4\310\357P-\27\317\216\250"\317\307\240J\226\25678\346\202L'\35\276\252'\361 j\216\265Oja\207>", 80, ... ) , 0, 3,  (-2147481344, "Seed", 0, 3, "\374\31\2079\206|\217\277\332\363\236"\341\177\301\251\325A2\220\2311hOB\260F\314-\301\236q\1\31b\275"\3\352\353<\221\317>4\310\357P-\27\317\216\250"\317\307\240J\226\25678\346\202L'\35\276\252'\361 j\216\265Oja\207>", 80, ... ) \341\177\301\251\325A2\220\2311hOB\260F\314-\301\236q\1\31b\275 (-2147481344, "Seed", 0, 3, "\374\31\2079\206|\217\277\332\363\236"\341\177\301\251\325A2\220\2311hOB\260F\314-\301\236q\1\31b\275"\3\352\353<\221\317>4\310\357P-\27\317\216\250"\317\307\240J\226\25678\346\202L'\35\276\252'\361 j\216\265Oja\207>", 80, ... ) \317\307\240J\226\25678\346\202L'\35\276\252'\361 j\216\265Oja\207>", 80, ... ) == 0x0
 02122  1580   NtClose  (-2147481344, ... ) == 0x0
 02123  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58009, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\6\0\0\260\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58010, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\6\0\0\260\1\0\0" )  ) == 0x0
 02124  1972   NtResumeThread  (660, ... 1, ) == 0x0
 02125  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78118912, 1048576, ) == 0x0
 02126  1972   NtAllocateVirtualMemory  (-1, 79159296, 0, 8192, 4096, 4, ... 79159296, 8192, ) == 0x0
 02127  1972   NtProtectVirtualMemory  (-1, (0x4b7e000), 4096, 260, ... (0x4b7e000), 4096, 4, ) == 0x0
 02128  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02096  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "H\317\177\31\323\377\253\250~\335W\333js\307\302\15Q]\226r\37\311\256\25\314[\207\216\25\343\376\367k\26\246\237\23|\275K\14D\260\262\26\4\347\227\310\12S\225z\365N=\316\375\35\211,\201\17\2660_\313\25q\322\354B>\235\201-I\227\211\16t\36{\6\213\317\306/\243~\20\34\342\244`\361aM^S\262\301\233B\355\254/{\243v=\367\11\334Ld%\31x+6=\2102U*\240Bc\213\307J!i\326,#\311\223;\340\2724\1\254\243\27A\315\237D\271\12%\7\376\236\267\4\336\332\264\272p\232a\253\233\314\200\362S\324\246\302\307\260\213y\216:\5\245\237\361\235\273D\37,\36N\317\317\0\335\13\251((\35x`}U>z\315\351\27\215\17\214x\345[\102a\5:\224.\333\354\311\377\215\313\206\230j\263\276a\223Y\213!X\361\372\312\242\365Y\27\225\316\311\332\211\256+\376", ) , ) == 0x0
 02129   432   NtTestAlert  (...
 02130  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\3475\6\2QaM\12\250\6\2QaM\12\250\6\2QaM;\370\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02129   432   NtTestAlert  ... ) == 0x0
 02131  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02132   432   NtContinue  (78118192, 1, ...
 02131  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02133   432   NtRegisterThreadTerminatePort  (24, ...
 02134  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02133   432   NtRegisterThreadTerminatePort  ... ) == 0x0
 02134  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02128  1972   NtCreateThread  ... 664, {1664, 1332}, ) == 0x0
 02135   432   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02136  1972   NtQueryInformationThread  (664, Basic, 28, ...
 02135   432   NtDuplicateObject  ... 668, ) == 0x0
 02136  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1664,Tid=1332,}, 0x0, ) == 0x0
 02137   432   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02138  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58010, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\200\6\0\04\5\0\0" ...  ...
 02137   432   NtWaitForSingleObject  ... ) == 0x102
 02138  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58011, 0}  ... {28, 56, reply, 0, 1664, 1972, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\200\6\0\04\5\0\0" )  ) == 0x0
 02139   432   NtWaitForSingleObject  (128, 0, 0x0, ...
 02140  1580   NtQuerySystemInformation  (Performance, 312, ...
 02141  1972   NtResumeThread  (664, ...
 02140  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02141  1972   NtResumeThread  ... 1, ) == 0x0
 02142  1580   NtQuerySystemInformation  (Exception, 16, ...
 02143  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02142  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02143  1972   NtAllocateVirtualMemory  ... 79167488, 1048576, ) == 0x0
 02144  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 02145  1972   NtAllocateVirtualMemory  (-1, 80207872, 0, 8192, 4096, 4, ...
 02144  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02145  1972   NtAllocateVirtualMemory  ... 80207872, 8192, ) == 0x0
 02146  1332   NtTestAlert  (...
 02147  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02146  1332   NtTestAlert  ... ) == 0x0
 02147  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02148  1332   NtContinue  (79166768, 1, ...
 02149  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02150  1332   NtRegisterThreadTerminatePort  (24, ...
 02149  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02150  1332   NtRegisterThreadTerminatePort  ... ) == 0x0
 02151  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02152  1972   NtProtectVirtualMemory  (-1, (0x4c7e000), 4096, 260, ... (0x4c7e000), 4096, 4, ) == 0x0
 02153  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1664, 1328}, ) == 0x0
 02154  1972   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1664,Tid=1328,}, 0x0, ) == 0x0
 02155  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58011, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\6\0\00\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\6\0\00\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58012, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\6\0\00\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\6\0\00\5\0\0" )  ) == 0x0
 02156  1972   NtResumeThread  (672, ... 1, ) == 0x0
 02157  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02151  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02158  1332   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02159  1328   NtTestAlert  (...
 02160  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "9\233x\367\307\357\36\207\370\302\253`\337\240\202\230\324\320.\2177g\363\253\202\316\304\332\375\372\254\17\227\230^9\370\35h\227\267\271r#\264\260\24\312\201`\214%\250\234\353\33S\321\245\177\367\261TU\214\335\375\6\2\302\264\4y\3\4\374\331\334\240s", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "9\233x\367\307\357\36\207\370\302\253`\337\240\202\230\324\320.\2177g\363\253\202\316\304\332\375\372\254\17\227\230^9\370\35h\227\267\271r#\264\260\24\312\201`\214%\250\234\353\33S\321\245\177\367\261TU\214\335\375\6\2\302\264\4y\3\4\374\331\334\240s", 80, ... , 80, ...
 02158  1332   NtDuplicateObject  ... 676, ) == 0x0
 02159  1328   NtTestAlert  ... ) == 0x0
 02160  1580   NtSetValueKey  ... ) == 0x0
 02161  1332   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02162  1328   NtContinue  (80215344, 1, ...
 02163  1580   NtClose  (-2147481344, ...
 02161  1332   NtWaitForSingleObject  ... ) == 0x102
 02164  1328   NtRegisterThreadTerminatePort  (24, ...
 02163  1580   NtClose  ... ) == 0x0
 02165  1332   NtWaitForSingleObject  (128, 0, 0x0, ...
 02164  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 02130  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\201\337\234.\366\266S\32\371r\253\362\177j\341\221F\340\206\213\270\316\363\37L\244(M\263ey\371\266\344\315k\230g\363\303\321\17r\212R\274BC`O\322z\34[F\206w\241C\206\223P\25P\207\310\307@\350CS<\2\3451^^\247\223,\232:\343\370\337>\351\342\6\365\351\340\315\24L\3762\322?\377L*\2002\340A\334\16-\360R\246\262N,\211\6\256"l0\33/(\250\270J\216\317W\212\377\344\35\342Gm!\217\346m\227\361\377V\230M\343p\316d\370\203U\201\300\216\305X\301\204\375\267=}\204\3733?a\36\354\342\22_\307Z6\177\231\227\210}W\24H\302\345\340\330\375c?\15\205_\302\354\252\260\201T\262\302FK5\311>'\341\307\336\274\306I\26\267\201\301\273_B\315\27\205 \24\370\267Vx\372\\326Ho\341\25w\5\17\4*\237\244 /A*L#\335\304#", ) l0\33/(\250\270J\216\317W\212\377\344\35\342Gm!\217\346m\227\361\377V\230M\343p\316d\370\203U\201\300\216\305X\301\204\375\267=}\204\3733?a\36\354\342\22_\307Z6\177\231\227\210}W\24H\302\345\340\330\375c?\15\205_\302\354\252\260\201T\262\302FK5\311>'\341\307\336\274\306I\26\267\201\301\273_B\315\27\205 \24\370\267Vx\372\\326Ho\341\25w\5\17\4*\237\244 /A*L#\335\304#", ) == 0x0
 02157  1972   NtAllocateVirtualMemory  ... 80216064, 1048576, ) == 0x0
 02166  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02167  1972   NtAllocateVirtualMemory  (-1, 81256448, 0, 8192, 4096, 4, ...
 02166  1328   NtDuplicateObject  ... 680, ) == 0x0
 02167  1972   NtAllocateVirtualMemory  ... 81256448, 8192, ) == 0x0
 02168  1328   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02169  1972   NtProtectVirtualMemory  (-1, (0x4d7e000), 4096, 260, ...
 02168  1328   NtWaitForSingleObject  ... ) == 0x102
 02169  1972   NtProtectVirtualMemory  ... (0x4d7e000), 4096, 4, ) == 0x0
 02170  1328   NtWaitForSingleObject  (128, 0, 0x0, ...
 02171  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02172  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\3475\6\2QaM\12\250\6\2QaM\12\250\6\2QaM\12\250\6\2QaM;\370\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02173  1580   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02174  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02175  1580   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02176  1580   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02177  1580   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02178  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02171  1972   NtCreateThread  ... 684, {1664, 752}, ) == 0x0
 02179  1972   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1664,Tid=752,}, 0x0, ) == 0x0
 02180  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58012, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\6\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58013, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\6\0\0\360\2\0\0" )  ) == 0x0
 02181  1972   NtResumeThread  (684, ... 1, ) == 0x0
 02182  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81264640, 1048576, ) == 0x0
 02183  1972   NtAllocateVirtualMemory  (-1, 82305024, 0, 8192, 4096, 4, ... 82305024, 8192, ) == 0x0
 02178  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02184   752   NtTestAlert  (...
 02185  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02184   752   NtTestAlert  ... ) == 0x0
 02185  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02186   752   NtContinue  (81263920, 1, ...
 02187  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02188   752   NtRegisterThreadTerminatePort  (24, ...
 02187  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02188   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02189  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\206\1\245E\347S5U^\377\314\14Ii\337\375pl\16y0\332F\356\301\242n\350\270\264\202>&\0@\6\220\13\200\345u\234s\332:KK\340\265\310\342b\11,\275\364\327\222W\265\353S\252\211RT?"\265\364\311\222\274N\347\273\203\305@ ", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\206\1\245E\347S5U^\377\314\14Ii\337\375pl\16y0\332F\356\301\242n\350\270\264\202>&\0@\6\220\13\200\345u\234s\332:KK\340\265\310\342b\11,\275\364\327\222W\265\353S\252\211RT?"\265\364\311\222\274N\347\273\203\305@ ", 80, ... \265\364\311\222\274N\347\273\203\305@ ", 80, ...
 02190  1972   NtProtectVirtualMemory  (-1, (0x4e7e000), 4096, 260, ...
 02191   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02190  1972   NtProtectVirtualMemory  ... (0x4e7e000), 4096, 4, ) == 0x0
 02191   752   NtDuplicateObject  ... 688, ) == 0x0
 02192  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02193   752   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02192  1972   NtCreateThread  ... 692, {1664, 120}, ) == 0x0
 02193   752   NtWaitForSingleObject  ... ) == 0x102
 02194  1972   NtQueryInformationThread  (692, Basic, 28, ...
 02195   752   NtWaitForSingleObject  (128, 0, 0x0, ...
 02194  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1664,Tid=120,}, 0x0, ) == 0x0
 02189  1580   NtSetValueKey  ... ) == 0x0
 02196  1580   NtClose  (-2147481344, ... ) == 0x0
 02172  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\231\331\30\262\344\176B\12\34\345\313\27\210:\321\203#\5\210\24\6\233!J\240\315,%\207\241<\210\361@\336\10\326\2\336n\351\333U\325\347\321F\11\231"\36\275\323\201\357\362?A\320y\345?\243\316\332\377-\303V\342\31\254\347&\202\364\276Q?Fr\361&\347C\261\361\316\31\312k\272\254\343\205n\10Lw\27\35S\304|\325r\377~\337\21jd+\374\235\331\206s\253\275\14\377TY\20\364]\33\316\342\316\373\6\252\363\16i%\255a.\232\223\344=\22ST\370\332f\2407\313\367;\346f\311\247\272\351\24\303[\304C\265\367#\7\210J4\304\7\327\2339s\336\247\316B\24\214\371g\305\241\353v$\356E\302\353\333\276\246\335\25\363\223\232\313$p8[/05\4\321=@\200\374\3023S\265\24y\374:!\246\351\2\217:F3\335\37741n\310\26\262\35:'\353\6\305\338\267\245\301", ) \36\275\323\201\357\362?A\320y\345?\243\316\332\377-\303V\342\31\254\347&\202\364\276Q?Fr\361&\347C\261\361\316\31\312k\272\254\343\205n\10Lw\27\35S\304|\325r\377~\337\21jd+\374\235\331\206s\253\275\14\377TY\20\364]\33\316\342\316\373\6\252\363\16i%\255a.\232\223\344=\22ST\370\332f\2407\313\367;\346f\311\247\272\351\24\303[\304C\265\367#\7\210J4\304\7\327\2339s\336\247\316B\24\214\371g\305\241\353v$\356E\302\353\333\276\246\335\25\363\223\232\313$p8[/05\4\321=@\200\374\3023S\265\24y\374:!\246\351\2\217:F3\335\37741n\310\26\262\35:'\353\6\305\338\267\245\301", ) == 0x0
 02197  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\3475\6\2QaM\12\250\6\2QaM\12\250\6\2QaM\12\250\6\2QaM\12\250\6\2QaM;\370\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02198  1580   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02199  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02200  1580   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02201  1580   NtQuerySystemInformation  (Exception, 16, ...
 02202  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58013, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58014, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\6\0\0x\0\0\0" )  ) == 0x0
 02203  1972   NtResumeThread  (692, ... 1, ) == 0x0
 02204  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82313216, 1048576, ) == 0x0
 02205  1972   NtAllocateVirtualMemory  (-1, 83353600, 0, 8192, 4096, 4, ... 83353600, 8192, ) == 0x0
 02206  1972   NtProtectVirtualMemory  (-1, (0x4f7e000), 4096, 260, ... (0x4f7e000), 4096, 4, ) == 0x0
 02207  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02201  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02208   120   NtTestAlert  (...
 02209  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 02208   120   NtTestAlert  ... ) == 0x0
 02209  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02210   120   NtContinue  (82312496, 1, ...
 02211  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02212   120   NtRegisterThreadTerminatePort  (24, ...
 02211  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02212   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02213  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02207  1972   NtCreateThread  ... 696, {1664, 1732}, ) == 0x0
 02214   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02215  1972   NtQueryInformationThread  (696, Basic, 28, ...
 02214   120   NtDuplicateObject  ... 700, ) == 0x0
 02215  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1664,Tid=1732,}, 0x0, ) == 0x0
 02216   120   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02217  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58014, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\200\6\0\0\304\6\0\0" ...  ...
 02216   120   NtWaitForSingleObject  ... ) == 0x102
 02217  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58015, 0}  ... {28, 56, reply, 0, 1664, 1972, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\200\6\0\0\304\6\0\0" )  ) == 0x0
 02218   120   NtWaitForSingleObject  (128, 0, 0x0, ...
 02213  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02219  1972   NtResumeThread  (696, ...
 02220  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02219  1972   NtResumeThread  ... 1, ) == 0x0
 02220  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02221  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02222  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\361\225\11v\241\301\\23\355\321\250\220r\357\216/\230N\220\3261-\371k\300\327\202\326x[W\277\27\225\225^F\246U\334\321\207\375\375jd\207\364\266\177e\252/\226f\377K\376K\315.E\341\27\201\303\306\231|\371c\20\2320\305\235\202\365\360", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\361\225\11v\241\301\\23\355\321\250\220r\357\216/\230N\220\3261-\371k\300\327\202\326x[W\277\27\225\225^F\246U\334\321\207\375\375jd\207\364\266\177e\252/\226f\377K\376K\315.E\341\27\201\303\306\231|\371c\20\2320\305\235\202\365\360", 80, ... , 80, ...
 02221  1972   NtAllocateVirtualMemory  ... 83361792, 1048576, ) == 0x0
 02222  1580   NtSetValueKey  ... ) == 0x0
 02223  1972   NtAllocateVirtualMemory  (-1, 84402176, 0, 8192, 4096, 4, ...
 02224  1580   NtClose  (-2147481344, ...
 02223  1972   NtAllocateVirtualMemory  ... 84402176, 8192, ) == 0x0
 02225  1732   NtTestAlert  (...
 02224  1580   NtClose  ... ) == 0x0
 02225  1732   NtTestAlert  ... ) == 0x0
 02197  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "[%\321\27\217`\221q\337\376:O\270l\331\23\2532V&V \224C-Fps\264\24\303#\310L\263_\0~\206\21\6\0\260z\323j\2\325.L$\341\314\312\253&\226@x\15\271+p\10\361up\247\2\225N\265\273^\15\234\0I\15'4\204\211\36\\204{\256\275Q\322\363\206_\21\310@Wnf\3446V#2\334!\264&o\276Vi\14\352\354>\311l\20\320\256\37=\12S\30]\366C\251\312W\16;\351\265\251\200\200\377\275=\32m\36o\23GU_\22\223\342T\326\21K\351\253x?;^&\342\11v\20\n+\207!;\242\\13\24!^\313\337,\246\232\23215\325U\214\321\316P\342\300\177\372/\350\10+l\275\7p\24\320l\32\15\276\3464\241\220\2\32\244\23\222i\305.\5\235\377\217LS\276\310\250\340\347\370\375\2632E\350\373\333,x\206\360\225J0q\270\237<\340", ) , ) == 0x0
 02226  1732   NtContinue  (83361072, 1, ...
 02227  1580   NtDeviceIoControlFile  (556, 0, 0x0, 0x0, 0x390008,  (556, 0, 0x0, 0x0, 0x390008, "\345\242P\220\260\320A\332b\32\241\177\316b\3475\6\2QaM\12\250\6\2QaM\12\250\6\2QaM\12\250\6\2QaM\12\250\6\2QaM\12\250\6\2QaM;\370\210\377L\266\364\256\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02228  1732   NtRegisterThreadTerminatePort  (24, ...
 02229  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02228  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 02229  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02230  1972   NtProtectVirtualMemory  (-1, (0x507e000), 4096, 260, ...
 02231  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02230  1972   NtProtectVirtualMemory  ... (0x507e000), 4096, 4, ) == 0x0
 02232  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02233  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02232  1732   NtDuplicateObject  ... 704, ) == 0x0
 02233  1972   NtCreateThread  ... 708, {1664, 188}, ) == 0x0
 02234  1732   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02235  1972   NtQueryInformationThread  (708, Basic, 28, ...
 02234  1732   NtWaitForSingleObject  ... ) == 0x102
 02235  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1664,Tid=188,}, 0x0, ) == 0x0
 02236  1732   NtWaitForSingleObject  (128, 0, 0x0, ...
 02231  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02237  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58015, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\200\6\0\0\274\0\0\0" ...  ...
 02238  1580   NtQuerySystemInformation  (Performance, 312, ...
 02237  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58016, 0}  ... {28, 56, reply, 0, 1664, 1972, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\200\6\0\0\274\0\0\0" )  ) == 0x0
 02238  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02239  1972   NtResumeThread  (708, ...
 02240  1580   NtQuerySystemInformation  (Exception, 16, ...
 02239  1972   NtResumeThread  ... 1, ) == 0x0
 02240  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02241  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02242  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 02243   188   NtTestAlert  (...
 02241  1972   NtAllocateVirtualMemory  ... 84410368, 1048576, ) == 0x0
 02243   188   NtTestAlert  ... ) == 0x0
 02244  1972   NtAllocateVirtualMemory  (-1, 85450752, 0, 8192, 4096, 4, ...
 02245   188   NtContinue  (84409648, 1, ...
 02244  1972   NtAllocateVirtualMemory  ... 85450752, 8192, ) == 0x0
 02246   188   NtRegisterThreadTerminatePort  (24, ...
 02247  1972   NtProtectVirtualMemory  (-1, (0x517e000), 4096, 260, ...
 02246   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 02247  1972   NtProtectVirtualMemory  ... (0x517e000), 4096, 4, ) == 0x0
 02242  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02248  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02249  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02250   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02249  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02250   188   NtDuplicateObject  ... 712, ) == 0x0
 02251  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02252   188   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02251  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02252   188   NtWaitForSingleObject  ... ) == 0x102
 02253  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02254   188   NtWaitForSingleObject  (128, 0, 0x0, ...
 02248  1972   NtCreateThread  ... 716, {1664, 1636}, ) == 0x0
 02253  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 02255  1972   NtQueryInformationThread  (716, Basic, 28, ...
 02256  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\221A+\37\370\374g\356[\204l\202\234V\245\253+\344\355\362\245q;Bq\6\35\314\256Q-E?1[\211\324|u\264z\257\256\273\346\9\37.0\14\2\5\334\20\224\360\302\21\33\335\251}\356v\320+^])+\242\277m\375u%\213u^", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\221A+\37\370\374g\356[\204l\202\234V\245\253+\344\355\362\245q;Bq\6\35\314\256Q-E?1[\211\324|u\264z\257\256\273\346\9\37.0\14\2\5\334\20\224\360\302\21\33\335\251}\356v\320+^])+\242\277m\375u%\213u^", 80, ... , 80, ...
 02255  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1664,Tid=1636,}, 0x0, ) == 0x0
 02256  1580   NtSetValueKey  ... ) == 0x0
 02257  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58016, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\200\6\0\0d\6\0\0" ...  ...
 02258  1580   NtClose  (-2147481344, ...
 02257  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58017, 0}  ... {28, 56, reply, 0, 1664, 1972, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\200\6\0\0d\6\0\0" )  ) == 0x0
 02258  1580   NtClose  ... ) == 0x0
 02227  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\315-Z"\260(\347\363\360\221V\253YS>\214PW!\2\5s;y\221}\205\264M\235\252%\224\3157LZ\270\245\247\11\3445\37w\17c\202\356i$\210\213\14\234\370\235\211.\373Z\377+[1\3\241\177\22\356\276\304\327\215\242\336>\16N\340\231\360\30\6\254|\272\262\366R\215\200\242\374\37\247\367\215\26\0\341,\317\350\17\17\375[\3402\256\216f\250\247#N\323\33\200\361\26E\213<\326\322\275\222\310\275\36\360\5\361\177\360xG\341\370B\26\232\35132\306\375`mb\277\32\257\367Q,\22\206\342t\324\303\223o\351\312\320\263*;w\23\225d\253\271P6\376\331[+\365\372\216\240\12\241"\375\211>\206\266\324\2452\2\216\345`\352F.\25#@\15t\202\317\274\342\16\271-\263\256\225V\262\37)B\335\275N\220C\205\263|\302y\353nI\251\347\376\222Va\2\204\360\11\316\361`/\271\2440", ) \260(\347\363\360\221V\253YS>\214PW!\2\5s;y\221}\205\264M\235\252%\224\3157LZ\270\245\247\11\3445\37w\17c\202\356i$\210\213\14\234\370\235\211.\373Z\377+[1\3\241\177\22\356\276\304\327\215\242\336>\16N\340\231\360\30\6\254|\272\262\366R\215\200\242\374\37\247\367\215\26\0\341,\317\350\17\17\375[\3402\256\216f\250\247#N\323\33\200\361\26E\213<\326\322\275\222\310\275\36\360\5\361\177\360xG\341\370B\26\232\35132\306\375`mb\277\32\257\367Q,\22\206\342t\324\303\223o\351\312\320\263*;w\23\225d\253\271P6\376\331[+\365\372\216\240\12\241 ... {status=0x0, info=256}, "\315-Z"\260(\347\363\360\221V\253YS>\214PW!\2\5s;y\221}\205\264M\235\252%\224\3157LZ\270\245\247\11\3445\37w\17c\202\356i$\210\213\14\234\370\235\211.\373Z\377+[1\3\241\177\22\356\276\304\327\215\242\336>\16N\340\231\360\30\6\254|\272\262\366R\215\200\242\374\37\247\367\215\26\0\341,\317\350\17\17\375[\3402\256\216f\250\247#N\323\33\200\361\26E\213<\326\322\275\222\310\275\36\360\5\361\177\360xG\341\370B\26\232\35132\306\375`mb\277\32\257\367Q,\22\206\342t\324\303\223o\351\312\320\263*;w\23\225d\253\271P6\376\331[+\365\372\216\240\12\241"\375\211>\206\266\324\2452\2\216\345`\352F.\25#@\15t\202\317\274\342\16\271-\263\256\225V\262\37)B\335\275N\220C\205\263|\302y\353nI\251\347\376\222Va\2\204\360\11\316\361`/\271\2440", ) , ) == 0x0
 02259  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 720, ) == 0x0
 02260  1580   NtSetEventBoostPriority  (564, ...
 02046   464   NtWaitForSingleObject  ... ) == 0x0
 02261   464   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 02262   464   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 02263   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 724, ) == 0x0
 02264   464   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ...
 02260  1580   NtSetEventBoostPriority  ... ) == 0x0
 02265  1580   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199596, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199596, 188, ...
 02266  1972   NtResumeThread  (716, ... 1, ) == 0x0
 02267  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85458944, 1048576, ) == 0x0
 02268  1972   NtAllocateVirtualMemory  (-1, 86499328, 0, 8192, 4096, 4, ... 86499328, 8192, ) == 0x0
 02264   464   NtConnectPort  ... 728, 0x0, 0x0, 0x0, 188, ) == 0x0
 02265  1580   NtConnectPort  ... 732, 0x0, 0x0, 0x0, 188, ) == 0x0
 02269  1636   NtTestAlert  (...
 02270   464   NtRequestWaitReplyPort  (728, {200, 224, new_msg, 0, 2883626, 1356488, 12, 2}  (728, {200, 224, new_msg, 0, 2883626, 1356488, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\253\273o\201>c\6\13 r\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\370q\25\0\324&C\355x\1\24\0\30r\25\0h\1\24\0\0\0\0\0\0\0\0\0\30r\25\0P\0\0\0 r\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 02271  1580   NtRequestWaitReplyPort  (732, {200, 224, new_msg, 0, 1390776, 12, 2, 1310721}  (732, {200, 224, new_msg, 0, 1390776, 12, 2, 1310721} "\0\0\0\0\274\0\0\0\2149\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\363\0`6t\21uppr\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\0\\25\0\214S\26ix\1\24\0hr\25\0h\1\24\0\0\0\0\0\0\0\0\0hr\25\0P\0\0\0pr\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\347\0\372\31\221|\200\363\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02269  1636   NtTestAlert  ... ) == 0x0
 02272  1636   NtContinue  (85458224, 1, ...
 02273  1636   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02270   464   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1664, 464, 58020, 0}  ... {200, 224, reply, 0, 1664, 464, 58020, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\253\273o\201>c\6\13 r\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\370q\25\0\324&C\355x\1\24\0\30r\25\0h\1\24\0\0\0\0\0\0\0\0\0\30r\25\0P\0\0\0 r\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02271  1580   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1664, 1580, 58021, 0}  ... {200, 224, reply, 0, 1664, 1580, 58021, 0} "\7\0\0\0\274\0\0\0\2149\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\363\0`6t\21uppr\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\0\\25\0\214S\26ix\1\24\0hr\25\0h\1\24\0\0\0\0\0\0\0\0\0hr\25\0P\0\0\0pr\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\347\0\372\31\221|\200\363\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02274  1972   NtProtectVirtualMemory  (-1, (0x527e000), 4096, 260, ...
 02275   464   NtRequestWaitReplyPort  (728, {44, 68, new_msg, 56, 0, 0, 0, 0}  (728, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\320s\25\0\322\0\0\0" ...  ...
 02276  1580   NtRequestWaitReplyPort  (732, {44, 68, new_msg, 0, 1664, 1580, 58000, 0}  (732, {44, 68, new_msg, 0, 1664, 1580, 58000, 0} "\1\356\0\0A\2\4\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02274  1972   NtProtectVirtualMemory  ... (0x527e000), 4096, 4, ) == 0x0
 02277  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1664, 624}, ) == 0x0
 02278  1972   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1664,Tid=624,}, 0x0, ) == 0x0
 02279  1636   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02275   464   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1664, 464, 58022, 0}  ... {40, 64, reply, 0, 1664, 464, 58022, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 02279  1636   NtDuplicateObject  ... 740, ) == 0x0
 02280   464   NtRequestWaitReplyPort  (728, {64, 88, new_msg, 56, 1310720, 11006452, 1405896, 0}  (728, {64, 88, new_msg, 56, 1310720, 11006452, 1405896, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\20u\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02281  1636   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02282  1636   NtWaitForSingleObject  (128, 0, 0x0, ...
 02280   464   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1664, 464, 58024, 0}  ... {64, 88, reply, 56, 1664, 464, 58024, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\20u\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02283  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58017, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\200\6\0\0p\2\0\0" ...  ...
 02276  1580   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1664, 1580, 58023, 0}  ... {40, 64, reply, 0, 1664, 1580, 58023, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02284   464   NtRequestWaitReplyPort  (728, {44, 68, new_msg, 56, 1664, 464, 58022, 0}  (728, {44, 68, new_msg, 56, 1664, 464, 58022, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\320s\25\0\322\0\0\0" ...  ...
 02283  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58025, 0}  ... {28, 56, reply, 0, 1664, 1972, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\200\6\0\0p\2\0\0" )  ) == 0x0
 02285  1580   NtRequestWaitReplyPort  (732, {64, 88, new_msg, 56, 1385080, 15200108, 15200208, 0}  (732, {64, 88, new_msg, 56, 1385080, 15200108, 15200208, 0} "\10\357\347\0@\0\25\0\346\277\347w\320\357\347\0l\357\347\0\20\0\0\0\250.\362v\354"\25\0\1\0\0\0\240}\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\10\14\25\0" ... \25\0\1\0\0\0\240}\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\10\14\25\0" ...
 02286  1972   NtResumeThread  (736, ... 1, ) == 0x0
 02287  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02285  1580   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1664, 1580, 58027, 0}  ... {64, 88, reply, 56, 1664, 1580, 58027, 0} "\10\357\347\0@\0\25\0\346\277\347w\320\357\347\0l\357\347\0\20\0\0\0\250.\362v\354"\25\0\1\0\0\0\240}\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\10\14\25\0" ) \25\0\1\0\0\0\240}\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\10\14\25\0" ) == 0x0
 02284   464   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1664, 464, 58026, 0}  ... {40, 64, reply, 0, 1664, 464, 58026, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02288   624   NtTestAlert  (...
 02289  1580   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ...
 02290   464   NtWaitForSingleObject  (332, 0, 0x0, ...
 02288   624   NtTestAlert  ... ) == 0x0
 02289  1580   NtAllocateVirtualMemory  ... 1409024, 4096, ) == 0x0
 02291   624   NtContinue  (86506800, 1, ...
 02287  1972   NtAllocateVirtualMemory  ... 86507520, 1048576, ) == 0x0
 02292   624   NtRegisterThreadTerminatePort  (24, ...
 02293  1972   NtAllocateVirtualMemory  (-1, 87547904, 0, 8192, 4096, 4, ...
 02292   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02293  1972   NtAllocateVirtualMemory  ... 87547904, 8192, ) == 0x0
 02294  1580   NtSetEventBoostPriority  (332, ...
 02295  1972   NtProtectVirtualMemory  (-1, (0x537e000), 4096, 260, ...
 02290   464   NtWaitForSingleObject  ... ) == 0x0
 02294  1580   NtSetEventBoostPriority  ... ) == 0x0
 02296   464   NtRequestWaitReplyPort  (728, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (728, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\08\200\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02295  1972   NtProtectVirtualMemory  ... (0x537e000), 4096, 4, ) == 0x0
 02297  1580   NtClose  (720, ...
 02298  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02297  1580   NtClose  ... ) == 0x0
 02299   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02296   464   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1664, 464, 58028, 0}  ... {64, 88, reply, 56, 1664, 464, 58028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\08\200\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02300  1580   NtClose  (732, ...
 02299   624   NtDuplicateObject  ... 720, ) == 0x0
 02301   464   NtRequestWaitReplyPort  (728, {44, 68, new_msg, 56, 1664, 464, 58026, 0}  (728, {44, 68, new_msg, 56, 1664, 464, 58026, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\320s\25\0\322\0\0\0" ...  ...
 02300  1580   NtClose  ... ) == 0x0
 02302   624   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02301   464   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1664, 464, 58030, 0}  ... {40, 64, reply, 0, 1664, 464, 58030, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" )  ) == 0x0
 02298  1972   NtCreateThread  ... 732, {1664, 1948}, ) == 0x0
 02302   624   NtWaitForSingleObject  ... ) == 0x102
 02303   464   NtRequestWaitReplyPort  (728, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (728, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0(\214\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02304  1972   NtQueryInformationThread  (732, Basic, 28, ...
 02305   624   NtWaitForSingleObject  (128, 0, 0x0, ...
 02304  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1664,Tid=1948,}, 0x0, ) == 0x0
 02306  1580   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02307  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58025, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\200\6\0\0\234\7\0\0" ...  ...
 02306  1580   NtCreateKey  ... 744, 2, ) == 0x0
 02307  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58032, 0}  ... {28, 56, reply, 0, 1664, 1972, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\200\6\0\0\234\7\0\0" )  ) == 0x0
 02308  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02303   464   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1664, 464, 58031, 0}  ... {64, 88, reply, 56, 1664, 464, 58031, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0(\214\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02308  1580   NtOpenKey  ... 748, ) == 0x0
 02309   464   NtClose  (724, ...
 02310  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02309   464   NtClose  ... ) == 0x0
 02310  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02311   464   NtClose  (728, ...
 02312  1972   NtResumeThread  (732, ...
 02311   464   NtClose  ... ) == 0x0
 02312  1972   NtResumeThread  ... 1, ) == 0x0
 02313   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02314  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02315  1580   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02316  1948   NtTestAlert  (...
 02314  1972   NtAllocateVirtualMemory  ... 87556096, 1048576, ) == 0x0
 02315  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02316  1948   NtTestAlert  ... ) == 0x0
 02317  1972   NtAllocateVirtualMemory  (-1, 88596480, 0, 8192, 4096, 4, ...
 02318  1580   NtQueryValueKey  (744,  (744, "Domain", Partial, 144, ... , Partial, 144, ...
 02319  1948   NtContinue  (87555376, 1, ...
 02317  1972   NtAllocateVirtualMemory  ... 88596480, 8192, ) == 0x0
 02318  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02320  1948   NtRegisterThreadTerminatePort  (24, ...
 02313   464   NtCreateEvent  ... 728, ) == 0x0
 02321  1580   NtQueryValueKey  (744,  (744, "Domain", Partial, 144, ... , Partial, 144, ...
 02320  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 02322   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 02321  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02323  1972   NtProtectVirtualMemory  (-1, (0x547e000), 4096, 260, ...
 02322   464   NtOpenKey  ... 724, ) == 0x0
 02324  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02323  1972   NtProtectVirtualMemory  ... (0x547e000), 4096, 4, ) == 0x0
 02325   464   NtOpenKey  (0x20019, {24, 724, 0x40, 0, 0,  (0x20019, {24, 724, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 02324  1948   NtDuplicateObject  ... 752, ) == 0x0
 02326  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02325   464   NtOpenKey  ... 756, ) == 0x0
 02327  1948   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02326  1972   NtCreateThread  ... 760, {1664, 468}, ) == 0x0
 02328   464   NtQueryValueKey  (756,  (756, "ComputerName", Full, 108, ... , Full, 108, ...
 02327  1948   NtWaitForSingleObject  ... ) == 0x102
 02329  1972   NtQueryInformationThread  (760, Basic, 28, ...
 02330  1580   NtClose  (744, ...
 02331  1948   NtWaitForSingleObject  (128, 0, 0x0, ...
 02329  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1664,Tid=468,}, 0x0, ) == 0x0
 02330  1580   NtClose  ... ) == 0x0
 02328   464   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02332  1580   NtClose  (748, ...
 02333   464   NtClose  (756, ...
 02332  1580   NtClose  ... ) == 0x0
 02333   464   NtClose  ... ) == 0x0
 02334  1580   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02335   464   NtClose  (724, ...
 02334  1580   NtOpenKey  ... 756, ) == 0x0
 02335   464   NtClose  ... ) == 0x0
 02336  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58032, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\200\6\0\0\324\1\0\0" ...  ...
 02337   464   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 02336  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58035, 0}  ... {28, 56, reply, 0, 1664, 1972, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\200\6\0\0\324\1\0\0" )  ) == 0x0
 02338  1580   NtQueryValueKey  (756,  (756, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02339  1972   NtResumeThread  (760, ...
 02338  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02339  1972   NtResumeThread  ... 1, ) == 0x0
 02340  1580   NtClose  (756, ...
 02341  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02340  1580   NtClose  ... ) == 0x0
 02337   464   NtCreateIoCompletion  ... 756, ) == 0x0
 02342   468   NtTestAlert  (...
 02343  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15199184, ... }, 15199184, ...
 02344   464   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 02342   468   NtTestAlert  ... ) == 0x0
 02343  1580   NtQueryAttributesFile  ... ) == 0x0
 02344   464   NtCreateIoCompletion  ... 724, ) == 0x0
 02341  1972   NtAllocateVirtualMemory  ... 88604672, 1048576, ) == 0x0
 02345   468   NtContinue  (88603952, 1, ...
 02346   464   NtDuplicateObject  (-1, 756, -1, 0x0, 0, 2, ...
 02347  1972   NtAllocateVirtualMemory  (-1, 89645056, 0, 8192, 4096, 4, ...
 02348   468   NtRegisterThreadTerminatePort  (24, ...
 02346   464   NtDuplicateObject  ... 748, ) == 0x0
 02347  1972   NtAllocateVirtualMemory  ... 89645056, 8192, ) == 0x0
 02348   468   NtRegisterThreadTerminatePort  ... ) == 0x0
 02349   464   NtOpenThreadToken  (-2, 0xc, 1, ...
 02350  1972   NtProtectVirtualMemory  (-1, (0x557e000), 4096, 260, ...
 02351   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02352  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02350  1972   NtProtectVirtualMemory  ... (0x557e000), 4096, 4, ) == 0x0
 02351   468   NtDuplicateObject  ... 744, ) == 0x0
 02352  1580   NtOpenFile  ... 764, {status=0x0, info=1}, ) == 0x0
 02353  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02354   468   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02355  1580   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 764, ...
 02349   464   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02353  1972   NtCreateThread  ... 768, {1664, 380}, ) == 0x0
 02355  1580   NtCreateSection  ... 772, ) == 0x0
 02356   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02357  1972   NtQueryInformationThread  (768, Basic, 28, ...
 02358  1580   NtClose  (764, ...
 02356   464   NtCreateEvent  ... 776, ) == 0x0
 02357  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1664,Tid=380,}, 0x0, ) == 0x0
 02358  1580   NtClose  ... ) == 0x0
 02359   464   NtOpenThreadToken  (-2, 0xc, 1, ...
 02360  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58035, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\200\6\0\0|\1\0\0" ...  ...
 02354   468   NtWaitForSingleObject  ... ) == 0x102
 02359   464   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02360  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58036, 0}  ... {28, 56, reply, 0, 1664, 1972, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\200\6\0\0|\1\0\0" )  ) == 0x0
 02361   468   NtWaitForSingleObject  (128, 0, 0x0, ...
 02362   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02363  1580   NtMapViewOfSection  (772, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02364  1972   NtResumeThread  (768, ...
 02363  1580   NtMapViewOfSection  ... (0x850000), 0x0, 20480, ) == 0x0
 02364  1972   NtResumeThread  ... 1, ) == 0x0
 02365  1580   NtClose  (772, ...
 02366  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02365  1580   NtClose  ... ) == 0x0
 02366  1972   NtAllocateVirtualMemory  ... 89653248, 1048576, ) == 0x0
 02367  1972   NtAllocateVirtualMemory  (-1, 90693632, 0, 8192, 4096, 4, ... 90693632, 8192, ) == 0x0
 02368  1972   NtProtectVirtualMemory  (-1, (0x567e000), 4096, 260, ... (0x567e000), 4096, 4, ) == 0x0
 02369  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02370  1580   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 02371  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15199492, ... ) }, 15199492, ... ) == 0x0
 02372  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 772, {status=0x0, info=1}, ) }, 5, 96, ... 772, {status=0x0, info=1}, ) == 0x0
 02373  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 772, ... 764, ) == 0x0
 02374  1580   NtQuerySection  (764, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02375  1580   NtClose  (772, ...
 02369  1972   NtCreateThread  ... 780, {1664, 1692}, ) == 0x0
 02362   464   NtSetInformationThread  ... ) == 0x0
 02376   380   NtWaitForSingleObject  (96, 0, 0x0, ...
 02377  1972   NtQueryInformationThread  (780, Basic, 28, ...
 02378   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11006144,  (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02377  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1664,Tid=1692,}, 0x0, ) == 0x0
 02378   464   NtCreateFile  ... 784, {status=0x0, info=1}, ) == 0x0
 02375  1580   NtClose  ... ) == 0x0
 02379   464   NtSetInformationFile  (784, 11006200, 8, Pipe, ...
 02380  1580   NtMapViewOfSection  (764, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02379   464   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02380  1580   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02381   464   NtSetInformationFile  (784, 11006188, 8, Completion, ...
 02382  1580   NtClose  (764, ...
 02383  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58036, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\200\6\0\0\234\6\0\0" ...  ...
 02382  1580   NtClose  ... ) == 0x0
 02383  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58037, 0}  ... {28, 56, reply, 0, 1664, 1972, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\200\6\0\0\234\6\0\0" )  ) == 0x0
 02384  1580   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02385  1972   NtResumeThread  (780, ...
 02381   464   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02385  1972   NtResumeThread  ... 1, ) == 0x0
 02386   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02387  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02386   464   NtSetInformationThread  ... ) == 0x0
 02384  1580   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02388  1692   NtWaitForSingleObject  (96, 0, 0x0, ...
 02389   464   NtWriteFile  (784, 449, 0, 0,  (784, 449, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02390  1580   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02389   464   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02390  1580   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02391   464   NtReadFile  (784, 449, 0, 0, 1024, {0, 0}, 0, ...
 02392  1580   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02387  1972   NtAllocateVirtualMemory  ... 90701824, 1048576, ) == 0x0
 02391   464   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02393  1972   NtAllocateVirtualMemory  (-1, 91742208, 0, 8192, 4096, 4, ...
 02394   464   NtFsControlFile  (784, 449, 0x0, 0x0, 0x11c017,  (784, 449, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02393  1972   NtAllocateVirtualMemory  ... 91742208, 8192, ) == 0x0
 02394   464   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02395  1972   NtProtectVirtualMemory  (-1, (0x577e000), 4096, 260, ...
 02396   464   NtFsControlFile  (784, 449, 0x0, 0x0, 0x11c017,  (784, 449, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0\310\216\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02395  1972   NtProtectVirtualMemory  ... (0x577e000), 4096, 4, ) == 0x0
 02396   464   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , ) == 0x103
 02397  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02398   464   NtFsControlFile  (784, 449, 0x0, 0x0, 0x11c017,  (784, 449, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... , 44, 1024, ...
 02392  1580   NtFlushInstructionCache  ... ) == 0x0
 02397  1972   NtCreateThread  ... 764, {1664, 1792}, ) == 0x0
 02399  1580   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02400  1972   NtQueryInformationThread  (764, Basic, 28, ...
 02399  1580   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02400  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1664,Tid=1792,}, 0x0, ) == 0x0
 02401  1580   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02402  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58037, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\200\6\0\0\0\7\0\0" ...  ...
 02401  1580   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02402  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58038, 0}  ... {28, 56, reply, 0, 1664, 1972, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\200\6\0\0\0\7\0\0" )  ) == 0x0
 02403  1580   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02398   464   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\340i\25\0\1\0\0\0\354i\25\0 \0\0\0\1\0\0\0\30\0\32\0\370i\25\0\24j\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0Hj\25\0\1\0\0\0\5\0i\0Xj\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02404  1972   NtResumeThread  (764, ...
 02405   464   NtClose  (776, ...
 02404  1972   NtResumeThread  ... 1, ) == 0x0
 02405   464   NtClose  ... ) == 0x0
 02406  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02407   464   NtClose  (784, ...
 02406  1972   NtAllocateVirtualMemory  ... 91750400, 1048576, ) == 0x0
 02408  1972   NtAllocateVirtualMemory  (-1, 92790784, 0, 8192, 4096, 4, ... 92790784, 8192, ) == 0x0
 02409  1972   NtProtectVirtualMemory  (-1, (0x587e000), 4096, 260, ... (0x587e000), 4096, 4, ) == 0x0
 02410  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1664, 784}, ) == 0x0
 02411  1972   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1664,Tid=784,}, 0x0, ) == 0x0
 02403  1580   NtFlushInstructionCache  ... ) == 0x0
 02412  1792   NtWaitForSingleObject  (96, 0, 0x0, ...
 02407   464   NtClose  ... ) == 0x0
 02413  1580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 02414   464   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1390776, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1390776, 0x0, 11008068, 188, ...
 02413  1580   NtOpenSection  ... 776, ) == 0x0
 02415  1580   NtMapViewOfSection  (776, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02416  1580   NtClose  (776, ...
 02414   464   NtSecureConnectPort  ... 772, 0x0, 0x0, 0x0, 188, ) == 0x0
 02417  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58038, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\200\6\0\0\20\3\0\0" ...  ...
 02418   464   NtOpenThreadToken  (-2, 0xc, 1, ...
 02417  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58040, 0}  ... {28, 56, reply, 0, 1664, 1972, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\200\6\0\0\20\3\0\0" )  ) == 0x0
 02418   464   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02419  1972   NtResumeThread  (784, ...
 02416  1580   NtClose  ... ) == 0x0
 02419  1972   NtResumeThread  ... 1, ) == 0x0
 02420  1580   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02421  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02420  1580   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02422   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02423   784   NtWaitForSingleObject  (96, 0, 0x0, ...
 02424  1580   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02422   464   NtSetInformationThread  ... ) == 0x0
 02424  1580   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02425   464   NtRequestWaitReplyPort  (772, {200, 224, new_msg, 0, 1356488, 12, 2, 1310977}  (772, {200, 224, new_msg, 0, 1356488, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\244\212a\201:4\355\30\314\366\301\326d\14\235\222\12\0\0\0g\244\34\371\353\0\341p\0\0\0\00\202\25\0\16\375\32\354z9\14\334(\0\0\0O\372\0g\0\0\24\0\240\366\247\0\345\270\211\365\0\0\0\0 r\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02426  1580   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 02425   464   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1664, 464, 58041, 0}  ... {200, 224, reply, 0, 1664, 464, 58041, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\244\212a\201:4\355\30\314\366\301\326d\14\235\222\12\0\0\0g\244\34\371\353\0\341p\0\0\0\00\202\25\0\16\375\32\354z9\14\334(\0\0\0O\372\0g\0\0\24\0\240\366\247\0\345\270\211\365\0\0\0\0 r\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02421  1972   NtAllocateVirtualMemory  ... 92798976, 1048576, ) == 0x0
 02427   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02428  1972   NtAllocateVirtualMemory  (-1, 93839360, 0, 8192, 4096, 4, ...
 02426  1580   NtFlushInstructionCache  ... ) == 0x0
 02428  1972   NtAllocateVirtualMemory  ... 93839360, 8192, ) == 0x0
 02429  1580   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02430  1972   NtProtectVirtualMemory  (-1, (0x597e000), 4096, 260, ...
 02429  1580   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02430  1972   NtProtectVirtualMemory  ... (0x597e000), 4096, 4, ) == 0x0
 02431  1580   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02432  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02431  1580   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02427   464   NtSetInformationThread  ... ) == 0x0
 02433  1580   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 02434   464   NtRequestWaitReplyPort  (772, {56, 80, new_msg, 0, 44, 3, 20, 0}  (772, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\215\373FC\227[\347p\214Nse\1\0\0\0\0\0\0\0&\0(\0\\2\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02432  1972   NtCreateThread  ... 776, {1664, 1520}, ) == 0x0
 02435  1972   NtQueryInformationThread  (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1664,Tid=1520,}, 0x0, ) == 0x0
 02436  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58040, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\6\0\0\360\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\6\0\0\360\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58043, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\6\0\0\360\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\6\0\0\360\5\0\0" )  ) == 0x0
 02433  1580   NtFlushInstructionCache  ... ) == 0x0
 02437  1580   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02438  1580   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02439  1580   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02440  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02441  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 788, ) == 0x0
 02442  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ...
 02443  1972   NtResumeThread  (776, ... 1, ) == 0x0
 02444  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93847552, 1048576, ) == 0x0
 02445  1972   NtAllocateVirtualMemory  (-1, 94887936, 0, 8192, 4096, 4, ... 94887936, 8192, ) == 0x0
 02446  1972   NtProtectVirtualMemory  (-1, (0x5a7e000), 4096, 260, ... (0x5a7e000), 4096, 4, ) == 0x0
 02447  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {1664, 1696}, ) == 0x0
 02448  1972   NtQueryInformationThread  (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1664,Tid=1696,}, 0x0, ) == 0x0
 02442  1580   NtOpenKey  ... 796, ) == 0x0
 02449  1520   NtWaitForSingleObject  (96, 0, 0x0, ...
 02434   464   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1664, 464, 58042, 0}  ... {44, 68, reply, 0, 1664, 464, 58042, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02450  1580   NtQueryValueKey  (796,  (796, "LdapClientIntegrity", Partial, 144, ... , Partial, 144, ...
 02451   464   NtRaiseException  (11008528, 11007788, 1, ...
 02450  1580   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02452   464   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02453  1580   NtClose  (796, ...
 02454  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58043, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\200\6\0\0\240\6\0\0" ...  ...
 02453  1580   NtClose  ... ) == 0x0
 02454  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58044, 0}  ... {28, 56, reply, 0, 1664, 1972, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\200\6\0\0\240\6\0\0" )  ) == 0x0
 02455  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ...
 02456  1972   NtResumeThread  (792, ...
 02452   464   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02456  1972   NtResumeThread  ... 1, ) == 0x0
 02457   464   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02458  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02457   464   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02455  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02459  1696   NtWaitForSingleObject  (96, 0, 0x0, ...
 02460   464   NtContinue  (11006756, 0, ...
 02461  1580   NtQueryPerformanceCounter  (... {925242143, 10}, {3579545, 0}, ) == 0x0
 02462  1580   NtSetEventBoostPriority  (96, ...
 02458  1972   NtAllocateVirtualMemory  ... 94896128, 1048576, ) == 0x0
 02463  1972   NtAllocateVirtualMemory  (-1, 95936512, 0, 8192, 4096, 4, ... 95936512, 8192, ) == 0x0
 02464  1972   NtProtectVirtualMemory  (-1, (0x5b7e000), 4096, 260, ... (0x5b7e000), 4096, 4, ) == 0x0
 02465  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 796, {1664, 1744}, ) == 0x0
 02466  1972   NtQueryInformationThread  (796, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1664,Tid=1744,}, 0x0, ) == 0x0
 02467  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58044, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\6\0\0\320\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\6\0\0\320\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58045, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\6\0\0\320\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\6\0\0\320\6\0\0" )  ) == 0x0
 02376   380   NtWaitForSingleObject  ... ) == 0x0
 02462  1580   NtSetEventBoostPriority  ... ) == 0x0
 02468   464   NtDeviceIoControlFile  (604, 108, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02469   380   NtSetEventBoostPriority  (96, ...
 02470  1580   NtWaitForSingleObject  (96, 0, 0x0, ...
 02468   464   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02388  1692   NtWaitForSingleObject  ... ) == 0x0
 02469   380   NtSetEventBoostPriority  ... ) == 0x0
 02471  1692   NtSetEventBoostPriority  (96, ...
 02472   464   NtWaitForSingleObject  (108, 1, {-5000000, -1}, ...
 02473  1972   NtResumeThread  (796, ...
 02412  1792   NtWaitForSingleObject  ... ) == 0x0
 02471  1692   NtSetEventBoostPriority  ... ) == 0x0
 02474  1792   NtSetEventBoostPriority  (96, ...
 02473  1972   NtResumeThread  ... 1, ) == 0x0
 02475   380   NtTestAlert  (...
 02423   784   NtWaitForSingleObject  ... ) == 0x0
 02474  1792   NtSetEventBoostPriority  ... ) == 0x0
 02476  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02477   784   NtSetEventBoostPriority  (96, ...
 02475   380   NtTestAlert  ... ) == 0x0
 02478  1692   NtTestAlert  (...
 02479  1744   NtWaitForSingleObject  (96, 0, 0x0, ...
 02449  1520   NtWaitForSingleObject  ... ) == 0x0
 02477   784   NtSetEventBoostPriority  ... ) == 0x0
 02476  1972   NtAllocateVirtualMemory  ... 95944704, 1048576, ) == 0x0
 02480   380   NtContinue  (89652528, 1, ...
 02478  1692   NtTestAlert  ... ) == 0x0
 02481  1520   NtAllocateVirtualMemory  (-1, 8810496, 0, 4096, 4096, 4, ...
 02482  1792   NtTestAlert  (...
 02483  1972   NtAllocateVirtualMemory  (-1, 96985088, 0, 8192, 4096, 4, ...
 02484   380   NtRegisterThreadTerminatePort  (24, ...
 02481  1520   NtAllocateVirtualMemory  ... 8810496, 4096, ) == 0x0
 02485  1692   NtContinue  (90701104, 1, ...
 02482  1792   NtTestAlert  ... ) == 0x0
 02483  1972   NtAllocateVirtualMemory  ... 96985088, 8192, ) == 0x0
 02484   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02486   784   NtTestAlert  (...
 02487  1692   NtRegisterThreadTerminatePort  (24, ...
 02488  1792   NtContinue  (91749680, 1, ...
 02489  1520   NtSetEventBoostPriority  (96, ...
 02490   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02486   784   NtTestAlert  ... ) == 0x0
 02487  1692   NtRegisterThreadTerminatePort  ... ) == 0x0
 02491  1792   NtRegisterThreadTerminatePort  (24, ...
 02459  1696   NtWaitForSingleObject  ... ) == 0x0
 02489  1520   NtSetEventBoostPriority  ... ) == 0x0
 02492  1972   NtProtectVirtualMemory  (-1, (0x5c7e000), 4096, 260, ...
 02493   784   NtContinue  (92798256, 1, ...
 02494  1692   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02495  1696   NtSetEventBoostPriority  (96, ...
 02491  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02496  1520   NtTestAlert  (...
 02492  1972   NtProtectVirtualMemory  ... (0x5c7e000), 4096, 4, ) == 0x0
 02497   784   NtRegisterThreadTerminatePort  (24, ...
 02490   380   NtDuplicateObject  ... 800, ) == 0x0
 02470  1580   NtWaitForSingleObject  ... ) == 0x0
 02495  1696   NtSetEventBoostPriority  ... ) == 0x0
 02498  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02496  1520   NtTestAlert  ... ) == 0x0
 02499  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02497   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 02500  1580   NtSetEventBoostPriority  (96, ...
 02501   380   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02494  1692   NtDuplicateObject  ... 804, ) == 0x0
 02502  1696   NtTestAlert  (...
 02503  1520   NtContinue  (93846832, 1, ...
 02499  1972   NtCreateThread  ... 808, {1664, 1124}, ) == 0x0
 02479  1744   NtWaitForSingleObject  ... ) == 0x0
 02500  1580   NtSetEventBoostPriority  ... ) == 0x0
 02504   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02501   380   NtWaitForSingleObject  ... ) == 0x102
 02505  1692   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02502  1696   NtTestAlert  ... ) == 0x0
 02506  1520   NtRegisterThreadTerminatePort  (24, ...
 02507  1744   NtTestAlert  (...
 02508  1972   NtQueryInformationThread  (808, Basic, 28, ...
 02498  1792   NtDuplicateObject  ... 812, ) == 0x0
 02509  1580   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02510   380   NtWaitForSingleObject  (128, 0, 0x0, ...
 02505  1692   NtWaitForSingleObject  ... ) == 0x102
 02511  1696   NtContinue  (94895408, 1, ...
 02504   784   NtDuplicateObject  ... 816, ) == 0x0
 02507  1744   NtTestAlert  ... ) == 0x0
 02508  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1664,Tid=1124,}, 0x0, ) == 0x0
 02512  1792   NtWaitForSingleObject  (332, 0, 0x0, ...
 02509  1580   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02513  1692   NtWaitForSingleObject  (332, 0, 0x0, ...
 02514  1696   NtRegisterThreadTerminatePort  (24, ...
 02515   784   NtWaitForSingleObject  (332, 0, 0x0, ...
 02506  1520   NtRegisterThreadTerminatePort  ... ) == 0x0
 02516  1744   NtContinue  (95943984, 1, ...
 02517  1580   NtSetEventBoostPriority  (332, ...
 02514  1696   NtRegisterThreadTerminatePort  ... ) == 0x0
 02518  1520   NtWaitForSingleObject  (332, 0, 0x0, ...
 02519  1744   NtRegisterThreadTerminatePort  (24, ...
 02512  1792   NtWaitForSingleObject  ... ) == 0x0
 02517  1580   NtSetEventBoostPriority  ... ) == 0x0
 02520  1696   NtWaitForSingleObject  (332, 0, 0x0, ...
 02521  1792   NtSetEventBoostPriority  (332, ...
 02519  1744   NtRegisterThreadTerminatePort  ... ) == 0x0
 02522  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 02523  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58045, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\200\6\0\0d\4\0\0" ...  ...
 02513  1692   NtWaitForSingleObject  ... ) == 0x0
 02521  1792   NtSetEventBoostPriority  ... ) == 0x0
 02524  1744   NtWaitForSingleObject  (332, 0, 0x0, ...
 02525  1692   NtSetEventBoostPriority  (332, ...
 02523  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58046, 0}  ... {28, 56, reply, 0, 1664, 1972, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\200\6\0\0d\4\0\0" )  ) == 0x0
 02515   784   NtWaitForSingleObject  ... ) == 0x0
 02525  1692   NtSetEventBoostPriority  ... ) == 0x0
 02526   784   NtSetEventBoostPriority  (332, ...
 02527  1972   NtResumeThread  (808, ...
 02528  1792   NtWaitForSingleObject  (332, 0, 0x0, ...
 02518  1520   NtWaitForSingleObject  ... ) == 0x0
 02526   784   NtSetEventBoostPriority  ... ) == 0x0
 02527  1972   NtResumeThread  ... 1, ) == 0x0
 02529  1520   NtSetEventBoostPriority  (332, ...
 02530  1692   NtWaitForSingleObject  (128, 0, 0x0, ...
 02531  1124   NtWaitForSingleObject  (332, 0, 0x0, ...
 02522  1580   NtWaitForSingleObject  ... ) == 0x0
 02529  1520   NtSetEventBoostPriority  ... ) == 0x0
 02532  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02533  1580   NtSetEventBoostPriority  (332, ...
 02534   784   NtWaitForSingleObject  (332, 0, 0x0, ...
 02535  1520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02520  1696   NtWaitForSingleObject  ... ) == 0x0
 02533  1580   NtSetEventBoostPriority  ... ) == 0x0
 02536  1696   NtSetEventBoostPriority  (332, ...
 02535  1520   NtDuplicateObject  ... 820, ) == 0x0
 02532  1972   NtAllocateVirtualMemory  ... 96993280, 1048576, ) == 0x0
 02524  1744   NtWaitForSingleObject  ... ) == 0x0
 02537  1520   NtWaitForSingleObject  (332, 0, 0x0, ...
 02538  1972   NtAllocateVirtualMemory  (-1, 98033664, 0, 8192, 4096, 4, ...
 02539  1744   NtSetEventBoostPriority  (332, ...
 02538  1972   NtAllocateVirtualMemory  ... 98033664, 8192, ) == 0x0
 02528  1792   NtWaitForSingleObject  ... ) == 0x0
 02539  1744   NtSetEventBoostPriority  ... ) == 0x0
 02540  1792   NtSetEventBoostPriority  (332, ...
 02541  1972   NtProtectVirtualMemory  (-1, (0x5d7e000), 4096, 260, ...
 02536  1696   NtSetEventBoostPriority  ... ) == 0x0
 02542  1580   NtWaitForSingleObject  (96, 0, 0x0, ...
 02531  1124   NtWaitForSingleObject  ... ) == 0x0
 02540  1792   NtSetEventBoostPriority  ... ) == 0x0
 02541  1972   NtProtectVirtualMemory  ... (0x5d7e000), 4096, 4, ) == 0x0
 02543  1696   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02544  1124   NtSetEventBoostPriority  (332, ...
 02545  1792   NtWaitForSingleObject  (332, 0, 0x0, ...
 02546  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02534   784   NtWaitForSingleObject  ... ) == 0x0
 02544  1124   NtSetEventBoostPriority  ... ) == 0x0
 02543  1696   NtDuplicateObject  ... 824, ) == 0x0
 02547  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02548   784   NtSetEventBoostPriority  (332, ...
 02546  1972   NtCreateThread  ... 828, {1664, 1496}, ) == 0x0
 02549  1124   NtSetEventBoostPriority  (96, ...
 02537  1520   NtWaitForSingleObject  ... ) == 0x0
 02548   784   NtSetEventBoostPriority  ... ) == 0x0
 02547  1744   NtDuplicateObject  ... 832, ) == 0x0
 02550  1972   NtQueryInformationThread  (828, Basic, 28, ...
 02551  1520   NtSetEventBoostPriority  (332, ...
 02542  1580   NtWaitForSingleObject  ... ) == 0x0
 02549  1124   NtSetEventBoostPriority  ... ) == 0x0
 02552   784   NtWaitForSingleObject  (332, 0, 0x0, ...
 02553  1744   NtWaitForSingleObject  (332, 0, 0x0, ...
 02545  1792   NtWaitForSingleObject  ... ) == 0x0
 02554  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15199184, ... }, 15199184, ...
 02551  1520   NtSetEventBoostPriority  ... ) == 0x0
 02550  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1664,Tid=1496,}, 0x0, ) == 0x0
 02555  1124   NtTestAlert  (...
 02556  1696   NtWaitForSingleObject  (332, 0, 0x0, ...
 02557  1792   NtSetEventBoostPriority  (332, ...
 02554  1580   NtQueryAttributesFile  ... ) == 0x0
 02558  1520   NtWaitForSingleObject  (332, 0, 0x0, ...
 02555  1124   NtTestAlert  ... ) == 0x0
 02553  1744   NtWaitForSingleObject  ... ) == 0x0
 02559  1580   NtQuerySystemInformation  (Basic, 44, ...
 02560  1124   NtContinue  (96992560, 1, ...
 02561  1744   NtSetEventBoostPriority  (332, ...
 02557  1792   NtSetEventBoostPriority  ... ) == 0x0
 02562  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58046, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\200\6\0\0\330\5\0\0" ...  ...
 02563  1124   NtRegisterThreadTerminatePort  (24, ...
 02552   784   NtWaitForSingleObject  ... ) == 0x0
 02561  1744   NtSetEventBoostPriority  ... ) == 0x0
 02564  1792   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02562  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58047, 0}  ... {28, 56, reply, 0, 1664, 1972, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\200\6\0\0\330\5\0\0" )  ) == 0x0
 02559  1580   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02565   784   NtSetEventBoostPriority  (332, ...
 02563  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 02566  1972   NtResumeThread  (828, ...
 02556  1696   NtWaitForSingleObject  ... ) == 0x0
 02567  1580   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02568  1124   NtWaitForSingleObject  (332, 0, 0x0, ...
 02566  1972   NtResumeThread  ... 1, ) == 0x0
 02569  1696   NtSetEventBoostPriority  (332, ...
 02567  1580   NtAllocateVirtualMemory  ... 8716288, 65536, ) == 0x0
 02570  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02558  1520   NtWaitForSingleObject  ... ) == 0x0
 02569  1696   NtSetEventBoostPriority  ... ) == 0x0
 02571  1580   NtAllocateVirtualMemory  (-1, 8716288, 0, 4096, 4096, 4, ...
 02565   784   NtSetEventBoostPriority  ... ) == 0x0
 02572  1744   NtWaitForSingleObject  (332, 0, 0x0, ...
 02564  1792   NtWaitForSingleObject  ... ) == 0x102
 02573  1496   NtWaitForSingleObject  (332, 0, 0x0, ...
 02574  1520   NtSetEventBoostPriority  (332, ...
 02575  1696   NtWaitForSingleObject  (332, 0, 0x0, ...
 02571  1580   NtAllocateVirtualMemory  ... 8716288, 4096, ) == 0x0
 02576   784   NtWaitForSingleObject  (380, 0, 0x0, ...
 02577  1792   NtWaitForSingleObject  (128, 0, 0x0, ...
 02568  1124   NtWaitForSingleObject  ... ) == 0x0
 02574  1520   NtSetEventBoostPriority  ... ) == 0x0
 02570  1972   NtAllocateVirtualMemory  ... 98041856, 1048576, ) == 0x0
 02578  1580   NtWaitForSingleObject  (380, 0, 0x0, ...
 02579  1124   NtSetEventBoostPriority  (332, ...
 02580  1520   NtWaitForSingleObject  (332, 0, 0x0, ...
 02581  1972   NtAllocateVirtualMemory  (-1, 99082240, 0, 8192, 4096, 4, ...
 02572  1744   NtWaitForSingleObject  ... ) == 0x0
 02579  1124   NtSetEventBoostPriority  ... ) == 0x0
 02582  1744   NtSetEventBoostPriority  (332, ...
 02581  1972   NtAllocateVirtualMemory  ... 99082240, 8192, ) == 0x0
 02573  1496   NtWaitForSingleObject  ... ) == 0x0
 02582  1744   NtSetEventBoostPriority  ... ) == 0x0
 02583  1496   NtSetEventBoostPriority  (332, ...
 02584  1972   NtProtectVirtualMemory  (-1, (0x5e7e000), 4096, 260, ...
 02575  1696   NtWaitForSingleObject  ... ) == 0x0
 02583  1496   NtSetEventBoostPriority  ... ) == 0x0
 02585  1744   NtSetEventBoostPriority  (380, ...
 02586  1696   NtSetEventBoostPriority  (332, ...
 02584  1972   NtProtectVirtualMemory  ... (0x5e7e000), 4096, 4, ) == 0x0
 02587  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02588  1496   NtTestAlert  (...
 02580  1520   NtWaitForSingleObject  ... ) == 0x0
 02589  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02587  1124   NtDuplicateObject  ... 836, ) == 0x0
 02588  1496   NtTestAlert  ... ) == 0x0
 02590  1520   NtWaitForSingleObject  (380, 0, 0x0, ...
 02586  1696   NtSetEventBoostPriority  ... ) == 0x0
 02576   784   NtWaitForSingleObject  ... ) == 0x0
 02585  1744   NtSetEventBoostPriority  ... ) == 0x0
 02591  1124   NtWaitForSingleObject  (380, 0, 0x0, ...
 02592  1496   NtContinue  (98041136, 1, ...
 02593  1696   NtWaitForSingleObject  (380, 0, 0x0, ...
 02594   784   NtSetEventBoostPriority  (380, ...
 02595  1744   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02596  1496   NtRegisterThreadTerminatePort  (24, ...
 02578  1580   NtWaitForSingleObject  ... ) == 0x0
 02594   784   NtSetEventBoostPriority  ... ) == 0x0
 02595  1744   NtWaitForSingleObject  ... ) == 0x102
 02597  1580   NtSetEventBoostPriority  (380, ...
 02596  1496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02589  1972   NtCreateThread  ... 840, {1664, 168}, ) == 0x0
 02590  1520   NtWaitForSingleObject  ... ) == 0x0
 02598  1744   NtWaitForSingleObject  (128, 0, 0x0, ...
 02599  1496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02600  1972   NtQueryInformationThread  (840, Basic, 28, ...
 02601  1520   NtSetEventBoostPriority  (380, ...
 02597  1580   NtSetEventBoostPriority  ... ) == 0x0
 02602   784   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02600  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1664,Tid=168,}, 0x0, ) == 0x0
 02591  1124   NtWaitForSingleObject  ... ) == 0x0
 02603  1580   NtAllocateVirtualMemory  (-1, 8720384, 0, 8192, 4096, 4, ...
 02602   784   NtWaitForSingleObject  ... ) == 0x102
 02604  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58047, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\200\6\0\0\250\0\0\0" ...  ...
 02605  1124   NtSetEventBoostPriority  (380, ...
 02603  1580   NtAllocateVirtualMemory  ... 8720384, 8192, ) == 0x0
 02606   784   NtWaitForSingleObject  (128, 0, 0x0, ...
 02604  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58048, 0}  ... {28, 56, reply, 0, 1664, 1972, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\200\6\0\0\250\0\0\0" )  ) == 0x0
 02593  1696   NtWaitForSingleObject  ... ) == 0x0
 02605  1124   NtSetEventBoostPriority  ... ) == 0x0
 02601  1520   NtSetEventBoostPriority  ... ) == 0x0
 02599  1496   NtDuplicateObject  ... 844, ) == 0x0
 02607  1580   NtWaitForSingleObject  (380, 0, 0x0, ...
 02608  1696   NtSetEventBoostPriority  (380, ...
 02609  1972   NtResumeThread  (840, ...
 02610  1124   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02611  1496   NtWaitForSingleObject  (380, 0, 0x0, ...
 02608  1696   NtSetEventBoostPriority  ... ) == 0x0
 02607  1580   NtWaitForSingleObject  ... ) == 0x0
 02609  1972   NtResumeThread  ... 1, ) == 0x0
 02610  1124   NtWaitForSingleObject  ... ) == 0x102
 02612  1520   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02613   168   NtTestAlert  (...
 02614  1580   NtSetEventBoostPriority  (380, ...
 02615  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02616  1124   NtWaitForSingleObject  (128, 0, 0x0, ...
 02612  1520   NtWaitForSingleObject  ... ) == 0x102
 02613   168   NtTestAlert  ... ) == 0x0
 02611  1496   NtWaitForSingleObject  ... ) == 0x0
 02614  1580   NtSetEventBoostPriority  ... ) == 0x0
 02615  1972   NtAllocateVirtualMemory  ... 99090432, 1048576, ) == 0x0
 02617  1520   NtWaitForSingleObject  (128, 0, 0x0, ...
 02618  1496   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02619   168   NtContinue  (99089712, 1, ...
 02620  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15199184, ... }, 15199184, ...
 02621  1972   NtAllocateVirtualMemory  (-1, 100130816, 0, 8192, 4096, 4, ...
 02622   168   NtRegisterThreadTerminatePort  (24, ...
 02623  1696   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02618  1496   NtWaitForSingleObject  ... ) == 0x102
 02621  1972   NtAllocateVirtualMemory  ... 100130816, 8192, ) == 0x0
 02622   168   NtRegisterThreadTerminatePort  ... ) == 0x0
 02623  1696   NtWaitForSingleObject  ... ) == 0x102
 02624  1496   NtWaitForSingleObject  (128, 0, 0x0, ...
 02620  1580   NtQueryAttributesFile  ... ) == 0x0
 02625  1972   NtProtectVirtualMemory  (-1, (0x5f7e000), 4096, 260, ...
 02626  1696   NtWaitForSingleObject  (128, 0, 0x0, ...
 02627  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ...
 02625  1972   NtProtectVirtualMemory  ... (0x5f7e000), 4096, 4, ) == 0x0
 02627  1580   NtOpenFile  ... 848, {status=0x0, info=1}, ) == 0x0
 02628  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02629  1580   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 848, ...
 02628  1972   NtCreateThread  ... 852, {1664, 1284}, ) == 0x0
 02629  1580   NtCreateSection  ... 856, ) == 0x0
 02630  1972   NtQueryInformationThread  (852, Basic, 28, ...
 02631  1580   NtClose  (848, ...
 02630  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1664,Tid=1284,}, 0x0, ) == 0x0
 02632   168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02631  1580   NtClose  ... ) == 0x0
 02632   168   NtDuplicateObject  ... 848, ) == 0x0
 02633  1580   NtMapViewOfSection  (856, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02634   168   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02633  1580   NtMapViewOfSection  ... (0x5f80000), 0x0, 110592, ) == 0x0
 02634   168   NtWaitForSingleObject  ... ) == 0x102
 02635  1580   NtClose  (856, ...
 02636   168   NtWaitForSingleObject  (128, 0, 0x0, ...
 02635  1580   NtClose  ... ) == 0x0
 02637  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58048, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\6\0\0\4\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\6\0\0\4\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58049, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\6\0\0\4\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\6\0\0\4\5\0\0" )  ) == 0x0
 02638  1972   NtResumeThread  (852, ... 1, ) == 0x0
 02639  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 100270080, 1048576, ) == 0x0
 02640  1972   NtAllocateVirtualMemory  (-1, 101310464, 0, 8192, 4096, 4, ... 101310464, 8192, ) == 0x0
 02641  1972   NtProtectVirtualMemory  (-1, (0x609e000), 4096, 260, ... (0x609e000), 4096, 4, ) == 0x0
 02642  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02643  1580   NtUnmapViewOfSection  (-1, 0x5f80000, ...
 02644  1284   NtWaitForSingleObject  (96, 0, 0x0, ...
 02643  1580   NtUnmapViewOfSection  ... ) == 0x0
 02645  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15199492, ... ) }, 15199492, ... ) == 0x0
 02646  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 856, {status=0x0, info=1}, ) }, 5, 96, ... 856, {status=0x0, info=1}, ) == 0x0
 02647  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 856, ... 860, ) == 0x0
 02648  1580   NtQuerySection  (860, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02649  1580   NtClose  (856, ...
 02642  1972   NtCreateThread  ... 864, {1664, 1268}, ) == 0x0
 02650  1972   NtQueryInformationThread  (864, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1664,Tid=1268,}, 0x0, ) == 0x0
 02651  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58049, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\6\0\0\364\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\6\0\0\364\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58050, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\6\0\0\364\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\6\0\0\364\4\0\0" )  ) == 0x0
 02652  1972   NtResumeThread  (864, ... 1, ) == 0x0
 02653  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 101318656, 1048576, ) == 0x0
 02654  1972   NtAllocateVirtualMemory  (-1, 102359040, 0, 8192, 4096, 4, ... 102359040, 8192, ) == 0x0
 02649  1580   NtClose  ... ) == 0x0
 02655  1268   NtWaitForSingleObject  (96, 0, 0x0, ...
 02656  1580   NtMapViewOfSection  (860, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02657  1580   NtClose  (860, ... ) == 0x0
 02658  1580   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02659  1580   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02660  1580   NtFlushInstructionCache  (-1, 1964838912, 224, ...
 02661  1972   NtProtectVirtualMemory  (-1, (0x619e000), 4096, 260, ... (0x619e000), 4096, 4, ) == 0x0
 02662  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 860, {1664, 840}, ) == 0x0
 02663  1972   NtQueryInformationThread  (860, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1664,Tid=840,}, 0x0, ) == 0x0
 02664  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58050, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\6\0\0H\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\6\0\0H\3\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58051, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\6\0\0H\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\6\0\0H\3\0\0" )  ) == 0x0
 02665  1972   NtResumeThread  (860, ... 1, ) == 0x0
 02666  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02660  1580   NtFlushInstructionCache  ... ) == 0x0
 02667   840   NtWaitForSingleObject  (96, 0, 0x0, ...
 02668  1580   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02669  1580   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02670  1580   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02671  1580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02672  1580   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02673  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15198668, ... }, 15198668, ...
 02666  1972   NtAllocateVirtualMemory  ... 102367232, 1048576, ) == 0x0
 02674  1972   NtAllocateVirtualMemory  (-1, 103407616, 0, 8192, 4096, 4, ... 103407616, 8192, ) == 0x0
 02675  1972   NtProtectVirtualMemory  (-1, (0x629e000), 4096, 260, ... (0x629e000), 4096, 4, ) == 0x0
 02676  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 856, {1664, 1336}, ) == 0x0
 02677  1972   NtQueryInformationThread  (856, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1664,Tid=1336,}, 0x0, ) == 0x0
 02678  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58051, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\6\0\08\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\6\0\08\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58052, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\6\0\08\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\6\0\08\5\0\0" )  ) == 0x0
 02679  1972   NtResumeThread  (856, ... 1, ) == 0x0
 02680  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 103415808, 1048576, ) == 0x0
 02681  1972   NtAllocateVirtualMemory  (-1, 104456192, 0, 8192, 4096, 4, ... 104456192, 8192, ) == 0x0
 02682  1336   NtWaitForSingleObject  (96, 0, 0x0, ...
 02683  1972   NtProtectVirtualMemory  (-1, (0x639e000), 4096, 260, ... (0x639e000), 4096, 4, ) == 0x0
 02684  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 868, {1664, 1200}, ) == 0x0
 02685  1972   NtQueryInformationThread  (868, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1664,Tid=1200,}, 0x0, ) == 0x0
 02686  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58052, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\6\0\0\260\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\6\0\0\260\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58053, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\6\0\0\260\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\6\0\0\260\4\0\0" )  ) == 0x0
 02687  1972   NtResumeThread  (868, ... 1, ) == 0x0
 02688  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02689  1200   NtWaitForSingleObject  (96, 0, 0x0, ...
 02688  1972   NtAllocateVirtualMemory  ... 104464384, 1048576, ) == 0x0
 02690  1972   NtAllocateVirtualMemory  (-1, 105504768, 0, 8192, 4096, 4, ... 105504768, 8192, ) == 0x0
 02691  1972   NtProtectVirtualMemory  (-1, (0x649e000), 4096, 260, ... (0x649e000), 4096, 4, ) == 0x0
 02692  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02673  1580   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02693  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15198668, ... ) }, 15198668, ... ) == 0x0
 02694  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 872, {status=0x0, info=1}, ) }, 5, 96, ... 872, {status=0x0, info=1}, ) == 0x0
 02695  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 872, ... 876, ) == 0x0
 02696  1580   NtQuerySection  (876, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02692  1972   NtCreateThread  ... 880, {1664, 1920}, ) == 0x0
 02697  1972   NtQueryInformationThread  (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1664,Tid=1920,}, 0x0, ) == 0x0
 02698  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58053, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\6\0\0\200\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\6\0\0\200\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58054, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\6\0\0\200\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\6\0\0\200\7\0\0" )  ) == 0x0
 02699  1972   NtResumeThread  (880, ... 1, ) == 0x0
 02700  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 105512960, 1048576, ) == 0x0
 02701  1972   NtAllocateVirtualMemory  (-1, 106553344, 0, 8192, 4096, 4, ... 106553344, 8192, ) == 0x0
 02702  1580   NtClose  (872, ...
 02703  1920   NtWaitForSingleObject  (96, 0, 0x0, ...
 02702  1580   NtClose  ... ) == 0x0
 02704  1580   NtMapViewOfSection  (876, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02705  1580   NtClose  (876, ... ) == 0x0
 02706  1580   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02707  1580   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02708  1580   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02709  1972   NtProtectVirtualMemory  (-1, (0x659e000), 4096, 260, ... (0x659e000), 4096, 4, ) == 0x0
 02710  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 876, {1664, 896}, ) == 0x0
 02711  1972   NtQueryInformationThread  (876, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1664,Tid=896,}, 0x0, ) == 0x0
 02712  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58054, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58055, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1664, 1972, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\6\0\0\200\3\0\0" )  ) == 0x0
 02713  1972   NtResumeThread  (876, ... 1, ) == 0x0
 02714  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02715  1580   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ...
 02716   896   NtWaitForSingleObject  (96, 0, 0x0, ...
 02715  1580   NtProtectVirtualMemory  ... (0x77921000), 4096, 32, ) == 0x0
 02717  1580   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02718  1580   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02719  1580   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02720  1580   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02721  1580   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02714  1972   NtAllocateVirtualMemory  ... 106561536, 1048576, ) == 0x0
 02722  1972   NtAllocateVirtualMemory  (-1, 107601920, 0, 8192, 4096, 4, ... 107601920, 8192, ) == 0x0
 02723  1972   NtProtectVirtualMemory  (-1, (0x669e000), 4096, 260, ... (0x669e000), 4096, 4, ) == 0x0
 02724  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 872, {1664, 2016}, ) == 0x0
 02725  1972   NtQueryInformationThread  (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1664,Tid=2016,}, 0x0, ) == 0x0
 02726  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58055, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\6\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58056, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\6\0\0\340\7\0\0" )  ) == 0x0
 02727  1580   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02728  1580   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02729  1580   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02730  1580   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02731  1580   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02732  1580   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02733  1972   NtResumeThread  (872, ... 1, ) == 0x0
 02734  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 107610112, 1048576, ) == 0x0
 02735  1972   NtAllocateVirtualMemory  (-1, 108650496, 0, 8192, 4096, 4, ... 108650496, 8192, ) == 0x0
 02736  1972   NtProtectVirtualMemory  (-1, (0x679e000), 4096, 260, ... (0x679e000), 4096, 4, ) == 0x0
 02737  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 884, {1664, 2012}, ) == 0x0
 02738  1972   NtQueryInformationThread  (884, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1664,Tid=2012,}, 0x0, ) == 0x0
 02739  1580   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ...
 02740  2016   NtWaitForSingleObject  (96, 0, 0x0, ...
 02739  1580   NtProtectVirtualMemory  ... (0x751d1000), 4096, 32, ) == 0x0
 02741  1580   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02742  1580   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02743  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58056, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\6\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58057, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1664, 1972, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\6\0\0\334\7\0\0" )  ) == 0x0
 02744  1972   NtResumeThread  (884, ... 1, ) == 0x0
 02745  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02746  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... }, ...
 02747  2012   NtWaitForSingleObject  (96, 0, 0x0, ...
 02746  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748  1580   NtQueryDefaultUILanguage  (2090319928, ...
 02749  1580   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02750  1580   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481344, ) == 0x0
 02751  1580   NtQueryInformationToken  (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02752  1580   NtClose  (-2147481344, ...
 02745  1972   NtAllocateVirtualMemory  ... 108658688, 1048576, ) == 0x0
 02753  1972   NtAllocateVirtualMemory  (-1, 109699072, 0, 8192, 4096, 4, ... 109699072, 8192, ) == 0x0
 02754  1972   NtProtectVirtualMemory  (-1, (0x689e000), 4096, 260, ... (0x689e000), 4096, 4, ) == 0x0
 02755  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 888, {1664, 1604}, ) == 0x0
 02756  1972   NtQueryInformationThread  (888, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1664,Tid=1604,}, 0x0, ) == 0x0
 02757  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58057, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\6\0\0D\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\6\0\0D\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58058, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\6\0\0D\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\6\0\0D\6\0\0" )  ) == 0x0
 02752  1580   NtClose  ... ) == 0x0
 02758  1580   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... -2147481344, ) == 0x0
 02759  1580   NtOpenKey  (0x80000000, {24, -2147481344, 0x240, 0, 0,  (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02760  1580   NtOpenKey  (0x80000000, {24, -2147481344, 0x640, 0, 0,  (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 02761  1580   NtQueryValueKey  (-2147482132,  (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762  1580   NtClose  (-2147482132, ... ) == 0x0
 02763  1580   NtClose  (-2147481344, ...
 02764  1972   NtResumeThread  (888, ... 1, ) == 0x0
 02765  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 109707264, 1048576, ) == 0x0
 02766  1972   NtAllocateVirtualMemory  (-1, 110747648, 0, 8192, 4096, 4, ... 110747648, 8192, ) == 0x0
 02767  1972   NtProtectVirtualMemory  (-1, (0x699e000), 4096, 260, ... (0x699e000), 4096, 4, ) == 0x0
 02768  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 892, {1664, 1572}, ) == 0x0
 02769  1972   NtQueryInformationThread  (892, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1664,Tid=1572,}, 0x0, ) == 0x0
 02763  1580   NtClose  ... ) == 0x0
 02770  1604   NtWaitForSingleObject  (96, 0, 0x0, ...
 02748  1580   NtQueryDefaultUILanguage  ... ) == 0x0
 02771  1580   NtAllocateVirtualMemory  (-1, 15187968, 0, 4096, 4096, 260, ... 15187968, 4096, ) == 0x0
 02772  1580   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02773  1580   NtQueryDefaultLocale  (1, 15199388, ... ) == 0x0
 02774  1580   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02775  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 896, ) }, ... 896, ) == 0x0
 02776  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58058, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\6\0\0$\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\6\0\0$\6\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58059, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\6\0\0$\6\0\0" ... {28, 56, reply, 0, 1664, 1972, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\6\0\0$\6\0\0" )  ) == 0x0
 02777  1972   NtResumeThread  (892, ... 1, ) == 0x0
 02778  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110755840, 1048576, ) == 0x0
 02779  1972   NtAllocateVirtualMemory  (-1, 111796224, 0, 8192, 4096, 4, ... 111796224, 8192, ) == 0x0
 02780  1972   NtProtectVirtualMemory  (-1, (0x6a9e000), 4096, 260, ... (0x6a9e000), 4096, 4, ) == 0x0
 02781  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02782  1580   NtQueryValueKey  (896,  (896, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ...
 02783  1572   NtWaitForSingleObject  (96, 0, 0x0, ...
 02782  1580   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02784  1580   NtClose  (896, ... ) == 0x0
 02785  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 896, ) == 0x0
 02786  1580   NtCallbackReturn  (0, 0, 0, ...
 02787  1580   NtUserGetProcessWindowStation  (... ) == 0x20
 02788  1580   NtUserGetObjectInformation  (32, 1, 15198984, 12, 15198996, ... ) == 0x1
 02789  1580   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... }, ...
 02781  1972   NtCreateThread  ... 900, {1664, 596}, ) == 0x0
 02790  1972   NtQueryInformationThread  (900, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1664,Tid=596,}, 0x0, ) == 0x0
 02791  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58059, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\6\0\0T\2\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58060, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1664, 1972, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\6\0\0T\2\0\0" )  ) == 0x0
 02792  1972   NtResumeThread  (900, ... 1, ) == 0x0
 02793  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 111804416, 1048576, ) == 0x0
 02794  1972   NtAllocateVirtualMemory  (-1, 112844800, 0, 8192, 4096, 4, ... 112844800, 8192, ) == 0x0
 02789  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02795   596   NtWaitForSingleObject  (96, 0, 0x0, ...
 02796  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 904, ) }, ... 904, ) == 0x0
 02797  1580   NtQueryValueKey  (904,  (904, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (904, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02798  1580   NtClose  (904, ... ) == 0x0
 02799  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 904, ) }, ... 904, ) == 0x0
 02800  1580   NtQueryValueKey  (904,  (904, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (904, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02801  1580   NtQueryValueKey  (904,  (904, "OsLoaderPath", Partial, 144, ... , Partial, 144, ...
 02802  1972   NtProtectVirtualMemory  (-1, (0x6b9e000), 4096, 260, ... (0x6b9e000), 4096, 4, ) == 0x0
 02803  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 908, {1664, 376}, ) == 0x0
 02804  1972   NtQueryInformationThread  (908, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1664,Tid=376,}, 0x0, ) == 0x0
 02805  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58060, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\6\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58061, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\6\0\0x\1\0\0" )  ) == 0x0
 02806  1972   NtResumeThread  (908, ... 1, ) == 0x0
 02807  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02801  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02808   376   NtWaitForSingleObject  (96, 0, 0x0, ...
 02809  1580   NtClose  (904, ... ) == 0x0
 02810  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 904, ) }, ... 904, ) == 0x0
 02811  1580   NtQueryValueKey  (904,  (904, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (904, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02812  1580   NtQueryValueKey  (904,  (904, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (904, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02813  1580   NtClose  (904, ... ) == 0x0
 02814  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02807  1972   NtAllocateVirtualMemory  ... 112852992, 1048576, ) == 0x0
 02815  1972   NtAllocateVirtualMemory  (-1, 113893376, 0, 8192, 4096, 4, ... 113893376, 8192, ) == 0x0
 02816  1972   NtProtectVirtualMemory  (-1, (0x6c9e000), 4096, 260, ... (0x6c9e000), 4096, 4, ) == 0x0
 02817  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 904, {1664, 1168}, ) == 0x0
 02818  1972   NtQueryInformationThread  (904, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1664,Tid=1168,}, 0x0, ) == 0x0
 02819  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58061, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58062, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\6\0\0\220\4\0\0" )  ) == 0x0
 02814  1580   NtOpenKey  ... 912, ) == 0x0
 02820  1580   NtQueryValueKey  (912,  (912, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (912, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02821  1580   NtQueryValueKey  (912,  (912, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (912, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02822  1580   NtClose  (912, ... ) == 0x0
 02823  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 912, ) }, ... 912, ) == 0x0
 02824  1580   NtQueryValueKey  (912,  (912, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (912, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02825  1580   NtQueryValueKey  (912,  (912, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ...
 02826  1972   NtResumeThread  (904, ... 1, ) == 0x0
 02827  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 113901568, 1048576, ) == 0x0
 02828  1972   NtAllocateVirtualMemory  (-1, 114941952, 0, 8192, 4096, 4, ... 114941952, 8192, ) == 0x0
 02829  1972   NtProtectVirtualMemory  (-1, (0x6d9e000), 4096, 260, ... (0x6d9e000), 4096, 4, ) == 0x0
 02830  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 916, {1664, 428}, ) == 0x0
 02831  1972   NtQueryInformationThread  (916, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1664,Tid=428,}, 0x0, ) == 0x0
 02825  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02832  1168   NtWaitForSingleObject  (96, 0, 0x0, ...
 02833  1580   NtClose  (912, ... ) == 0x0
 02834  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 912, ) }, ... 912, ) == 0x0
 02835  1580   NtQueryValueKey  (912,  (912, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (912, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02836  1580   NtQueryValueKey  (912,  (912, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (912, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02837  1580   NtClose  (912, ... ) == 0x0
 02838  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02839  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58062, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58063, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1664, 1972, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\6\0\0\254\1\0\0" )  ) == 0x0
 02840  1972   NtResumeThread  (916, ... 1, ) == 0x0
 02841  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 114950144, 1048576, ) == 0x0
 02842  1972   NtAllocateVirtualMemory  (-1, 115990528, 0, 8192, 4096, 4, ... 115990528, 8192, ) == 0x0
 02843  1972   NtProtectVirtualMemory  (-1, (0x6e9e000), 4096, 260, ... (0x6e9e000), 4096, 4, ) == 0x0
 02844  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02838  1580   NtOpenKey  ... 912, ) == 0x0
 02845   428   NtWaitForSingleObject  (96, 0, 0x0, ...
 02846  1580   NtQueryValueKey  (912,  (912, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (912, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02847  1580   NtQueryValueKey  (912,  (912, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (912, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02848  1580   NtClose  (912, ... ) == 0x0
 02849  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 912, ) }, ... 912, ) == 0x0
 02850  1580   NtQueryValueKey  (912,  (912, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02851  1580   NtQueryValueKey  (912,  (912, "DevicePath", Partial, 346, ... , Partial, 346, ...
 02844  1972   NtCreateThread  ... 920, {1664, 1344}, ) == 0x0
 02852  1972   NtQueryInformationThread  (920, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1664,Tid=1344,}, 0x0, ) == 0x0
 02853  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58063, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\6\0\0@\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\6\0\0@\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58064, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\6\0\0@\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\6\0\0@\5\0\0" )  ) == 0x0
 02854  1972   NtResumeThread  (920, ... 1, ) == 0x0
 02855  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 115998720, 1048576, ) == 0x0
 02856  1972   NtAllocateVirtualMemory  (-1, 117039104, 0, 8192, 4096, 4, ... 117039104, 8192, ) == 0x0
 02851  1580   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02857  1344   NtWaitForSingleObject  (96, 0, 0x0, ...
 02858  1580   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 02859  1580   NtClose  (912, ... ) == 0x0
 02860  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 912, ) == 0x0
 02861  1580   NtCreateMutant  (0x1f0001, 0x0, 0, ... 924, ) == 0x0
 02862  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 928, ) == 0x0
 02863  1580   NtCreateMutant  (0x1f0001, 0x0, 0, ...
 02864  1972   NtProtectVirtualMemory  (-1, (0x6f9e000), 4096, 260, ... (0x6f9e000), 4096, 4, ) == 0x0
 02865  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 932, {1664, 1300}, ) == 0x0
 02866  1972   NtQueryInformationThread  (932, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1664,Tid=1300,}, 0x0, ) == 0x0
 02867  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58064, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58065, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1664, 1972, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\6\0\0\24\5\0\0" )  ) == 0x0
 02868  1972   NtResumeThread  (932, ... 1, ) == 0x0
 02869  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02863  1580   NtCreateMutant  ... 936, ) == 0x0
 02870  1300   NtWaitForSingleObject  (96, 0, 0x0, ...
 02871  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 940, ) == 0x0
 02872  1580   NtCreateMutant  (0x1f0001, 0x0, 0, ... 944, ) == 0x0
 02873  1580   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 948, ) }, ... 948, ) == 0x0
 02874  1580   NtQueryValueKey  (948,  (948, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (948, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02875  1580   NtQueryValueKey  (948,  (948, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (948, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02876  1580   NtQueryValueKey  (948,  (948, "LogPath", Partial, 144, ... , Partial, 144, ...
 02869  1972   NtAllocateVirtualMemory  ... 117047296, 1048576, ) == 0x0
 02877  1972   NtAllocateVirtualMemory  (-1, 118087680, 0, 8192, 4096, 4, ... 118087680, 8192, ) == 0x0
 02878  1972   NtProtectVirtualMemory  (-1, (0x709e000), 4096, 260, ... (0x709e000), 4096, 4, ) == 0x0
 02879  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {1664, 1096}, ) == 0x0
 02880  1972   NtQueryInformationThread  (952, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1664,Tid=1096,}, 0x0, ) == 0x0
 02881  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58065, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58066, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1664, 1972, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\6\0\0H\4\0\0" )  ) == 0x0
 02876  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02882  1580   NtOpenKey  (0x1, {24, 948, 0x40, 0, 0,  (0x1, {24, 948, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02883  1580   NtClose  (948, ... ) == 0x0
 02884  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15198900, ... ) }, 15198900, ... ) == 0x0
 02885  1580   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 948, ) }, ... 948, ) == 0x0
 02886  1580   NtQueryValueKey  (948,  (948, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (948, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (948, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02887  1580   NtClose  (948, ...
 02888  1972   NtResumeThread  (952, ... 1, ) == 0x0
 02889  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 118095872, 1048576, ) == 0x0
 02890  1972   NtAllocateVirtualMemory  (-1, 119136256, 0, 8192, 4096, 4, ... 119136256, 8192, ) == 0x0
 02891  1972   NtProtectVirtualMemory  (-1, (0x719e000), 4096, 260, ... (0x719e000), 4096, 4, ) == 0x0
 02892  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 956, {1664, 252}, ) == 0x0
 02893  1972   NtQueryInformationThread  (956, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1664,Tid=252,}, 0x0, ) == 0x0
 02887  1580   NtClose  ... ) == 0x0
 02894  1096   NtWaitForSingleObject  (96, 0, 0x0, ...
 02895  1580   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 948, ) }, ... 948, ) == 0x0
 02896  1580   NtQueryValueKey  (948,  (948, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (948, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (948, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02897  1580   NtClose  (948, ... ) == 0x0
 02898  1580   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02899  1580   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 948, ) }, ... 948, ) == 0x0
 02900  1580   NtQueryValueKey  (948,  (948, "Domain", Full, 128, ... , Full, 128, ...
 02901  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58066, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1664, 1972, 58067, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1664, 1972, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\6\0\0\374\0\0\0" )  ) == 0x0
 02902  1972   NtResumeThread  (956, ... 1, ) == 0x0
 02903  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 119144448, 1048576, ) == 0x0
 02904  1972   NtAllocateVirtualMemory  (-1, 120184832, 0, 8192, 4096, 4, ... 120184832, 8192, ) == 0x0
 02905  1972   NtProtectVirtualMemory  (-1, (0x729e000), 4096, 260, ... (0x729e000), 4096, 4, ) == 0x0
 02906  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02900  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02907   252   NtWaitForSingleObject  (96, 0, 0x0, ...
 02908  1580   NtClose  (948, ... ) == 0x0
 02909  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02910  1580   NtSetEventBoostPriority  (96, ...
 02644  1284   NtWaitForSingleObject  ... ) == 0x0
 02911  1284   NtSetEventBoostPriority  (96, ...
 02655  1268   NtWaitForSingleObject  ... ) == 0x0
 02912  1268   NtSetEventBoostPriority  (96, ...
 02667   840   NtWaitForSingleObject  ... ) == 0x0
 02913   840   NtSetEventBoostPriority  (96, ...
 02682  1336   NtWaitForSingleObject  ... ) == 0x0
 02914  1336   NtSetEventBoostPriority  (96, ...
 02689  1200   NtWaitForSingleObject  ... ) == 0x0
 02915  1200   NtSetEventBoostPriority  (96, ...
 02703  1920   NtWaitForSingleObject  ... ) == 0x0
 02916  1920   NtSetEventBoostPriority  (96, ...
 02716   896   NtWaitForSingleObject  ... ) == 0x0
 02917   896   NtSetEventBoostPriority  (96, ...
 02740  2016   NtWaitForSingleObject  ... ) == 0x0
 02918  2016   NtSetEventBoostPriority  (96, ...
 02747  2012   NtWaitForSingleObject  ... ) == 0x0
 02919  2012   NtSetEventBoostPriority  (96, ...
 02770  1604   NtWaitForSingleObject  ... ) == 0x0
 02920  1604   NtSetEventBoostPriority  (96, ...
 02783  1572   NtWaitForSingleObject  ... ) == 0x0
 02921  1572   NtSetEventBoostPriority  (96, ...
 02795   596   NtWaitForSingleObject  ... ) == 0x0
 02922   596   NtSetEventBoostPriority  (96, ...
 02808   376   NtWaitForSingleObject  ... ) == 0x0
 02923   376   NtSetEventBoostPriority  (96, ...
 02832  1168   NtWaitForSingleObject  ... ) == 0x0
 02924  1168   NtSetEventBoostPriority  (96, ...
 02845   428   NtWaitForSingleObject  ... ) == 0x0
 02925   428   NtSetEventBoostPriority  (96, ...
 02857  1344   NtWaitForSingleObject  ... ) == 0x0
 02926  1344   NtSetEventBoostPriority  (96, ...
 02870  1300   NtWaitForSingleObject  ... ) == 0x0
 02927  1300   NtSetEventBoostPriority  (96, ...
 02894  1096   NtWaitForSingleObject  ... ) == 0x0
 02928  1096   NtSetEventBoostPriority  (96, ...
 02907   252   NtWaitForSingleObject  ... ) == 0x0
 02929   252   NtTestAlert  (... ) == 0x0
 02928  1096   NtSetEventBoostPriority  ... ) == 0x0
 02927  1300   NtSetEventBoostPriority  ... ) == 0x0
 02926  1344   NtSetEventBoostPriority  ... ) == 0x0
 02925   428   NtSetEventBoostPriority  ... ) == 0x0
 02924  1168   NtSetEventBoostPriority  ... ) == 0x0
 02923   376   NtSetEventBoostPriority  ... ) == 0x0
 02922   596   NtSetEventBoostPriority  ... ) == 0x0
 02921  1572   NtSetEventBoostPriority  ... ) == 0x0
 02920  1604   NtSetEventBoostPriority  ... ) == 0x0
 02919  2012   NtSetEventBoostPriority  ... ) == 0x0
 02918  2016   NtSetEventBoostPriority  ... ) == 0x0
 02917   896   NtSetEventBoostPriority  ... ) == 0x0
 02916  1920   NtSetEventBoostPriority  ... ) == 0x0
 02915  1200   NtSetEventBoostPriority  ... ) == 0x0
 02914  1336   NtSetEventBoostPriority  ... ) == 0x0
 02913   840   NtSetEventBoostPriority  ... ) == 0x0
 02912  1268   NtSetEventBoostPriority  ... ) == 0x0
 02911  1284   NtSetEventBoostPriority  ... ) == 0x0
 02910  1580   NtSetEventBoostPriority  ... ) == 0x0
 02906  1972   NtCreateThread  ... 948, {1664, 500}, ) == 0x0
 02930   252   NtContinue  (119143728, 1, ...
 02931  1096   NtTestAlert  (...
 02932  1300   NtTestAlert  (...
 02933  1344   NtTestAlert  (...
 02934   428   NtTestAlert  (...
 02935  1168   NtTestAlert  (...
 02936   376   NtTestAlert  (...
 02937   596   NtTestAlert  (...
 02938  1572   NtTestAlert  (...
 02939  1604   NtTestAlert  (...
 02940  2012   NtTestAlert  (...
 02941  2016   NtTestAlert  (...
 02942   896   NtTestAlert  (...
 02943  1920   NtTestAlert  (...
 02944  1200   NtTestAlert  (...
 02945  1336   NtTestAlert  (...
 02946   840   NtTestAlert  (...
 02947  1268   NtTestAlert  (...
 02948  1580   NtSetEventBoostPriority  (128, ...
 02949  1972   NtQueryInformationThread  (948, Basic, 28, ...
 02950   252   NtRegisterThreadTerminatePort  (24, ...
 02931  1096   NtTestAlert  ... ) == 0x0
 02932  1300   NtTestAlert  ... ) == 0x0
 02933  1344   NtTestAlert  ... ) == 0x0
 02934   428   NtTestAlert  ... ) == 0x0
 02935  1168   NtTestAlert  ... ) == 0x0
 02936   376   NtTestAlert  ... ) == 0x0
 02937   596   NtTestAlert  ... ) == 0x0
 02938  1572   NtTestAlert  ... ) == 0x0
 02939  1604   NtTestAlert  ... ) == 0x0
 02940  2012   NtTestAlert  ... ) == 0x0
 02941  2016   NtTestAlert  ... ) == 0x0
 02942   896   NtTestAlert  ... ) == 0x0
 02943  1920   NtTestAlert  ... ) == 0x0
 02944  1200   NtTestAlert  ... ) == 0x0
 02945  1336   NtTestAlert  ... ) == 0x0
 02946   840   NtTestAlert  ... ) == 0x0
 02947  1268   NtTestAlert  ... ) == 0x0
 00759   748   NtWaitForSingleObject  ... ) == 0x0
 02948  1580   NtSetEventBoostPriority  ... ) == 0x0
 02949  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1664,Tid=500,}, 0x0, ) == 0x0
 02950   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 02951  1096   NtContinue  (118095152, 1, ...
 02952  1300   NtContinue  (117046576, 1, ...
 02953  1344   NtContinue  (115998000, 1, ...
 02954   428   NtContinue  (114949424, 1, ...
 02955  1168   NtContinue  (113900848, 1, ...
 02956   376   NtContinue  (112852272, 1, ...
 02957   596   NtContinue  (111803696, 1, ...
 02958  1572   NtContinue  (110755120, 1, ...
 02959  1604   NtContinue  (109706544, 1, ...
 02960  2012   NtContinue  (108657968, 1, ...
 02961  2016   NtContinue  (107609392, 1, ...
 02962   896   NtContinue  (106560816, 1, ...
 02963  1920   NtContinue  (105512240, 1, ...
 02964  1200   NtContinue  (104463664, 1, ...
 02965  1336   NtContinue  (103415088, 1, ...
 02966   840   NtContinue  (102366512, 1, ...
 02967   748   NtSetEventBoostPriority  (128, ...
 02968  1268   NtContinue  (101317936, 1, ...
 02969  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02970  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58067, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\200\6\0\0\364\1\0\0" ...  ...
 02971   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02972  1096   NtRegisterThreadTerminatePort  (24, ...
 02973  1300   NtRegisterThreadTerminatePort  (24, ...
 02974  1344   NtRegisterThreadTerminatePort  (24, ...
 02975   428   NtRegisterThreadTerminatePort  (24, ...
 02976  1168   NtRegisterThreadTerminatePort  (24, ...
 02977   376   NtRegisterThreadTerminatePort  (24, ...
 02978   596   NtRegisterThreadTerminatePort  (24, ...
 02979  1572   NtRegisterThreadTerminatePort  (24, ...
 02980  1604   NtRegisterThreadTerminatePort  (24, ...
 02981  2012   NtRegisterThreadTerminatePort  (24, ...
 02982  2016   NtRegisterThreadTerminatePort  (24, ...
 02983   896   NtRegisterThreadTerminatePort  (24, ...
 02984  1920   NtRegisterThreadTerminatePort  (24, ...
 02985  1200   NtRegisterThreadTerminatePort  (24, ...
 02986  1336   NtRegisterThreadTerminatePort  (24, ...
 00764   484   NtWaitForSingleObject  ... ) == 0x0
 02967   748   NtSetEventBoostPriority  ... ) == 0x0
 02987   840   NtRegisterThreadTerminatePort  (24, ...
 02988  1268   NtRegisterThreadTerminatePort  (24, ...
 02969  1580   NtCreateEvent  ... 960, ) == 0x0
 02970  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58068, 0}  ... {28, 56, reply, 0, 1664, 1972, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\200\6\0\0\364\1\0\0" )  ) == 0x0
 02971   252   NtDuplicateObject  ... 964, ) == 0x0
 02972  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 02973  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 02974  1344   NtRegisterThreadTerminatePort  ... ) == 0x0
 02975   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 02976  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 02977   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 02978   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 02979  1572   NtRegisterThreadTerminatePort  ... ) == 0x0
 02980  1604   NtRegisterThreadTerminatePort  ... ) == 0x0
 02981  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 02982  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 02983   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 02984  1920   NtRegisterThreadTerminatePort  ... ) == 0x0
 02985  1200   NtRegisterThreadTerminatePort  ... ) == 0x0
 02989   484   NtSetEventBoostPriority  (128, ...
 02986  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 02990   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02987   840   NtRegisterThreadTerminatePort  ... ) == 0x0
 02988  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 02991  1580   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199412, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199412, 188, ...
 02992  1284   NtTestAlert  (...
 02993   252   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 02994  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02995  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02996  1344   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02997   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02998  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02999   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03000   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03001  1572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03002  1604   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03003  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03004  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03005   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03006  1920   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00765   860   NtWaitForSingleObject  ... ) == 0x0
 02989   484   NtSetEventBoostPriority  ... ) == 0x0
 03007  1200   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03008  1336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03009  1972   NtResumeThread  (948, ...
 03010   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03011  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02990   748   NtCreateEvent  ... 968, ) == 0x0
 02992  1284   NtTestAlert  ... ) == 0x0
 02991  1580   NtConnectPort  ... 972, 0x0, 0x0, 0x0, 188, ) == 0x0
 02993   252   NtWaitForSingleObject  ... ) == 0x102
 02994  1096   NtDuplicateObject  ... 976, ) == 0x0
 02995  1300   NtDuplicateObject  ... 980, ) == 0x0
 02996  1344   NtDuplicateObject  ... 984, ) == 0x0
 02997   428   NtDuplicateObject  ... 988, ) == 0x0
 02998  1168   NtDuplicateObject  ... 992, ) == 0x0
 02999   376   NtDuplicateObject  ... 996, ) == 0x0
 03000   596   NtDuplicateObject  ... 1000, ) == 0x0
 03001  1572   NtDuplicateObject  ... 1004, ) == 0x0
 03002  1604   NtDuplicateObject  ... 1008, ) == 0x0
 03003  2012   NtDuplicateObject  ... 1012, ) == 0x0
 03004  2016   NtDuplicateObject  ... 1016, ) == 0x0
 03005   896   NtDuplicateObject  ... 1020, ) == 0x0
 03012   860   NtSetEventBoostPriority  (128, ...
 03006  1920   NtDuplicateObject  ... 1024, ) == 0x0
 03013   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03007  1200   NtDuplicateObject  ... 1028, ) == 0x0
 03009  1972   NtResumeThread  ... 1, ) == 0x0
 03008  1336   NtDuplicateObject  ... 1032, ) == 0x0
 03010   840   NtDuplicateObject  ... 1036, ) == 0x0
 03014   500   NtTestAlert  (...
 03015   748   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 03016  1284   NtContinue  (100138288, 1, ...
 03017  1580   NtRequestWaitReplyPort  (972, {200, 224, new_msg, 0, 1391552, 12, 2, 1310721}  (972, {200, 224, new_msg, 0, 1391552, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\366\321\356\212v\371bL0\250\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\10\250\25\0\262\22\245\14x\1\24\0(\250\25\0h\1\24\0\0\0\0\0\0\0\0\0(\250\25\0P\0\0\00\250\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\347\0\372\31\221|\310\362\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 03018   252   NtWaitForSingleObject  (128, 0, 0x0, ...
 03019  1096   NtWaitForSingleObject  (332, 0, 0x0, ...
 03020  1300   NtWaitForSingleObject  (332, 0, 0x0, ...
 03021  1344   NtWaitForSingleObject  (332, 0, 0x0, ...
 03022   428   NtWaitForSingleObject  (332, 0, 0x0, ...
 03023  1168   NtWaitForSingleObject  (332, 0, 0x0, ...
 03024   376   NtWaitForSingleObject  (332, 0, 0x0, ...
 03025   596   NtWaitForSingleObject  (332, 0, 0x0, ...
 03026  1572   NtWaitForSingleObject  (332, 0, 0x0, ...
 03027  1604   NtWaitForSingleObject  (332, 0, 0x0, ...
 03028  2012   NtWaitForSingleObject  (332, 0, 0x0, ...
 03029  2016   NtWaitForSingleObject  (332, 0, 0x0, ...
 01031  1756   NtWaitForSingleObject  ... ) == 0x0
 03012   860   NtSetEventBoostPriority  ... ) == 0x0
 03030   896   NtWaitForSingleObject  (332, 0, 0x0, ...
 03031  1920   NtWaitForSingleObject  (332, 0, 0x0, ...
 03013   484   NtCreateEvent  ... 1040, ) == 0x0
 03032  1200   NtWaitForSingleObject  (332, 0, 0x0, ...
 03033  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03034  1336   NtWaitForSingleObject  (332, 0, 0x0, ...
 03035   840   NtWaitForSingleObject  (332, 0, 0x0, ...
 03014   500   NtTestAlert  ... ) == 0x0
 03015   748   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 03036  1284   NtRegisterThreadTerminatePort  (24, ...
 03017  1580   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1664, 1580, 58070, 0}  ... {200, 224, reply, 0, 1664, 1580, 58070, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\366\321\356\212v\371bL0\250\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\10\250\25\0\262\22\245\14x\1\24\0(\250\25\0h\1\24\0\0\0\0\0\0\0\0\0(\250\25\0P\0\0\00\250\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\347\0\372\31\221|\310\362\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 03037  1756   NtWaitForSingleObject  (332, 0, 0x0, ...
 03011  1268   NtDuplicateObject  ... 1044, ) == 0x0
 03038   484   NtWaitForSingleObject  (332, 0, 0x0, ...
 03033  1972   NtAllocateVirtualMemory  ... 120193024, 1048576, ) == 0x0
 03039   500   NtContinue  (120192304, 1, ...
 03040   748   NtSetEventBoostPriority  (332, ...
 03036  1284   NtRegisterThreadTerminatePort  ... ) == 0x0
 03041  1580   NtRequestWaitReplyPort  (972, {64, 88, new_msg, 0, 1664, 1580, 58023, 0}  (972, {64, 88, new_msg, 0, 1664, 1580, 58023, 0} "\1\356\0\0A\2\10\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 03042  1268   NtWaitForSingleObject  (332, 0, 0x0, ...
 03043  1972   NtAllocateVirtualMemory  (-1, 121233408, 0, 8192, 4096, 4, ...
 03044   500   NtRegisterThreadTerminatePort  (24, ...
 03019  1096   NtWaitForSingleObject  ... ) == 0x0
 03040   748   NtSetEventBoostPriority  ... ) == 0x0
 03045  1284   NtWaitForSingleObject  (332, 0, 0x0, ...
 03046   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03043  1972   NtAllocateVirtualMemory  ... 121233408, 8192, ) == 0x0
 03047  1096   NtSetEventBoostPriority  (332, ...
 03044   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 03048   748   NtWaitForSingleObject  (332, 0, 0x0, ...
 03041  1580   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1664, 1580, 58071, 0}  ... {52, 76, reply, 0, 1664, 1580, 58071, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200H\36\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 03046   860   NtCreateEvent  ... 1048, ) == 0x0
 03020  1300   NtWaitForSingleObject  ... ) == 0x0
 03047  1096   NtSetEventBoostPriority  ... ) == 0x0
 03049  1972   NtProtectVirtualMemory  (-1, (0x739e000), 4096, 260, ...
 03050   500   NtWaitForSingleObject  (332, 0, 0x0, ...
 03051  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 03052  1300   NtSetEventBoostPriority  (332, ...
 03053   860   NtWaitForSingleObject  (332, 0, 0x0, ...
 03049  1972   NtProtectVirtualMemory  ... (0x739e000), 4096, 4, ) == 0x0
 03021  1344   NtWaitForSingleObject  ... ) == 0x0
 03052  1300   NtSetEventBoostPriority  ... ) == 0x0
 03054  1344   NtSetEventBoostPriority  (332, ...
 03055  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03056  1096   NtWaitForSingleObject  (332, 0, 0x0, ...
 03022   428   NtWaitForSingleObject  ... ) == 0x0
 03054  1344   NtSetEventBoostPriority  ... ) == 0x0
 03055  1972   NtCreateThread  ... 1052, {1664, 1132}, ) == 0x0
 03057   428   NtSetEventBoostPriority  (332, ...
 03058  1300   NtWaitForSingleObject  (332, 0, 0x0, ...
 03023  1168   NtWaitForSingleObject  ... ) == 0x0
 03057   428   NtSetEventBoostPriority  ... ) == 0x0
 03059  1972   NtQueryInformationThread  (1052, Basic, 28, ...
 03060  1168   NtSetEventBoostPriority  (332, ...
 03061  1344   NtWaitForSingleObject  (332, 0, 0x0, ...
 03024   376   NtWaitForSingleObject  ... ) == 0x0
 03060  1168   NtSetEventBoostPriority  ... ) == 0x0
 03059  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1664,Tid=1132,}, 0x0, ) == 0x0
 03062   376   NtSetEventBoostPriority  (332, ...
 03063   428   NtWaitForSingleObject  (332, 0, 0x0, ...
 03064  1168   NtWaitForSingleObject  (332, 0, 0x0, ...
 03025   596   NtWaitForSingleObject  ... ) == 0x0
 03062   376   NtSetEventBoostPriority  ... ) == 0x0
 03065   596   NtSetEventBoostPriority  (332, ...
 03066  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58068, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\200\6\0\0l\4\0\0" ...  ...
 03026  1572   NtWaitForSingleObject  ... ) == 0x0
 03065   596   NtSetEventBoostPriority  ... ) == 0x0
 03067  1572   NtSetEventBoostPriority  (332, ...
 03066  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58072, 0}  ... {28, 56, reply, 0, 1664, 1972, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\200\6\0\0l\4\0\0" )  ) == 0x0
 03068   376   NtWaitForSingleObject  (332, 0, 0x0, ...
 03027  1604   NtWaitForSingleObject  ... ) == 0x0
 03067  1572   NtSetEventBoostPriority  ... ) == 0x0
 03069  1972   NtResumeThread  (1052, ...
 03070  1604   NtSetEventBoostPriority  (332, ...
 03071   596   NtWaitForSingleObject  (332, 0, 0x0, ...
 03028  2012   NtWaitForSingleObject  ... ) == 0x0
 03070  1604   NtSetEventBoostPriority  ... ) == 0x0
 03069  1972   NtResumeThread  ... 1, ) == 0x0
 03072  2012   NtSetEventBoostPriority  (332, ...
 03073  1572   NtWaitForSingleObject  (332, 0, 0x0, ...
 03074  1132   NtWaitForSingleObject  (332, 0, 0x0, ...
 03029  2016   NtWaitForSingleObject  ... ) == 0x0
 03072  2012   NtSetEventBoostPriority  ... ) == 0x0
 03075  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03076  2016   NtSetEventBoostPriority  (332, ...
 03077  1604   NtWaitForSingleObject  (332, 0, 0x0, ...
 03078  2012   NtWaitForSingleObject  (332, 0, 0x0, ...
 03030   896   NtWaitForSingleObject  ... ) == 0x0
 03076  2016   NtSetEventBoostPriority  ... ) == 0x0
 03079   896   NtSetEventBoostPriority  (332, ...
 03075  1972   NtAllocateVirtualMemory  ... 121241600, 1048576, ) == 0x0
 03031  1920   NtWaitForSingleObject  ... ) == 0x0
 03079   896   NtSetEventBoostPriority  ... ) == 0x0
 03080  1920   NtSetEventBoostPriority  (332, ...
 03081  1972   NtAllocateVirtualMemory  (-1, 122281984, 0, 8192, 4096, 4, ...
 03082  2016   NtWaitForSingleObject  (332, 0, 0x0, ...
 03032  1200   NtWaitForSingleObject  ... ) == 0x0
 03080  1920   NtSetEventBoostPriority  ... ) == 0x0
 03081  1972   NtAllocateVirtualMemory  ... 122281984, 8192, ) == 0x0
 03083  1200   NtSetEventBoostPriority  (332, ...
 03084   896   NtWaitForSingleObject  (332, 0, 0x0, ...
 03034  1336   NtWaitForSingleObject  ... ) == 0x0
 03083  1200   NtSetEventBoostPriority  ... ) == 0x0
 03085  1972   NtProtectVirtualMemory  (-1, (0x749e000), 4096, 260, ...
 03086  1336   NtSetEventBoostPriority  (332, ...
 03087  1920   NtWaitForSingleObject  (332, 0, 0x0, ...
 03035   840   NtWaitForSingleObject  ... ) == 0x0
 03086  1336   NtSetEventBoostPriority  ... ) == 0x0
 03085  1972   NtProtectVirtualMemory  ... (0x749e000), 4096, 4, ) == 0x0
 03088   840   NtSetEventBoostPriority  (332, ...
 03089  1200   NtWaitForSingleObject  (332, 0, 0x0, ...
 03037  1756   NtWaitForSingleObject  ... ) == 0x0
 03088   840   NtSetEventBoostPriority  ... ) == 0x0
 03090  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03091  1756   NtSetEventBoostPriority  (332, ...
 03092  1336   NtWaitForSingleObject  (332, 0, 0x0, ...
 03093   840   NtWaitForSingleObject  (332, 0, 0x0, ...
 03038   484   NtWaitForSingleObject  ... ) == 0x0
 03091  1756   NtSetEventBoostPriority  ... ) == 0x0
 03094   484   NtSetEventBoostPriority  (332, ...
 03090  1972   NtCreateThread  ... 1056, {1664, 1024}, ) == 0x0
 03042  1268   NtWaitForSingleObject  ... ) == 0x0
 03094   484   NtSetEventBoostPriority  ... ) == 0x0
 03095  1268   NtSetEventBoostPriority  (332, ...
 03096  1972   NtQueryInformationThread  (1056, Basic, 28, ...
 03097  1756   NtWaitForSingleObject  (332, 0, 0x0, ...
 03045  1284   NtWaitForSingleObject  ... ) == 0x0
 03095  1268   NtSetEventBoostPriority  ... ) == 0x0
 03096  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1664,Tid=1024,}, 0x0, ) == 0x0
 03098  1284   NtSetEventBoostPriority  (332, ...
 03099   484   NtWaitForSingleObject  (332, 0, 0x0, ...
 03048   748   NtWaitForSingleObject  ... ) == 0x0
 03100  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58072, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\200\6\0\0\0\4\0\0" ...  ...
 03101   748   NtSetEventBoostPriority  (332, ...
 03100  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58073, 0}  ... {28, 56, reply, 0, 1664, 1972, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\200\6\0\0\0\4\0\0" )  ) == 0x0
 03050   500   NtWaitForSingleObject  ... ) == 0x0
 03101   748   NtSetEventBoostPriority  ... ) == 0x0
 03098  1284   NtSetEventBoostPriority  ... ) == 0x0
 03102  1268   NtWaitForSingleObject  (332, 0, 0x0, ...
 03103   500   NtSetEventBoostPriority  (332, ...
 03104   748   NtWaitForSingleObject  (332, 0, 0x0, ...
 03105  1284   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03051  1580   NtWaitForSingleObject  ... ) == 0x0
 03103   500   NtSetEventBoostPriority  ... ) == 0x0
 03106  1580   NtSetEventBoostPriority  (332, ...
 03105  1284   NtDuplicateObject  ... 1060, ) == 0x0
 03053   860   NtWaitForSingleObject  ... ) == 0x0
 03106  1580   NtSetEventBoostPriority  ... ) == 0x0
 03107   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03108  1972   NtResumeThread  (1056, ...
 03109   860   NtSetEventBoostPriority  (332, ...
 03110  1284   NtWaitForSingleObject  (332, 0, 0x0, ...
 03111  1580   NtClose  (960, ...
 03056  1096   NtWaitForSingleObject  ... ) == 0x0
 03109   860   NtSetEventBoostPriority  ... ) == 0x0
 03108  1972   NtResumeThread  ... 1, ) == 0x0
 03112  1096   NtSetEventBoostPriority  (332, ...
 03111  1580   NtClose  ... ) == 0x0
 03107   500   NtDuplicateObject  ... 960, ) == 0x0
 03113  1024   NtWaitForSingleObject  (96, 0, 0x0, ...
 03058  1300   NtWaitForSingleObject  ... ) == 0x0
 03112  1096   NtSetEventBoostPriority  ... ) == 0x0
 03114  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03115  1580   NtClose  (972, ...
 03116   500   NtWaitForSingleObject  (332, 0, 0x0, ...
 03117  1300   NtSetEventBoostPriority  (332, ...
 03118  1096   NtWaitForSingleObject  (68, 0, {0, 0}, ...
 03114  1972   NtAllocateVirtualMemory  ... 122290176, 1048576, ) == 0x0
 03115  1580   NtClose  ... ) == 0x0
 03061  1344   NtWaitForSingleObject  ... ) == 0x0
 03117  1300   NtSetEventBoostPriority  ... ) == 0x0
 03119   860   NtWaitForSingleObject  (332, 0, 0x0, ...
 03120  1972   NtAllocateVirtualMemory  (-1, 123330560, 0, 8192, 4096, 4, ...
 03121  1344   NtSetEventBoostPriority  (332, ...
 03122  1580   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 03123  1300   NtWaitForSingleObject  (332, 0, 0x0, ...
 03063   428   NtWaitForSingleObject  ... ) == 0x0
 03121  1344   NtSetEventBoostPriority  ... ) == 0x0
 03120  1972   NtAllocateVirtualMemory  ... 123330560, 8192, ) == 0x0
 03122  1580   NtCreateKey  ... 972, 2, ) == 0x0
 03118  1096   NtWaitForSingleObject  ... ) == 0x102
 03124   428   NtSetEventBoostPriority  (332, ...
 03125  1344   NtWaitForSingleObject  (332, 0, 0x0, ...
 03126  1972   NtProtectVirtualMemory  (-1, (0x759e000), 4096, 260, ...
 03064  1168   NtWaitForSingleObject  ... ) == 0x0
 03124   428   NtSetEventBoostPriority  ... ) == 0x0
 03127  1096   NtWaitForSingleObject  (128, 0, 0x0, ...
 03128  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 03129  1168   NtSetEventBoostPriority  (332, ...
 03126  1972   NtProtectVirtualMemory  ... (0x759e000), 4096, 4, ) == 0x0
 03130   428   NtWaitForSingleObject  (332, 0, 0x0, ...
 03068   376   NtWaitForSingleObject  ... ) == 0x0
 03129  1168   NtSetEventBoostPriority  ... ) == 0x0
 03128  1580   NtOpenKey  ... 1064, ) == 0x0
 03131  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03132   376   NtSetEventBoostPriority  (332, ...
 03133  1168   NtWaitForSingleObject  (332, 0, 0x0, ...
 03134  1580   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 03071   596   NtWaitForSingleObject  ... ) == 0x0
 03132   376   NtSetEventBoostPriority  ... ) == 0x0
 03131  1972   NtCreateThread  ... 1068, {1664, 948}, ) == 0x0
 03135   596   NtSetEventBoostPriority  (332, ...
 03134  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03136   376   NtWaitForSingleObject  (332, 0, 0x0, ...
 03073  1572   NtWaitForSingleObject  ... ) == 0x0
 03135   596   NtSetEventBoostPriority  ... ) == 0x0
 03137  1972   NtQueryInformationThread  (1068, Basic, 28, ...
 03138  1580   NtQueryValueKey  (972,  (972, "Hostname", Partial, 144, ... , Partial, 144, ...
 03139  1572   NtSetEventBoostPriority  (332, ...
 03140   596   NtWaitForSingleObject  (332, 0, 0x0, ...
 03137  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1664,Tid=948,}, 0x0, ) == 0x0
 03074  1132   NtWaitForSingleObject  ... ) == 0x0
 03139  1572   NtSetEventBoostPriority  ... ) == 0x0
 03138  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 03141  1132   NtSetEventBoostPriority  (332, ...
 03142  1572   NtWaitForSingleObject  (332, 0, 0x0, ...
 03143  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58073, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\200\6\0\0\264\3\0\0" ...  ...
 03077  1604   NtWaitForSingleObject  ... ) == 0x0
 03141  1132   NtSetEventBoostPriority  ... ) == 0x0
 03144  1580   NtQueryValueKey  (972,  (972, "Hostname", Partial, 144, ... , Partial, 144, ...
 03145  1604   NtSetEventBoostPriority  (332, ...
 03143  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58075, 0}  ... {28, 56, reply, 0, 1664, 1972, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\200\6\0\0\264\3\0\0" )  ) == 0x0
 03078  2012   NtWaitForSingleObject  ... ) == 0x0
 03145  1604   NtSetEventBoostPriority  ... ) == 0x0
 03144  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 03146  2012   NtSetEventBoostPriority  (332, ...
 03147  1972   NtResumeThread  (1068, ...
 03148  1604   NtWaitForSingleObject  (332, 0, 0x0, ...
 03082  2016   NtWaitForSingleObject  ... ) == 0x0
 03146  2012   NtSetEventBoostPriority  ... ) == 0x0
 03149  1580   NtClose  (972, ...
 03147  1972   NtResumeThread  ... 1, ) == 0x0
 03150  1132   NtSetEventBoostPriority  (96, ...
 03151  2016   NtSetEventBoostPriority  (332, ...
 03152  2012   NtWaitForSingleObject  (332, 0, 0x0, ...
 03149  1580   NtClose  ... ) == 0x0
 03153  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03084   896   NtWaitForSingleObject  ... ) == 0x0
 03151  2016   NtSetEventBoostPriority  ... ) == 0x0
 03113  1024   NtWaitForSingleObject  ... ) == 0x0
 03150  1132   NtSetEventBoostPriority  ... ) == 0x0
 03154   948   NtWaitForSingleObject  (96, 0, 0x0, ...
 03155  1580   NtClose  (1064, ...
 03156   896   NtSetEventBoostPriority  (332, ...
 03157  1024   NtAllocateVirtualMemory  (-1, 8814592, 0, 4096, 4096, 4, ...
 03158  2016   NtWaitForSingleObject  (332, 0, 0x0, ...
 03159  1132   NtTestAlert  (...
 03087  1920   NtWaitForSingleObject  ... ) == 0x0
 03157  1024   NtAllocateVirtualMemory  ... 8814592, 4096, ) == 0x0
 03156   896   NtSetEventBoostPriority  ... ) == 0x0
 03155  1580   NtClose  ... ) == 0x0
 03153  1972   NtAllocateVirtualMemory  ... 123338752, 1048576, ) == 0x0
 03160  1920   NtSetEventBoostPriority  (332, ...
 03159  1132   NtTestAlert  ... ) == 0x0
 03161   896   NtWaitForSingleObject  (332, 0, 0x0, ...
 03162  1024   NtSetEventBoostPriority  (96, ...
 03089  1200   NtWaitForSingleObject  ... ) == 0x0
 03160  1920   NtSetEventBoostPriority  ... ) == 0x0
 03163  1972   NtAllocateVirtualMemory  (-1, 124379136, 0, 8192, 4096, 4, ...
 03164  1132   NtContinue  (121240880, 1, ...
 03165  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 03166  1200   NtSetEventBoostPriority  (332, ...
 03154   948   NtWaitForSingleObject  ... ) == 0x0
 03162  1024   NtSetEventBoostPriority  ... ) == 0x0
 03167  1920   NtWaitForSingleObject  (332, 0, 0x0, ...
 03163  1972   NtAllocateVirtualMemory  ... 124379136, 8192, ) == 0x0
 03168  1132   NtRegisterThreadTerminatePort  (24, ...
 03092  1336   NtWaitForSingleObject  ... ) == 0x0
 03169   948   NtTestAlert  (...
 03166  1200   NtSetEventBoostPriority  ... ) == 0x0
 03170  1024   NtTestAlert  (...
 03171  1972   NtProtectVirtualMemory  (-1, (0x769e000), 4096, 260, ...
 03172  1336   NtSetEventBoostPriority  (332, ...
 03169   948   NtTestAlert  ... ) == 0x0
 03173  1200   NtWaitForSingleObject  (332, 0, 0x0, ...
 03170  1024   NtTestAlert  ... ) == 0x0
 03093   840   NtWaitForSingleObject  ... ) == 0x0
 03172  1336   NtSetEventBoostPriority  ... ) == 0x0
 03171  1972   NtProtectVirtualMemory  ... (0x769e000), 4096, 4, ) == 0x0
 03168  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 03174   948   NtContinue  (123338032, 1, ...
 03175   840   NtSetEventBoostPriority  (332, ...
 03176  1024   NtContinue  (122289456, 1, ...
 03177  1336   NtWaitForSingleObject  (332, 0, 0x0, ...
 03178  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03179  1132   NtWaitForSingleObject  (332, 0, 0x0, ...
 03097  1756   NtWaitForSingleObject  ... ) == 0x0
 03175   840   NtSetEventBoostPriority  ... ) == 0x0
 03180   948   NtRegisterThreadTerminatePort  (24, ...
 03181  1024   NtRegisterThreadTerminatePort  (24, ...
 03182  1756   NtSetEventBoostPriority  (332, ...
 03183   840   NtWaitForSingleObject  (332, 0, 0x0, ...
 03180   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 03178  1972   NtCreateThread  ... 1064, {1664, 1388}, ) == 0x0
 03099   484   NtWaitForSingleObject  ... ) == 0x0
 03182  1756   NtSetEventBoostPriority  ... ) == 0x0
 03181  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 03184   948   NtWaitForSingleObject  (332, 0, 0x0, ...
 03185   484   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 03186  1972   NtQueryInformationThread  (1064, Basic, 28, ...
 03187  1756   NtSetEventBoostPriority  (128, ...
 03188  1024   NtWaitForSingleObject  (332, 0, 0x0, ...
 03185   484   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 03186  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1664,Tid=1388,}, 0x0, ) == 0x0
 03189   484   NtSetEventBoostPriority  (332, ...
 03190  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58075, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\200\6\0\0l\5\0\0" ...  ...
 01034  1292   NtWaitForSingleObject  ... ) == 0x0
 03187  1756   NtSetEventBoostPriority  ... ) == 0x0
 03190  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58076, 0}  ... {28, 56, reply, 0, 1664, 1972, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\200\6\0\0l\5\0\0" )  ) == 0x0
 03191  1292   NtWaitForSingleObject  (332, 0, 0x0, ...
 03192  1756   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03102  1268   NtWaitForSingleObject  ... ) == 0x0
 03189   484   NtSetEventBoostPriority  ... ) == 0x0
 03192  1756   NtCreateEvent  ... 972, ) == 0x0
 03193  1268   NtSetEventBoostPriority  (332, ...
 03194   484   NtWaitForSingleObject  (332, 0, 0x0, ...
 03195  1756   NtWaitForSingleObject  (332, 0, 0x0, ...
 03104   748   NtWaitForSingleObject  ... ) == 0x0
 03193  1268   NtSetEventBoostPriority  ... ) == 0x0
 03196   748   NtSetEventBoostPriority  (332, ...
 03110  1284   NtWaitForSingleObject  ... ) == 0x0
 03197  1284   NtSetEventBoostPriority  (332, ...
 03116   500   NtWaitForSingleObject  ... ) == 0x0
 03198   500   NtSetEventBoostPriority  (332, ...
 03119   860   NtWaitForSingleObject  ... ) == 0x0
 03199   860   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 03200   860   NtSetEventBoostPriority  (332, ...
 03198   500   NtSetEventBoostPriority  ... ) == 0x0
 03197  1284   NtSetEventBoostPriority  ... ) == 0x0
 03196   748   NtSetEventBoostPriority  ... ) == 0x0
 03201  1268   NtWaitForSingleObject  (332, 0, 0x0, ...
 03202  1972   NtResumeThread  (1064, ...
 03123  1300   NtWaitForSingleObject  ... ) == 0x0
 03200   860   NtSetEventBoostPriority  ... ) == 0x0
 03203  1284   NtWaitForSingleObject  (332, 0, 0x0, ...
 03204   500   NtWaitForSingleObject  (332, 0, 0x0, ...
 03205   748   NtWaitForSingleObject  (332, 0, 0x0, ...
 03202  1972   NtResumeThread  ... 1, ) == 0x0
 03206  1300   NtSetEventBoostPriority  (332, ...
 03207   860   NtWaitForSingleObject  (332, 0, 0x0, ...
 03208  1388   NtTestAlert  (...
 03209  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03125  1344   NtWaitForSingleObject  ... ) == 0x0
 03208  1388   NtTestAlert  ... ) == 0x0
 03209  1972   NtAllocateVirtualMemory  ... 124387328, 1048576, ) == 0x0
 03210  1344   NtSetEventBoostPriority  (332, ...
 03211  1388   NtContinue  (124386608, 1, ...
 03212  1972   NtAllocateVirtualMemory  (-1, 125427712, 0, 8192, 4096, 4, ...
 03130   428   NtWaitForSingleObject  ... ) == 0x0
 03213  1388   NtRegisterThreadTerminatePort  (24, ...
 03212  1972   NtAllocateVirtualMemory  ... 125427712, 8192, ) == 0x0
 03214   428   NtSetEventBoostPriority  (332, ...
 03213  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 03210  1344   NtSetEventBoostPriority  ... ) == 0x0
 03206  1300   NtSetEventBoostPriority  ... ) == 0x0
 03133  1168   NtWaitForSingleObject  ... ) == 0x0
 03214   428   NtSetEventBoostPriority  ... ) == 0x0
 03215  1972   NtProtectVirtualMemory  (-1, (0x779e000), 4096, 260, ...
 03216  1344   NtWaitForSingleObject  (332, 0, 0x0, ...
 03217  1300   NtWaitForSingleObject  (380, 0, 0x0, ...
 03218  1168   NtSetEventBoostPriority  (332, ...
 03219   428   NtWaitForSingleObject  (380, 0, 0x0, ...
 03215  1972   NtProtectVirtualMemory  ... (0x779e000), 4096, 4, ) == 0x0
 03136   376   NtWaitForSingleObject  ... ) == 0x0
 03220  1972   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03221   376   NtSetEventBoostPriority  (332, ...
 03220  1972   NtCreateThread  ... 1072, {1664, 520}, ) == 0x0
 03140   596   NtWaitForSingleObject  ... ) == 0x0
 03222  1972   NtQueryInformationThread  (1072, Basic, 28, ...
 03223   596   NtSetEventBoostPriority  (332, ...
 03222  1972   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1664,Tid=520,}, 0x0, ) == 0x0
 03142  1572   NtWaitForSingleObject  ... ) == 0x0
 03223   596   NtSetEventBoostPriority  ... ) == 0x0
 03221   376   NtSetEventBoostPriority  ... ) == 0x0
 03218  1168   NtSetEventBoostPriority  ... ) == 0x0
 03224  1388   NtWaitForSingleObject  (332, 0, 0x0, ...
 03225  1572   NtSetEventBoostPriority  (332, ...
 03226   596   NtWaitForSingleObject  (332, 0, 0x0, ...
 03227   376   NtWaitForSingleObject  (332, 0, 0x0, ...
 03228  1168   NtWaitForSingleObject  (380, 0, 0x0, ...
 03148  1604   NtWaitForSingleObject  ... ) == 0x0
 03229  1604   NtSetEventBoostPriority  (332, ...
 03152  2012   NtWaitForSingleObject  ... ) == 0x0
 03230  2012   NtSetEventBoostPriority  (332, ...
 03158  2016   NtWaitForSingleObject  ... ) == 0x0
 03231  2016   NtSetEventBoostPriority  (332, ...
 03165  1580   NtWaitForSingleObject  ... ) == 0x0
 03232  1580   NtSetEventBoostPriority  (332, ...
 03161   896   NtWaitForSingleObject  ... ) == 0x0
 03233   896   NtSetEventBoostPriority  (332, ...
 03167  1920   NtWaitForSingleObject  ... ) == 0x0
 03234  1920   NtSetEventBoostPriority  (332, ...
 03173  1200   NtWaitForSingleObject  ... ) == 0x0
 03235  1200   NtSetEventBoostPriority  (332, ...
 03177  1336   NtWaitForSingleObject  ... ) == 0x0
 03236  1336   NtSetEventBoostPriority  (332, ...
 03179  1132   NtWaitForSingleObject  ... ) == 0x0
 03237  1132   NtSetEventBoostPriority  (332, ...
 03184   948   NtWaitForSingleObject  ... ) == 0x0
 03238   948   NtSetEventBoostPriority  (332, ...
 03183   840   NtWaitForSingleObject  ... ) == 0x0
 03239   840   NtSetEventBoostPriority  (332, ...
 03188  1024   NtWaitForSingleObject  ... ) == 0x0
 03240  1024   NtSetEventBoostPriority  (332, ...
 03191  1292   NtWaitForSingleObject  ... ) == 0x0
 03241  1292   NtSetEventBoostPriority  (332, ...
 03194   484   NtWaitForSingleObject  ... ) == 0x0
 03242   484   NtSetEventBoostPriority  (332, ...
 03195  1756   NtWaitForSingleObject  ... ) == 0x0
 03243  1756   NtSetEventBoostPriority  (332, ...
 03201  1268   NtWaitForSingleObject  ... ) == 0x0
 03244  1268   NtSetEventBoostPriority  (332, ...
 03204   500   NtWaitForSingleObject  ... ) == 0x0
 03245   500   NtSetEventBoostPriority  (332, ...
 03205   748   NtWaitForSingleObject  ... ) == 0x0
 03246   748   NtSetEventBoostPriority  (332, ...
 03207   860   NtWaitForSingleObject  ... ) == 0x0
 03247   860   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 03246   748   NtSetEventBoostPriority  ... ) == 0x0
 03245   500   NtSetEventBoostPriority  ... ) == 0x0
 03243  1756   NtSetEventBoostPriority  ... ) == 0x0
 03242   484   NtSetEventBoostPriority  ... ) == 0x0
 03241  1292   NtSetEventBoostPriority  ... ) == 0x0
 03240  1024   NtSetEventBoostPriority  ... ) == 0x0
 03238   948   NtSetEventBoostPriority  ... ) == 0x0
 03237  1132   NtSetEventBoostPriority  ... ) == 0x0
 03232  1580   NtSetEventBoostPriority  ... ) == 0x0
 03244  1268   NtSetEventBoostPriority  ... ) == 0x0
 03239   840   NtSetEventBoostPriority  ... ) == 0x0
 03236  1336   NtSetEventBoostPriority  ... ) == 0x0
 03235  1200   NtSetEventBoostPriority  ... ) == 0x0
 03234  1920   NtSetEventBoostPriority  ... ) == 0x0
 03233   896   NtSetEventBoostPriority  ... ) == 0x0
 03231  2016   NtSetEventBoostPriority  ... ) == 0x0
 03230  2012   NtSetEventBoostPriority  ... ) == 0x0
 03229  1604   NtSetEventBoostPriority  ... ) == 0x0
 03225  1572   NtSetEventBoostPriority  ... ) == 0x0
 03248  1972   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1664, 1972, 58076, 0}  (24, {28, 56, new_msg, 0, 1664, 1972, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\200\6\0\0\10\2\0\0" ...  ...
 03249   748   NtWaitForSingleObject  (332, 0, 0x0, ...
 03250   500   NtWaitForSingleObject  (332, 0, 0x0, ...
 03251   860   NtSetEventBoostPriority  (332, ...
 03252  1756   NtWaitForSingleObject  (332, 0, 0x0, ...
 03253   484   NtWaitForSingleObject  (332, 0, 0x0, ...
 03254  1292   NtWaitForSingleObject  (332, 0, 0x0, ...
 03255  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03256   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03257  1580   NtWaitForSingleObject  (332, 0, 0x0, ...
 03258  1268   NtWaitForSingleObject  (332, 0, 0x0, ...
 03259   840   NtWaitForSingleObject  (332, 0, 0x0, ...
 03260  1336   NtWaitForSingleObject  (332, 0, 0x0, ...
 03261  1200   NtWaitForSingleObject  (332, 0, 0x0, ...
 03262  1920   NtWaitForSingleObject  (332, 0, 0x0, ...
 03263   896   NtWaitForSingleObject  (332, 0, 0x0, ...
 03264  2016   NtWaitForSingleObject  (332, 0, 0x0, ...
 03265  2012   NtWaitForSingleObject  (332, 0, 0x0, ...
 03266  1604   NtWaitForSingleObject  (332, 0, 0x0, ...
 03267  1572   NtWaitForSingleObject  (332, 0, 0x0, ...
 03248  1972   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1664, 1972, 58077, 0}  ... {28, 56, reply, 0, 1664, 1972, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\200\6\0\0\10\2\0\0" )  ) == 0x0
 03268  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03203  1284   NtWaitForSingleObject  ... ) == 0x0
 03251   860   NtSetEventBoostPriority  ... ) == 0x0
 03255  1024   NtDuplicateObject  ... 1076, ) == 0x0
 03256   948   NtDuplicateObject  ... 1080, ) == 0x0
 03269  1972   NtResumeThread  (1072, ...
 03270  1284   NtSetEventBoostPriority  (332, ...
 03268  1132   NtDuplicateObject  ... 1084, ) == 0x0
 03271   860   NtWaitForSingleObject  (332, 0, 0x0, ...
 03272  1024   NtWaitForSingleObject  (332, 0, 0x0, ...
 03273   948   NtWaitForSingleObject  (332, 0, 0x0, ...
 03216  1344   NtWaitForSingleObject  ... ) == 0x0
 03269  1972   NtResumeThread  ... 1, ) == 0x0
 03274  1132   NtWaitForSingleObject  (332, 0, 0x0, ...
 03275  1344   NtSetEventBoostPriority  (332, ...
 03276  1972   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03224  1388   NtWaitForSingleObject  ... ) == 0x0
 03275  1344   NtSetEventBoostPriority  ... ) == 0x0
 03270  1284   NtSetEventBoostPriority  ... ) == 0x0
NtGdiCreateBitmap(>)	1	NtOpenProcessToken(>)	2	NtQueryInformationProcess(>)	9	NtFlushInstructionCache(>)	57
NtGdiInit(>)	1	NtQueryDefaultUILanguage(>)	2	NtSetInformationThread(>)	9	NtCreateEvent(>)	60
NtGdiQueryFontAssocInfo(>)	1	NtQuerySystemTime(>)	2	NtUserFindExistingCursorIcon(>)	9	NtContinue(>)	114
NtGdiSelectBitmap(>)	1	NtFreeVirtualMemory(>)	3	NtOpenThreadToken(>)	10	NtQuerySystemInformation(>)	120
NtOpenKeyedEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryVirtualMemory(>)	10	NtOpenKey(>)	139
NtOpenSymbolicLinkObject(>)	1	NtQueryDebugFilterState(>)	3	NtSetInformationFile(>)	10	NtResumeThread(>)	150
NtQueryInstallUILanguage(>)	1	NtQueryDefaultLocale(>)	3	NtUnmapViewOfSection(>)	11	NtQueryInformationThread(>)	153
NtQueryObject(>)	1	NtQueryVolumeInformationFile(>)	3	NtCreateFile(>)	12	NtCreateThread(>)	167
NtQueryPerformanceCounter(>)	1	NtSecureConnectPort(>)	3	NtQuerySection(>)	13	NtRequestWaitReplyPort(>)	191
NtQuerySymbolicLinkObject(>)	1	NtSetInformationObject(>)	3	NtUserRegisterClassExWOW(>)	14	NtTestAlert(>)	214
NtRaiseException(>)	1	NtCreateIoCompletion(>)	4	NtSetValueKey(>)	17	NtRegisterThreadTerminatePort(>)	217
NtSetInformationProcess(>)	1	NtOpenProcessTokenEx(>)	4	NtReadFile(>)	21	NtDuplicateObject(>)	223
NtUserCallNoParam(>)	1	NtOpenThreadTokenEx(>)	4	NtOpenSection(>)	22	NtClose(>)	224
NtUserGetObjectInformation(>)	1	NtGdiGetStockObject(>)	5	NtWriteFile(>)	22	NtQueryValueKey(>)	261
NtUserGetProcessWindowStation(>)	1	NtCreateMutant(>)	6	NtCreateKey(>)	23	NtProtectVirtualMemory(>)	269
NtUserGetThreadDesktop(>)	1	NtQueryDirectoryFile(>)	6	NtCreateSection(>)	23	NtAllocateVirtualMemory(>)	407
NtCallbackReturn(>)	2	NtFsControlFile(>)	7	NtOpenFile(>)	27	NtSetEventBoostPriority(>)	632
NtGdiCreateSolidBrush(>)	2	NtQueryInformationFile(>)	7	NtDeviceIoControlFile(>)	36	NtWaitForSingleObject(>)	915
NtNotifyChangeKey(>)	2	NtQueryInformationToken(>)	7	NtMapViewOfSection(>)	39
NtOpenDirectoryObject(>)	2	NtConnectPort(>)	8