Summary (number of times each system call appears in the trace below):

NtAddAtom(>) 1 NtUserGetProcessWindowStation(>) 2 NtGdiExtGetObjectW(>) 6 NtDeviceIoControlFile(>) 34
NtCallbackReturn(>) 1 NtUserGetThreadDesktop(>) 2 NtOpenProcessToken(>) 6 NtOpenSection(>) 38
NtEnumerateValueKey(>) 1 NtUserMessageCall(>) 2 NtReleaseMutant(>) 6 NtCreateEvent(>) 39
NtFsControlFile(>) 1 NtUserSetCursorIconData(>) 2 NtSetInformationFile(>) 7 NtCreateSection(>) 45
NtGdiInit(>) 1 NtUserSetWindowFNID(>) 2 NtUserCallNoParam(>) 7 NtOpenFile(>) 46
NtGdiQueryFontAssocInfo(>) 1 NtUserSetWindowLong(>) 2 NtGdiDeleteObjectApp(>) 8 NtUserFindExistingCursorIcon(>) 56
NtOpenKeyedEvent(>) 1 NtAccessCheck(>) 3 NtQueryDefaultLocale(>) 8 NtUserRegisterClassExWOW(>) 65
NtOpenProcess(>) 1 NtFreeVirtualMemory(>) 3 NtQueryDebugFilterState(>) 9 NtContinue(>) 67
NtOpenSymbolicLinkObject(>) 1 NtGdiCreateBitmap(>) 3 NtSetInformationProcess(>) 9 NtQueryAttributesFile(>) 70
NtQueryEvent(>) 1 NtOpenEvent(>) 3 NtQueryDefaultUILanguage(>) 10 NtMapViewOfSection(>) 75
NtQueryInstallUILanguage(>) 1 NtQueryPerformanceCounter(>) 3 NtQueryInformationFile(>) 10 NtQueryInformationThread(>) 103
NtQueryObject(>) 1 NtSetInformationObject(>) 3 NtCreateFile(>) 11 NtResumeThread(>) 105
NtQuerySymbolicLinkObject(>) 1 NtSetInformationThread(>) 3 NtQueryVirtualMemory(>) 12 NtCreateThread(>) 111
NtSecureConnectPort(>) 1 NtGdiDoPalette(>) 4 NtOpenProcessTokenEx(>) 13 NtFlushInstructionCache(>) 127
NtSetEvent(>) 1 NtGdiGetDIBitsInternal(>) 4 NtUserSystemParametersInfo(>) 13 NtRegisterThreadTerminatePort(>) 130
NtUserCreateWindowEx(>) 1 NtGdiHfontCreate(>) 4 NtCreateMutant(>) 15 NtTestAlert(>) 130
NtGdiBitBlt(>) 2 NtGdiStretchDIBitsInternal(>) 4 NtOpenThreadTokenEx(>) 15 NtRequestWaitReplyPort(>) 131
NtGdiCreateCompatibleBitmap(>) 2 NtOpenThreadToken(>) 4 NtSetValueKey(>) 16 NtDuplicateObject(>) 134
NtGdiCreateDIBitmapInternal(>) 2 NtQueryVolumeInformationFile(>) 4 NtGdiSelectBitmap(>) 17 NtQuerySystemInformation(>) 137
NtGdiCreatePatternBrushInternal(>) 2 NtUserGetObjectInformation(>) 4 NtQueryInformationToken(>) 17 NtOpenKey(>) 164
NtGdiCreateSolidBrush(>) 2 NtUserSetWindowsHookEx(>) 4 NtUserRegisterWindowMessage(>) 17 NtOpenMutant(>) 246
NtNotifyChangeKey(>) 2 NtWriteFile(>) 4 NtQueryInformationProcess(>) 18 NtClose(>) 256
NtOpenDirectoryObject(>) 2 NtCreateSemaphore(>) 5 NtCreateKey(>) 19 NtQueryValueKey(>) 257
NtQuerySystemTime(>) 2 NtGdiCreateCompatibleDC(>) 5 NtQuerySection(>) 19 NtAllocateVirtualMemory(>) 295
NtUserGetGUIThreadInfo(>) 2 NtGdiGetStockObject(>) 5 NtUserGetWindowDC(>) 19 NtProtectVirtualMemory(>) 340
NtUserGetIconInfo(>) 2 NtUserGetDC(>) 5 NtUnmapViewOfSection(>) 26 NtSetEventBoostPriority(>) 560
NtUserGetIconSize(>) 2 NtConnectPort(>) 6 NtUserCallOneParam(>) 27 NtWaitForSingleObject(>) 746

Trace (columns: sequence number, thread id, system call, arguments ... output values, == return status; entries from different threads are interleaved, so a single call may be split across two entries with the same sequence number):

00001 1736 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1736 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 4521984, 2097152, ) == 0x0 00006 1736 NtAllocateVirtualMemory (-1, 4521984, 0, 4096, 4096, 4, ... 4521984, 4096, ) == 0x0 00007 1736 NtAllocateVirtualMemory (-1, 4526080, 0, 8192, 4096, 4, ... 4526080, 8192, ) == 0x0 00008 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1736 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1736 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1736 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1736 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1736 NtClose (12, ... ) == 0x0 00015 1736 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1736 NtQueryVolumeInformationFile (12, 2292428, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292380, ... ) }, 2292380, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1736 NtClose (16, ... ) == 0x0 00021 1736 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1736 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1736 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1736 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1736 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1736 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290520, 44, ... 
24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290520, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1736 NtClose (16, ... ) == 0x0 00030 1736 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1736 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1736 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1736 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2290836, 2291036, 2089900544, 2290760} (24, {28, 56, new_msg, 0, 2290836, 2291036, 2089900544, 2290760} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75469, 0} (24, {28, 56, new_msg, 0, 2290836, 2291036, 2089900544, 2290760} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ) == 0x0 00036 1736 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1736 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 
2281472, 4096, ) == 0x0 00038 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1736 NtClose (16, ... ) == 0x0 00041 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1736 NtClose (16, ... ) == 0x0 00044 1736 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1736 NtClose (16, ... ) == 0x0 00048 1736 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1736 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1736 NtClose (16, ... ) == 0x0 00052 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1736 NtClose (16, ... ) == 0x0 00055 1736 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1736 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1736 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ... {24, 52, reply, 0, 1636, 1736, 75470, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ) == 0x0 00060 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75471, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ) == 0x0 00061 1736 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00062 1736 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... 
(0x409000), 69632, 4, ) == 0x0 00063 1736 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00064 1736 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1736 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1736 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1736 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1736 NtClose (16, ... ) == 0x0 00069 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1736 NtClose (16, ... ) == 0x0 00072 1736 NtTestAlert (... ) == 0x0 00073 1736 NtContinue (2293040, 1, ... 00074 1736 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0 00075 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00076 1736 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00077 1736 NtClose (16, ... ) == 0x0 00078 1736 NtAllocateVirtualMemory (-1, 4534272, 0, 4096, 4096, 4, ... 4534272, 4096, ) == 0x0 00079 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291232, ... ) }, 2291232, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00081 1736 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00082 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crtdll.dll"}, 2291232, ... ) }, 2291232, ... ) == 0x0 00083 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crtdll.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00084 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00085 1736 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00086 1736 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00087 1736 NtQueryInformationToken (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 1736 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00089 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00090 1736 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00091 1736 NtClose (36, ... ) == 0x0 00092 1736 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00093 1736 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00094 1736 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00095 1736 NtClose (36, ... ) == 0x0 00096 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00097 1736 NtClose (32, ... ) == 0x0 00098 1736 NtClose (16, ... ) == 0x0 00099 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0 00100 1736 NtClose (28, ... ) == 0x0 00101 1736 NtProtectVirtualMemory (-1, (0x73d9103c), 400, 4, ... (0x73d91000), 4096, 32, ) == 0x0 00102 1736 NtProtectVirtualMemory (-1, (0x73d91000), 4096, 32, ... (0x73d91000), 4096, 4, ) == 0x0 00103 1736 NtFlushInstructionCache (-1, 1943605248, 400, ... ) == 0x0 00104 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crtdll.dll"}, 2288836, ... ) }, 2288836, ... ) == 0x0 00106 1736 NtAllocateVirtualMemory (-1, 4538368, 0, 8192, 4096, 4, ... 4538368, 8192, ) == 0x0 00107 1736 NtAllocateVirtualMemory (-1, 4546560, 0, 4096, 4096, 4, ... 4546560, 4096, ) == 0x0 00108 1736 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00109 1736 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 6553714, 5505056, 7143529, 101} (24, {40, 68, new_msg, 0, 6553714, 5505056, 7143529, 101} "\0\0\0\0\0\2\2\0l\20\201|\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1636, 1736, 75472, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ... {40, 68, reply, 0, 1636, 1736, 75472, 0} (24, {40, 68, new_msg, 0, 6553714, 5505056, 7143529, 101} "\0\0\0\0\0\2\2\0l\20\201|\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... 
{40, 68, reply, 0, 1636, 1736, 75472, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00110 1736 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 1636, 1736, 75472, 0} (24, {40, 68, new_msg, 0, 1636, 1736, 75472, 0} "\0\0\0\0\0\2\2\0\\20\201|\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1636, 1736, 75473, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ... {40, 68, reply, 0, 1636, 1736, 75473, 0} (24, {40, 68, new_msg, 0, 1636, 1736, 75472, 0} "\0\0\0\0\0\2\2\0\\20\201|\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1636, 1736, 75473, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00111 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 1736 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 28, ) }, ... 28, ) == 0x0 00114 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx5"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00118 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx10"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx13"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00131 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00133 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00134 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00135 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00136 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00137 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00143 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00144 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00146 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00149 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00150 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00151 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00155 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00157 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00161 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00162 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx53"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00165 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00169 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00170 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00171 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx68"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx69"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx70"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx71"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx72"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx73"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00183 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx74"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00185 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx80"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx81"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00191 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx82"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx83"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx84"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx85"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00195 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx86"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00196 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx87"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx88"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx89"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00199 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx90"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00200 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx91"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00201 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx92"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00202 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx93"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00203 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx94"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00204 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx95"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00205 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx96"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00206 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx97"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00207 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx98"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00208 1736 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx99"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00209 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 6619136, 2097152, ) == 0x0 00210 1736 NtAllocateVirtualMemory (-1, 8708096, 0, 8192, 4096, 4, ... 8708096, 8192, ) == 0x0 00211 1736 NtProtectVirtualMemory (-1, (0x84e000), 4096, 260, ... (0x84e000), 4096, 4, ) == 0x0 00212 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292332, 2292276, 1, ... 16, {1636, 1744}, ) == 0x0 00213 1736 NtQueryInformationThread (16, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1636,Tid=1744,}, 0x0, ) == 0x0 00214 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2088770935, 4231184, 4512836, 0} (24, {28, 56, new_msg, 0, 2088770935, 4231184, 4512836, 0} "\0\0\0\0\1\0\1\0mtx99\0@\0\20\0\0\0d\6\0\0\320\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75474, 0} "\0\0\0\0\1\0\1\0\0\0\0\09\0@\0\20\0\0\0d\6\0\0\320\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75474, 0} (24, {28, 56, new_msg, 0, 2088770935, 4231184, 4512836, 0} "\0\0\0\0\1\0\1\0mtx99\0@\0\20\0\0\0d\6\0\0\320\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75474, 0} "\0\0\0\0\1\0\1\0\0\0\0\09\0@\0\20\0\0\0d\6\0\0\320\6\0\0" ) ) == 0x0 00215 1736 NtResumeThread (16, ... 1, ) == 0x0 00216 1744 NtTestAlert (... ) == 0x0 00217 1744 NtContinue (8715568, 1, ... 00218 1744 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00219 1736 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... 00220 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00221 1744 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00222 1744 NtClose (32, ... ) == 0x0 00223 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00224 1744 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00225 1744 NtClose (32, ... ) == 0x0 00219 1736 NtQueryVirtualMemory ... 
{BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00226 1736 NtContinue (2292976, 0, ... 00227 1736 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00228 1736 NtCreateEvent (0x100003, 0x0, 1, 0, ... 32, ) == 0x0 00229 1736 NtWaitForSingleObject (32, 0, 0x0, ... 00230 1744 NtAllocateVirtualMemory (-1, 8704000, 0, 4096, 4096, 260, ... 8704000, 4096, ) == 0x0 00231 1744 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00232 1744 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00233 1744 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00234 1744 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00235 1744 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00236 1744 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00237 1744 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00238 1744 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00239 1744 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00240 1744 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00241 1744 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00242 1744 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00243 1744 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00244 1744 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00245 1744 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00246 1744 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00247 1744 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... 
(0x7e411000), 4096, 4, ) == 0x0 00248 1744 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00249 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00252 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 8712416} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 8712416} "\210\6$\1\0\0\0\0\344\0#\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1744, 75475, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ... {28, 56, reply, 0, 1636, 1744, 75475, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 8712416} "\210\6$\1\0\0\0\0\344\0#\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1744, 75475, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ) == 0x0 00253 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 8709808, ... ) }, 8709808, ... ) == 0x0 00254 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00255 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 36, ... 40, ) == 0x0 00256 1744 NtClose (36, ... 
) == 0x0 00257 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 110592, ) == 0x0 00258 1744 NtClose (40, ... ) == 0x0 00259 1744 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00260 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 8709716, ... ) }, 8709716, ... ) == 0x0 00261 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0 00262 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 40, ... 36, ) == 0x0 00263 1744 NtClose (40, ... ) == 0x0 00264 1744 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 110592, ) == 0x0 00265 1744 NtClose (36, ... ) == 0x0 00266 1744 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00267 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 8710024, ... ) }, 8710024, ... ) == 0x0 00268 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00269 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0 00270 1744 NtQuerySection (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00271 1744 NtClose (36, ... ) == 0x0 00272 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00273 1744 NtClose (40, ... ) == 0x0 00274 1744 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00275 1744 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00276 1744 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00277 1744 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... 
(0x76391000), 4096, 32, ) == 0x0 00278 1744 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00279 1744 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00280 1744 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00281 1744 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00282 1744 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00283 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 40, ) }, ... 40, ) == 0x0 00284 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00285 1744 NtClose (40, ... ) == 0x0 00286 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00287 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00288 1744 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00289 1744 NtAllocateVirtualMemory (-1, 8699904, 0, 4096, 4096, 260, ... 8699904, 4096, ) == 0x0 00290 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 40, ) }, ... 40, ) == 0x0 00291 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00292 1744 NtClose (40, ... ) == 0x0 00293 1744 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00294 1744 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00295 1744 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00296 1744 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00297 1744 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00298 1744 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00299 1744 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... 
(0x77e71000), 4096, 32, ) == 0x0 00300 1744 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00301 1744 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00302 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00303 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00304 1744 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00305 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 1744 NtAllocateVirtualMemory (-1, 4550656, 0, 4096, 4096, 4, ... 4550656, 4096, ) == 0x0 00307 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 40, ) }, ... 40, ) == 0x0 00309 1744 NtQueryValueKey (40, (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00310 1744 NtQueryValueKey (40, (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00311 1744 NtClose (40, ... ) == 0x0 00312 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) }, ... 
40, ) == 0x0 00313 1744 NtQueryValueKey (40, (40, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00314 1744 NtClose (40, ... ) == 0x0 00315 1744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) }, ... 40, ) == 0x0 00316 1744 NtSetInformationObject (40, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00317 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00319 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00320 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 8706940, ... ) }, 8706940, ... ) == 0x0 00321 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 8710344, ... ) }, 8710344, ... ) == 0x0 00322 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00323 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 36, ) }, ... 36, ) == 0x0 00324 1744 NtQueryValueKey (36, (36, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00325 1744 NtClose (36, ... ) == 0x0 00326 1744 NtMapViewOfSection (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 1060864, ) == 0x0 00327 1744 NtClose (-2147482576, ... ) == 0x0 00328 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00329 1744 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00330 1744 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482576, ) == 0x0 00331 1744 NtQueryInformationToken (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00332 1744 NtQueryInformationToken (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00333 1744 NtClose (-2147482576, ... ) == 0x0 00334 1744 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 9830400, 4096, ) == 0x0 00335 1744 NtFreeVirtualMemory (-1, (0x960000), 4096, 32768, ... (0x960000), 4096, ) == 0x0 00336 1744 NtDuplicateObject (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0 00337 1744 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00338 1744 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00339 1744 NtClose (-2147482576, ... ) == 0x0 00340 1744 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00341 1744 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00342 1744 NtClose (-2147482576, ... ) == 0x0 00343 1744 NtQueryDefaultLocale (0, -139347636, ... ) == 0x0 00344 1744 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00345 1744 NtUserCallNoParam (24, ... ) == 0x0 00346 1744 NtGdiCreateCompatibleDC (0, ... 
00347 1744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9830400, 4096, ) == 0x0 00346 1744 NtGdiCreateCompatibleDC ... ) == 0xf2010663 00348 1744 NtGdiGetStockObject (0, ... ) == 0x1900010 00349 1744 NtGdiGetStockObject (4, ... ) == 0x1900011 00350 1744 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7 00351 1744 NtGdiCreateSolidBrush (0, 0, ... 00352 1744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 13041664, 4096, ) == 0x0 00351 1744 NtGdiCreateSolidBrush ... ) == 0x4210057d 00353 1744 NtGdiGetStockObject (13, ... ) == 0x18a0021 00354 1744 NtGdiCreateCompatibleDC (0, ... ) == 0x69010363 00355 1744 NtGdiSelectBitmap (1761674083, -50002441, ... ) == 0x185000f 00356 1744 NtUserGetThreadDesktop (1744, 0, ... ) == 0x30 00357 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0 00358 1744 NtQueryValueKey (56, (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00359 1744 NtClose (56, ... ) == 0x0 00360 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00361 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 673, 128, 0, ... ) == 0x8172c017 00362 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00363 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 674, 128, 0, ... ) == 0x8172c01c 00364 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00365 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 675, 128, 0, ... ) == 0x8172c01e 00366 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00367 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 676, 128, 0, ... 
) == 0x81728002 00368 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10013 00369 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 677, 128, 0, ... ) == 0x8172c018 00370 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00371 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 678, 128, 0, ... ) == 0x8172c01a 00372 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00373 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 679, 128, 0, ... ) == 0x8172c01d 00374 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00375 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 681, 128, 0, ... ) == 0x8172c026 00376 1744 NtUserFindExistingCursorIcon (8711520, 8711536, 8711584, ... ) == 0x10011 00377 1744 NtUserRegisterClassExWOW (8711532, 8711600, 8711616, 8711632, 680, 128, 0, ... ) == 0x8172c019 00378 1744 NtUserRegisterClassExWOW (8711484, 8711552, 8711568, 8711584, 0, 128, 0, ... ) == 0x8172c020 00379 1744 NtUserRegisterClassExWOW (8711740, 8711836, 8711820, 8711808, 0, 130, 0, ... ) == 0x8172c022 00380 1744 NtUserRegisterClassExWOW (8711484, 8711552, 8711568, 8711584, 0, 128, 0, ... ) == 0x8172c023 00381 1744 NtUserRegisterClassExWOW (8711740, 8711836, 8711820, 8711808, 0, 130, 0, ... ) == 0x8172c024 00382 1744 NtUserRegisterClassExWOW (8711484, 8711552, 8711568, 8711584, 0, 128, 0, ... ) == 0x8172c025 00383 1744 NtCallbackReturn (0, 0, 0, ... 00384 1744 NtGdiInit (... ) == 0x1 00385 1744 NtGdiGetStockObject (18, ... ) == 0x290001c 00386 1744 NtGdiGetStockObject (19, ... ) == 0x1b00019 00387 1744 NtSetEventBoostPriority (32, ... 00229 1736 NtWaitForSingleObject ... ) == 0x0 00388 1736 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 13107200, 28672, ) == 0x0 00389 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00390 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291484, ... }, 2291484, ... 00387 1744 NtSetEventBoostPriority ... ) == 0x0 00391 1744 NtWaitForSingleObject (32, 0, 0x0, ... 00390 1736 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00392 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 2291484, ... ) }, 2291484, ... ) == 0x0 00393 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00394 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0 00395 1736 NtQuerySection (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00396 1736 NtClose (56, ... ) == 0x0 00397 1736 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00398 1736 NtClose (60, ... ) == 0x0 00399 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 60, ) }, ... 60, ) == 0x0 00400 1736 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00401 1736 NtClose (60, ... ) == 0x0 00402 1736 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00403 1736 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00404 1736 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00405 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00406 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00407 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00408 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00409 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290668, ... ) }, 2290668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00410 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 2290668, ... ) }, 2290668, ... ) == 0x0 00411 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00412 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0 00413 1736 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00414 1736 NtClose (60, ... ) == 0x0 00415 1736 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00416 1736 NtClose (56, ... ) == 0x0 00417 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00418 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00419 1736 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00420 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00421 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00422 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00423 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00424 1736 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00425 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13172736, 65536, ) == 0x0 00426 1736 NtAllocateVirtualMemory (-1, 13172736, 0, 4096, 4096, 4, ... 13172736, 4096, ) == 0x0 00427 1736 NtAllocateVirtualMemory (-1, 13176832, 0, 8192, 4096, 4, ... 13176832, 8192, ) == 0x0 00428 1736 NtAllocateVirtualMemory (-1, 13185024, 0, 4096, 4096, 4, ... 13185024, 4096, ) == 0x0 00429 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 56, ) }, ... 56, ) == 0x0 00430 1736 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xca0000), 0x0, 12288, ) == 0x0 00431 1736 NtClose (56, ... ) == 0x0 00432 1736 NtAllocateVirtualMemory (-1, 13189120, 0, 4096, 4096, 4, ... 13189120, 4096, ) == 0x0 00433 1736 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00434 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00435 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00436 1736 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00437 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00438 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00439 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00440 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00441 1736 NtSetEventBoostPriority (32, ... 00391 1744 NtWaitForSingleObject ... ) == 0x0 00442 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00443 1744 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0 00444 1744 NtClose (56, ... ) == 0x0 00445 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00441 1736 NtSetEventBoostPriority ... ) == 0x0 00446 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00447 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00448 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00449 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00450 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00451 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00452 1736 NtWaitForSingleObject (32, 0, 0x0, ... 00453 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00454 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... 
) == 0x0 00455 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00456 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00457 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00458 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00459 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00460 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00461 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00462 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00463 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00464 1744 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00465 1744 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00466 1744 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00467 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 1744 NtAllocateVirtualMemory (-1, 4554752, 0, 4096, 4096, 4, ... 4554752, 4096, ) == 0x0 00469 1744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 56, {status=0x0, info=0}, ) }, 7, 16, ... 
56, {status=0x0, info=0}, ) == 0x0 00470 1744 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317'\272\320\361rD\210\241\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \2165\354\317'\272\320\361rD\210\241\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 00471 1744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00472 1744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00473 1744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00474 1744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00475 1744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00476 1744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00477 1744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00478 1744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0 00479 1744 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "6]\375\243\353\34^\207\251\225*\273\6N\24\346\244X\265\354\35\320\22\321\2Tx0^)WY\335\217\277H\15L\177]\324\21\17~\6\301p\223\335\247*\26\10+\202\374n\265<\315\15\214A\220<\251\367n\361\254T,\323\335\27 Dk\211+", 80, ... ) , 0, 3, (-2147482576, "Seed", 0, 3, "6]\375\243\353\34^\207\251\225*\273\6N\24\346\244X\265\354\35\320\22\321\2Tx0^)WY\335\217\277H\15L\177]\324\21\17~\6\301p\223\335\247*\26\10+\202\374n\265<\315\15\214A\220<\251\367n\361\254T,\323\335\27 Dk\211+", 80, ... ) , 80, ... ) == 0x0 00480 1744 NtClose (-2147482576, ... ) == 0x0 00470 1744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "b\350<#\6\331us\232\26x\336\31\31\203\2402\277\371\17<\234\2054n\\267\254\20F\17\262\211\3520N\325\361\343j[\274\364\345\335%\214\6R\316\227\332,Z\373\244\25i\333m\321\210\221\353\263\271\374yi\353\243\177{+pK\361\225\2733\316\312\231\24\y\260l\213^\2\255\200 \32Q\217\16\3631\267VkN\251\334\333\1z\247&!\376O\200q*U\361a\2373\267G\260C{\6\236\351\372t\204 \376\6\343\360>\322\307:\34\36N\365\201\317\307\242\241\232H\353+\254\275\205V\223cQ\7\4\363\366\250$"2\30 \206\257\\16C\223\221\205\351\15\334r\262\251gV\300\330\373\203>v\200\10\213l&\26\265\34\6\377\311\205\15L"\0\330\273\302\203\370\337l\257#a\257\356kE\247\227\217\227\326\373\344\325A0\233\235B=\3575A\362\256\266\35\232\305\265\11w]\231\269\366", ) 2\30 \206\257\\16C\223\221\205\351\15\334r\262\251gV\300\330\373\203>v\200\10\213l&\26\265\34\6\377\311\205\15L ... 
{status=0x0, info=256}, "b\350<#\6\331us\232\26x\336\31\31\203\2402\277\371\17<\234\2054n\\267\254\20F\17\262\211\3520N\325\361\343j[\274\364\345\335%\214\6R\316\227\332,Z\373\244\25i\333m\321\210\221\353\263\271\374yi\353\243\177{+pK\361\225\2733\316\312\231\24\y\260l\213^\2\255\200 \32Q\217\16\3631\267VkN\251\334\333\1z\247&!\376O\200q*U\361a\2373\267G\260C{\6\236\351\372t\204 \376\6\343\360>\322\307:\34\36N\365\201\317\307\242\241\232H\353+\254\275\205V\223cQ\7\4\363\366\250$"2\30 \206\257\\16C\223\221\205\351\15\334r\262\251gV\300\330\373\203>v\200\10\213l&\26\265\34\6\377\311\205\15L"\0\330\273\302\203\370\337l\257#a\257\356kE\247\227\217\227\326\373\344\325A0\233\235B=\3575A\362\256\266\35\232\305\265\11w]\231\269\366", ) , ) == 0x0 00481 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00482 1744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00483 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00484 1744 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00485 1744 NtClose (60, ... ) == 0x0 00486 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 60, ) }, ... 60, ) == 0x0 00487 1744 NtQueryValueKey (60, (60, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00488 1744 NtClose (60, ... 
) == 0x0 00489 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00490 1744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00491 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00492 1744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00493 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0 00494 1744 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00495 1744 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 1744 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00497 1744 NtClose (60, ... ) == 0x0 00498 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00499 1744 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00500 1744 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00501 1744 NtClose (60, ... 
) == 0x0 00502 1744 NtOpenEvent (0x1f0003, {24, 28, 0x0, 0, 0, (0x1f0003, {24, 28, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00503 1744 NtSetEventBoostPriority (32, ... 00452 1736 NtWaitForSingleObject ... ) == 0x0 00504 1736 NtFreeVirtualMemory (-1, (0xc80000), 0, 32768, ... (0xc80000), 28672, ) == 0x0 00505 1736 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00506 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00507 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00508 1736 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 00503 1744 NtSetEventBoostPriority ... ) == 0x0 00509 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 60, ) }, ... 60, ) == 0x0 00510 1744 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00511 1744 NtClose (60, ... ) == 0x0 00512 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00513 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... 00508 1736 NtAllocateVirtualMemory ... 3276800, 4096, ) == 0x0 00514 1736 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00515 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13303808, 1048576, ) == 0x0 00516 1736 NtAllocateVirtualMemory (-1, 13303808, 0, 32768, 4096, 4, ... 13303808, 32768, ) == 0x0 00517 1736 NtWaitForSingleObject (32, 0, 0x0, ... 00513 1744 NtProtectVirtualMemory ... (0x77121000), 4096, 4, ) == 0x0 00518 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... 
) == 0x0 00519 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00520 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00521 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00522 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00523 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00524 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00525 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00526 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00527 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00528 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00529 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00530 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00531 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00532 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00533 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00534 1744 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00535 1744 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00536 1744 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00537 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00538 1744 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... 
) == 0xc077 00539 1744 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00540 1744 NtOpenKey (0x9, {24, 40, 0x40, 0, 0, (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00541 1744 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00542 1744 NtSetEventBoostPriority (32, ... 00517 1736 NtWaitForSingleObject ... ) == 0x0 00543 1736 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "Jobaka3"}, 0, ... 60, ) }, 0, ... 60, ) == 0x0 00544 1736 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0 00545 1736 NtQueryValueKey (64, (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00546 1736 NtQueryValueKey (64, (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00542 1744 NtSetEventBoostPriority ... ) == 0x0 00547 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00548 1744 NtAllocateVirtualMemory (-1, 4558848, 0, 4096, 4096, 4, ... 4558848, 4096, ) == 0x0 00549 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 8713748, ... }, 8713748, ... 00550 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
68, ) == 0x0 00551 1736 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Protocol_Catalog9"}, ... 72, ) }, ... 72, ) == 0x0 00552 1736 NtQueryValueKey (72, (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00553 1736 NtNotifyChangeKey (72, 68, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00554 1736 NtQueryValueKey (72, (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00555 1736 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00556 1736 NtQueryValueKey (72, (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00557 1736 NtQueryValueKey (72, (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00558 1736 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0 00559 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0 00560 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00561 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00549 1744 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00562 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\03\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\03\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\03\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\03\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\03\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\03\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\04\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\05\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00563 1736 NtClose (80, ... ) == 0x0 00564 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 
80, ) == 0x0 00565 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00566 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00567 1736 NtAllocateVirtualMemory (-1, 4562944, 0, 4096, 4096, 4, ... 4562944, 4096, ) == 0x0 00568 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc.dll"}, 8713748, ... ) }, 8713748, ... ) == 0x0 00569 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00570 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0 00571 1744 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00572 1744 NtClose (84, ... ) == 0x0 00573 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 20480, ) == 0x0 00574 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0?\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0?\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0?\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0?\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0?\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0?\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0@\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0A\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00575 1736 NtClose (80, ... ) == 0x0 00576 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 
80, ) == 0x0 00577 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00578 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00579 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0D\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0X\0\0\0D\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0D\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\30\364\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\26\0\0\354\375\177\0\0\0\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0E\2\0\0d\6\0\0\320\6\0\0V\0\0\0\1\0\1\04\0\0\300\0\0\0\0F\2\0\0d\6\0\0\320\6\0\0c\0\0\0\0\0\1\0\0\0\0\0\\0\0\0\0\0\0\0\30\0\0\0\0\0\0\00\363\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0,\0\32\2\240 
E\0\0\0\0\0\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0\344\362\204\0G\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0D\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0X\0\0\0D\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0D\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\30\364\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\26\0\0\354\375\177\0\0\0\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0E\2\0\0d\6\0\0\320\6\0\0V\0\0\0\1\0\1\04\0\0\300\0\0\0\0F\2\0\0d\6\0\0\320\6\0\0c\0\0\0\0\0\1\0\0\0\0\0\\0\0\0\0\0\0\0\30\0\0\0\0\0\0\00\363\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0,\0\32\2\240 
E\0\0\0\0\0\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0\344\362\204\0G\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0"}, 900, ) }, 900, ) == 0x0 00580 1744 NtClose (88, ... ) == 0x0 00581 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 8712932, ... }, 8712932, ... 00583 1736 NtClose (80, ... ) == 0x0 00584 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000004"}, ... 80, ) }, ... 80, ) == 0x0 00585 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00586 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00587 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0L\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0L\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0L\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0M\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0N\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00588 1736 NtClose (80, ... ) == 0x0 00589 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000005"}, ... 80, ) }, ... 80, ) == 0x0 00590 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00591 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00592 1736 NtAllocateVirtualMemory (-1, 4567040, 0, 4096, 4096, 4, ... 4567040, 4096, ) == 0x0 00593 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0R\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0R\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0R\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0R\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0R\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0R\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0S\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0T\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00594 1736 NtClose (80, ... 
) == 0x0 00595 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000006"}, ... 80, ) }, ... 80, ) == 0x0 00596 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00597 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00582 1744 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00598 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc_os.dll"}, 8712932, ... ) }, 8712932, ... ) == 0x0 00599 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc_os.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00600 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 84, ) == 0x0 00601 1744 NtQuerySection (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00602 1744 NtClose (88, ... 00603 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0]\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0^\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00604 1736 NtClose (80, ... ) == 0x0 00605 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000007"}, ... 80, ) }, ... 
80, ) == 0x0 00606 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00607 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00608 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Z\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0a\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0T\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0a\2\0\0d\6\0\0\320\6\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\306v\377\377\377\377\0\0\0\0\0\0\0\0\0\240\2\0b\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0b\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\00\3\0\0\4\0\0\0c\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0 
\0\0\0d\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0d\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0d\6\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Z\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0a\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0T\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0a\2\0\0d\6\0\0\320\6\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\306v\377\377\377\377\0\0\0\0\0\0\0\0\0\240\2\0b\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0b\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\00\3\0\0\4\0\0\0c\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0d\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0d\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0d\6\0\0"}, 900, ) }, 900, 
) == 0x0 00602 1744 NtClose ... ) == 0x0 00609 1744 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 172032, ) == 0x0 00610 1744 NtClose (84, ... ) == 0x0 00611 1744 NtProtectVirtualMemory (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0 00612 1736 NtClose (80, ... ) == 0x0 00613 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000008"}, ... 80, ) }, ... 80, ) == 0x0 00614 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00615 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00616 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0i\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0i\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 
\0\0\0j\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0k\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0k\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\00\3\0\0\4\0\0\0l\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0m\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0m\2\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0i\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0i\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 
\0\0\0j\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0k\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0k\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\00\3\0\0\4\0\0\0l\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0m\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0m\2\0\0"}, 900, ) }, 900, ) == 0x0 00617 1736 NtClose (80, ... ) == 0x0 00618 1744 NtProtectVirtualMemory (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0 00619 1744 NtFlushInstructionCache (-1, 1992691712, 816, ... ) == 0x0 00620 1744 NtProtectVirtualMemory (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0 00621 1744 NtProtectVirtualMemory (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0 00622 1744 NtFlushInstructionCache (-1, 1992691712, 816, ... ) == 0x0 00623 1744 NtProtectVirtualMemory (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0 00624 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000009"}, ... 80, ) }, ... 80, ) == 0x0 00625 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00626 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00627 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0t\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0t\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0u\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0v\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0v\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0w\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0w\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0t\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0t\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0u\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0v\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0v\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0w\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0w\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0u\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0v\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 
\0\0\0v\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0w\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0w\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) == 0x0 00628 1736 NtClose (80, ... ) == 0x0 00629 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000010"}, ... 80, ) }, ... 80, ) == 0x0 00630 1744 NtProtectVirtualMemory (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0 00631 1744 NtFlushInstructionCache (-1, 1992691712, 816, ... ) == 0x0 00632 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... 84, ) }, ... 84, ) == 0x0 00633 1744 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 188416, ) == 0x0 00634 1744 NtClose (84, ... ) == 0x0 00635 1744 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 00636 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00637 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00638 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\177\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\177\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\201\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\201\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\202\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\202\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\270\355\204\0@\0\0\0\0\0\0\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\177\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\177\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\201\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\201\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\202\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\202\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\270\355\204\0@\0\0\0\0\0\0\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\201\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 
\0\0\0\201\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\202\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\202\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\270\355\204\0@\0\0\0\0\0\0\0\0\0\0\0"}, 900, ) == 0x0 00639 1736 NtClose (80, ... ) == 0x0 00640 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000011"}, ... }, ... 00641 1744 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 00642 1744 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 00643 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 80, ) }, ... 80, ) == 0x0 00640 1736 NtOpenKey ... 84, ) == 0x0 00644 1736 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00645 1736 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00646 1736 NtAllocateVirtualMemory (-1, 4571136, 0, 4096, 4096, 4, ... 4571136, 4096, ) == 0x0 00647 1736 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\210\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\212\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0P\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\212\2\0\0d\6\0\0\320\6\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\250w\377\377\377\377\0\0\0\0\0\0\0\0\0@\11\0\213\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\213\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\210\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\212\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0P\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\212\2\0\0d\6\0\0\320\6\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\250w\377\377\377\377\0\0\0\0\0\0\0\0\0@\11\0\213\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\213\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\212\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0P\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\212\2\0\0d\6\0\0\320\6\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\250w\377\377\377\377\0\0\0\0\0\0\0\0\0@\11\0\213\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\213\2\0\0d\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w"}, 900, ) == 0x0 00648 1736 NtClose (84, ... ) == 0x0 00649 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000012"}, ... }, ... 00650 1744 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77a80000), 0x0, 606208, ) == 0x0 00651 1744 NtClose (80, ... ) == 0x0 00652 1744 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 00653 1744 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 00654 1744 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 00655 1744 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 00649 1736 NtOpenKey ... 80, ) == 0x0 00656 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00657 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00658 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\223\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\223\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\226\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0 \0\0\0\226\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\223\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\223\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\226\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0 \0\0\0\226\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\223\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\223\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\224\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\226\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0 \0\0\0\226\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0"}, 900, ) }, 900, ) == 0x0 00659 1736 NtClose (80, ... ) == 0x0 00660 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000013"}, ... 80, ) }, ... 
80, ) == 0x0 00661 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ... 00662 1744 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 00663 1744 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 00664 1744 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 00665 1744 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 00666 1744 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 00667 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 84, ) }, ... 84, ) == 0x0 00661 1736 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 00668 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00669 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\236\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\236\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\236\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\236\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\236\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\236\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\237\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\240\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00670 1736 NtClose (80, ... ) == 0x0 00671 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000014"}, ... 80, ) }, ... 
80, ) == 0x0 00672 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00673 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ... 00674 1744 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b20000), 0x0, 73728, ) == 0x0 00675 1744 NtClose (84, ... ) == 0x0 00676 1744 NtProtectVirtualMemory (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0 00677 1744 NtProtectVirtualMemory (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0 00678 1744 NtFlushInstructionCache (-1, 2008158208, 160, ... ) == 0x0 00679 1744 NtProtectVirtualMemory (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0 00673 1736 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 00680 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\251\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\251\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\251\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\251\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\251\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\251\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\252\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\253\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00681 1736 NtClose (80, ... ) == 0x0 00682 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000015"}, ... 80, ) }, ... 
80, ) == 0x0 00683 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00684 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00685 1736 NtAllocateVirtualMemory (-1, 4575232, 0, 4096, 4096, 4, ... 00686 1744 NtProtectVirtualMemory (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0 00687 1744 NtFlushInstructionCache (-1, 2008158208, 160, ... ) == 0x0 00688 1744 NtProtectVirtualMemory (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0 00689 1744 NtProtectVirtualMemory (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0 00690 1744 NtFlushInstructionCache (-1, 2008158208, 160, ... ) == 0x0 00691 1744 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 00685 1736 NtAllocateVirtualMemory ... 4575232, 4096, ) == 0x0 00692 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\265\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\265\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\265\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\265\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\265\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\265\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\266\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\267\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00693 1736 NtClose (80, ... ) == 0x0 00694 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000016"}, ... 80, ) }, ... 
80, ) == 0x0 00695 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00696 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00697 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... , Partial, 900, ... 00698 1744 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 00699 1744 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 00700 1744 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 00701 1744 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 00702 1744 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 00703 1744 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 00697 1736 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\300\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\300\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\301\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\302\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\302\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\301\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\302\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\300\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\300\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\301\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\302\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\302\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00704 1736 NtClose (80, ... ) == 0x0 00705 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000017"}, ... 80, ) }, ... 
80, ) == 0x0 00706 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00707 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00708 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\305\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\306\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 
\0\0\0\306\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\307\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\307\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\270\355\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\354\375\177\0\0\0\0I\0M\0A\0G\0E\0H\0L\0P\0.\0d\0l\0l\0\310\2\0\0d\6\0\0\320\6\0\0V\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\311\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0T\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\305\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\306\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 
\0\0\0\306\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\307\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\307\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\2\0\0d\6\0\0\320\6\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\270\355\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\354\375\177\0\0\0\0I\0M\0A\0G\0E\0H\0L\0P\0.\0d\0l\0l\0\310\2\0\0d\6\0\0\320\6\0\0V\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\311\2\0\0d\6\0\0\320\6\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0T\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0 00709 1736 NtClose (80, ... 00710 1744 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 00711 1744 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 00712 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 84, ) }, ... 84, ) == 0x0 00713 1744 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 163840, ) == 0x0 00714 1744 NtClose (84, ... ) == 0x0 00715 1744 NtProtectVirtualMemory (-1, (0x76c91000), 504, 4, ... (0x76c91000), 4096, 32, ) == 0x0 00709 1736 NtClose ... ) == 0x0 00716 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000018"}, ... 80, ) }, ... 80, ) == 0x0 00717 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00718 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00719 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\320\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\320\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\322\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\311v\0\0\0\0\0\20\0\0 \0\0\0\322\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\311v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\323\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\311v\370\1\0\0\323\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\311v\0\0\0\0\370\1\0\0\4\0\0\0\324\2\0\0d\6\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\320\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\320\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\322\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\311v\0\0\0\0\0\20\0\0 \0\0\0\322\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\311v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\323\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\311v\370\1\0\0\323\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\311v\0\0\0\0\370\1\0\0\4\0\0\0\324\2\0\0d\6\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\322\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\311v\0\0\0\0\0\20\0\0 
\0\0\0\322\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\311v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\323\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\311v\370\1\0\0\323\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\311v\0\0\0\0\370\1\0\0\4\0\0\0\324\2\0\0d\6\0\0"}, 900, ) == 0x0 00720 1736 NtClose (80, ... ) == 0x0 00721 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000019"}, ... }, ... 00722 1744 NtProtectVirtualMemory (-1, (0x76c91000), 4096, 32, ... (0x76c91000), 4096, 4, ) == 0x0 00723 1744 NtFlushInstructionCache (-1, 1992888320, 504, ... ) == 0x0 00724 1744 NtProtectVirtualMemory (-1, (0x76c91000), 504, 4, ... (0x76c91000), 4096, 32, ) == 0x0 00725 1744 NtProtectVirtualMemory (-1, (0x76c91000), 4096, 32, ... (0x76c91000), 4096, 4, ) == 0x0 00726 1744 NtFlushInstructionCache (-1, 1992888320, 504, ... ) == 0x0 00727 1744 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 00721 1736 NtOpenKey ... 80, ) == 0x0 00728 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00729 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00730 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\333\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\333\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\334\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\335\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\335\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\336\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\336\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\333\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\333\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\334\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\335\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\335\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\336\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\336\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\334\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\335\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\335\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\336\2\0\0d\6\0\0\320\6\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\336\2\0\0d\6\0\0\320\6\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) == 0x0 00731 1736 NtClose (80, ... ) == 0x0 00732 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000020"}, ... 80, ) }, ... 80, ) == 0x0 00733 1744 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 00734 1744 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 00735 1744 NtProtectVirtualMemory (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0 00736 1744 NtProtectVirtualMemory (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0 00737 1744 NtFlushInstructionCache (-1, 1992691712, 816, ... ) == 0x0 00738 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00739 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00740 1736 NtAllocateVirtualMemory (-1, 4579328, 0, 4096, 4096, 4, ... 4579328, 4096, ) == 0x0 00741 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\346\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\346\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\347\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\350\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\273v\0\0\0\0L\0\0\0\4\0\0\0\350\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\273v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\351\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\273v\0\0\0\0\0\20\0\0 \0\0\0\351\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\273v\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\346\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\346\2\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\347\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\350\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\273v\0\0\0\0L\0\0\0\4\0\0\0\350\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\273v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\351\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\273v\0\0\0\0\0\20\0\0 \0\0\0\351\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\273v\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\223E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\347\2\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\350\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\273v\0\0\0\0L\0\0\0\4\0\0\0\350\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\273v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\351\2\0\0d\6\0\0\320\6\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\273v\0\0\0\0\0\20\0\0 \0\0\0\351\2\0\0d\6\0\0\320\6\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\273v\0\0\0\0"}, 900, ) == 0x0 00742 1736 NtClose (80, ... ) == 0x0 00743 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000021"}, ... 80, ) }, ... 80, ) == 0x0 00744 1744 NtProtectVirtualMemory (-1, (0x76bb1000), 76, 4, ... (0x76bb1000), 4096, 32, ) == 0x0 00745 1744 NtProtectVirtualMemory (-1, (0x76bb1000), 4096, 32, ... (0x76bb1000), 4096, 4, ) == 0x0 00746 1744 NtFlushInstructionCache (-1, 1991970816, 76, ... ) == 0x0 00747 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00748 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00749 1736 NtQueryValueKey (80, (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\356\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\374\0\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\370\361\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\0\306\2\10\362\204\0\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0I\0m\0a\0g\0e\0 \0F\0i\0l\0e\0 \0E\0x\0e\0c\0u\0t\0i\0o\0n\0 \0O\0p\0t\0i\0o\0n\0s\0\\0M\0S\0A\0S\0N\01\0.\0d\0l\0l\0\356\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\357\2\0\0d\6\0\0\320\6\0\0v\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0d\6\0\0\320\6\0\0v\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\3349\362A\20\0\0\0\0\0\0\0\231\2366\0\0\0\0\0\360\2\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\356\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\374\0\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\370\361\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\0\306\2\10\362\204\0\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0I\0m\0a\0g\0e\0 \0F\0i\0l\0e\0 \0E\0x\0e\0c\0u\0t\0i\0o\0n\0 \0O\0p\0t\0i\0o\0n\0s\0\\0M\0S\0A\0S\0N\01\0.\0d\0l\0l\0\356\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\357\2\0\0d\6\0\0\320\6\0\0v\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0d\6\0\0\320\6\0\0v\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\3349\362A\20\0\0\0\0\0\0\0\231\2366\0\0\0\0\0\360\2\0\0"}, 900, ) }, 900, ) == 0x0 00750 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 1744 NtQueryPerformanceCounter (... 
{1106393564, 16}, {3579545, 0}, ) == 0x0 00752 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00753 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00754 1744 NtAllocateVirtualMemory (-1, 4583424, 0, 4096, 4096, 4, ... 4583424, 4096, ) == 0x0 00755 1736 NtClose (80, ... ) == 0x0 00756 1736 NtCreateEvent (0x100003, 0x0, 1, 0, ... 80, ) == 0x0 00757 1736 NtWaitForSingleObject (80, 0, 0x0, ... 00758 1744 NtSetEventBoostPriority (80, ... 00757 1736 NtWaitForSingleObject ... ) == 0x0 00759 1736 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000022"}, ... 84, ) }, ... 84, ) == 0x0 00760 1736 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00761 1736 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00762 1736 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\366\2\0\0d\6\0\0\320\6\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0F\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\373\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0F\0\0\0\0\0\0\20\0\0\374\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\230\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0(\0\0\0\360\365\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0f\0h\0\30\16F\0\0\0\0\0S\0O\0F\0T\0W\0A\0R\0E\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0m\0s\0a\0s\0n\01\0c\0\374\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\375\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\20F\0\0\0\0\0\0\0\0\0\0\20\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\366\2\0\0d\6\0\0\320\6\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0F\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\373\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0F\0\0\0\0\0\0\20\0\0\374\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\230\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0(\0\0\0\360\365\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0f\0h\0\30\16F\0\0\0\0\0S\0O\0F\0T\0W\0A\0R\0E\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0m\0s\0a\0s\0n\01\0c\0\374\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\375\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\20F\0\0\0\0\0\0\0\0\0\0\20\0\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\366\2\0\0d\6\0\0\320\6\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0F\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\373\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0F\0\0\0\0\0\0\20\0\0\374\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\230\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0(\0\0\0\360\365\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0f\0h\0\30\16F\0\0\0\0\0S\0O\0F\0T\0W\0A\0R\0E\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0m\0s\0a\0s\0n\01\0c\0\374\2\0\0d\6\0\0\320\6\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\375\2\0\0d\6\0\0\320\6\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\20F\0\0\0\0\0\0\0\0\0\0\20\0\0"}, 900, ) == 0x0 00758 1744 NtSetEventBoostPriority ... ) == 0x0 00763 1744 NtAllocateVirtualMemory (-1, 4587520, 0, 4096, 4096, 4, ... 4587520, 4096, ) == 0x0 00764 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00765 1744 NtAllocateVirtualMemory (-1, 4591616, 0, 4096, 4096, 4, ... 4591616, 4096, ) == 0x0 00766 1744 NtAllocateVirtualMemory (-1, 4595712, 0, 4096, 4096, 4, ... 4595712, 4096, ) == 0x0 00767 1744 NtCreateEvent (0x1f0003, {24, 28, 0x80, 8713872, 0, (0x1f0003, {24, 28, 0x80, 8713872, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00768 1736 NtClose (84, ... ) == 0x0 00769 1736 NtClose (76, ... ) == 0x0 00770 1736 NtWaitForSingleObject (68, 0, {0, 0}, ... ) == 0x102 00771 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0 00772 1736 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 84, ) }, ... 
84, ) == 0x0 00773 1736 NtQueryValueKey (84, (84, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ... 00774 1744 NtOpenEvent (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0 00775 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMAGEHLP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00776 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00777 1744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00778 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00779 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14352384, 1048576, ) == 0x0 00773 1736 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00780 1736 NtNotifyChangeKey (84, 76, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00781 1736 NtQueryValueKey (84, (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00782 1736 NtOpenKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "00000005"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00783 1736 NtQueryValueKey (84, (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00784 1736 NtOpenKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Catalog_Entries"}, ... 92, ) }, ... 92, ) == 0x0 00785 1736 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000001"}, ... }, ... 00786 1744 NtAllocateVirtualMemory (-1, 14352384, 0, 1048576, 4096, 4, ... 14352384, 1048576, ) == 0x0 00787 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00788 1744 NtCreateMutant (0x1f0001, 0x0, 0, ... 96, ) == 0x0 00789 1744 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 100, ) == 0x0 00790 1744 NtCreateMutant (0x1f0001, 0x0, 0, ... 104, ) == 0x0 00791 1744 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 00785 1736 NtOpenKey ... 108, ) == 0x0 00792 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00793 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00794 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00795 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00796 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00797 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... , Partial, 144, ... 00791 1744 NtCreateEvent ... 112, ) == 0x0 00798 1744 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 116, ) == 0x0 00799 1744 NtSetEvent (116, ... 0x0, ) == 0x0 00800 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00801 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00802 1744 NtQueryPerformanceCounter (... 00797 1736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00803 1736 NtQueryValueKey (108, (108, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00804 1736 NtQueryValueKey (108, (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00805 1736 NtQueryValueKey (108, (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00806 1736 NtQueryValueKey (108, (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00807 1736 NtQueryValueKey (108, (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00808 1736 NtQueryValueKey (108, (108, "StoresServiceClassInfo", Partial, 144, ... , Partial, 144, ... 00802 1744 NtQueryPerformanceCounter ... {1106432464, 16}, {3579545, 0}, ) == 0x0 00809 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 120, ) }, ... 120, ) == 0x0 00810 1744 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0 00811 1744 NtClose (120, ... ) == 0x0 00812 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00813 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 00814 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... 00808 1736 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00815 1736 NtClose (108, ... ) == 0x0 00816 1736 NtAllocateVirtualMemory (-1, 4599808, 0, 4096, 4096, 4, ... 4599808, 4096, ) == 0x0 00817 1736 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0 00818 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00819 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00820 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... , Partial, 144, ... 00814 1744 NtFlushInstructionCache ... ) == 0x0 00821 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00822 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 00823 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 00824 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00825 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 00826 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... 00820 1736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00827 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00828 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00829 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00830 1736 NtQueryValueKey (108, (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00831 1736 NtQueryValueKey (108, (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00832 1736 NtQueryValueKey (108, (108, "SupportedNameSpace", Partial, 144, ... , Partial, 144, ... 00826 1744 NtFlushInstructionCache ... ) == 0x0 00833 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00834 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 00835 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 00836 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00837 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 
(0x7c9c1000), 8192, 4, ) == 0x0 00838 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... 00832 1736 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00839 1736 NtQueryValueKey (108, (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00840 1736 NtQueryValueKey (108, (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00841 1736 NtQueryValueKey (108, (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00842 1736 NtClose (108, ... ) == 0x0 00843 1736 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0 00844 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... , Partial, 144, ... 00838 1744 NtFlushInstructionCache ... ) == 0x0 00845 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00846 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 00847 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 00848 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 120, ) }, ... 120, ) == 0x0 00849 1744 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00850 1744 NtClose (120, ... 00844 1736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00851 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00852 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00853 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00854 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00855 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00856 1736 NtQueryValueKey (108, (108, "ProviderId", Partial, 144, ... , Partial, 144, ... 00850 1744 NtClose ... ) == 0x0 00857 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00858 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00859 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00860 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00861 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00862 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... 00856 1736 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00863 1736 NtQueryValueKey (108, (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00864 1736 NtQueryValueKey (108, (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00865 1736 NtQueryValueKey (108, (108, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00866 1736 NtQueryValueKey (108, (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00867 1736 NtQueryValueKey (108, (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00868 1736 NtClose (108, ... 00862 1744 NtFlushInstructionCache ... ) == 0x0 00869 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00870 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00871 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00872 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00873 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00874 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... 00868 1736 NtClose ... ) == 0x0 00875 1736 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0 00876 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00877 1736 NtQueryValueKey (108, (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00878 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00879 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00880 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... , Partial, 144, ... 00874 1744 NtFlushInstructionCache ... ) == 0x0 00881 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00882 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00883 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00884 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00885 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 
(0x7c9c1000), 8192, 4, ) == 0x0 00886 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... 00880 1736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00887 1736 NtQueryValueKey (108, (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00888 1736 NtQueryValueKey (108, (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00889 1736 NtQueryValueKey (108, (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 1736 NtQueryValueKey (108, (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00891 1736 NtQueryValueKey (108, (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00892 1736 NtQueryValueKey (108, (108, "Version", Partial, 144, ... , Partial, 144, ... 00886 1744 NtFlushInstructionCache ... ) == 0x0 00893 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 00894 1744 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 
(0x7c9c1000), 8192, 4, ) == 0x0 00895 1744 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 00896 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 1744 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 1744 NtCreateSemaphore (0x1f0003, {24, 28, 0x80, 4601848, 0, (0x1f0003, {24, 28, 0x80, 4601848, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... }, 0, 2147483647, ... 00892 1736 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00899 1736 NtQueryValueKey (108, (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00900 1736 NtClose (108, ... ) == 0x0 00901 1736 NtClose (92, ... ) == 0x0 00902 1736 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x102 00903 1736 NtClose (64, ... ) == 0x0 00898 1744 NtCreateSemaphore ... 64, ) == STATUS_OBJECT_NAME_EXISTS 00904 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shell32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 1744 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 92, ) }, ... 92, ) == 0x0 00906 1744 NtQueryValueKey (92, (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00907 1744 NtClose (92, ... ) == 0x0 00908 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00909 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00910 1736 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0 00911 1736 NtQueryValueKey (92, (92, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 1736 NtClose (92, ... ) == 0x0 00913 1736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0 00914 1744 NtQueryDefaultUILanguage (8712080, ... 00915 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00916 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00917 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00918 1744 NtClose (-2147482576, ... ) == 0x0 00919 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00920 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... }, ... 00921 1736 NtAllocateVirtualMemory (-1, 4603904, 0, 4096, 4096, 4, ... 4603904, 4096, ) == 0x0 00922 1736 NtWaitForSingleObject (32, 0, 0x0, ... 00920 1744 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00923 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 00924 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 1744 NtClose (-2147481400, ... ) == 0x0 00926 1744 NtClose (-2147482576, ... ) == 0x0 00914 1744 NtQueryDefaultUILanguage ... ) == 0x0 00927 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00928 1744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 108, ... 120, ) == 0x0 00929 1744 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xeb0000), 0x0, 8462336, ) == 0x0 00930 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 1744 NtQueryDefaultUILanguage (2090319928, ... 00932 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00933 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00934 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00935 1744 NtClose (-2147482576, ... ) == 0x0 00936 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00937 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00938 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 00939 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 1744 NtClose (-2147481400, ... ) == 0x0 00941 1744 NtClose (-2147482576, ... ) == 0x0 00931 1744 NtQueryDefaultUILanguage ... ) == 0x0 00942 1744 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00943 1744 NtQueryDefaultLocale (1, 8710176, ... ) == 0x0 00944 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 1744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 8711212, 1179817, 8710936} (24, {128, 156, new_msg, 0, 2088850039, 8711212, 1179817, 8710936} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1l\0\0\0\377\377\377\377\0\0\0\0@ \16\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0 \360\204\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1744, 75483, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1l\0\0\0\377\377\377\377\0\0\0\0@ \16\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0 \360\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 1636, 1744, 75483, 0} (24, {128, 156, new_msg, 0, 2088850039, 8711212, 1179817, 8710936} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1l\0\0\0\377\377\377\377\0\0\0\0@ \16\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0 \360\204\0\0\0\0\0" ... 
{128, 156, reply, 0, 1636, 1744, 75483, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1l\0\0\0\377\377\377\377\0\0\0\0@ \16\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0 \360\204\0\0\0\0\0" ) ) == 0x0 00946 1744 NtClose (108, ... ) == 0x0 00947 1744 NtClose (120, ... ) == 0x0 00948 1744 NtUnmapViewOfSection (-1, 0xeb0000, ... ) == 0x0 00949 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00950 1744 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00952 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00953 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 8709368, ... ) }, 8709368, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00955 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00956 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00957 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 8709432, ... ) }, 8709432, ... ) == 0x0 00958 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 120, {status=0x0, info=1}, ) }, 3, 33, ... 120, {status=0x0, info=1}, ) == 0x0 00959 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00960 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 
108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00961 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 108, ... 124, ) == 0x0 00962 1744 NtClose (108, ... ) == 0x0 00963 1744 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xeb0000), 0x0, 1056768, ) == 0x0 00964 1744 NtClose (124, ... ) == 0x0 00965 1744 NtUnmapViewOfSection (-1, 0xeb0000, ... ) == 0x0 00966 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0 00967 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 124, ... 108, ) == 0x0 00968 1744 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00969 1744 NtClose (124, ... ) == 0x0 00970 1744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 00971 1744 NtClose (108, ... ) == 0x0 00972 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00973 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00974 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00975 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00976 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00977 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00978 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00979 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00980 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00981 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... 
(0x773d1000), 4096, 32, ) == 0x0 00982 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00983 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00984 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00985 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00986 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00987 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00988 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00989 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00990 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00991 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00992 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00993 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 1744 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 8710912, ... ) , 42, 8710912, ... ) == 0x0 00995 1744 NtQueryDefaultUILanguage (8709596, ... 00996 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00997 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00998 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00999 1744 NtClose (-2147482576, ... ) == 0x0 01000 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... 
-2147482576, ) == 0x0 01001 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 01003 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01004 1744 NtClose (-2147481400, ... ) == 0x0 01005 1744 NtClose (-2147482576, ... ) == 0x0 00995 1744 NtQueryDefaultUILanguage ... ) == 0x0 01006 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708436, ... ) }, 8708436, ... ) == 0x0 01007 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 01008 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 108, ... 124, ) == 0x0 01009 1744 NtClose (108, ... ) == 0x0 01010 1744 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xeb0000), 0x0, 4096, ) == 0x0 01011 1744 NtClose (124, ... ) == 0x0 01012 1744 NtUnmapViewOfSection (-1, 0xeb0000, ... ) == 0x0 01013 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708032, ... ) }, 8708032, ... ) == 0x0 01014 1744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8708776, (0x80100080, {24, 0, 0x40, 0, 8708776, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0 01015 1744 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 124, ... 108, ) == 0x0 01016 1744 NtClose (124, ... 
) == 0x0 01017 1744 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xeb0000), {0, 0}, 4096, ) == 0x0 01018 1744 NtClose (108, ... ) == 0x0 01019 1744 NtUnmapViewOfSection (-1, 0xeb0000, ... ) == 0x0 01020 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0 01021 1744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 108, ... 124, ) == 0x0 01022 1744 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xeb0000), 0x0, 4096, ) == 0x0 01023 1744 NtQueryInformationFile (108, 8708428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01024 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01025 1744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 8708728, 1179817, 8708452} (24, {128, 156, new_msg, 0, 2088850039, 8708728, 1179817, 8708452} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1l\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0l\346\204\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1744, 75494, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1l\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0l\346\204\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 1636, 1744, 75494, 0} (24, {128, 156, new_msg, 0, 2088850039, 8708728, 1179817, 8708452} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1l\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0l\346\204\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1744, 75494, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1l\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0l\346\204\0\0\0\0\0" ) ) == 0x0 01026 1744 NtClose (108, ... ) == 0x0 01027 1744 NtClose (124, ... ) == 0x0 01028 1744 NtUnmapViewOfSection (-1, 0xeb0000, ... ) == 0x0 01029 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01030 1744 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01031 1744 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 01032 1744 NtUserGetDC (0, ... ) == 0x1010054 01033 1744 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01034 1744 NtUserSystemParametersInfo (38, 4, 2001086940, 0, ... ) == 0x1 01035 1744 NtUserSystemParametersInfo (66, 12, 8710428, 0, ... ) == 0x1 01036 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01037 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 01038 1744 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01039 1744 NtClose (124, ... ) == 0x0 01040 1744 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 124, ) }, ... 124, ) == 0x0 01041 1744 NtOpenProcessToken (-1, 0x8, ... 108, ) == 0x0 01042 1744 NtAccessCheck (4607296, 108, 0x1, 8710260, 8710312, 56, 8710292, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01043 1744 NtClose (108, ... 
) == 0x0 01044 1744 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0 01045 1744 NtQueryValueKey (108, (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01046 1744 NtClose (108, ... ) == 0x0 01047 1744 NtUserSystemParametersInfo (41, 500, 8710456, 0, ... ) == 0x1 01048 1744 NtOpenProcessToken (-1, 0x8, ... 108, ) == 0x0 01049 1744 NtAccessCheck (4607296, 108, 0x1, 8710260, 8710312, 56, 8710292, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01050 1744 NtClose (108, ... ) == 0x0 01051 1744 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 108, ) }, ... 108, ) == 0x0 01052 1744 NtQueryValueKey (108, (108, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01053 1744 NtClose (108, ... ) == 0x0 01054 1744 NtUserSystemParametersInfo (27, 0, 2001085788, 0, ... ) == 0x1 01055 1744 NtUserSystemParametersInfo (102, 0, 2001086828, 0, ... ) == 0x1 01056 1744 NtClose (124, ... ) == 0x0 01057 1744 NtUserSystemParametersInfo (4130, 0, 8710960, 0, ... ) == 0x1 01058 1744 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 124, ) }, ... 124, ) == 0x0 01059 1744 NtEnumerateValueKey (124, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01060 1744 NtClose (124, ... ) == 0x0 01061 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01062 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c03b 01063 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c03d 01064 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01065 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... 
) == 0x8172c03f 01066 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01067 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c041 01068 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01069 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c043 01070 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c045 01071 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01072 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c047 01073 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01074 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c049 01075 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01076 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c04b 01077 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01078 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c04d 01079 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01080 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c04f 01081 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c051 01082 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01083 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c053 01084 1744 NtUserFindExistingCursorIcon (8710204, 8710220, 8710268, ... ) == 0x10011 01085 1744 NtUserRegisterClassExWOW (8710148, 8710216, 8710232, 8710248, 0, 384, 0, ... ) == 0x8172c055 01086 1744 NtUserFindExistingCursorIcon (8710204, 8710220, 8710268, ... 
) == 0x10011 01087 1744 NtUserRegisterClassExWOW (8710148, 8710216, 8710232, 8710248, 0, 384, 0, ... ) == 0x8172c057 01088 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01089 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c059 01090 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10013 01091 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c05b 01092 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01093 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c05d 01094 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01095 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c05f 01096 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01097 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c017 01098 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01099 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c019 01100 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10013 01101 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c018 01102 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01103 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c01a 01104 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01105 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c01c 01106 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01107 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... 
) == 0x8172c01e 01108 1744 NtUserFindExistingCursorIcon (8710200, 8710216, 8710264, ... ) == 0x10011 01109 1744 NtUserRegisterClassExWOW (8710200, 8710268, 8710284, 8710300, 0, 384, 0, ... ) == 0x8172c01b 01110 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01111 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c068 01112 1744 NtUserFindExistingCursorIcon (8710208, 8710224, 8710272, ... ) == 0x10011 01113 1744 NtUserRegisterClassExWOW (8710152, 8710220, 8710236, 8710252, 0, 384, 0, ... ) == 0x8172c06a 01114 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 124, ) }, ... 124, ) == 0x0 01115 1744 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0 01116 1744 NtClose (124, ... ) == 0x0 01117 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01118 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01119 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01120 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01121 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01122 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01123 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01124 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01125 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01126 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01127 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01128 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01129 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... 
(0x5d091000), 4096, 32, ) == 0x0 01130 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01131 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01132 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01133 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01134 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15400960, 65536, ) == 0x0 01135 1744 NtAllocateVirtualMemory (-1, 15400960, 0, 4096, 4096, 4, ... 15400960, 4096, ) == 0x0 01136 1744 NtAllocateVirtualMemory (-1, 15405056, 0, 8192, 4096, 4, ... 15405056, 8192, ) == 0x0 01137 1744 NtAllocateVirtualMemory (-1, 4608000, 0, 4096, 4096, 4, ... 4608000, 4096, ) == 0x0 01138 1744 NtAllocateVirtualMemory (-1, 15413248, 0, 4096, 4096, 4, ... 15413248, 4096, ) == 0x0 01139 1744 NtAllocateVirtualMemory (-1, 15417344, 0, 4096, 4096, 4, ... 15417344, 4096, ) == 0x0 01140 1744 NtQueryDefaultUILanguage (8710208, ... 01141 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01142 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 01143 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01144 1744 NtClose (-2147482576, ... ) == 0x0 01145 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... 
-2147482576, ) == 0x0 01146 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 01148 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01149 1744 NtClose (-2147481400, ... ) == 0x0 01150 1744 NtClose (-2147482576, ... ) == 0x0 01140 1744 NtQueryDefaultUILanguage ... ) == 0x0 01151 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 124, {status=0x0, info=1}, ) }, 1, 96, ... 124, {status=0x0, info=1}, ) == 0x0 01152 1744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 124, ... 108, ) == 0x0 01153 1744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xed0000), 0x0, 618496, ) == 0x0 01154 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01155 1744 NtQueryDefaultLocale (1, 8708304, ... ) == 0x0 01156 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01157 1744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 8709340, 1179817, 8709064} (24, {128, 156, new_msg, 0, 2088850039, 8709340, 1179817, 8709064} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1|\0\0\0\377\377\377\377\0\0\0\0\340q\364\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\320\350\204\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1744, 75495, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1|\0\0\0\377\377\377\377\0\0\0\0\340q\364\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\320\350\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 1636, 1744, 75495, 0} (24, {128, 156, new_msg, 0, 2088850039, 8709340, 1179817, 8709064} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1|\0\0\0\377\377\377\377\0\0\0\0\340q\364\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\320\350\204\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1744, 75495, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1|\0\0\0\377\377\377\377\0\0\0\0\340q\364\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\320\350\204\0\0\0\0\0" ) ) == 0x0 01158 1744 NtClose (124, ... ) == 0x0 01159 1744 NtClose (108, ... ) == 0x0 01160 1744 NtUnmapViewOfSection (-1, 0xed0000, ... ) == 0x0 01161 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01162 1744 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1636, 0}, ... 108, ) == 0x0 01163 1744 NtQueryInformationProcess (108, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01164 1744 NtClose (108, ... 
) == 0x0 01165 1744 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01166 1744 NtUserSystemParametersInfo (104, 0, 1561338260, 0, ... ) == 0x1 01167 1744 NtUserSystemParametersInfo (38, 4, 1561337988, 0, ... ) == 0x1 01168 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01169 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 108, ) == 0x0 01170 1744 NtQueryInformationToken (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01171 1744 NtClose (108, ... ) == 0x0 01172 1744 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 108, ) }, ... 108, ) == 0x0 01173 1744 NtOpenProcessToken (-1, 0x8, ... 124, ) == 0x0 01174 1744 NtAccessCheck (4607296, 124, 0x1, 8711400, 8711452, 56, 8711432, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01175 1744 NtClose (124, ... ) == 0x0 01176 1744 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "Control Panel\Desktop"}, ... 124, ) }, ... 124, ) == 0x0 01177 1744 NtQueryValueKey (124, (124, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01178 1744 NtClose (124, ... ) == 0x0 01179 1744 NtUserSystemParametersInfo (41, 500, 8711580, 0, ... ) == 0x1 01180 1744 NtUserSystemParametersInfo (102, 0, 1561338280, 0, ... ) == 0x1 01181 1744 NtClose (108, ... ) == 0x0 01182 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01183 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c03b 01184 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c03d 01185 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01186 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c03f 01187 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... 
) == 0x10011 01188 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c041 01189 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01190 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c043 01191 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c045 01192 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01193 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c047 01194 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01195 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c049 01196 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01197 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c04b 01198 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01199 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c04d 01200 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01201 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c04f 01202 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c051 01203 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01204 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c053 01205 1744 NtUserFindExistingCursorIcon (8711328, 8711344, 8711392, ... ) == 0x10011 01206 1744 NtUserRegisterClassExWOW (8711272, 8711340, 8711356, 8711372, 0, 384, 0, ... ) == 0x8172c055 01207 1744 NtUserFindExistingCursorIcon (8711328, 8711344, 8711392, ... 
) == 0x10011 01208 1744 NtUserRegisterClassExWOW (8711272, 8711340, 8711356, 8711372, 0, 384, 0, ... ) == 0x8172c057 01209 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01210 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c059 01211 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10013 01212 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c05b 01213 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01214 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c05d 01215 1744 NtUserFindExistingCursorIcon (8711332, 8711348, 8711396, ... ) == 0x10011 01216 1744 NtUserRegisterClassExWOW (8711276, 8711344, 8711360, 8711376, 0, 384, 0, ... ) == 0x8172c05f 01217 1744 NtSetEventBoostPriority (32, ... 00922 1736 NtWaitForSingleObject ... ) == 0x0 01218 1736 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2290224, (0x80100080, {24, 0, 0x40, 0, 2290224, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 01217 1744 NtSetEventBoostPriority ... ) == 0x0 01219 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 8713104, ... ) }, 8713104, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01221 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 8713104, ... ) }, 8713104, ... ) == 0x0 01222 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 01223 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 
124, ) == 0x0 01224 1744 NtQuerySection (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01225 1744 NtClose (108, ... ) == 0x0 01226 1744 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01218 1736 NtCreateFile ... 108, {status=0x0, info=1}, ) == 0x0 01227 1736 NtQueryInformationFile (108, 2290660, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01228 1736 NtQueryInformationFile (108, 2290576, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01229 1736 NtQueryInformationFile (108, 2290392, 40, Basic, ... 01226 1744 NtMapViewOfSection ... (0x77fe0000), 0x0, 69632, ) == 0x0 01230 1744 NtClose (124, ... ) == 0x0 01231 1744 NtProtectVirtualMemory (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0 01232 1744 NtProtectVirtualMemory (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0 01233 1744 NtFlushInstructionCache (-1, 2013138944, 388, ... ) == 0x0 01234 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 1744 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 01229 1736 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 01236 1736 NtAllocateVirtualMemory (-1, 4612096, 0, 8192, 4096, 4, ... 4612096, 8192, ) == 0x0 01237 1736 NtQueryInformationFile (108, 4608808, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01238 1736 NtQueryInformationFile (108, 2288840, 40, Basic, ... 01235 1744 NtCreateSemaphore ... 124, ) == 0x0 01239 1744 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0 01240 1744 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 132, ) }, ... 132, ) == 0x0 01241 1744 NtQueryEvent (132, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01242 1744 NtClose (132, ... 
) == 0x0 01243 1744 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 8714676, 140, ... 132, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 8714676, 140, ... 132, 0x0, 0x0, 256, 140, ) == 0x0 01238 1736 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 01244 1736 NtQueryInformationFile (108, 2289116, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01245 1736 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 2288992, (0x40110080, {24, 0, 0x40, 0, 2288992, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01246 1736 NtClose (-2147482576, ... 01247 1744 NtRequestWaitReplyPort (132, {28, 52, new_msg, 0, 0, 0, 0, 0} (132, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\376\1\230MF\0" ... {188, 212, reply, 0, 1636, 1744, 75497, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\376\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ... {188, 212, reply, 0, 1636, 1744, 75497, 0} (132, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\376\1\230MF\0" ... {188, 212, reply, 0, 1636, 1744, 75497, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\376\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 01248 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 
136, ) == 0x0 01249 1744 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0 01250 1744 NtQueryValueKey (140, (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01251 1744 NtClose (140, ... ) == 0x0 01252 1744 NtClose (136, ... 01246 1736 NtClose ... ) == 0x0 01245 1736 NtCreateFile ... 140, {status=0x0, info=2}, ) == 0x0 01253 1736 NtQueryVolumeInformationFile (140, 2289144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01254 1736 NtQueryInformationFile (140, 2288728, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01252 1744 NtClose ... ) == 0x0 01255 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx5"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01256 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01257 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01258 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01259 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01260 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx10"}, ... }, ... 01261 1736 NtQueryVolumeInformationFile (108, 2289144, 536, Attribute, ... 
{status=0x0, info=20}, ) == 0x0 01262 1736 NtQueryVolumeInformationFile (108, 2288488, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01263 1736 NtSetInformationFile (140, 2289044, 8, EndOfFile, ... 01260 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01264 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01265 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01266 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx13"}, ... }, ... 01263 1736 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01267 1736 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 108, ... 136, ) == 0x0 01268 1736 NtMapViewOfSection (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xed0000), {0, 0}, 139264, ) == 0x0 01269 1736 NtClose (136, ... ) == 0x0 01266 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01271 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01275 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01277 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01278 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01279 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01280 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01282 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx25"}, ... }, ... 01276 1736 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\6\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\5\0\4\0\0\0\0\0\0\0t\355\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\5\0\4\0\0\0\0\0\0\0t\355\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01283 1736 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\2554z\274j>R\267V\2206\370A\274E6\350\265\262\3\271\2776\350\261\262\3\251\207\204m\310\247\376\204N\310\255B\370E6\370\255\204\370E\310\2706\370AV\250\372\204J\317rB\370A6\370I\204\370A\317!\5BB\275\275\342\343\346t~\352\325\360\365\274\255U\211\343BB\344\355B\250%\270\274\255\36\331\377\274\2558}\310\252\325\375\365\274\255U\244\343BB\344\355B\250\265\257\274\255\36\331\377\274\255\325\220\365\274\255U\277\343BB\355B\210\331\377\274\255B\250\21\274\274\255\36%\200\274\255\325\244\365\274\255U[\340BB\355B\210\331\377\274\255B\250\21\274\274\255\36i\270\274\255\325\264\365\274\255Uw\340BB\355B\210\331\377\274\255B\250\21\274\274\255\369\275\274\255\325J\372\274\255U\23\340BB\355B\210\331\377\274\255B\250\21\274\274\255\361\275\274\255\325U\372\274\255U/\340BB>y\251\355B\210\331\377\274\255B\250\21\274\274\255\36\231\205\274\255\342~-\3506Q\335A6\300\261\5\274\275\275\275\26\4\262\275\275\275\365N\260\200\231\340\274\2556\310\265\4\255\275\275\275N\306\300\255U 
\275\275\275\216o\357\3566\370\255\262\36\255\316\2656\350\261U\247\275\275\2750\250\231\340\274\255U\262\275\275\275\346\347\377\206n\313a\334\340\177\255\275\2236}0\200Y\341\274\255\4\255\275\275\275\216}N\260\200\231\340\274\255U\350\275\275\2750\200Y\341\274\255\4\255\275\275\275\216}l\2520\302\271_DU\360\275\275\275\262\36\240\231\340\274\255\316\2356O0\200Y\341\274\255\216}\4\255\275\275\2756\273\254\2720\313\2710\302\271_IU\231\275\275\275\366\304\66G0\210Y\341\274\255\4\255\275\275\275N\30~\6B\274\275\275\262\36\242\317\276\366\310E~\2236}0\210Y", 61440, 0x0, 0, ... , 61440, 0x0, 0, ... 01282 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01284 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01286 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx28"}, ... }, ... 01283 1736 NtWriteFile ... 
{status=0x0, info=61440}, ) == 0x0 01287 1736 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\350\312\236\377\377\203\304\10\241p\321D\0\17\277\25 \322D\0\1\320\203\350\11)\303\17\277\5\34\321D\0H\3E\10\211E\10\17\277\5\224\321D\0\17\277\25<\322D\0\1\320\203\350\12\2154\6\241\4\321D\0H9\303s\263\17\277\50\321D\0\3\5\350\321D\0\203\350\119\303vzj\3\241\260\320D\0\3\5\234\320D\0\203\350\12P\215E\371P\377\25\30\270D\0S\377u\10\215E\371P\377\25\10\270D\0V\215E\371P\350?\236\377\377\203\304 \241\\321D\0\3\5X\321D\0\203\350\5\306\4\6=\241\310\321D\0\17\277\25\20\321D\0\1\320H9\303u\14\241L\322D\0\203\350\7\306\4\6=\17\277\5\270\320D\0\3\5\210\321D\0\203\350\16\2154\6\17\277\5\360\321D\0\203\350\2\17\277\25\334\321D\0\203\352\11\210\24\61\300@_^[\311\303\270\1@\0\200\302\20\0\270\1@\0\200\302\10\0\270\1@\0\200\302\30\0VW\213t$\14\211\367\17\277\5 \321D\0\17\277\25,\321D\0\1\320\203\350\129\307}+\17\277\5\370\320D\0\203\300\4\17\257\370\241\14\321D\0@\211\362\1\302\17\277\5\360\321D\0\203\300\2\17\257\320)\327\351Q\1\0\0O\241\274\321D\0\203\300\11\3\5L\321D\09\307}0\241H\322D\0\3\5\354\320D\0\203\350\4\17\257\370\211\370)\360\17\277\25\220\321D\0\17\277\15\364\320D\0\215T\12\1\211\307)\327\351\16\1\0\0O\241\14\321D\0\203\300"9\307}$\17\277\5,\321D\0\3\5L\322D\0\203\350\16\17\257\370\17\277\5\24\321D\0\203\3009)\307\351\335\0\0\0O\17\277\5(\322D\0\203\300 9\307},\241\330\321D\0\17\277\25<\322D\0\1\320\203\350\6\17\257\370\241\274\320D\0", 13824, 0x0, 0, ... {status=0x0, info=13824}, ) 9\307}$\17\277\5,\321D\0\3\5L\322D\0\203\350\16\17\257\370\17\277\5\24\321D\0\203\3009)\307\351\335\0\0\0O\17\277\5(\322D\0\203\300 9\307},\241\330\321D\0\17\277\25<\322D\0\1\320\203\350\6\17\257\370\241\274\320D\0", 13824, 0x0, 0, ... {status=0x0, info=13824}, ) == 0x0 01288 1736 NtUnmapViewOfSection (-1, 0xed0000, ... ) == 0x0 01289 1736 NtSetInformationFile (140, 2290392, 40, Basic, ... 01286 1744 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01290 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01292 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx31"}, ... }, ... 01289 1736 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01293 1736 NtClose (108, ... 01292 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01294 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01296 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01298 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01299 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx37"}, ... }, ... 01293 1736 NtClose ... ) == 0x0 01300 1736 NtClose (140, ... ) == 0x0 01301 1736 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 140, ) }, ... 140, ) == 0x0 01302 1736 NtSetValueKey (140, (140, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (140, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 
01303 1736 NtSetInformationFile (-2147482448, -140970192, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01304 1736 NtSetInformationFile (-2147482448, -140970284, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01305 1736 NtSetInformationFile (-2147482448, -140970592, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01299 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01306 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01310 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01311 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx43"}, ... }, ... 01302 1736 NtSetValueKey ... ) == 0x0 01312 1736 NtClose (140, ... ) == 0x0 01313 1736 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 140, ) }, 0, ... 140, ) == 0x0 01314 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 16252928, 2097152, ) == 0x0 01315 1736 NtAllocateVirtualMemory (-1, 18341888, 0, 8192, 4096, 4, ... 18341888, 8192, ) == 0x0 01316 1736 NtProtectVirtualMemory (-1, (0x117e000), 4096, 260, ... (0x117e000), 4096, 4, ) == 0x0 01317 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01311 1744 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01318 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01319 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01320 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01322 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01323 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx49"}, ... }, ... 01317 1736 NtCreateThread ... 108, {1636, 868}, ) == 0x0 01324 1736 NtQueryInformationThread (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=868,}, 0x0, ) == 0x0 01325 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2293460, 2089878865, 4526824, 2089878893} (24, {28, 56, new_msg, 0, 2293460, 2089878865, 4526824, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0d\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75498, 0} (24, {28, 56, new_msg, 0, 2293460, 2089878865, 4526824, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0d\3\0\0" ) ) == 0x0 01326 1736 NtResumeThread (108, ... 1, ) == 0x0 01327 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 18350080, 2097152, ) == 0x0 01328 1736 NtAllocateVirtualMemory (-1, 20439040, 0, 8192, 4096, 4, ... 20439040, 8192, ) == 0x0 01323 1744 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01329 868 NtTestAlert (... 01330 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx50"}, ... }, ... 01329 868 NtTestAlert ... ) == 0x0 01330 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 868 NtContinue (18349360, 1, ... 01332 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx51"}, ... }, ... 01333 868 NtRegisterThreadTerminatePort (24, ... 01332 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01333 868 NtRegisterThreadTerminatePort ... ) == 0x0 01334 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx52"}, ... }, ... 01335 1736 NtProtectVirtualMemory (-1, (0x137e000), 4096, 260, ... 01336 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01335 1736 NtProtectVirtualMemory ... (0x137e000), 4096, 4, ) == 0x0 01336 868 NtDuplicateObject ... 136, ) == 0x0 01337 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01338 868 NtWaitForSingleObject (68, 0, {0, 0}, ... 01337 1736 NtCreateThread ... 144, {1636, 808}, ) == 0x0 01338 868 NtWaitForSingleObject ... ) == 0x102 01339 1736 NtQueryInformationThread (144, Basic, 28, ... 01340 868 NtAllocateVirtualMemory (-1, 18337792, 0, 4096, 4096, 260, ... 01339 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=808,}, 0x0, ) == 0x0 01334 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01340 868 NtAllocateVirtualMemory ... 18337792, 4096, ) == 0x0 01341 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx53"}, ... }, ... 01342 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18346484, ... }, 18346484, ... 01341 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01342 868 NtQueryAttributesFile ... 
) == 0x0 01343 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx54"}, ... }, ... 01344 868 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01343 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01344 868 NtOpenFile ... 148, {status=0x0, info=1}, ) == 0x0 01345 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx55"}, ... }, ... 01346 868 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 148, ... 01347 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0(\3\0\0" ... ... 01345 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01347 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75499, 0} ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0(\3\0\0" ) ) == 0x0 01348 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx56"}, ... }, ... 01349 1736 NtResumeThread (144, ... 01348 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 1736 NtResumeThread ... 1, ) == 0x0 01350 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx57"}, ... }, ... 01351 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01350 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 868 NtCreateSection ... 152, ) == 0x0 01352 808 NtWaitForSingleObject (32, 0, 0x0, ... 01353 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx58"}, ... }, ... 01354 868 NtClose (148, ... 01351 1736 NtAllocateVirtualMemory ... 20447232, 2097152, ) == 0x0 01354 868 NtClose ... ) == 0x0 01355 1736 NtAllocateVirtualMemory (-1, 22536192, 0, 8192, 4096, 4, ... 01356 868 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
01355 1736 NtAllocateVirtualMemory ... 22536192, 8192, ) == 0x0 01356 868 NtMapViewOfSection ... (0xed0000), 0x0, 245760, ) == 0x0 01357 1736 NtProtectVirtualMemory (-1, (0x157e000), 4096, 260, ... 01358 868 NtClose (152, ... 01357 1736 NtProtectVirtualMemory ... (0x157e000), 4096, 4, ) == 0x0 01353 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01359 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01360 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx59"}, ... }, ... 01358 868 NtClose ... ) == 0x0 01360 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01361 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01362 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01363 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01364 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01365 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx64"}, ... }, ... 01359 1736 NtCreateThread ... 152, {1636, 2020}, ) == 0x0 01366 1736 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0 01367 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\344\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75500, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\344\7\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\344\7\0\0" ) ) == 0x0 01368 868 NtUnmapViewOfSection (-1, 0xed0000, ... 01365 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 868 NtUnmapViewOfSection ... ) == 0x0 01369 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx65"}, ... }, ... 01370 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18346792, ... }, 18346792, ... 01369 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 1736 NtResumeThread (152, ... 01372 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx66"}, ... }, ... 01371 1736 NtResumeThread ... 1, ) == 0x0 01372 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01373 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01374 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx67"}, ... }, ... 01373 1736 NtAllocateVirtualMemory ... 22544384, 2097152, ) == 0x0 01370 868 NtQueryAttributesFile ... ) == 0x0 01375 2020 NtWaitForSingleObject (32, 0, 0x0, ... 01376 1736 NtAllocateVirtualMemory (-1, 24633344, 0, 8192, 4096, 4, ... 01377 868 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01376 1736 NtAllocateVirtualMemory ... 24633344, 8192, ) == 0x0 01377 868 NtOpenFile ... 148, {status=0x0, info=1}, ) == 0x0 01374 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01378 1736 NtProtectVirtualMemory (-1, (0x177e000), 4096, 260, ... 01379 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx68"}, ... }, ... 01378 1736 NtProtectVirtualMemory ... (0x177e000), 4096, 4, ) == 0x0 01379 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01380 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 
01381 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx69"}, ... }, ... 01380 1736 NtCreateThread ... 156, {1636, 896}, ) == 0x0 01381 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01382 1736 NtQueryInformationThread (156, Basic, 28, ... 01383 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx70"}, ... }, ... 01382 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=896,}, 0x0, ) == 0x0 01384 868 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 01383 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01384 868 NtCreateSection ... 160, ) == 0x0 01385 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx71"}, ... }, ... 01386 868 NtQuerySection (160, Image, 48, ... 01385 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01386 868 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01387 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx72"}, ... }, ... 01388 868 NtClose (148, ... 01387 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01388 868 NtClose ... ) == 0x0 01389 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx73"}, ... }, ... 01390 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\200\3\0\0" ... ... 01391 868 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01390 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75501, 0} ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\200\3\0\0" ) ) == 0x0 01391 868 NtMapViewOfSection ... (0x71a50000), 0x0, 258048, ) == 0x0 01392 1736 NtResumeThread (156, ... 01393 868 NtClose (160, ... 01392 1736 NtResumeThread ... 1, ) == 0x0 01393 868 NtClose ... 
) == 0x0 01394 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01395 868 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 01389 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01396 896 NtWaitForSingleObject (32, 0, 0x0, ... 01395 868 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 01397 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx74"}, ... }, ... 01394 1736 NtAllocateVirtualMemory ... 24641536, 2097152, ) == 0x0 01397 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01398 1736 NtAllocateVirtualMemory (-1, 26730496, 0, 8192, 4096, 4, ... 01399 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx75"}, ... }, ... 01398 1736 NtAllocateVirtualMemory ... 26730496, 8192, ) == 0x0 01399 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01400 1736 NtProtectVirtualMemory (-1, (0x197e000), 4096, 260, ... 01401 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx76"}, ... }, ... 01400 1736 NtProtectVirtualMemory ... (0x197e000), 4096, 4, ) == 0x0 01402 868 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 01403 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01402 868 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01401 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 868 NtFlushInstructionCache (-1, 1906642944, 1060, ... 01405 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx77"}, ... }, ... 01404 868 NtFlushInstructionCache ... ) == 0x0 01405 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 1736 NtCreateThread ... 160, {1636, 1252}, ) == 0x0 01406 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx78"}, ... }, ... 01407 1736 NtQueryInformationThread (160, Basic, 28, ... 01406 1744 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01407 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0 01408 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx79"}, ... }, ... 01409 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\344\4\0\0" ... ... 01410 868 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 01409 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75502, 0} ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\344\4\0\0" ) ) == 0x0 01410 868 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 01408 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01411 868 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 01412 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx80"}, ... }, ... 01411 868 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01412 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 868 NtFlushInstructionCache (-1, 1906642944, 1060, ... 01414 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx81"}, ... }, ... 01413 868 NtFlushInstructionCache ... ) == 0x0 01414 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01415 1736 NtResumeThread (160, ... 01416 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx82"}, ... }, ... 01415 1736 NtResumeThread ... 1, ) == 0x0 01417 868 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 01418 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01417 868 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 01418 1736 NtAllocateVirtualMemory ... 26738688, 2097152, ) == 0x0 01419 868 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 
01420 1736 NtAllocateVirtualMemory (-1, 28827648, 0, 8192, 4096, 4, ... 01419 868 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01420 1736 NtAllocateVirtualMemory ... 28827648, 8192, ) == 0x0 01421 868 NtFlushInstructionCache (-1, 1906642944, 1060, ... 01416 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01422 1252 NtWaitForSingleObject (32, 0, 0x0, ... 01421 868 NtFlushInstructionCache ... ) == 0x0 01423 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx83"}, ... }, ... 01424 1736 NtProtectVirtualMemory (-1, (0x1b7e000), 4096, 260, ... 01423 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01424 1736 NtProtectVirtualMemory ... (0x1b7e000), 4096, 4, ) == 0x0 01425 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx84"}, ... }, ... 01426 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01425 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 1736 NtCreateThread ... 148, {1636, 2016}, ) == 0x0 01427 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx85"}, ... }, ... 01428 1736 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0 01429 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75503, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\340\7\0\0" ) ) == 0x0 01430 1736 NtResumeThread (148, ... 1, ) == 0x0 01431 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01427 1744 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01432 868 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ... 01433 2016 NtWaitForSingleObject (32, 0, 0x0, ... 01434 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx86"}, ... }, ... 01432 868 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01434 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01435 868 NtQuerySystemInformation (Basic, 44, ... 01436 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx87"}, ... }, ... 01435 868 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01436 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 1736 NtAllocateVirtualMemory ... 28835840, 2097152, ) == 0x0 01437 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx88"}, ... }, ... 01438 1736 NtAllocateVirtualMemory (-1, 30924800, 0, 8192, 4096, 4, ... 01439 868 NtQuerySystemInformation (Processor, 12, ... 01438 1736 NtAllocateVirtualMemory ... 30924800, 8192, ) == 0x0 01439 868 NtQuerySystemInformation ... {system info, class 1, size 12}, 0x0, ) == 0x0 01440 1736 NtProtectVirtualMemory (-1, (0x1d7e000), 4096, 260, ... 01441 868 NtSetEventBoostPriority (32, ... 01440 1736 NtProtectVirtualMemory ... (0x1d7e000), 4096, 4, ) == 0x0 01352 808 NtWaitForSingleObject ... ) == 0x0 01441 868 NtSetEventBoostPriority ... ) == 0x0 01442 808 NtSetEventBoostPriority (32, ... 01443 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01375 2020 NtWaitForSingleObject ... ) == 0x0 01442 808 NtSetEventBoostPriority ... 
) == 0x0 01444 868 NtWaitForSingleObject (32, 0, 0x0, ... 01437 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01445 2020 NtSetEventBoostPriority (32, ... 01443 1736 NtCreateThread ... 164, {1636, 2012}, ) == 0x0 01396 896 NtWaitForSingleObject ... ) == 0x0 01445 2020 NtSetEventBoostPriority ... ) == 0x0 01446 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx89"}, ... }, ... 01447 896 NtSetEventBoostPriority (32, ... 01448 1736 NtQueryInformationThread (164, Basic, 28, ... 01449 808 NtTestAlert (... 01422 1252 NtWaitForSingleObject ... ) == 0x0 01447 896 NtSetEventBoostPriority ... ) == 0x0 01446 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01448 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0 01450 1252 NtSetEventBoostPriority (32, ... 01449 808 NtTestAlert ... ) == 0x0 01451 2020 NtTestAlert (... 01452 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx90"}, ... }, ... 01433 2016 NtWaitForSingleObject ... ) == 0x0 01450 1252 NtSetEventBoostPriority ... ) == 0x0 01453 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0d\6\0\0\334\7\0\0" ... ... 01454 808 NtContinue (20446512, 1, ... 01451 2020 NtTestAlert ... ) == 0x0 01455 2016 NtSetEventBoostPriority (32, ... 01452 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01456 896 NtTestAlert (... 01453 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75504, 0} ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0d\6\0\0\334\7\0\0" ) ) == 0x0 01457 808 NtRegisterThreadTerminatePort (24, ... 01444 868 NtWaitForSingleObject ... ) == 0x0 01455 2016 NtSetEventBoostPriority ... ) == 0x0 01458 2020 NtContinue (22543664, 1, ... 
01459 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx91"}, ... }, ... 01456 896 NtTestAlert ... ) == 0x0 01460 1252 NtTestAlert (... 01461 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01457 808 NtRegisterThreadTerminatePort ... ) == 0x0 01462 1736 NtResumeThread (164, ... 01463 2020 NtRegisterThreadTerminatePort (24, ... 01464 2016 NtTestAlert (... 01465 896 NtContinue (24640816, 1, ... 01461 868 NtCreateEvent ... 168, ) == 0x0 01460 1252 NtTestAlert ... ) == 0x0 01466 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01462 1736 NtResumeThread ... 1, ) == 0x0 01463 2020 NtRegisterThreadTerminatePort ... ) == 0x0 01464 2016 NtTestAlert ... ) == 0x0 01467 896 NtRegisterThreadTerminatePort (24, ... 01459 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01468 2012 NtTestAlert (... 01469 1252 NtContinue (26737968, 1, ... 01470 868 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 01471 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01472 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01473 2016 NtContinue (28835120, 1, ... 01467 896 NtRegisterThreadTerminatePort ... ) == 0x0 01474 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx92"}, ... }, ... 01468 2012 NtTestAlert ... ) == 0x0 01475 1252 NtRegisterThreadTerminatePort (24, ... 01470 868 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 1736 NtAllocateVirtualMemory ... 30932992, 2097152, ) == 0x0 01466 808 NtDuplicateObject ... 172, ) == 0x0 01476 2016 NtRegisterThreadTerminatePort (24, ... 01477 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01474 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01478 2012 NtContinue (30932272, 1, ... 01475 1252 NtRegisterThreadTerminatePort ... ) == 0x0 01479 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 18346404, ... }, 18346404, ... 
01480 1736 NtAllocateVirtualMemory (-1, 33021952, 0, 8192, 4096, 4, ... 01481 808 NtWaitForSingleObject (76, 0, {0, 0}, ... 01476 2016 NtRegisterThreadTerminatePort ... ) == 0x0 01472 2020 NtDuplicateObject ... 176, ) == 0x0 01482 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx93"}, ... }, ... 01483 2012 NtRegisterThreadTerminatePort (24, ... 01484 1252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01480 1736 NtAllocateVirtualMemory ... 33021952, 8192, ) == 0x0 01481 808 NtWaitForSingleObject ... ) == 0x102 01485 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01486 2020 NtWaitForSingleObject (76, 0, {0, 0}, ... 01482 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01483 2012 NtRegisterThreadTerminatePort ... ) == 0x0 01477 896 NtDuplicateObject ... 180, ) == 0x0 01484 1252 NtDuplicateObject ... 184, ) == 0x0 01487 808 NtAllocateVirtualMemory (-1, 20434944, 0, 4096, 4096, 260, ... 01488 1736 NtProtectVirtualMemory (-1, (0x1f7e000), 4096, 260, ... 01486 2020 NtWaitForSingleObject ... ) == 0x102 01489 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx94"}, ... }, ... 01485 2016 NtDuplicateObject ... 188, ) == 0x0 01479 868 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 896 NtWaitForSingleObject (76, 0, {0, 0}, ... 01491 1252 NtWaitForSingleObject (76, 0, {0, 0}, ... 01487 808 NtAllocateVirtualMemory ... 20434944, 4096, ) == 0x0 01488 1736 NtProtectVirtualMemory ... (0x1f7e000), 4096, 4, ) == 0x0 01492 2020 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01493 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01494 2016 NtWaitForSingleObject (76, 0, {0, 0}, ... 01495 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 18346404, ... }, 18346404, ... 01490 896 NtWaitForSingleObject ... ) == 0x102 01491 1252 NtWaitForSingleObject ... ) == 0x102 01489 1744 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01496 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01492 2020 NtCreateEvent ... 192, ) == 0x0 01493 2012 NtDuplicateObject ... 196, ) == 0x0 01494 2016 NtWaitForSingleObject ... ) == 0x102 01495 868 NtQueryAttributesFile ... ) == 0x0 01497 896 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01498 1252 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01499 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx95"}, ... }, ... 01496 1736 NtCreateThread ... 200, {1636, 1028}, ) == 0x0 01500 808 NtWaitForSingleObject (32, 0, 0x0, ... 01501 2012 NtWaitForSingleObject (76, 0, {0, 0}, ... 01502 2016 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01503 868 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ... 01497 896 NtCreateEvent ... 204, ) == 0x0 01498 1252 NtCreateEvent ... 208, ) == 0x0 01499 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 1736 NtQueryInformationThread (200, Basic, 28, ... 01501 2012 NtWaitForSingleObject ... ) == 0x102 01502 2016 NtCreateEvent ... 212, ) == 0x0 01503 868 NtOpenFile ... 216, {status=0x0, info=1}, ) == 0x0 01505 2020 NtWaitForSingleObject (192, 0, 0x0, ... 01506 896 NtClose (204, ... 01507 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx96"}, ... }, ... 01504 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0 01508 2012 NtWaitForSingleObject (192, 0, 0x0, ... 01509 1252 NtClose (208, ... 01510 868 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 01506 896 NtClose ... ) == 0x0 01507 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01511 2016 NtClose (212, ... 01512 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\4\4\0\0" ... ... 
01509 1252 NtClose ... ) == 0x0 01513 896 NtWaitForSingleObject (192, 0, 0x0, ... 01514 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx97"}, ... }, ... 01511 2016 NtClose ... ) == 0x0 01512 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75505, 0} ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\4\4\0\0" ) ) == 0x0 01515 1252 NtWaitForSingleObject (192, 0, 0x0, ... 01510 868 NtCreateSection ... 212, ) == 0x0 01516 2016 NtWaitForSingleObject (192, 0, 0x0, ... 01517 1736 NtResumeThread (200, ... 01518 868 NtQuerySection (212, Image, 48, ... 01517 1736 NtResumeThread ... 1, ) == 0x0 01518 868 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01519 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01520 868 NtClose (216, ... 01514 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01521 1028 NtWaitForSingleObject (32, 0, 0x0, ... 01520 868 NtClose ... ) == 0x0 01522 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx98"}, ... }, ... 01523 868 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01522 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01519 1736 NtAllocateVirtualMemory ... 33030144, 2097152, ) == 0x0 01524 1744 NtOpenMutant (0x100000, {24, 28, 0x0, 0, 0, (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx99"}, ... }, ... 01525 1736 NtAllocateVirtualMemory (-1, 35119104, 0, 8192, 4096, 4, ... 01524 1744 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 1736 NtAllocateVirtualMemory ... 35119104, 8192, ) == 0x0 01526 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... }, 0, ... 01527 1736 NtProtectVirtualMemory (-1, (0x217e000), 4096, 260, ... 01523 868 NtMapViewOfSection ... (0x662b0000), 0x0, 360448, ) == 0x0 01527 1736 NtProtectVirtualMemory ... (0x217e000), 4096, 4, ) == 0x0 01528 868 NtClose (212, ... 
01529 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01528 868 NtClose ... ) == 0x0 01526 1744 NtCreateMutant ... 212, ) == 0x0 01530 868 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01531 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "kkq-vx_mtx5"}, 1, ... }, 1, ... 01530 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01531 1744 NtCreateMutant ... 216, ) == 0x0 01532 868 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01533 1744 NtWaitForSingleObject (216, 0, 0x0, ... 01529 1736 NtCreateThread ... 208, {1636, 384}, ) == 0x0 01533 1744 NtWaitForSingleObject ... ) == 0x0 01534 1736 NtQueryInformationThread (208, Basic, 28, ... 01532 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01534 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=384,}, 0x0, ) == 0x0 01535 868 NtFlushInstructionCache (-1, 1714098176, 932, ... 01536 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\200\1\0\0" ... ... 01535 868 NtFlushInstructionCache ... ) == 0x0 01536 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75506, 0} ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\200\1\0\0" ) ) == 0x0 01537 868 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01538 1744 NtUserFindExistingCursorIcon (8715164, 8715180, 8715228, ... 01537 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01538 1744 NtUserFindExistingCursorIcon ... ) == 0x10011 01539 868 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01540 1744 NtUserFindExistingCursorIcon (8715164, 8715180, 8715228, ... 01541 1736 NtResumeThread (208, ... 01540 1744 NtUserFindExistingCursorIcon ... ) == 0x10005 01541 1736 NtResumeThread ... 
1, ) == 0x0 01542 1744 NtUserRegisterClassExWOW (8715380, 8715476, 8715460, 8715448, 0, 386, 0, ... 01543 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01542 1744 NtUserRegisterClassExWOW ... ) == 0x8172c15f 01543 1736 NtAllocateVirtualMemory ... 35127296, 2097152, ) == 0x0 01539 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01544 384 NtWaitForSingleObject (32, 0, 0x0, ... 01545 1736 NtAllocateVirtualMemory (-1, 37216256, 0, 8192, 4096, 4, ... 01546 868 NtFlushInstructionCache (-1, 1714098176, 932, ... 01545 1736 NtAllocateVirtualMemory ... 37216256, 8192, ) == 0x0 01546 868 NtFlushInstructionCache ... ) == 0x0 01547 1744 NtUserCreateWindowEx (-2147483648, 8715684, 8714448, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ... 01548 868 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01549 1744 NtUserGetIconSize (65541, 0, 8713208, 8713212, ... 01548 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01549 1744 NtUserGetIconSize ... ) == 0x1 01550 868 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01551 1744 NtUserGetIconInfo (65541, 8713184, 8713176, 8713168, 8713204, 1, ... 01552 1736 NtProtectVirtualMemory (-1, (0x237e000), 4096, 260, ... (0x237e000), 4096, 4, ) == 0x0 01553 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 204, {1636, 1180}, ) == 0x0 01554 1736 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0 01555 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0\234\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75507, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0\234\4\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0\234\4\0\0" ) ) == 0x0 01556 1736 NtResumeThread (204, ... 1, ) == 0x0 01557 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01550 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01551 1744 NtUserGetIconInfo ... ) == 0x1 01558 1180 NtWaitForSingleObject (32, 0, 0x0, ... 01559 868 NtFlushInstructionCache (-1, 1714098176, 932, ... 01560 1744 NtWaitForSingleObject (32, 0, 0x0, ... 01559 868 NtFlushInstructionCache ... ) == 0x0 01561 868 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01562 868 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01563 868 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01564 868 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01565 868 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01557 1736 NtAllocateVirtualMemory ... 37224448, 2097152, ) == 0x0 01566 1736 NtAllocateVirtualMemory (-1, 39313408, 0, 8192, 4096, 4, ... 39313408, 8192, ) == 0x0 01567 1736 NtProtectVirtualMemory (-1, (0x257e000), 4096, 260, ... (0x257e000), 4096, 4, ) == 0x0 01568 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 220, {1636, 420}, ) == 0x0 01569 1736 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=420,}, 0x0, ) == 0x0 01570 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\244\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75508, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\244\1\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\244\1\0\0" ) ) == 0x0 01565 868 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01571 868 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01572 868 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01573 868 NtSetEventBoostPriority (32, ... 01500 808 NtWaitForSingleObject ... ) == 0x0 01574 808 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 20442064, ... ) }, 20442064, ... ) == 0x0 01575 808 NtSetEventBoostPriority (32, ... 01521 1028 NtWaitForSingleObject ... ) == 0x0 01576 1028 NtSetEventBoostPriority (32, ... 01544 384 NtWaitForSingleObject ... ) == 0x0 01577 384 NtSetEventBoostPriority (32, ... 01558 1180 NtWaitForSingleObject ... ) == 0x0 01578 1180 NtSetEventBoostPriority (32, ... 01560 1744 NtWaitForSingleObject ... ) == 0x0 01579 1744 NtUserFindExistingCursorIcon (8712948, 8712964, 8713140, ... ) == 0x10005 01578 1180 NtSetEventBoostPriority ... ) == 0x0 01577 384 NtSetEventBoostPriority ... ) == 0x0 01576 1028 NtSetEventBoostPriority ... ) == 0x0 01575 808 NtSetEventBoostPriority ... ) == 0x0 01573 868 NtSetEventBoostPriority ... ) == 0x0 01580 1736 NtResumeThread (220, ... 01581 1744 NtGdiExtGetObjectW (1912931921, 24, 8712948, ... 01582 1180 NtTestAlert (... 01583 384 NtTestAlert (... 01584 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01585 868 NtQuerySystemInformation (Basic, 44, ... 01580 1736 NtResumeThread ... 1, ) == 0x0 01581 1744 NtGdiExtGetObjectW ... ) == 0x18 01582 1180 NtTestAlert ... ) == 0x0 01583 384 NtTestAlert ... ) == 0x0 01584 808 NtCreateEvent ... 224, ) == 0x0 01585 868 NtQuerySystemInformation ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01586 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01587 1744 NtGdiGetDIBitsInternal (-234813853, 1912931921, 0, 64, 4603496, 4603448, 0, 256, 0, ... 01588 1180 NtContinue (37223728, 1, ... 01589 384 NtContinue (35126576, 1, ... 01590 808 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 01591 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01586 1736 NtAllocateVirtualMemory ... 39321600, 2097152, ) == 0x0 01587 1744 NtGdiGetDIBitsInternal ... ) == 0x40 01592 1180 NtRegisterThreadTerminatePort (24, ... 01593 384 NtRegisterThreadTerminatePort (24, ... 01590 808 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01591 868 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01594 1736 NtAllocateVirtualMemory (-1, 41410560, 0, 8192, 4096, 4, ... 01595 1744 NtUserGetDC (0, ... 01592 1180 NtRegisterThreadTerminatePort ... ) == 0x0 01593 384 NtRegisterThreadTerminatePort ... ) == 0x0 01596 808 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 20442168, ... }, 20442168, ... 01597 1028 NtTestAlert (... 01598 420 NtWaitForSingleObject (32, 0, 0x0, ... 01594 1736 NtAllocateVirtualMemory ... 41410560, 8192, ) == 0x0 01595 1744 NtUserGetDC ... ) == 0x1010054 01599 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01600 384 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01601 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01597 1028 NtTestAlert ... ) == 0x0 01602 1736 NtProtectVirtualMemory (-1, (0x277e000), 4096, 260, ... 
01603 1744 NtGdiCreateDIBitmapInternal (16842836, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... 01599 1180 NtDuplicateObject ... 228, ) == 0x0 01601 868 NtOpenKey ... 232, ) == 0x0 01604 1028 NtContinue (33029424, 1, ... 01602 1736 NtProtectVirtualMemory ... (0x277e000), 4096, 4, ) == 0x0 01603 1744 NtGdiCreateDIBitmapInternal ... ) == 0x2f0503ba 01605 1180 NtWaitForSingleObject (76, 0, {0, 0}, ... 01606 868 NtQueryValueKey (232, (232, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01607 1028 NtRegisterThreadTerminatePort (24, ... 01608 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01609 1744 NtUserCallOneParam (16842836, 57, ... 01605 1180 NtWaitForSingleObject ... ) == 0x102 01606 868 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01607 1028 NtRegisterThreadTerminatePort ... ) == 0x0 01608 1736 NtCreateThread ... 236, {1636, 376}, ) == 0x0 01609 1744 NtUserCallOneParam ... ) == 0x1 01610 1180 NtWaitForSingleObject (192, 0, 0x0, ... 01611 868 NtClose (232, ... 01612 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01613 1736 NtQueryInformationThread (236, Basic, 28, ... 01614 1744 NtGdiSelectBitmap (-234813853, 788857786, ... 01611 868 NtClose ... ) == 0x0 01600 384 NtDuplicateObject ... 232, ) == 0x0 01613 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=376,}, 0x0, ) == 0x0 01614 1744 NtGdiSelectBitmap ... ) == 0x185000f 01612 1028 NtDuplicateObject ... 240, ) == 0x0 01596 808 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 384 NtWaitForSingleObject (76, 0, {0, 0}, ... 01616 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01617 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0x\1\0\0" ... ... 
01618 1028 NtWaitForSingleObject (76, 0, {0, 0}, ... 01619 808 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 20442168, ... }, 20442168, ... 01615 384 NtWaitForSingleObject ... ) == 0x102 01616 868 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01617 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75509, 0} ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0x\1\0\0" ) ) == 0x0 01618 1028 NtWaitForSingleObject ... ) == 0x102 01619 808 NtQueryAttributesFile ... ) == 0x0 01620 384 NtWaitForSingleObject (192, 0, 0x0, ... 01621 868 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01622 1736 NtResumeThread (236, ... 01623 1028 NtWaitForSingleObject (192, 0, 0x0, ... 01624 808 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 01621 868 NtCreateEvent ... 244, ) == 0x0 01622 1736 NtResumeThread ... 1, ) == 0x0 01624 808 NtOpenFile ... 248, {status=0x0, info=1}, ) == 0x0 01625 868 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01626 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01627 808 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 248, ... 01625 868 NtCreateEvent ... 252, ) == 0x0 01628 1744 NtGdiDoPalette (-234813853, 0, 1, 8712808, 4, 0, ... 01629 376 NtWaitForSingleObject (32, 0, 0x0, ... 01626 1736 NtAllocateVirtualMemory ... 41418752, 2097152, ) == 0x0 01627 808 NtCreateSection ... 256, ) == 0x0 01628 1744 NtGdiDoPalette ... ) == 0x1 01630 1736 NtAllocateVirtualMemory (-1, 43507712, 0, 8192, 4096, 4, ... 01631 808 NtQuerySection (256, Image, 48, ... 01632 1744 NtGdiStretchDIBitsInternal (-234813853, 0, 0, 16, 32, 0, 0, 32, 64, 4603496, 4603848, 0, 13369376, 48, 256, 0, ... 01630 1736 NtAllocateVirtualMemory ... 43507712, 8192, ) == 0x0 01631 808 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01632 1744 NtGdiStretchDIBitsInternal ... 
) == 0x40 01633 1736 NtProtectVirtualMemory (-1, (0x297e000), 4096, 260, ... 01634 808 NtClose (248, ... 01635 1744 NtGdiSelectBitmap (-234813853, 25493519, ... 01633 1736 NtProtectVirtualMemory ... (0x297e000), 4096, 4, ) == 0x0 01634 808 NtClose ... ) == 0x0 01635 1744 NtGdiSelectBitmap ... ) == 0x2f0503ba 01636 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01637 808 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01638 868 NtQuerySystemTime (... 01639 1744 NtGdiCreateCompatibleDC (-234813853, ... 01636 1736 NtCreateThread ... 248, {1636, 1732}, ) == 0x0 01638 868 NtQuerySystemTime ... {936233072, 29922368}, ) == 0x0 01639 1744 NtGdiCreateCompatibleDC ... ) == 0xea0104a8 01640 1736 NtQueryInformationThread (248, Basic, 28, ... 01641 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01642 1744 NtGdiExtGetObjectW (788857786, 24, 8712832, ... 01640 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0 01641 868 NtCreateEvent ... 260, ) == 0x0 01642 1744 NtGdiExtGetObjectW ... ) == 0x18 01643 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\304\6\0\0" ... ... 01644 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 01645 1744 NtGdiCreateBitmap (16, 32, 1, 1, 0, ... 01643 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75510, 0} ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\304\6\0\0" ) ) == 0x0 01644 868 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01645 1744 NtGdiCreateBitmap ... ) == 0x3405069c 01637 808 NtMapViewOfSection ... (0x76f20000), 0x0, 159744, ) == 0x0 01646 1736 NtResumeThread (248, ... 01647 868 NtQuerySystemInformation (Performance, 312, ... 01648 808 NtClose (256, ... 01646 1736 NtResumeThread ... 
1, ) == 0x0 01647 868 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 01648 808 NtClose ... ) == 0x0 01649 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01650 868 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 01651 808 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01649 1736 NtAllocateVirtualMemory ... 43515904, 2097152, ) == 0x0 01650 868 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 01651 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01652 1736 NtAllocateVirtualMemory (-1, 45604864, 0, 8192, 4096, 4, ... 01653 868 NtQueryInformationProcess (-1, VmCounters, 44, ... 01654 808 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 01652 1736 NtAllocateVirtualMemory ... 45604864, 8192, ) == 0x0 01653 868 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 01655 1744 NtGdiSelectBitmap (-234813853, 788857786, ... 01656 1732 NtWaitForSingleObject (32, 0, 0x0, ... 01654 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 01657 1736 NtProtectVirtualMemory (-1, (0x2b7e000), 4096, 260, ... 01655 1744 NtGdiSelectBitmap ... ) == 0x185000f 01658 808 NtFlushInstructionCache (-1, 1995575296, 616, ... 01657 1736 NtProtectVirtualMemory ... (0x2b7e000), 4096, 4, ) == 0x0 01659 1744 NtGdiSelectBitmap (-369032024, 872744604, ... 01658 808 NtFlushInstructionCache ... ) == 0x0 01660 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01659 1744 NtGdiSelectBitmap ... ) == 0x185000f 01661 808 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01662 1744 NtGdiBitBlt (-369032024, 0, 0, 16, 32, -234813853, 0, 0, 13369376, -1, 0, ... 01661 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01662 1744 NtGdiBitBlt ... ) == 0x1 01663 808 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 01660 1736 NtCreateThread ... 256, {1636, 1300}, ) == 0x0 01664 868 NtWaitForSingleObject (32, 0, 0x0, ... 
01665 1744 NtGdiSelectBitmap (-234813853, 25493519, ... 01666 1736 NtQueryInformationThread (256, Basic, 28, ... 01665 1744 NtGdiSelectBitmap ... ) == 0x2f0503ba 01666 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0 01667 1744 NtGdiSelectBitmap (-369032024, 25493519, ... 01668 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\24\5\0\0" ... ... 01667 1744 NtGdiSelectBitmap ... ) == 0x3405069c 01668 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75511, 0} ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\24\5\0\0" ) ) == 0x0 01669 1744 NtGdiDeleteObjectApp (788857786, ... 01663 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 01669 1744 NtGdiDeleteObjectApp ... ) == 0x1 01670 808 NtFlushInstructionCache (-1, 1995575296, 616, ... 01671 1736 NtResumeThread (256, ... 01670 808 NtFlushInstructionCache ... ) == 0x0 01671 1736 NtResumeThread ... 1, ) == 0x0 01672 808 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01673 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01672 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01673 1736 NtAllocateVirtualMemory ... 45613056, 2097152, ) == 0x0 01674 808 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 01675 1736 NtAllocateVirtualMemory (-1, 47702016, 0, 8192, 4096, 4, ... 01676 1744 NtGdiDeleteObjectApp (-369032024, ... 01677 1300 NtWaitForSingleObject (32, 0, 0x0, ... 01675 1736 NtAllocateVirtualMemory ... 47702016, 8192, ) == 0x0 01676 1744 NtGdiDeleteObjectApp ... ) == 0x1 01674 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 01678 1744 NtGdiExtGetObjectW (1409615820, 24, 8712948, ... 01679 808 NtFlushInstructionCache (-1, 1995575296, 616, ... 01678 1744 NtGdiExtGetObjectW ... 
) == 0x18 01679 808 NtFlushInstructionCache ... ) == 0x0 01680 1744 NtGdiGetDIBitsInternal (-234813853, 1409615820, 0, 32, 4615860, 4615808, 0, 4096, 0, ... 01681 808 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01680 1744 NtGdiGetDIBitsInternal ... ) == 0x20 01681 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01682 1736 NtProtectVirtualMemory (-1, (0x2d7e000), 4096, 260, ... 01683 808 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 01682 1736 NtProtectVirtualMemory ... (0x2d7e000), 4096, 4, ) == 0x0 01684 1744 NtUserGetDC (0, ... 01685 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01684 1744 NtUserGetDC ... ) == 0x1010054 01685 1736 NtCreateThread ... 264, {1636, 500}, ) == 0x0 01686 1744 NtGdiCreateCompatibleBitmap (16842836, 16, 16, ... 01687 1736 NtQueryInformationThread (264, Basic, 28, ... 01686 1744 NtGdiCreateCompatibleBitmap ... ) == 0xec0504a8 01687 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=500,}, 0x0, ) == 0x0 01688 1744 NtUserCallOneParam (16842836, 57, ... 01683 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 01688 1744 NtUserCallOneParam ... ) == 0x1 01689 808 NtFlushInstructionCache (-1, 1995575296, 616, ... 01690 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0d\6\0\0\364\1\0\0" ... ... 01689 808 NtFlushInstructionCache ... ) == 0x0 01690 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75512, 0} ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0d\6\0\0\364\1\0\0" ) ) == 0x0 01691 808 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01692 1736 NtResumeThread (264, ... 01691 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01692 1736 NtResumeThread ... 1, ) == 0x0 01693 808 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 
01694 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01695 1744 NtGdiSelectBitmap (-234813853, -335215448, ... 01696 500 NtWaitForSingleObject (32, 0, 0x0, ... 01693 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 01695 1744 NtGdiSelectBitmap ... ) == 0x185000f 01697 808 NtFlushInstructionCache (-1, 1995575296, 616, ... 01698 1744 NtGdiDoPalette (-234813853, 0, 1, 8712808, 4, 0, ... 01697 808 NtFlushInstructionCache ... ) == 0x0 01698 1744 NtGdiDoPalette ... ) == 0x0 01699 808 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01700 1744 NtGdiStretchDIBitsInternal (-234813853, 0, 0, 16, 16, 0, 0, 32, 32, 4615860, 4603848, 0, 13369376, 40, 4096, 0, ... 01699 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01700 1744 NtGdiStretchDIBitsInternal ... ) == 0x20 01701 808 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 01694 1736 NtAllocateVirtualMemory ... 47710208, 2097152, ) == 0x0 01702 1744 NtGdiSelectBitmap (-234813853, 25493519, ... 01703 1736 NtAllocateVirtualMemory (-1, 49799168, 0, 8192, 4096, 4, ... 01702 1744 NtGdiSelectBitmap ... ) == 0xec0504a8 01703 1736 NtAllocateVirtualMemory ... 49799168, 8192, ) == 0x0 01704 1744 NtGdiDeleteObjectApp (1912931921, ... 01705 1736 NtProtectVirtualMemory (-1, (0x2f7e000), 4096, 260, ... 01704 1744 NtGdiDeleteObjectApp ... ) == 0x1 01705 1736 NtProtectVirtualMemory ... (0x2f7e000), 4096, 4, ) == 0x0 01706 1744 NtGdiDeleteObjectApp (1409615820, ... 01707 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01706 1744 NtGdiDeleteObjectApp ... ) == 0x1 01701 808 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 01707 1736 NtCreateThread ... 268, {1636, 948}, ) == 0x0 01708 808 NtFlushInstructionCache (-1, 1995575296, 616, ... 01709 1736 NtQueryInformationThread (268, Basic, 28, ... 01708 808 NtFlushInstructionCache ... ) == 0x0 01709 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=948,}, 0x0, ) == 0x0 01710 808 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... }, ... 01711 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0d\6\0\0\264\3\0\0" ... ... 01710 808 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01711 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75513, 0} ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0d\6\0\0\264\3\0\0" ) ) == 0x0 01712 808 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01713 1744 NtUserCallOneParam (0, 33, ... 01714 1736 NtResumeThread (268, ... 01713 1744 NtUserCallOneParam ... ) == 0x6000a3 01714 1736 NtResumeThread ... 1, ) == 0x0 01715 1744 NtUserSetCursorIconData (6291619, 8712992, 8713008, 8713052, ... 01716 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01715 1744 NtUserSetCursorIconData ... ) == 0x1 01716 1736 NtAllocateVirtualMemory ... 49807360, 2097152, ) == 0x0 01717 1744 NtWaitForSingleObject (32, 0, 0x0, ... 01718 1736 NtAllocateVirtualMemory (-1, 51896320, 0, 8192, 4096, 4, ... 51896320, 8192, ) == 0x0 01719 1736 NtProtectVirtualMemory (-1, (0x317e000), 4096, 260, ... (0x317e000), 4096, 4, ) == 0x0 01720 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 272, {1636, 1384}, ) == 0x0 01721 1736 NtQueryInformationThread (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0 01712 808 NtCreateKey ... 
276, 2, ) == 0x0 01722 948 NtWaitForSingleObject (32, 0, 0x0, ... 01723 808 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 280, ) }, ... 280, ) == 0x0 01724 808 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01725 808 NtQueryValueKey (280, (280, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01726 808 NtQueryValueKey (276, (276, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01727 808 NtQueryValueKey (280, (280, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01728 808 NtQueryValueKey (276, (276, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ... 01729 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0d\6\0\0h\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0d\6\0\0h\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75514, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0d\6\0\0h\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0d\6\0\0h\5\0\0" ) ) == 0x0 01730 1736 NtResumeThread (272, ... 1, ) == 0x0 01731 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 51904512, 2097152, ) == 0x0 01732 1736 NtAllocateVirtualMemory (-1, 53993472, 0, 8192, 4096, 4, ... 53993472, 8192, ) == 0x0 01733 1736 NtProtectVirtualMemory (-1, (0x337e000), 4096, 260, ... (0x337e000), 4096, 4, ) == 0x0 01734 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01728 808 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01735 1384 NtWaitForSingleObject (32, 0, 0x0, ... 01736 808 NtQueryValueKey (280, (280, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01737 808 NtQueryValueKey (276, (276, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01738 808 NtQueryValueKey (280, (280, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01739 808 NtQueryValueKey (276, (276, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01740 808 NtQueryValueKey (280, (280, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01741 808 NtQueryValueKey (280, (280, "ScreenBadTlds", Partial, 144, ... , Partial, 144, ... 01734 1736 NtCreateThread ... 284, {1636, 1600}, ) == 0x0 01742 1736 NtQueryInformationThread (284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0 01743 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0@\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0@\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75515, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0@\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0@\6\0\0" ) ) == 0x0 01744 1736 NtResumeThread (284, ... 1, ) == 0x0 01745 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01741 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01746 1600 NtWaitForSingleObject (32, 0, 0x0, ... 01747 808 NtQueryValueKey (280, (280, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01748 808 NtQueryValueKey (280, (280, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01749 808 NtQueryValueKey (280, (280, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01750 808 NtQueryValueKey (280, (280, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01751 808 NtQueryValueKey (280, (280, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01752 808 NtQueryValueKey (280, (280, "UseHostsFile", Partial, 144, ... , Partial, 144, ... 01745 1736 NtAllocateVirtualMemory ... 54001664, 2097152, ) == 0x0 01753 1736 NtAllocateVirtualMemory (-1, 56090624, 0, 8192, 4096, 4, ... 56090624, 8192, ) == 0x0 01754 1736 NtProtectVirtualMemory (-1, (0x357e000), 4096, 260, ... (0x357e000), 4096, 4, ) == 0x0 01755 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 288, {1636, 2040}, ) == 0x0 01756 1736 NtQueryInformationThread (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0 01757 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0d\6\0\0\370\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75516, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0d\6\0\0\370\7\0\0" ) ) == 0x0 01752 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01758 808 NtQueryValueKey (280, (280, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01759 808 NtQueryValueKey (276, (276, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01760 808 NtQueryValueKey (280, (280, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01761 808 NtQueryValueKey (280, (280, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01762 808 NtQueryValueKey (276, (276, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01763 808 NtQueryValueKey (280, (280, "RegisterReverseLookup", Partial, 144, ... , Partial, 144, ... 01764 1736 NtResumeThread (288, ... 1, ) == 0x0 01765 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 56098816, 2097152, ) == 0x0 01766 1736 NtAllocateVirtualMemory (-1, 58187776, 0, 8192, 4096, 4, ... 58187776, 8192, ) == 0x0 01767 1736 NtProtectVirtualMemory (-1, (0x377e000), 4096, 260, ... (0x377e000), 4096, 4, ) == 0x0 01768 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 292, {1636, 152}, ) == 0x0 01769 1736 NtQueryInformationThread (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=152,}, 0x0, ) == 0x0 01763 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01770 2040 NtWaitForSingleObject (32, 0, 0x0, ... 01771 808 NtQueryValueKey (276, (276, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01772 808 NtQueryValueKey (280, (280, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01773 808 NtQueryValueKey (276, (276, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01774 808 NtQueryValueKey (280, (280, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01775 808 NtQueryValueKey (276, (276, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01776 808 NtQueryValueKey (280, (280, "RegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ... 01777 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0d\6\0\0\230\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0d\6\0\0\230\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75517, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0d\6\0\0\230\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0d\6\0\0\230\0\0\0" ) ) == 0x0 01778 1736 NtResumeThread (292, ... 1, ) == 0x0 01779 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 58195968, 2097152, ) == 0x0 01780 1736 NtAllocateVirtualMemory (-1, 60284928, 0, 8192, 4096, 4, ... 60284928, 8192, ) == 0x0 01781 1736 NtProtectVirtualMemory (-1, (0x397e000), 4096, 260, ... (0x397e000), 4096, 4, ) == 0x0 01782 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01776 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01783 152 NtWaitForSingleObject (32, 0, 0x0, ... 01784 808 NtQueryValueKey (276, (276, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01785 808 NtQueryValueKey (280, (280, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01786 808 NtQueryValueKey (276, (276, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01787 808 NtQueryValueKey (280, (280, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01788 808 NtQueryValueKey (276, (276, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 808 NtQueryValueKey (280, (280, "UpdateZoneExcludeFile", Partial, 144, ... 
, Partial, 144, ... 01782 1736 NtCreateThread ... 296, {1636, 900}, ) == 0x0 01790 1736 NtQueryInformationThread (296, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=900,}, 0x0, ) == 0x0 01791 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0d\6\0\0\204\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0d\6\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75518, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0d\6\0\0\204\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0d\6\0\0\204\3\0\0" ) ) == 0x0 01792 1736 NtResumeThread (296, ... 1, ) == 0x0 01793 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 60293120, 2097152, ) == 0x0 01794 1736 NtAllocateVirtualMemory (-1, 62382080, 0, 8192, 4096, 4, ... 62382080, 8192, ) == 0x0 01789 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01795 900 NtWaitForSingleObject (32, 0, 0x0, ... 01796 808 NtQueryValueKey (280, (280, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01797 808 NtQueryValueKey (280, (280, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01798 808 NtQueryValueKey (280, (280, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01799 808 NtQueryValueKey (280, (280, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01800 808 NtQueryValueKey (280, (280, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01801 808 NtQueryValueKey (280, (280, "AdapterTimeoutLimit", Partial, 144, ... , Partial, 144, ... 01802 1736 NtProtectVirtualMemory (-1, (0x3b7e000), 4096, 260, ... 
(0x3b7e000), 4096, 4, ) == 0x0 01803 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 300, {1636, 1388}, ) == 0x0 01804 1736 NtQueryInformationThread (300, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0 01805 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0d\6\0\0l\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75519, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0d\6\0\0l\5\0\0" ) ) == 0x0 01806 1736 NtResumeThread (300, ... 1, ) == 0x0 01807 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01801 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 1388 NtWaitForSingleObject (32, 0, 0x0, ... 01809 808 NtQueryValueKey (280, (280, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01810 808 NtQueryValueKey (280, (280, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01811 808 NtQueryValueKey (280, (280, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01812 808 NtQueryValueKey (280, (280, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01813 808 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\Setup"}, ... 304, ) }, ... 304, ) == 0x0 01814 808 NtQueryValueKey (304, (304, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ... 01807 1736 NtAllocateVirtualMemory ... 62390272, 2097152, ) == 0x0 01815 1736 NtAllocateVirtualMemory (-1, 64479232, 0, 8192, 4096, 4, ... 
64479232, 8192, ) == 0x0 01816 1736 NtProtectVirtualMemory (-1, (0x3d7e000), 4096, 260, ... (0x3d7e000), 4096, 4, ) == 0x0 01817 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 308, {1636, 2036}, ) == 0x0 01818 1736 NtQueryInformationThread (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=2036,}, 0x0, ) == 0x0 01819 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0d\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0d\6\0\0\364\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75520, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0d\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0d\6\0\0\364\7\0\0" ) ) == 0x0 01814 808 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01820 808 NtClose (304, ... ) == 0x0 01821 808 NtClose (276, ... ) == 0x0 01822 808 NtClose (280, ... ) == 0x0 01823 808 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 280, ) }, ... 280, ) == 0x0 01824 808 NtQueryValueKey (280, (280, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01825 808 NtQueryValueKey (280, (280, "DnsQuickQueryTimeouts", Partial, 144, ... , Partial, 144, ... 01826 1736 NtResumeThread (308, ... 1, ) == 0x0 01827 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 64487424, 2097152, ) == 0x0 01828 1736 NtAllocateVirtualMemory (-1, 66576384, 0, 8192, 4096, 4, ... 66576384, 8192, ) == 0x0 01829 1736 NtProtectVirtualMemory (-1, (0x3f7e000), 4096, 260, ... (0x3f7e000), 4096, 4, ) == 0x0 01830 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 
276, {1636, 1776}, ) == 0x0 01831 1736 NtQueryInformationThread (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=1776,}, 0x0, ) == 0x0 01825 808 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01832 2036 NtWaitForSingleObject (32, 0, 0x0, ... 01833 808 NtQueryValueKey (280, (280, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01834 808 NtClose (280, ... ) == 0x0 01835 808 NtSetEventBoostPriority (32, ... 01598 420 NtWaitForSingleObject ... ) == 0x0 01836 420 NtSetEventBoostPriority (32, ... 01629 376 NtWaitForSingleObject ... ) == 0x0 01837 376 NtSetEventBoostPriority (32, ... 01656 1732 NtWaitForSingleObject ... ) == 0x0 01838 1732 NtSetEventBoostPriority (32, ... 01664 868 NtWaitForSingleObject ... ) == 0x0 01839 868 NtSetEventBoostPriority (32, ... 01677 1300 NtWaitForSingleObject ... ) == 0x0 01840 1300 NtSetEventBoostPriority (32, ... 01696 500 NtWaitForSingleObject ... ) == 0x0 01841 500 NtAllocateVirtualMemory (-1, 13193216, 0, 4096, 4096, 4, ... 13193216, 4096, ) == 0x0 01840 1300 NtSetEventBoostPriority ... ) == 0x0 01839 868 NtSetEventBoostPriority ... ) == 0x0 01838 1732 NtSetEventBoostPriority ... ) == 0x0 01837 376 NtSetEventBoostPriority ... ) == 0x0 01836 420 NtSetEventBoostPriority ... ) == 0x0 01835 808 NtSetEventBoostPriority ... ) == 0x0 01842 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0d\6\0\0\360\6\0\0" ... ... 01843 500 NtSetEventBoostPriority (32, ... 01844 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01845 1300 NtTestAlert (... 01846 1732 NtTestAlert (... 01847 376 NtTestAlert (... 01848 808 NtWaitForSingleObject (32, 0, 0x0, ... 01842 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75521, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0d\6\0\0\360\6\0\0" ) ) == 0x0 01717 1744 NtWaitForSingleObject ... ) == 0x0 01843 500 NtSetEventBoostPriority ... ) == 0x0 01849 420 NtTestAlert (... 01845 1300 NtTestAlert ... ) == 0x0 01846 1732 NtTestAlert ... ) == 0x0 01847 376 NtTestAlert ... ) == 0x0 01850 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711868, ... }, 8711868, ... 01851 1736 NtResumeThread (276, ... 01852 500 NtTestAlert (... 01849 420 NtTestAlert ... ) == 0x0 01853 1300 NtContinue (45612336, 1, ... 01854 1732 NtContinue (43515184, 1, ... 01850 1744 NtQueryAttributesFile ... ) == 0x0 01855 376 NtContinue (41418032, 1, ... 01851 1736 NtResumeThread ... 1, ) == 0x0 01852 500 NtTestAlert ... ) == 0x0 01856 420 NtContinue (39320880, 1, ... 01857 1300 NtRegisterThreadTerminatePort (24, ... 01858 1732 NtRegisterThreadTerminatePort (24, ... 01844 868 NtCreateEvent ... 280, ) == 0x0 01859 1776 NtWaitForSingleObject (32, 0, 0x0, ... 01860 376 NtRegisterThreadTerminatePort (24, ... 01861 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01862 500 NtContinue (47709488, 1, ... 01863 420 NtRegisterThreadTerminatePort (24, ... 01857 1300 NtRegisterThreadTerminatePort ... ) == 0x0 01858 1732 NtRegisterThreadTerminatePort ... ) == 0x0 01864 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01860 376 NtRegisterThreadTerminatePort ... ) == 0x0 01865 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... }, 5, 96, ... 01866 500 NtRegisterThreadTerminatePort (24, ... 01863 420 NtRegisterThreadTerminatePort ... ) == 0x0 01867 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01868 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01864 868 NtDuplicateObject ... 304, ) == 0x0 01869 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01865 1744 NtOpenFile ... 
312, {status=0x0, info=1}, ) == 0x0 01861 1736 NtAllocateVirtualMemory ... 66584576, 2097152, ) == 0x0 01870 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01866 500 NtRegisterThreadTerminatePort ... ) == 0x0 01867 1300 NtDuplicateObject ... 316, ) == 0x0 01871 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01868 1732 NtDuplicateObject ... 320, ) == 0x0 01872 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 312, ... 01873 1736 NtAllocateVirtualMemory (-1, 68673536, 0, 8192, 4096, 4, ... 01869 376 NtDuplicateObject ... 324, ) == 0x0 01874 500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01875 1300 NtWaitForSingleObject (76, 0, {0, 0}, ... 01871 868 NtOpenKey ... 328, ) == 0x0 01876 1732 NtWaitForSingleObject (76, 0, {0, 0}, ... 01872 1744 NtCreateSection ... 332, ) == 0x0 01873 1736 NtAllocateVirtualMemory ... 68673536, 8192, ) == 0x0 01877 376 NtWaitForSingleObject (76, 0, {0, 0}, ... 01874 500 NtDuplicateObject ... 336, ) == 0x0 01875 1300 NtWaitForSingleObject ... ) == 0x102 01878 868 NtQueryValueKey (328, (328, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01876 1732 NtWaitForSingleObject ... ) == 0x102 01879 1744 NtClose (312, ... 01880 1736 NtProtectVirtualMemory (-1, (0x417e000), 4096, 260, ... 01877 376 NtWaitForSingleObject ... ) == 0x102 01881 500 NtWaitForSingleObject (76, 0, {0, 0}, ... 01882 1300 NtWaitForSingleObject (192, 0, 0x0, ... 01870 420 NtDuplicateObject ... 340, ) == 0x0 01883 1732 NtWaitForSingleObject (192, 0, 0x0, ... 01879 1744 NtClose ... ) == 0x0 01880 1736 NtProtectVirtualMemory ... (0x417e000), 4096, 4, ) == 0x0 01884 376 NtWaitForSingleObject (192, 0, 0x0, ... 01881 500 NtWaitForSingleObject ... ) == 0x102 01885 420 NtWaitForSingleObject (76, 0, {0, 0}, ... 01878 868 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01886 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 
01887 1744 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01885 420 NtWaitForSingleObject ... ) == 0x102 01888 868 NtClose (328, ... 01889 500 NtWaitForSingleObject (192, 0, 0x0, ... 01887 1744 NtMapViewOfSection ... (0xed0000), 0x0, 221184, ) == 0x0 01890 420 NtWaitForSingleObject (192, 0, 0x0, ... 01888 868 NtClose ... ) == 0x0 01891 1744 NtClose (332, ... 01892 868 NtOpenThreadToken (-2, 0xc, 1, ... 01891 1744 NtClose ... ) == 0x0 01892 868 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01893 1744 NtUnmapViewOfSection (-1, 0xed0000, ... 01894 868 NtOpenThreadToken (-2, 0x20008, 1, ... 01893 1744 NtUnmapViewOfSection ... ) == 0x0 01886 1736 NtCreateThread ... 332, {1636, 1652}, ) == 0x0 01894 868 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01895 1736 NtQueryInformationThread (332, Basic, 28, ... 01896 868 NtAllocateVirtualMemory (-1, 4620288, 0, 4096, 4096, 4, ... 01895 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0 01896 868 NtAllocateVirtualMemory ... 4620288, 4096, ) == 0x0 01897 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0t\6\0\0" ... ... 01898 868 NtWaitForSingleObject (32, 0, 0x0, ... 01897 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75522, 0} ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0t\6\0\0" ) ) == 0x0 01899 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8712176, ... ) }, 8712176, ... ) == 0x0 01900 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 01901 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 312, ) == 0x0 01902 1744 NtQuerySection (312, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 01903 1744 NtClose (328, ... ) == 0x0 01904 1744 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0 01905 1736 NtResumeThread (332, ... 1, ) == 0x0 01906 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 68681728, 2097152, ) == 0x0 01907 1736 NtAllocateVirtualMemory (-1, 70770688, 0, 8192, 4096, 4, ... 70770688, 8192, ) == 0x0 01908 1736 NtProtectVirtualMemory (-1, (0x437e000), 4096, 260, ... (0x437e000), 4096, 4, ) == 0x0 01909 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 328, {1636, 440}, ) == 0x0 01910 1736 NtQueryInformationThread (328, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=440,}, 0x0, ) == 0x0 01911 1744 NtClose (312, ... 01912 1652 NtWaitForSingleObject (32, 0, 0x0, ... 01911 1744 NtClose ... ) == 0x0 01913 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01914 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01915 1744 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01916 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01917 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01918 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0\270\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75523, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0\270\1\0\0" ) ) == 0x0 01919 1736 NtResumeThread (328, ... 
1, ) == 0x0 01920 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 70778880, 2097152, ) == 0x0 01921 1736 NtAllocateVirtualMemory (-1, 72867840, 0, 8192, 4096, 4, ... 72867840, 8192, ) == 0x0 01922 1736 NtProtectVirtualMemory (-1, (0x457e000), 4096, 260, ... (0x457e000), 4096, 4, ) == 0x0 01923 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 01924 1744 NtFlushInstructionCache (-1, 1524043776, 1300, ... 01925 440 NtWaitForSingleObject (32, 0, 0x0, ... 01924 1744 NtFlushInstructionCache ... ) == 0x0 01926 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01927 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01928 1744 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01929 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01930 1744 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01923 1736 NtCreateThread ... 312, {1636, 1620}, ) == 0x0 01931 1736 NtQueryInformationThread (312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0 01932 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0T\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75524, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0T\6\0\0" ) ) == 0x0 01933 1736 NtResumeThread (312, ... 1, ) == 0x0 01934 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 72876032, 2097152, ) == 0x0 01935 1736 NtAllocateVirtualMemory (-1, 74964992, 0, 8192, 4096, 4, ... 
74964992, 8192, ) == 0x0 01936 1744 NtFlushInstructionCache (-1, 1524043776, 1300, ... 01937 1620 NtWaitForSingleObject (32, 0, 0x0, ... 01936 1744 NtFlushInstructionCache ... ) == 0x0 01938 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01939 1744 NtUserGetWindowDC (0, ... ) == 0x1010050 01940 1744 NtUserCallOneParam (16842832, 57, ... ) == 0x1 01941 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01942 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 01943 1736 NtProtectVirtualMemory (-1, (0x477e000), 4096, 260, ... (0x477e000), 4096, 4, ) == 0x0 01944 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 344, {1636, 2044}, ) == 0x0 01945 1736 NtQueryInformationThread (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0 01946 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0d\6\0\0\374\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0d\6\0\0\374\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75525, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0d\6\0\0\374\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0d\6\0\0\374\7\0\0" ) ) == 0x0 01947 1736 NtResumeThread (344, ... 1, ) == 0x0 01948 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01942 1744 NtOpenProcessTokenEx ... 348, ) == 0x0 01949 2044 NtWaitForSingleObject (32, 0, 0x0, ... 01950 1744 NtQueryInformationToken (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01951 1744 NtClose (348, ... 
) == 0x0 01952 1744 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 348, ) }, ... 348, ) == 0x0 01953 1744 NtOpenKey (0x1, {24, 348, 0x40, 0, 0, (0x1, {24, 348, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 352, ) }, ... 352, ) == 0x0 01954 1744 NtQueryValueKey (352, (352, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01955 1744 NtClose (352, ... 01948 1736 NtAllocateVirtualMemory ... 74973184, 2097152, ) == 0x0 01956 1736 NtAllocateVirtualMemory (-1, 77062144, 0, 8192, 4096, 4, ... 77062144, 8192, ) == 0x0 01957 1736 NtProtectVirtualMemory (-1, (0x497e000), 4096, 260, ... (0x497e000), 4096, 4, ) == 0x0 01958 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 356, {1636, 1308}, ) == 0x0 01959 1736 NtQueryInformationThread (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0 01960 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0\34\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0\34\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75526, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0\34\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0\34\5\0\0" ) ) == 0x0 01955 1744 NtClose ... ) == 0x0 01961 1744 NtClose (348, ... ) == 0x0 01962 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01963 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 348, ) == 0x0 01964 1744 NtQueryInformationToken (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01965 1744 NtClose (348, ... 
) == 0x0 01966 1744 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... }, ... 01967 1736 NtResumeThread (356, ... 1, ) == 0x0 01968 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 77070336, 2097152, ) == 0x0 01969 1736 NtAllocateVirtualMemory (-1, 79159296, 0, 8192, 4096, 4, ... 79159296, 8192, ) == 0x0 01970 1736 NtProtectVirtualMemory (-1, (0x4b7e000), 4096, 260, ... (0x4b7e000), 4096, 4, ) == 0x0 01971 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 348, {1636, 1376}, ) == 0x0 01972 1736 NtQueryInformationThread (348, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0 01966 1744 NtOpenKey ... 352, ) == 0x0 01973 1308 NtWaitForSingleObject (32, 0, 0x0, ... 01974 1744 NtOpenKey (0x1, {24, 352, 0x40, 0, 0, (0x1, {24, 352, 0x40, 0, 0, "Control Panel\Desktop"}, ... 360, ) }, ... 360, ) == 0x0 01975 1744 NtQueryValueKey (360, (360, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01976 1744 NtClose (360, ... ) == 0x0 01977 1744 NtClose (352, ... ) == 0x0 01978 1744 NtSetEventBoostPriority (32, ... 01722 948 NtWaitForSingleObject ... ) == 0x0 01979 948 NtSetEventBoostPriority (32, ... 01735 1384 NtWaitForSingleObject ... ) == 0x0 01980 1384 NtSetEventBoostPriority (32, ... 01746 1600 NtWaitForSingleObject ... ) == 0x0 01981 1600 NtSetEventBoostPriority (32, ... 01770 2040 NtWaitForSingleObject ... ) == 0x0 01982 2040 NtSetEventBoostPriority (32, ... 01783 152 NtWaitForSingleObject ... ) == 0x0 01983 152 NtSetEventBoostPriority (32, ... 01795 900 NtWaitForSingleObject ... ) == 0x0 01984 900 NtSetEventBoostPriority (32, ... 01808 1388 NtWaitForSingleObject ... ) == 0x0 01985 1388 NtSetEventBoostPriority (32, ... 01832 2036 NtWaitForSingleObject ... ) == 0x0 01986 2036 NtSetEventBoostPriority (32, ... 01848 808 NtWaitForSingleObject ... 
) == 0x0 01987 808 NtSetEventBoostPriority (32, ... 01859 1776 NtWaitForSingleObject ... ) == 0x0 01988 1776 NtSetEventBoostPriority (32, ... 01898 868 NtWaitForSingleObject ... ) == 0x0 01989 868 NtSetEventBoostPriority (32, ... 01912 1652 NtWaitForSingleObject ... ) == 0x0 01990 1652 NtSetEventBoostPriority (32, ... 01925 440 NtWaitForSingleObject ... ) == 0x0 01991 440 NtSetEventBoostPriority (32, ... 01937 1620 NtWaitForSingleObject ... ) == 0x0 01992 1620 NtSetEventBoostPriority (32, ... 01949 2044 NtWaitForSingleObject ... ) == 0x0 01993 2044 NtSetEventBoostPriority (32, ... 01973 1308 NtWaitForSingleObject ... ) == 0x0 01994 1308 NtTestAlert (... ) == 0x0 01993 2044 NtSetEventBoostPriority ... ) == 0x0 01992 1620 NtSetEventBoostPriority ... ) == 0x0 01991 440 NtSetEventBoostPriority ... ) == 0x0 01990 1652 NtSetEventBoostPriority ... ) == 0x0 01989 868 NtSetEventBoostPriority ... ) == 0x0 01988 1776 NtSetEventBoostPriority ... ) == 0x0 01987 808 NtSetEventBoostPriority ... ) == 0x0 01986 2036 NtSetEventBoostPriority ... ) == 0x0 01985 1388 NtSetEventBoostPriority ... ) == 0x0 01984 900 NtSetEventBoostPriority ... ) == 0x0 01983 152 NtSetEventBoostPriority ... ) == 0x0 01982 2040 NtSetEventBoostPriority ... ) == 0x0 01981 1600 NtSetEventBoostPriority ... ) == 0x0 01980 1384 NtSetEventBoostPriority ... ) == 0x0 01979 948 NtSetEventBoostPriority ... ) == 0x0 01978 1744 NtSetEventBoostPriority ... ) == 0x0 01995 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0d\6\0\0`\5\0\0" ... ... 01996 1308 NtContinue (77069616, 1, ... 01997 2044 NtTestAlert (... 01998 1620 NtTestAlert (... 01999 440 NtTestAlert (... 02000 1652 NtTestAlert (... 02001 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18346096, ... }, 18346096, ... 02002 1776 NtTestAlert (... 02003 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
02004 2036 NtTestAlert (... 02005 1388 NtTestAlert (... 02006 900 NtTestAlert (... 02007 152 NtTestAlert (... 02008 2040 NtTestAlert (... 02009 1600 NtTestAlert (... 02010 1384 NtTestAlert (... 02011 1744 NtWaitForSingleObject (32, 0, 0x0, ... 01995 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75527, 0} ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0d\6\0\0`\5\0\0" ) ) == 0x0 02012 1308 NtRegisterThreadTerminatePort (24, ... 01997 2044 NtTestAlert ... ) == 0x0 01998 1620 NtTestAlert ... ) == 0x0 01999 440 NtTestAlert ... ) == 0x0 02000 1652 NtTestAlert ... ) == 0x0 02001 868 NtQueryAttributesFile ... ) == 0x0 02002 1776 NtTestAlert ... ) == 0x0 02003 808 NtCreateEvent ... 352, ) == 0x0 02004 2036 NtTestAlert ... ) == 0x0 02005 1388 NtTestAlert ... ) == 0x0 02006 900 NtTestAlert ... ) == 0x0 02007 152 NtTestAlert ... ) == 0x0 02008 2040 NtTestAlert ... ) == 0x0 02009 1600 NtTestAlert ... ) == 0x0 02010 1384 NtTestAlert ... ) == 0x0 02013 948 NtTestAlert (... 02014 1736 NtResumeThread (348, ... 02012 1308 NtRegisterThreadTerminatePort ... ) == 0x0 02015 2044 NtContinue (74972464, 1, ... 02016 1620 NtContinue (72875312, 1, ... 02017 440 NtContinue (70778160, 1, ... 02018 1652 NtContinue (68681008, 1, ... 02019 868 NtSetEventBoostPriority (32, ... 02020 1776 NtContinue (66583856, 1, ... 02021 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02022 2036 NtContinue (64486704, 1, ... 02023 1388 NtContinue (62389552, 1, ... 02024 900 NtContinue (60292400, 1, ... 02025 152 NtContinue (58195248, 1, ... 02026 2040 NtContinue (56098096, 1, ... 02027 1600 NtContinue (54000944, 1, ... 02028 1384 NtContinue (51903792, 1, ... 02013 948 NtTestAlert ... ) == 0x0 02014 1736 NtResumeThread ... 1, ) == 0x0 02029 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02030 2044 NtRegisterThreadTerminatePort (24, ... 02031 1620 NtRegisterThreadTerminatePort (24, ... 02032 440 NtRegisterThreadTerminatePort (24, ... 
02033 1652 NtRegisterThreadTerminatePort (24, ... 02019 868 NtSetEventBoostPriority ... ) == 0x0 02034 1776 NtRegisterThreadTerminatePort (24, ... 02021 808 NtDuplicateObject ... 360, ) == 0x0 02035 2036 NtRegisterThreadTerminatePort (24, ... 02036 1388 NtRegisterThreadTerminatePort (24, ... 02037 900 NtRegisterThreadTerminatePort (24, ... 02038 152 NtRegisterThreadTerminatePort (24, ... 02039 2040 NtRegisterThreadTerminatePort (24, ... 02040 1600 NtRegisterThreadTerminatePort (24, ... 02041 1384 NtRegisterThreadTerminatePort (24, ... 02042 948 NtContinue (49806640, 1, ... 02043 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02029 1308 NtDuplicateObject ... 364, ) == 0x0 02030 2044 NtRegisterThreadTerminatePort ... ) == 0x0 02031 1620 NtRegisterThreadTerminatePort ... ) == 0x0 02032 440 NtRegisterThreadTerminatePort ... ) == 0x0 02033 1652 NtRegisterThreadTerminatePort ... ) == 0x0 02044 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 02034 1776 NtRegisterThreadTerminatePort ... ) == 0x0 02045 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2l\246\374'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\2165\354\317\361\377\215\266\316\2l\246\374'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02035 2036 NtRegisterThreadTerminatePort ... ) == 0x0 02036 1388 NtRegisterThreadTerminatePort ... ) == 0x0 02037 900 NtRegisterThreadTerminatePort ... ) == 0x0 02038 152 NtRegisterThreadTerminatePort ... ) == 0x0 02039 2040 NtRegisterThreadTerminatePort ... ) == 0x0 02040 1600 NtRegisterThreadTerminatePort ... ) == 0x0 02041 1384 NtRegisterThreadTerminatePort ... ) == 0x0 02046 948 NtRegisterThreadTerminatePort (24, ... 02011 1744 NtWaitForSingleObject ... ) == 0x0 02047 1376 NtWaitForSingleObject (32, 0, 0x0, ... 02048 1308 NtWaitForSingleObject (76, 0, {0, 0}, ... 02049 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02050 1620 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02051 440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02052 1652 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02044 868 NtOpenKey ... 368, ) == 0x0 02053 1776 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02054 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02055 2036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02056 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02057 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02058 152 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02059 2040 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02060 1600 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02061 1384 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02046 948 NtRegisterThreadTerminatePort ... ) == 0x0 02062 1744 NtSetEventBoostPriority (32, ... 
02043 1736 NtAllocateVirtualMemory ... 79167488, 2097152, ) == 0x0 02048 1308 NtWaitForSingleObject ... ) == 0x102 02049 2044 NtDuplicateObject ... 372, ) == 0x0 02050 1620 NtDuplicateObject ... 376, ) == 0x0 02051 440 NtDuplicateObject ... 380, ) == 0x0 02052 1652 NtDuplicateObject ... 384, ) == 0x0 02063 868 NtQueryValueKey (368, (368, "Transports", Partial, 144, ... , Partial, 144, ... 02053 1776 NtDuplicateObject ... 388, ) == 0x0 02054 808 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02055 2036 NtDuplicateObject ... 392, ) == 0x0 02056 1388 NtDuplicateObject ... 396, ) == 0x0 02057 900 NtDuplicateObject ... 400, ) == 0x0 02058 152 NtDuplicateObject ... 404, ) == 0x0 02059 2040 NtDuplicateObject ... 408, ) == 0x0 02060 1600 NtDuplicateObject ... 412, ) == 0x0 02064 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02047 1376 NtWaitForSingleObject ... ) == 0x0 02062 1744 NtSetEventBoostPriority ... ) == 0x0 02065 1736 NtAllocateVirtualMemory (-1, 81256448, 0, 8192, 4096, 4, ... 02066 1308 NtWaitForSingleObject (192, 0, 0x0, ... 02067 2044 NtWaitForSingleObject (76, 0, {0, 0}, ... 02068 1620 NtWaitForSingleObject (76, 0, {0, 0}, ... 02069 440 NtWaitForSingleObject (76, 0, {0, 0}, ... 02070 1652 NtWaitForSingleObject (76, 0, {0, 0}, ... 02063 868 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 02071 1776 NtWaitForSingleObject (76, 0, {0, 0}, ... 02072 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02073 2036 NtWaitForSingleObject (76, 0, {0, 0}, ... 02074 1388 NtAllocateVirtualMemory (-1, 4624384, 0, 4096, 4096, 4, ... 02075 900 NtWaitForSingleObject (80, 0, 0x0, ... 02076 152 NtWaitForSingleObject (80, 0, 0x0, ... 02077 2040 NtWaitForSingleObject (80, 0, 0x0, ... 02078 1600 NtWaitForSingleObject (80, 0, 0x0, ... 02061 1384 NtDuplicateObject ... 416, ) == 0x0 02079 1376 NtTestAlert (... 
02080 1744 NtUserGetProcessWindowStation (... 02065 1736 NtAllocateVirtualMemory ... 81256448, 8192, ) == 0x0 02067 2044 NtWaitForSingleObject ... ) == 0x102 02068 1620 NtWaitForSingleObject ... ) == 0x102 02069 440 NtWaitForSingleObject ... ) == 0x102 02070 1652 NtWaitForSingleObject ... ) == 0x102 02081 868 NtQueryValueKey (368, (368, "Transports", Partial, 144, ... , Partial, 144, ... 02071 1776 NtWaitForSingleObject ... ) == 0x102 02072 808 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02073 2036 NtWaitForSingleObject ... ) == 0x102 02074 1388 NtAllocateVirtualMemory ... 4624384, 4096, ) == 0x0 02079 1376 NtTestAlert ... ) == 0x0 02082 1384 NtWaitForSingleObject (80, 0, 0x0, ... 02080 1744 NtUserGetProcessWindowStation ... ) == 0x2c 02083 1736 NtProtectVirtualMemory (-1, (0x4d7e000), 4096, 260, ... 02084 2044 NtWaitForSingleObject (80, 0, 0x0, ... 02085 1620 NtWaitForSingleObject (80, 0, 0x0, ... 02086 440 NtWaitForSingleObject (80, 0, 0x0, ... 02087 1652 NtWaitForSingleObject (80, 0, 0x0, ... 02081 868 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 02088 1776 NtWaitForSingleObject (80, 0, 0x0, ... 02089 808 NtQuerySystemInformation (Performance, 312, ... 02090 2036 NtWaitForSingleObject (80, 0, 0x0, ... 02091 1388 NtSetEventBoostPriority (80, ... 02064 948 NtDuplicateObject ... 420, ) == 0x0 02092 1376 NtContinue (79166768, 1, ... 02083 1736 NtProtectVirtualMemory ... (0x4d7e000), 4096, 4, ) == 0x0 02093 868 NtClose (368, ... 02089 808 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02075 900 NtWaitForSingleObject ... ) == 0x0 02091 1388 NtSetEventBoostPriority ... ) == 0x0 02094 948 NtWaitForSingleObject (80, 0, 0x0, ... 02095 1376 NtRegisterThreadTerminatePort (24, ... 02096 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02093 868 NtClose ... 
) == 0x0 02097 900 NtSetEventBoostPriority (80, ... 02098 808 NtQuerySystemInformation (Exception, 16, ... 02099 1388 NtWaitForSingleObject (76, 0, {0, 0}, ... 02095 1376 NtRegisterThreadTerminatePort ... ) == 0x0 02100 1744 NtUserGetObjectInformation (44, 2, 8713964, 64, 8713960, ... 02096 1736 NtCreateThread ... 368, {1636, 1368}, ) == 0x0 02076 152 NtWaitForSingleObject ... ) == 0x0 02097 900 NtSetEventBoostPriority ... ) == 0x0 02101 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 02098 808 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02102 1376 NtWaitForSingleObject (80, 0, 0x0, ... 02100 1744 NtUserGetObjectInformation ... ) == 0x1 02103 152 NtSetEventBoostPriority (80, ... 02104 1736 NtQueryInformationThread (368, Basic, 28, ... 02099 1388 NtWaitForSingleObject ... ) == 0x102 02101 868 NtOpenKey ... 424, ) == 0x0 02105 808 NtQuerySystemInformation (Lookaside, 32, ... 02077 2040 NtWaitForSingleObject ... ) == 0x0 02103 152 NtSetEventBoostPriority ... ) == 0x0 02106 1744 NtUserGetGUIThreadInfo (1744, 8713984, ... 02104 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0 02107 1388 NtWaitForSingleObject (80, 0, 0x0, ... 02108 868 NtQueryValueKey (424, (424, "Mapping", Partial, 144, ... , Partial, 144, ... 02109 2040 NtSetEventBoostPriority (80, ... 02105 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02110 900 NtWaitForSingleObject (80, 0, 0x0, ... 02106 1744 NtUserGetGUIThreadInfo ... ) == 0x1 02111 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0d\6\0\0X\5\0\0" ... ... 02078 1600 NtWaitForSingleObject ... ) == 0x0 02109 2040 NtSetEventBoostPriority ... ) == 0x0 02108 868 NtQueryValueKey ... 
) == STATUS_BUFFER_OVERFLOW 02112 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02113 1744 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 8713828, 64, ... , {12, 2, 1, 1}, 0x0, 0x0, 8713828, 64, ... 02114 1600 NtSetEventBoostPriority (80, ... 02111 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75528, 0} ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0d\6\0\0X\5\0\0" ) ) == 0x0 02115 152 NtWaitForSingleObject (80, 0, 0x0, ... 02116 868 NtWaitForSingleObject (80, 0, 0x0, ... 02112 808 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02082 1384 NtWaitForSingleObject ... ) == 0x0 02114 1600 NtSetEventBoostPriority ... ) == 0x0 02117 2040 NtWaitForSingleObject (80, 0, 0x0, ... 02118 1384 NtSetEventBoostPriority (80, ... 02119 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02120 1736 NtResumeThread (368, ... 02113 1744 NtConnectPort ... 428, 0x0, 0x0, 0x0, 64, ) == 0x0 02084 2044 NtWaitForSingleObject ... ) == 0x0 02118 1384 NtSetEventBoostPriority ... ) == 0x0 02121 1600 NtWaitForSingleObject (80, 0, 0x0, ... 02120 1736 NtResumeThread ... 1, ) == 0x0 02122 2044 NtSetEventBoostPriority (80, ... 02123 1744 NtRequestWaitReplyPort (428, {32, 56, new_msg, 0, 0, 0, 0, 0} (428, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02119 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02124 1368 NtTestAlert (... 02085 1620 NtWaitForSingleObject ... ) == 0x0 02122 2044 NtSetEventBoostPriority ... ) == 0x0 02125 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02126 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02127 1620 NtSetEventBoostPriority (80, ... 02124 1368 NtTestAlert ... ) == 0x0 02128 1384 NtWaitForSingleObject (80, 0, 0x0, ... 
02125 1736 NtAllocateVirtualMemory ... 81264640, 2097152, ) == 0x0 02086 440 NtWaitForSingleObject ... ) == 0x0 02127 1620 NtSetEventBoostPriority ... ) == 0x0 02126 808 NtCreateKey ... -2147482576, 2, ) == 0x0 02129 1368 NtContinue (81263920, 1, ... 02130 440 NtSetEventBoostPriority (80, ... 02131 1736 NtAllocateVirtualMemory (-1, 83353600, 0, 8192, 4096, 4, ... 02132 2044 NtWaitForSingleObject (192, 0, 0x0, ... 02123 1744 NtRequestWaitReplyPort ... {32, 56, reply, 0, 1636, 1744, 75530, 0} ... {32, 56, reply, 0, 1636, 1744, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02133 808 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\365X\334\315!\371\234c\4\302\313/@\344\265p\210\377QO\355MB\211Z}\357\20\24\37\302\271\335}\242\27\326\370\3677\366"]7\351;\220'0\375\332;S\275\376\275e\305\226\334\201\231\21_\313\347@\252{N\226\315\326q\312\332\20\215\14\251", 80, ... , 0, 3, (-2147482576, "Seed", 0, 3, "\365X\334\315!\371\234c\4\302\313/@\344\265p\210\377QO\355MB\211Z}\357\20\24\37\302\271\335}\242\27\326\370\3677\366"]7\351;\220'0\375\332;S\275\376\275e\305\226\334\201\231\21_\313\347@\252{N\226\315\326q\312\332\20\215\14\251", 80, ... ]7\351;\220'0\375\332;S\275\376\275e\305\226\334\201\231\21_\313\347@\252{N\226\315\326q\312\332\20\215\14\251", 80, ... 02087 1652 NtWaitForSingleObject ... ) == 0x0 02130 440 NtSetEventBoostPriority ... ) == 0x0 02134 1368 NtRegisterThreadTerminatePort (24, ... 02131 1736 NtAllocateVirtualMemory ... 83353600, 8192, ) == 0x0 02135 1744 NtRequestWaitReplyPort (428, {32, 56, new_msg, 0, 0, 0, 0, 0} (428, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02136 1652 NtSetEventBoostPriority (80, ... 02133 808 NtSetValueKey ... ) == 0x0 02137 1620 NtWaitForSingleObject (192, 0, 0x0, ... 02134 1368 NtRegisterThreadTerminatePort ... ) == 0x0 02138 440 NtWaitForSingleObject (192, 0, 0x0, ... 02088 1776 NtWaitForSingleObject ... 
) == 0x0 02136 1652 NtSetEventBoostPriority ... ) == 0x0 02139 808 NtClose (-2147482576, ... 02140 1736 NtProtectVirtualMemory (-1, (0x4f7e000), 4096, 260, ... 02135 1744 NtRequestWaitReplyPort ... {32, 56, reply, 0, 1636, 1744, 75531, 0} ... {32, 56, reply, 0, 1636, 1744, 75531, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02141 1776 NtSetEventBoostPriority (80, ... 02142 1368 NtWaitForSingleObject (80, 0, 0x0, ... 02143 1652 NtWaitForSingleObject (192, 0, 0x0, ... 02140 1736 NtProtectVirtualMemory ... (0x4f7e000), 4096, 4, ) == 0x0 02090 2036 NtWaitForSingleObject ... ) == 0x0 02141 1776 NtSetEventBoostPriority ... ) == 0x0 02144 1744 NtUserCallNoParam (29, ... 02145 2036 NtSetEventBoostPriority (80, ... 02146 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02139 808 NtClose ... ) == 0x0 02094 948 NtWaitForSingleObject ... ) == 0x0 02145 2036 NtSetEventBoostPriority ... ) == 0x0 02147 1744 NtWaitForSingleObject (80, 0, 0x0, ... 02146 1736 NtCreateThread ... 432, {1636, 784}, ) == 0x0 02148 948 NtSetEventBoostPriority (80, ... 02045 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "7\247L{\177m\276\234\252\234N&\272\2649'\322\374\266\263\252K\203\320\356 \16\252\11\327\270\331>\204/g\251\276\277ZR\336R5\310\306 \351\202\261G\243\207\16\354t\373sLL\347M \302\256\265i\23\235\12\330\2276\221\237\26\316\235\364\226\256\363*\202nK\4@g\231_\34\212\267\353\220V\257\345\16\367\20|)\335\306T'\304\252Q\277\257U\310\313b\24\272\30\240pr\352\365\202\231\37K\250\7\372\326\222oq\17\372\240\345\263\375l<)M\331\241\3\234Z\165j{\235\206\3039\227&\267\261\271\302\325\177\324\233\265m\301\250\314\356\347\214\203$*\300+\327\254\277\26\201\263\2701\311\363M\334P\271\13\321Y\226,Z\377\376\300\20\332C\322\246\373\334\12_\205@\201\25\5t\316\246\27LT\244\340\354\324\257\36\353\15tV\241_\13a\25\231\307\3554Y\234\355v\226zW\253:\360\2539", ) , ) == 0x0 02149 1776 NtWaitForSingleObject (192, 0, 0x0, ... 
02150 2036 NtWaitForSingleObject (192, 0, 0x0, ... 02102 1376 NtWaitForSingleObject ... ) == 0x0 02148 948 NtSetEventBoostPriority ... ) == 0x0 02151 1736 NtQueryInformationThread (432, Basic, 28, ... 02152 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02153 1376 NtSetEventBoostPriority (80, ... 02151 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=784,}, 0x0, ) == 0x0 02107 1388 NtWaitForSingleObject ... ) == 0x0 02153 1376 NtSetEventBoostPriority ... ) == 0x0 02154 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02155 948 NtWaitForSingleObject (80, 0, 0x0, ... 02156 1388 NtSetEventBoostPriority (80, ... 02157 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\20\3\0\0" ... ... 
02154 808 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02110 900 NtWaitForSingleObject ... ) == 0x0 02156 1388 NtSetEventBoostPriority ... ) == 0x0 02157 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75532, 0} ... {28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\20\3\0\0" ) ) == 0x0 02158 900 NtSetEventBoostPriority (80, ... 02159 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02160 1376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02115 152 NtWaitForSingleObject ... ) == 0x0 02158 900 NtSetEventBoostPriority ... ) == 0x0 02161 1736 NtResumeThread (432, ... 02162 1388 NtWaitForSingleObject (192, 0, 0x0, ... 02163 152 NtSetEventBoostPriority (80, ... 02160 1376 NtDuplicateObject ... 436, ) == 0x0 02164 900 NtWaitForSingleObject (80, 0, 0x0, ... 02161 1736 NtResumeThread ... 1, ) == 0x0 02116 868 NtWaitForSingleObject ... ) == 0x0 02163 152 NtSetEventBoostPriority ... ) == 0x0 02165 1376 NtWaitForSingleObject (80, 0, 0x0, ... 02159 808 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02166 784 NtTestAlert (... 02167 868 NtSetEventBoostPriority (80, ... 02168 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02169 152 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02170 808 NtQuerySystemInformation (Performance, 312, ... 02117 2040 NtWaitForSingleObject ... ) == 0x0 02167 868 NtSetEventBoostPriority ... ) == 0x0 02166 784 NtTestAlert ... ) == 0x0 02168 1736 NtAllocateVirtualMemory ... 83361792, 2097152, ) == 0x0 02171 2040 NtSetEventBoostPriority (80, ... 02170 808 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02169 152 NtCreateEvent ... 440, ) == 0x0 02172 784 NtContinue (83361072, 1, ... 02121 1600 NtWaitForSingleObject ... ) == 0x0 02171 2040 NtSetEventBoostPriority ... ) == 0x0 02173 1736 NtAllocateVirtualMemory (-1, 85450752, 0, 8192, 4096, 4, ... 02174 808 NtQuerySystemInformation (Exception, 16, ... 
02175 152 NtWaitForSingleObject (440, 0, 0x0, ... 02176 1600 NtSetEventBoostPriority (80, ... 02177 784 NtRegisterThreadTerminatePort (24, ... 02178 2040 NtWaitForSingleObject (440, 0, 0x0, ... 02173 1736 NtAllocateVirtualMemory ... 85450752, 8192, ) == 0x0 02174 808 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02128 1384 NtWaitForSingleObject ... ) == 0x0 02176 1600 NtSetEventBoostPriority ... ) == 0x0 02177 784 NtRegisterThreadTerminatePort ... ) == 0x0 02179 868 NtQueryValueKey (424, (424, "Mapping", Partial, 144, ... , Partial, 144, ... 02180 1736 NtProtectVirtualMemory (-1, (0x517e000), 4096, 260, ... 02181 1384 NtSetEventBoostPriority (80, ... 02182 808 NtQuerySystemInformation (Lookaside, 32, ... 02183 1600 NtWaitForSingleObject (440, 0, 0x0, ... 02179 868 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02142 1368 NtWaitForSingleObject ... ) == 0x0 02181 1384 NtSetEventBoostPriority ... ) == 0x0 02180 1736 NtProtectVirtualMemory ... (0x517e000), 4096, 4, ) == 0x0 02184 784 NtWaitForSingleObject (80, 0, 0x0, ... 02182 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02185 1368 NtSetEventBoostPriority (80, ... 02186 868 NtWaitForSingleObject (80, 0, 0x0, ... 02187 1384 NtWaitForSingleObject (440, 0, 0x0, ... 02188 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02147 1744 NtWaitForSingleObject ... ) == 0x0 02185 1368 NtSetEventBoostPriority ... ) == 0x0 02189 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02190 1744 NtSetEventBoostPriority (80, ... 02191 1368 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02155 948 NtWaitForSingleObject ... ) == 0x0 02189 808 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02190 1744 NtSetEventBoostPriority ... ) == 0x0 02188 1736 NtCreateThread ... 444, {1636, 192}, ) == 0x0 02192 948 NtSetEventBoostPriority (80, ... 02193 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
02194 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711224, ... }, 8711224, ... 02195 1736 NtQueryInformationThread (444, Basic, 28, ... 02165 1376 NtWaitForSingleObject ... ) == 0x0 02192 948 NtSetEventBoostPriority ... ) == 0x0 02193 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02194 1744 NtQueryAttributesFile ... ) == 0x0 02196 1376 NtSetEventBoostPriority (80, ... 02195 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=192,}, 0x0, ) == 0x0 02197 948 NtWaitForSingleObject (440, 0, 0x0, ... 02198 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02191 1368 NtDuplicateObject ... 448, ) == 0x0 02164 900 NtWaitForSingleObject ... ) == 0x0 02196 1376 NtSetEventBoostPriority ... ) == 0x0 02199 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0\300\0\0\0" ... ... 02200 1744 NtWaitForSingleObject (80, 0, 0x0, ... 02201 900 NtSetEventBoostPriority (80, ... 02202 1368 NtWaitForSingleObject (80, 0, 0x0, ... 02198 808 NtCreateKey ... -2147482576, 2, ) == 0x0 02199 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75533, 0} ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0\300\0\0\0" ) ) == 0x0 02184 784 NtWaitForSingleObject ... ) == 0x0 02203 808 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\362\371I\253\217\240\2305r\7\316\335\232\243\251K\14\220\36\321\261\230\36E\357B"ZOL\225hP\34Z\177\303\271Cx\350\1\7\375-\327\322\262s\236\11\25\7\301\231\351\303\307\226\347x\301f}#E\351\330\31\13\357\214\362\265l\1n\271\321", 80, ... 
, 0, 3, (-2147482576, "Seed", 0, 3, "\362\371I\253\217\240\2305r\7\316\335\232\243\251K\14\220\36\321\261\230\36E\357B"ZOL\225hP\34Z\177\303\271Cx\350\1\7\375-\327\322\262s\236\11\25\7\301\231\351\303\307\226\347x\301f}#E\351\330\31\13\357\214\362\265l\1n\271\321", 80, ... ZOL\225hP\34Z\177\303\271Cx\350\1\7\375-\327\322\262s\236\11\25\7\301\231\351\303\307\226\347x\301f}#E\351\330\31\13\357\214\362\265l\1n\271\321", 80, ... 02201 900 NtSetEventBoostPriority ... ) == 0x0 02204 1376 NtWaitForSingleObject (80, 0, 0x0, ... 02205 784 NtSetEventBoostPriority (80, ... 02203 808 NtSetValueKey ... ) == 0x0 02206 900 NtSetEventBoostPriority (440, ... 02186 868 NtWaitForSingleObject ... ) == 0x0 02205 784 NtSetEventBoostPriority ... ) == 0x0 02207 808 NtClose (-2147482576, ... 02208 868 NtSetEventBoostPriority (80, ... 02175 152 NtWaitForSingleObject ... ) == 0x0 02206 900 NtSetEventBoostPriority ... ) == 0x0 02209 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02200 1744 NtWaitForSingleObject ... ) == 0x0 02210 152 NtWaitForSingleObject (80, 0, 0x0, ... 02208 868 NtSetEventBoostPriority ... ) == 0x0 02207 808 NtClose ... ) == 0x0 02211 1736 NtResumeThread (444, ... 02212 900 NtWaitForSingleObject (76, 0, {0, 0}, ... 02213 1744 NtSetEventBoostPriority (80, ... 02209 784 NtDuplicateObject ... 452, ) == 0x0 02152 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "_\366\21\236 |\345\324\202\222\211'X\227\240\357\227\352\314m\237\351\246\6\177<\1a7l\323\205\242<\321\322\210\321\6\223\310\222\263Z\3657z~\324"\226\357\231\341_\303\26s+%\240a2\272\241\7n(\213\304@\305\21\303\242B\351\240\310\3775\361\314\375\257_\266\247\367\342\361\330\5Q\333{*\312\215\32\227\376\240\214\346\254\373\7\201\336\326\343)\25!B\267\11:\343k>H\216&V\213`\312\313a\314?\22\303\24Z(t\17B/\16Y\6{|\273\37\222.\251xS\347\341\202}9\321S\273F,X\2475aQ\2\274\225\225\246\201j\22\270\220\305\322m\333=\212\15\3720\350\272\300\32Z;\10\371\16<\342\353\225 \255\225\232u\365Y\372\376\377\272\36o\341\234c\251\302\271g\366N\10\200\217\370\377{;\304\232\325\341y\272\22D\10\254r\207=\3\256\376_\336~\214)\22\24|\334\315", ) \226\357\231\341_\303\26s+%\240a2\272\241\7n(\213\304@\305\21\303\242B\351\240\310\3775\361\314\375\257_\266\247\367\342\361\330\5Q\333{*\312\215\32\227\376\240\214\346\254\373\7\201\336\326\343)\25!B\267\11:\343k>H\216&V\213`\312\313a\314?\22\303\24Z(t\17B/\16Y\6{|\273\37\222.\251xS\347\341\202}9\321S\273F,X\2475aQ\2\274\225\225\246\201j\22\270\220\305\322m\333=\212\15\3720\350\272\300\32Z;\10\371\16<\342\353\225 \255\225\232u\365Y\372\376\377\272\36o\341\234c\251\302\271g\366N\10\200\217\370\377{;\304\232\325\341y\272\22D\10\254r\207=\3\256\376_\336~\214)\22\24|\334\315", ) == 0x0 02211 1736 NtResumeThread ... 1, ) == 0x0 02202 1368 NtWaitForSingleObject ... ) == 0x0 02213 1744 NtSetEventBoostPriority ... ) == 0x0 02212 900 NtWaitForSingleObject ... ) == 0x102 02214 784 NtWaitForSingleObject (80, 0, 0x0, ... 02215 868 NtQueryValueKey (424, (424, "Mapping", Partial, 152, ... , Partial, 152, ... 02216 192 NtTestAlert (... 02217 1368 NtSetEventBoostPriority (80, ... 02218 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02144 1744 NtUserCallNoParam ... ) == 0x0 02219 900 NtWaitForSingleObject (80, 0, 0x0, ... 02215 868 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... 
TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 02204 1376 NtWaitForSingleObject ... ) == 0x0 02217 1368 NtSetEventBoostPriority ... ) == 0x0 02216 192 NtTestAlert ... ) == 0x0 02218 1736 NtAllocateVirtualMemory ... 85458944, 2097152, ) == 0x0 02220 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02221 1376 NtSetEventBoostPriority (80, ... 02222 868 NtClose (424, ... 02223 1744 NtUserSystemParametersInfo (41, 0, 1524240760, 0, ... 02224 192 NtContinue (85458224, 1, ... 02225 1736 NtAllocateVirtualMemory (-1, 87547904, 0, 8192, 4096, 4, ... 
02210 152 NtWaitForSingleObject ... ) == 0x0 02221 1376 NtSetEventBoostPriority ... ) == 0x0 02226 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02222 868 NtClose ... ) == 0x0 02223 1744 NtUserSystemParametersInfo ... ) == 0x1 02227 192 NtRegisterThreadTerminatePort (24, ... 02228 152 NtSetEventBoostPriority (80, ... 02225 1736 NtAllocateVirtualMemory ... 87547904, 8192, ) == 0x0 02229 1376 NtWaitForSingleObject (440, 0, 0x0, ... 02226 808 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02230 868 NtWaitForSingleObject (80, 0, 0x0, ... 02231 1744 NtWaitForSingleObject (80, 0, 0x0, ... 02214 784 NtWaitForSingleObject ... ) == 0x0 02228 152 NtSetEventBoostPriority ... ) == 0x0 02227 192 NtRegisterThreadTerminatePort ... ) == 0x0 02232 1368 NtWaitForSingleObject (80, 0, 0x0, ... 02233 1736 NtProtectVirtualMemory (-1, (0x537e000), 4096, 260, ... 02234 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02235 784 NtSetEventBoostPriority (80, ... 02236 152 NtSetEventBoostPriority (440, ... 02233 1736 NtProtectVirtualMemory ... (0x537e000), 4096, 4, ) == 0x0 02219 900 NtWaitForSingleObject ... ) == 0x0 02235 784 NtSetEventBoostPriority ... ) == 0x0 02234 808 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02178 2040 NtWaitForSingleObject ... ) == 0x0 02236 152 NtSetEventBoostPriority ... ) == 0x0 02237 900 NtSetEventBoostPriority (80, ... 02238 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02239 192 NtWaitForSingleObject (80, 0, 0x0, ... 02240 2040 NtWaitForSingleObject (80, 0, 0x0, ... 02241 808 NtQuerySystemInformation (Performance, 312, ... 02230 868 NtWaitForSingleObject ... ) == 0x0 02237 900 NtSetEventBoostPriority ... ) == 0x0 02242 152 NtWaitForSingleObject (76, 0, {0, 0}, ... 02238 1736 NtCreateThread ... 424, {1636, 876}, ) == 0x0 02243 784 NtWaitForSingleObject (80, 0, 0x0, ... 02244 868 NtSetEventBoostPriority (80, ... 02241 808 NtQuerySystemInformation ... 
{system info, class 2, size 312}, 312, ) == 0x0 02242 152 NtWaitForSingleObject ... ) == 0x102 02245 1736 NtQueryInformationThread (424, Basic, 28, ... 02231 1744 NtWaitForSingleObject ... ) == 0x0 02244 868 NtSetEventBoostPriority ... ) == 0x0 02246 808 NtQuerySystemInformation (Exception, 16, ... 02247 152 NtWaitForSingleObject (192, 0, 0x0, ... 02248 1744 NtSetEventBoostPriority (80, ... 02245 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=876,}, 0x0, ) == 0x0 02249 900 NtWaitForSingleObject (192, 0, 0x0, ... 02246 808 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02250 868 NtWaitForSingleObject (80, 0, 0x0, ... 02232 1368 NtWaitForSingleObject ... ) == 0x0 02248 1744 NtSetEventBoostPriority ... ) == 0x0 02251 808 NtQuerySystemInformation (Lookaside, 32, ... 02252 1368 NtSetEventBoostPriority (80, ... 02253 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0l\3\0\0" ... ... 02240 2040 NtWaitForSingleObject ... ) == 0x0 02252 1368 NtSetEventBoostPriority ... ) == 0x0 02251 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02254 2040 NtSetEventBoostPriority (80, ... 02253 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75534, 0} ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0l\3\0\0" ) ) == 0x0 02255 1368 NtWaitForSingleObject (80, 0, 0x0, ... 02239 192 NtWaitForSingleObject ... ) == 0x0 02256 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02257 1736 NtResumeThread (424, ... 02254 2040 NtSetEventBoostPriority ... ) == 0x0 02258 1744 NtGdiHfontCreate (8713352, 356, 0, 0, 4627112, ... 02259 192 NtSetEventBoostPriority (80, ... 02257 1736 NtResumeThread ... 1, ) == 0x0 02256 808 NtQuerySystemInformation ... 
{system info, class 23, size 0}, 0, ) == 0x0 02258 1744 NtGdiHfontCreate ... ) == 0x750a0651 02243 784 NtWaitForSingleObject ... ) == 0x0 02259 192 NtSetEventBoostPriority ... ) == 0x0 02260 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02261 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02262 784 NtSetEventBoostPriority (80, ... 02263 1744 NtGdiHfontCreate (8713352, 356, 0, 0, 4627104, ... 02264 192 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02265 2040 NtSetEventBoostPriority (440, ... 02266 876 NtTestAlert (... 02250 868 NtWaitForSingleObject ... ) == 0x0 02262 784 NtSetEventBoostPriority ... ) == 0x0 02261 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02263 1744 NtGdiHfontCreate ... ) == 0x480a0482 02260 1736 NtAllocateVirtualMemory ... 87556096, 2097152, ) == 0x0 02183 1600 NtWaitForSingleObject ... ) == 0x0 02265 2040 NtSetEventBoostPriority ... ) == 0x0 02267 868 NtAllocateVirtualMemory (-1, 4628480, 0, 4096, 4096, 4, ... 02266 876 NtTestAlert ... ) == 0x0 02268 784 NtWaitForSingleObject (440, 0, 0x0, ... 02269 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02270 1744 NtRequestWaitReplyPort (428, {32, 56, new_msg, 0, 0, 0, 0, 0} (428, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02271 1600 NtWaitForSingleObject (80, 0, 0x0, ... 02272 1736 NtAllocateVirtualMemory (-1, 89645056, 0, 8192, 4096, 4, ... 02267 868 NtAllocateVirtualMemory ... 4628480, 4096, ) == 0x0 02273 2040 NtWaitForSingleObject (76, 0, {0, 0}, ... 02274 876 NtContinue (87555376, 1, ... 02264 192 NtDuplicateObject ... 456, ) == 0x0 02269 808 NtCreateKey ... -2147482576, 2, ) == 0x0 02275 868 NtSetEventBoostPriority (80, ... 02272 1736 NtAllocateVirtualMemory ... 89645056, 8192, ) == 0x0 02273 2040 NtWaitForSingleObject ... 
) == 0x102 02276 876 NtRegisterThreadTerminatePort (24, ... 02277 192 NtWaitForSingleObject (80, 0, 0x0, ... 02278 808 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "S\363\310\2360\365\17\2F>\311\366\362\226\220U\307\2644\234\332\336\257oS\257\323C\337r\24057\243Ot\314L\214\266\31\212!m\276\205H\346E$\223\0\254\24,\321H\343\10?\271\374\233)\262Ml\0<\373Z3\4zH\375\255\203\247", 80, ... , 0, 3, (-2147482576, "Seed", 0, 3, "S\363\310\2360\365\17\2F>\311\366\362\226\220U\307\2644\234\332\336\257oS\257\323C\337r\24057\243Ot\314L\214\266\31\212!m\276\205H\346E$\223\0\254\24,\321H\343\10?\271\374\233)\262Ml\0<\373Z3\4zH\375\255\203\247", 80, ... , 80, ... 02279 1736 NtProtectVirtualMemory (-1, (0x557e000), 4096, 260, ... 02280 2040 NtWaitForSingleObject (80, 0, 0x0, ... 02276 876 NtRegisterThreadTerminatePort ... ) == 0x0 02255 1368 NtWaitForSingleObject ... ) == 0x0 02275 868 NtSetEventBoostPriority ... ) == 0x0 02279 1736 NtProtectVirtualMemory ... (0x557e000), 4096, 4, ) == 0x0 02278 808 NtSetValueKey ... ) == 0x0 02270 1744 NtRequestWaitReplyPort ... {32, 56, reply, 0, 1636, 1744, 75535, 0} ... {32, 56, reply, 0, 1636, 1744, 75535, 0} "\0\0\0\0\0\0\0\0\314\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02281 1368 NtSetEventBoostPriority (80, ... 02282 868 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 02283 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02284 808 NtClose (-2147482576, ... 02285 1744 NtMapViewOfSection (460, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 02271 1600 NtWaitForSingleObject ... ) == 0x0 02282 868 NtOpenKey ... 464, ) == 0x0 02281 1368 NtSetEventBoostPriority ... ) == 0x0 02286 876 NtWaitForSingleObject (80, 0, 0x0, ... 02284 808 NtClose ... ) == 0x0 02287 1600 NtSetEventBoostPriority (80, ... 02285 1744 NtMapViewOfSection ... 
(0xed0000), {0, 0}, 327680, ) == 0x0 02288 868 NtQueryValueKey (464, (464, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 02289 1368 NtWaitForSingleObject (440, 0, 0x0, ... 02277 192 NtWaitForSingleObject ... ) == 0x0 02220 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "]\203\347eH\341\323.U\310\2073\3210\224F\333S\247\303H\304\250\372\255p\34z\200>\301^}f\32\277 ;\3621\344=\250(\367Ve\250\250\21\7[`\363 \33\5R\225\316\236\356t\34\225}\31H\345\226\252\262i)\314\311D\364\204E\253y+\251\202\303%\376{\30\245b\205l\253[\316t\2]:\271[\232\346\331\25\352A\2\327\371;!Q\313,\257\337\11i\321\376\261\207\30\344m/A\23\211\316\223\16\327\353 Kf\317\374\2257\247yl\32\215\211\215\371 \363\237\255r@\3430\2=w\252\364\256\377r\26\317,\271\367#\305q\242B(E#&#\260\201\13\261\21\210\35\217\301\374\351:\343\311S\206\3118#\303\306\333\304A\331\370\227 \321\212\315\331\200\3604\20-\222\340e\255\234\321W,\317\216\252\4\233%\14\275\264?\2j$\7]\305NDWU?3s\2\342\244\314\36", ) , ) == 0x0 02290 1744 NtUserGetWindowDC (0, ... 02288 868 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 02291 192 NtSetEventBoostPriority (80, ... 02292 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02290 1744 NtUserGetWindowDC ... ) == 0x1010050 02293 868 NtQueryValueKey (464, (464, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 02280 2040 NtWaitForSingleObject ... ) == 0x0 02291 192 NtSetEventBoostPriority ... ) == 0x0 02294 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02295 1744 NtUserCallOneParam (16842832, 57, ... 02287 1600 NtSetEventBoostPriority ... ) == 0x0 02283 1736 NtCreateThread ... 468, {1636, 1316}, ) == 0x0 02296 2040 NtSetEventBoostPriority (80, ... 02293 868 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 02297 192 NtWaitForSingleObject (80, 0, 0x0, ... 02294 808 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02295 1744 NtUserCallOneParam ... ) == 0x1 02286 876 NtWaitForSingleObject ... ) == 0x0 02298 1736 NtQueryInformationThread (468, Basic, 28, ... 02299 868 NtQueryValueKey (464, (464, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 02300 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02301 1744 NtUserGetWindowDC (0, ... 02302 876 NtSetEventBoostPriority (80, ... 02298 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0 02299 868 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02300 808 NtQuerySystemInformation ... 
{system info, class 8, size 48}, 48, ) == 0x0 02301 1744 NtUserGetWindowDC ... ) == 0x1010050 02297 192 NtWaitForSingleObject ... ) == 0x0 02302 876 NtSetEventBoostPriority ... ) == 0x0 02303 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0d\6\0\0$\5\0\0" ... ... 02304 868 NtQueryValueKey (464, (464, "HelperDllName", Partial, 144, ... , Partial, 144, ... 02305 808 NtQuerySystemInformation (Performance, 312, ... 02306 192 NtWaitForSingleObject (440, 0, 0x0, ... 02307 1744 NtUserCallOneParam (16842832, 57, ... 02308 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02303 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75536, 0} ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0d\6\0\0$\5\0\0" ) ) == 0x0 02304 868 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 02305 808 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02307 1744 NtUserCallOneParam ... ) == 0x1 02296 2040 NtSetEventBoostPriority ... ) == 0x0 02309 1600 NtSetEventBoostPriority (440, ... 02308 876 NtDuplicateObject ... 472, ) == 0x0 02310 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 18347052, ... }, 18347052, ... 02311 808 NtQuerySystemInformation (Exception, 16, ... 02312 1744 NtUserGetWindowDC (0, ... 02313 2040 NtWaitForSingleObject (192, 0, 0x0, ... 02187 1384 NtWaitForSingleObject ... ) == 0x0 02309 1600 NtSetEventBoostPriority ... ) == 0x0 02314 876 NtWaitForSingleObject (440, 0, 0x0, ... 02315 1736 NtResumeThread (468, ... 02310 868 NtQueryAttributesFile ... ) == 0x0 02311 808 NtQuerySystemInformation ... 
{system info, class 33, size 16}, 16, ) == 0x0 02316 1384 NtSetEventBoostPriority (440, ... 02317 1600 NtWaitForSingleObject (76, 0, {0, 0}, ... 02315 1736 NtResumeThread ... 1, ) == 0x0 02318 868 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 02197 948 NtWaitForSingleObject ... ) == 0x0 02319 808 NtQuerySystemInformation (Lookaside, 32, ... 02317 1600 NtWaitForSingleObject ... ) == 0x102 02320 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02318 868 NtOpenFile ... 476, {status=0x0, info=1}, ) == 0x0 02321 948 NtSetEventBoostPriority (440, ... 02319 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02322 1600 NtWaitForSingleObject (192, 0, 0x0, ... 02320 1736 NtAllocateVirtualMemory ... 89653248, 2097152, ) == 0x0 02323 868 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 476, ... 02229 1376 NtWaitForSingleObject ... ) == 0x0 02324 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02321 948 NtSetEventBoostPriority ... ) == 0x0 02316 1384 NtSetEventBoostPriority ... ) == 0x0 02312 1744 NtUserGetWindowDC ... ) == 0x1010050 02325 1316 NtWaitForSingleObject (32, 0, 0x0, ... 02326 1736 NtAllocateVirtualMemory (-1, 91742208, 0, 8192, 4096, 4, ... 02323 868 NtCreateSection ... 480, ) == 0x0 02327 1376 NtSetEventBoostPriority (440, ... 02324 808 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02328 948 NtWaitForSingleObject (76, 0, {0, 0}, ... 02329 1384 NtWaitForSingleObject (76, 0, {0, 0}, ... 02330 1744 NtUserCallOneParam (16842832, 57, ... 02326 1736 NtAllocateVirtualMemory ... 91742208, 8192, ) == 0x0 02331 868 NtClose (476, ... 02268 784 NtWaitForSingleObject ... ) == 0x0 02332 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02330 1744 NtUserCallOneParam ... ) == 0x1 02327 1376 NtSetEventBoostPriority ... ) == 0x0 02328 948 NtWaitForSingleObject ... 
) == 0x102 02329 1384 NtWaitForSingleObject ... ) == 0x102 02333 1736 NtProtectVirtualMemory (-1, (0x577e000), 4096, 260, ... 02334 784 NtSetEventBoostPriority (440, ... 02331 868 NtClose ... ) == 0x0 02335 1744 NtUserGetWindowDC (0, ... 02336 1376 NtWaitForSingleObject (76, 0, {0, 0}, ... 02337 948 NtWaitForSingleObject (192, 0, 0x0, ... 02338 1384 NtWaitForSingleObject (192, 0, 0x0, ... 02333 1736 NtProtectVirtualMemory ... (0x577e000), 4096, 4, ) == 0x0 02289 1368 NtWaitForSingleObject ... ) == 0x0 02339 868 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02335 1744 NtUserGetWindowDC ... ) == 0x1010050 02340 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02341 1368 NtSetEventBoostPriority (440, ... 02339 868 NtMapViewOfSection ... (0xf20000), 0x0, 20480, ) == 0x0 02342 1744 NtUserCallOneParam (16842832, 57, ... 02340 1736 NtCreateThread ... 476, {1636, 644}, ) == 0x0 02306 192 NtWaitForSingleObject ... ) == 0x0 02341 1368 NtSetEventBoostPriority ... ) == 0x0 02343 868 NtClose (480, ... 02334 784 NtSetEventBoostPriority ... ) == 0x0 02332 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02336 1376 NtWaitForSingleObject ... ) == 0x102 02344 192 NtSetEventBoostPriority (440, ... 02345 1736 NtQueryInformationThread (476, Basic, 28, ... 02342 1744 NtUserCallOneParam ... ) == 0x1 02343 868 NtClose ... ) == 0x0 02346 784 NtWaitForSingleObject (76, 0, {0, 0}, ... 02347 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02314 876 NtWaitForSingleObject ... ) == 0x0 02344 192 NtSetEventBoostPriority ... ) == 0x0 02348 1376 NtWaitForSingleObject (192, 0, 0x0, ... 02345 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=644,}, 0x0, ) == 0x0 02349 1744 NtUserGetWindowDC (0, ... 02350 876 NtWaitForSingleObject (76, 0, {0, 0}, ... 02347 808 NtCreateKey ... 
-2147482576, 2, ) == 0x0 02351 1368 NtWaitForSingleObject (76, 0, {0, 0}, ... 02346 784 NtWaitForSingleObject ... ) == 0x102 02352 192 NtWaitForSingleObject (76, 0, {0, 0}, ... 02353 868 NtUnmapViewOfSection (-1, 0xf20000, ... 02349 1744 NtUserGetWindowDC ... ) == 0x1010050 02354 808 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\16N\372!\261xU\271\375\214]\366\17o\331X\315r\363,O\255\22|~\336d\267\0\224XcC\2\255\127\334]\1\5\206\24\237+\3741\227ZF\256e\342\241\313\266Z\220\360\235c\311w\263\253\262\252\247\16\245\270\375>$\263\371}\221\241\33", 80, ... , 0, 3, (-2147482576, "Seed", 0, 3, "\16N\372!\261xU\271\375\214]\366\17o\331X\315r\363,O\255\22|~\336d\267\0\224XcC\2\255\127\334]\1\5\206\24\237+\3741\227ZF\256e\342\241\313\266Z\220\360\235c\311w\263\253\262\252\247\16\245\270\375>$\263\371}\221\241\33", 80, ... , 80, ... 02351 1368 NtWaitForSingleObject ... ) == 0x102 02355 784 NtWaitForSingleObject (192, 0, 0x0, ... 02352 192 NtWaitForSingleObject ... ) == 0x102 02353 868 NtUnmapViewOfSection ... ) == 0x0 02356 1744 NtUserCallOneParam (16842832, 57, ... 02354 808 NtSetValueKey ... ) == 0x0 02357 1368 NtWaitForSingleObject (192, 0, 0x0, ... 02358 192 NtWaitForSingleObject (192, 0, 0x0, ... 02359 868 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 18347360, ... }, 18347360, ... 02356 1744 NtUserCallOneParam ... ) == 0x1 02360 808 NtClose (-2147482576, ... 02359 868 NtQueryAttributesFile ... ) == 0x0 02361 1744 NtUserGetWindowDC (0, ... 02362 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0\204\2\0\0" ... ... 02350 876 NtWaitForSingleObject ... ) == 0x102 02363 868 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 02360 808 NtClose ... ) == 0x0 02362 1736 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1636, 1736, 75537, 0} ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0\204\2\0\0" ) ) == 0x0 02364 876 NtWaitForSingleObject (192, 0, 0x0, ... 02361 1744 NtUserGetWindowDC ... ) == 0x1010050 02292 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "w\307\27\12\232R}J\204x\20\30173\240\343:{\322\254\225\221\11\227\342c\227\32Z\212\3244\10\240z\5\322\240\307\3255\354O\312\17\236\227\262\246\376Uq\317\23V\356\325.IM\241\271\337\367\4\327#c\5Glod9\267pM\325\366\30:\345\35\205qGl0i(\200\223\32!j\23\221\21@e?\16\277gX\257\350\327\263\2\204\302\303\330\360\246\353L\250IE\235\372\36/\25\340\345\277\200&\302\311\302\236\215\374\211\310\220_c\331^\222-\334Q]\241\367\235\237\26\372\25\321s\374r\26\24\207\10\31Q\263\341pM \272\201\347\316z\367\7\30:\357\260&6_o\366'\263\34\330\6=-\353Z\222\276F:\207\262\37]\270\263*\11\344\252<\202=d\343n\33\342\201b\335\32\14J\271\25F\3452}\217K\357S\201\2324\22<\275\3362Hd\21\35S\2105x+\177\310t", ) , ) == 0x0 02365 1736 NtResumeThread (476, ... 02366 1744 NtUserCallOneParam (16842832, 57, ... 02367 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02365 1736 NtResumeThread ... 1, ) == 0x0 02366 1744 NtUserCallOneParam ... ) == 0x1 02368 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02369 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02370 1744 NtUserGetWindowDC (0, ... 02368 808 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02363 868 NtOpenFile ... 480, {status=0x0, info=1}, ) == 0x0 02371 644 NtWaitForSingleObject (32, 0, 0x0, ... 02370 1744 NtUserGetWindowDC ... ) == 0x1010050 02372 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02373 868 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 480, ... 02374 1744 NtUserCallOneParam (16842832, 57, ... 02369 1736 NtAllocateVirtualMemory ... 91750400, 2097152, ) == 0x0 02373 868 NtCreateSection ... 484, ) == 0x0 02372 808 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02375 1736 NtAllocateVirtualMemory (-1, 93839360, 0, 8192, 4096, 4, ... 02376 868 NtQuerySection (484, Image, 48, ... 02377 808 NtQuerySystemInformation (Performance, 312, ... 02375 1736 NtAllocateVirtualMemory ... 93839360, 8192, ) == 0x0 02376 868 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 02377 808 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02378 1736 NtProtectVirtualMemory (-1, (0x597e000), 4096, 260, ... 02379 868 NtClose (480, ... 02380 808 NtQuerySystemInformation (Exception, 16, ... 
02378 1736 NtProtectVirtualMemory ... (0x597e000), 4096, 4, ) == 0x0 02374 1744 NtUserCallOneParam ... ) == 0x1 02380 808 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02381 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02382 1744 NtUserGetWindowDC (0, ... 02383 808 NtQuerySystemInformation (Lookaside, 32, ... 02379 868 NtClose ... ) == 0x0 02382 1744 NtUserGetWindowDC ... ) == 0x1010050 02381 1736 NtCreateThread ... 480, {1636, 624}, ) == 0x0 02384 868 NtMapViewOfSection (484, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02385 1744 NtUserCallOneParam (16842832, 57, ... 02386 1736 NtQueryInformationThread (480, Basic, 28, ... 02384 868 NtMapViewOfSection ... (0x71a90000), 0x0, 32768, ) == 0x0 02385 1744 NtUserCallOneParam ... ) == 0x1 02386 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=624,}, 0x0, ) == 0x0 02387 868 NtClose (484, ... 02388 1744 NtAllocateVirtualMemory (-1, 13197312, 0, 4096, 4096, 4, ... 02389 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0p\2\0\0" ... ... 02387 868 NtClose ... ) == 0x0 02383 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02389 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75538, 0} ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0p\2\0\0" ) ) == 0x0 02390 868 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... 02391 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02388 1744 NtAllocateVirtualMemory ... 13197312, 4096, ) == 0x0 02392 1736 NtResumeThread (480, ... 02391 808 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02393 1744 NtUserGetWindowDC (0, ... 02392 1736 NtResumeThread ... 1, ) == 0x0 02394 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02393 1744 NtUserGetWindowDC ... 
) == 0x1010050 02395 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02394 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02396 1744 NtGdiCreatePatternBrushInternal (59048383, 0, 0, ... 02395 1736 NtAllocateVirtualMemory ... 93847552, 2097152, ) == 0x0 02397 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02396 1744 NtGdiCreatePatternBrushInternal ... ) == 0x6c1007a9 02398 1736 NtAllocateVirtualMemory (-1, 95936512, 0, 8192, 4096, 4, ... 02390 868 NtProtectVirtualMemory ... (0x71a91000), 4096, 32, ) == 0x0 02399 624 NtWaitForSingleObject (32, 0, 0x0, ... 02400 1744 NtUserCallOneParam (16842832, 57, ... 02398 1736 NtAllocateVirtualMemory ... 95936512, 8192, ) == 0x0 02401 868 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... 02397 808 NtCreateKey ... -2147482576, 2, ) == 0x0 02400 1744 NtUserCallOneParam ... ) == 0x1 02401 868 NtProtectVirtualMemory ... (0x71a91000), 4096, 4, ) == 0x0 02402 808 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\240\353\244(\343>#\1\14\367h3b\367\255\326\211Z\276\361\342\23\237\356\31\335AM]\207k\337\364VO\361X\6\204N\3417A\233[\326\250\D\305\377\370\352\1\201\217\360\263\34d\314\247p\232\272\352\376\310[/\322\346\267\202\351F9o\22", 80, ... , 0, 3, (-2147482576, "Seed", 0, 3, "\240\353\244(\343>#\1\14\367h3b\367\255\326\211Z\276\361\342\23\237\356\31\335AM]\207k\337\364VO\361X\6\204N\3417A\233[\326\250\D\305\377\370\352\1\201\217\360\263\34d\314\247p\232\272\352\376\310[/\322\346\267\202\351F9o\22", 80, ... , 80, ... 02403 1744 NtUserCallNoParam (29, ... 02404 868 NtFlushInstructionCache (-1, 1906905088, 128, ... 02402 808 NtSetValueKey ... ) == 0x0 02405 1744 NtWaitForSingleObject (32, 0, 0x0, ... 02406 1736 NtProtectVirtualMemory (-1, (0x5b7e000), 4096, 260, ... 02407 808 NtClose (-2147482576, ... 02406 1736 NtProtectVirtualMemory ... 
(0x5b7e000), 4096, 4, ) == 0x0 02407 808 NtClose ... ) == 0x0 02408 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02367 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "-69-\13"\\273\322\234\223\241\177w\22Y\356\0#\227M\326b%p\12\253I\36TQ\277\300l\241\265\271,\235\343u\211\21\340\244\340N\341\345\21\355\214\214B\215\270\302+\35\37\212U\341\265\221\27\30_\21g\353\301)\34\323\353\246\354\257q|\200\306\206\24\266\344\260\364\356j\210H\242\227v\26\330\212d\200qa@\263DD\272O\366;\22\202\2401!q\222\22\333\27\226\345q\347\64\352\30,i\205\265'\334D>\210\214\261\36\342\221\255\364\232\357\340\215\236e\260\4J <\240\241B1t\204\363\376\257O\307\214\344\220\245B#D\367\247\270\242\364\206\3358.\261u\242!\16\17Sd\207<\345\265\366\321\324\303\375\246\201[r\300o\4QF2\350\3113\303\4\30x\33\302\252\300Z\253&\212\240\36!\344\374\24\21625b!\36@\27\345\225\o\364y N\253`\361\305)\210\221\245I", ) \\273\322\234\223\241\177w\22Y\356\0#\227M\326b%p\12\253I\36TQ\277\300l\241\265\271,\235\343u\211\21\340\244\340N\341\345\21\355\214\214B\215\270\302+\35\37\212U\341\265\221\27\30_\21g\353\301)\34\323\353\246\354\257q|\200\306\206\24\266\344\260\364\356j\210H\242\227v\26\330\212d\200qa@\263DD\272O\366;\22\202\2401!q\222\22\333\27\226\345q\347\64\352\30,i\205\265'\334D>\210\214\261\36\342\221\255\364\232\357\340\215\236e\260\4J <\240\241B1t\204\363\376\257O\307\214\344\220\245B#D\367\247\270\242\364\206\3358.\261u\242!\16\17Sd\207<\345\265\366\321\324\303\375\246\201[r\300o\4QF2\350\3113\303\4\30x\33\302\252\300Z\253&\212\240\36!\344\374\24\21625b!\36@\27\345\225\o\364y N\253`\361\305)\210\221\245I", ) == 0x0 02408 1736 NtCreateThread ... 484, {1636, 1124}, ) == 0x0 02404 868 NtFlushInstructionCache ... ) == 0x0 02409 1736 NtQueryInformationThread (484, Basic, 28, ... 
02410 868 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ... 02409 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0 02410 868 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02411 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02412 868 NtSetEventBoostPriority (32, ... 02413 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02414 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0d\4\0\0" ... ... 02413 808 NtQuerySystemInformation ... 
{system info, class 3, size 48}, 48, ) == 0x0 02414 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75539, 0} ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0d\4\0\0" ) ) == 0x0 02415 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02416 1736 NtResumeThread (484, ... 02415 808 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02416 1736 NtResumeThread ... 1, ) == 0x0 02417 808 NtQuerySystemInformation (Performance, 312, ... 02418 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02325 1316 NtWaitForSingleObject ... ) == 0x0 02412 868 NtSetEventBoostPriority ... ) == 0x0 02419 1124 NtWaitForSingleObject (32, 0, 0x0, ... 02417 808 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02420 1316 NtSetEventBoostPriority (32, ... 02421 868 NtClose (464, ... 02422 808 NtQuerySystemInformation (Exception, 16, ... 02371 644 NtWaitForSingleObject ... ) == 0x0 02420 1316 NtSetEventBoostPriority ... ) == 0x0 02421 868 NtClose ... ) == 0x0 02423 644 NtSetEventBoostPriority (32, ... 02422 808 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02418 1736 NtAllocateVirtualMemory ... 95944704, 2097152, ) == 0x0 02399 624 NtWaitForSingleObject ... ) == 0x0 02423 644 NtSetEventBoostPriority ... ) == 0x0 02424 868 NtWaitForSingleObject (32, 0, 0x0, ... 02425 808 NtQuerySystemInformation (Lookaside, 32, ... 02426 624 NtSetEventBoostPriority (32, ... 02427 1736 NtAllocateVirtualMemory (-1, 98033664, 0, 8192, 4096, 4, ... 02428 1316 NtTestAlert (... 02405 1744 NtWaitForSingleObject ... ) == 0x0 02426 624 NtSetEventBoostPriority ... ) == 0x0 02425 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02427 1736 NtAllocateVirtualMemory ... 98033664, 8192, ) == 0x0 02429 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710664, ... }, 8710664, ... 
02428 1316 NtTestAlert ... ) == 0x0 02430 644 NtTestAlert (... 02431 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02429 1744 NtQueryAttributesFile ... ) == 0x0 02432 1736 NtProtectVirtualMemory (-1, (0x5d7e000), 4096, 260, ... 02433 1316 NtContinue (89652528, 1, ... 02430 644 NtTestAlert ... ) == 0x0 02434 624 NtTestAlert (... 02431 808 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02432 1736 NtProtectVirtualMemory ... (0x5d7e000), 4096, 4, ) == 0x0 02435 1316 NtRegisterThreadTerminatePort (24, ... 02436 644 NtContinue (91749680, 1, ... 02434 624 NtTestAlert ... ) == 0x0 02437 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02438 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02435 1316 NtRegisterThreadTerminatePort ... ) == 0x0 02439 644 NtRegisterThreadTerminatePort (24, ... 02440 624 NtContinue (93846832, 1, ... 02437 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02441 1744 NtSetEventBoostPriority (32, ... 02442 1316 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02439 644 NtRegisterThreadTerminatePort ... ) == 0x0 02443 624 NtRegisterThreadTerminatePort (24, ... 02444 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02419 1124 NtWaitForSingleObject ... ) == 0x0 02441 1744 NtSetEventBoostPriority ... ) == 0x0 02438 1736 NtCreateThread ... 464, {1636, 1404}, ) == 0x0 02445 644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02443 624 NtRegisterThreadTerminatePort ... ) == 0x0 02446 1124 NtSetEventBoostPriority (32, ... 02444 808 NtCreateKey ... -2147482576, 2, ) == 0x0 02447 1744 NtWaitForSingleObject (32, 0, 0x0, ... 02448 1736 NtQueryInformationThread (464, Basic, 28, ... 02442 1316 NtDuplicateObject ... 488, ) == 0x0 02424 868 NtWaitForSingleObject ... ) == 0x0 02446 1124 NtSetEventBoostPriority ... 
) == 0x0 02449 624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02450 808 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\337g\365\264\21\31'1O\12c\21\363\267$4\233.\341\300\217\32U3 \332\373\20y\320\210\217\271'W\336\243\31\206%\26\11(X\225\367_\344\330\201Z\11\346Z\365\326\336\7J\267\1\370,c\323\276\14\302\216\370\321AOI\305]cD\262\322", 80, ... , 0, 3, (-2147482576, "Seed", 0, 3, "\337g\365\264\21\31'1O\12c\21\363\267$4\233.\341\300\217\32U3 \332\373\20y\320\210\217\271'W\336\243\31\206%\26\11(X\225\367_\344\330\201Z\11\346Z\365\326\336\7J\267\1\370,c\323\276\14\302\216\370\321AOI\305]cD\262\322", 80, ... , 80, ... 02448 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0 02451 868 NtSetEventBoostPriority (32, ... 02452 1316 NtWaitForSingleObject (76, 0, {0, 0}, ... 02445 644 NtDuplicateObject ... 492, ) == 0x0 02453 1124 NtTestAlert (... 02449 624 NtDuplicateObject ... 496, ) == 0x0 02447 1744 NtWaitForSingleObject ... ) == 0x0 02451 868 NtSetEventBoostPriority ... ) == 0x0 02454 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0|\5\0\0" ... ... 02452 1316 NtWaitForSingleObject ... ) == 0x102 02455 644 NtWaitForSingleObject (76, 0, {0, 0}, ... 02453 1124 NtTestAlert ... ) == 0x0 02403 1744 NtUserCallNoParam ... ) == 0x0 02456 624 NtWaitForSingleObject (76, 0, {0, 0}, ... 02450 808 NtSetValueKey ... ) == 0x0 02454 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75540, 0} ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0|\5\0\0" ) ) == 0x0 02457 1316 NtWaitForSingleObject (192, 0, 0x0, ... 02455 644 NtWaitForSingleObject ... ) == 0x102 02458 1744 NtUserCallNoParam (29, ... 02459 1124 NtContinue (95943984, 1, ... 02456 624 NtWaitForSingleObject ... ) == 0x102 02460 808 NtClose (-2147482576, ... 
02461 868 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18349696, 67, ... }, 0x0, 0, 3, 3, 0, 18349696, 67, ... 02462 644 NtWaitForSingleObject (192, 0, 0x0, ... 02463 1736 NtResumeThread (464, ... 02464 1124 NtRegisterThreadTerminatePort (24, ... 02465 624 NtWaitForSingleObject (192, 0, 0x0, ... 02460 808 NtClose ... ) == 0x0 02461 868 NtCreateFile ... 500, {status=0x0, info=0}, ) == 0x0 02463 1736 NtResumeThread ... 1, ) == 0x0 02464 1124 NtRegisterThreadTerminatePort ... ) == 0x0 02411 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\275\30\271\373\277%\307\243:\252\275\12@b\260#\337\2u@7\251\376\351\226\263\22\335\273a\0\364Z>\257\351dL\17\117\240\362\\343c[\221\375\256c\224\36\310\266%\6\11\375\337ql\236_\262\23\207s\23\264F\215\207\303\276z\347\251\270\3371\356u\230wr\225\266\204\0\373'\14\204\262\343Z\261\4K\363\351\211Q\204\215\23\351=JXT\77\6\332\307Swz\16\265\260\340~\231\371P\313\305\333\242\25\313\21\10\335H\322Mk?\222\374\271\202\14\317\21*z# \237\273\271h?@^&yV\255j,\15E\255\27\274B\333\360"Tf9W[O\6\372\236\31\303\305\247\362\343tq\275'\356\236o\360\315\266\315)\257\356\357^\35\227Yg\367\376\33\276y\347\3\36\22\242P\274/\201\247/\345\201n{j\353\23445\236\334\10\13\0)\372\109t\306\352\274\250OS"%/\211s", ) Tf9W[O\6\372\236\31\303\305\247\362\343tq\275'\356\236o\360\315\266\315)\257\356\357^\35\227Yg\367\376\33\276y\347\3\36\22\242P\274/\201\247/\345\201n{j\353\23445\236\334\10\13\0)\372\109t\306\352\274\250OS ... 
{status=0x0, info=256}, "\275\30\271\373\277%\307\243:\252\275\12@b\260#\337\2u@7\251\376\351\226\263\22\335\273a\0\364Z>\257\351dL\17\117\240\362\\343c[\221\375\256c\224\36\310\266%\6\11\375\337ql\236_\262\23\207s\23\264F\215\207\303\276z\347\251\270\3371\356u\230wr\225\266\204\0\373'\14\204\262\343Z\261\4K\363\351\211Q\204\215\23\351=JXT\77\6\332\307Swz\16\265\260\340~\231\371P\313\305\333\242\25\313\21\10\335H\322Mk?\222\374\271\202\14\317\21*z# \237\273\271h?@^&yV\255j,\15E\255\27\274B\333\360"Tf9W[O\6\372\236\31\303\305\247\362\343tq\275'\356\236o\360\315\266\315)\257\356\357^\35\227Yg\367\376\33\276y\347\3\36\22\242P\274/\201\247/\345\201n{j\353\23445\236\334\10\13\0)\372\109t\306\352\274\250OS"%/\211s", ) , ) == 0x0 02466 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x1207b, (500, 168, 0x0, 0x0, 0x1207b, "\7\0\0\0\220\4E\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 02467 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02468 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02469 808 NtDeviceIoControlFile (56, 0, 0x0, 0x0, 0x390008, (56, 0, 0x0, 0x0, 0x390008, "\2726"\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\2165\354\317\361\377\215\266\316\2lp\271z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202\365\223z\306B\366\202#\326'\201\376\260f$/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02466 868 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\260\247k\201", ) , ) == 0x0 02467 1736 NtAllocateVirtualMemory ... 98041856, 2097152, ) == 0x0 02470 1744 NtAllocateVirtualMemory (-1, 4632576, 0, 4096, 4096, 4, ... 02471 1404 NtTestAlert (... 02472 808 NtQuerySystemInformation (TimeOfDay, 48, ... 02473 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x1207b, (500, 168, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\260\247k\201", 16, 16, ... , 16, 16, ... 02474 1736 NtAllocateVirtualMemory (-1, 100130816, 0, 8192, 4096, 4, ... 02470 1744 NtAllocateVirtualMemory ... 4632576, 4096, ) == 0x0 02471 1404 NtTestAlert ... ) == 0x0 02468 1124 NtDuplicateObject ... 504, ) == 0x0 02473 868 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\260\247k\201", ) , ) == 0x0 02474 1736 NtAllocateVirtualMemory ... 100130816, 8192, ) == 0x0 02475 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710660, ... }, 8710660, ... 02476 1404 NtContinue (98041136, 1, ... 02477 1124 NtWaitForSingleObject (76, 0, {0, 0}, ... 02472 808 NtQuerySystemInformation ... 
{system info, class 3, size 48}, 48, ) == 0x0 02478 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x12047, (500, 168, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0N\0D\0D\0K\0\\03\07\09\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0b\0i\0n\0\\0x\08\06\0;\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 248, 16, ... , 248, 16, ... 02475 1744 NtQueryAttributesFile ... ) == 0x0 02479 1404 NtRegisterThreadTerminatePort (24, ... 02477 1124 NtWaitForSingleObject ... ) == 0x102 02480 808 NtQuerySystemInformation (ProcessorTimes, 48, ... 02478 868 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02458 1744 NtUserCallNoParam ... ) == 0x0 02479 1404 NtRegisterThreadTerminatePort ... ) == 0x0 02481 1124 NtWaitForSingleObject (192, 0, 0x0, ... 02480 808 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02482 868 NtWaitForSingleObject (68, 0, {0, 0}, ... 02483 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 8711872, ... }, 8711872, ... 02484 1736 NtProtectVirtualMemory (-1, (0x5f7e000), 4096, 260, ... 02485 808 NtQuerySystemInformation (Performance, 312, ... 02482 868 NtWaitForSingleObject ... ) == 0x102 02486 1404 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02484 1736 NtProtectVirtualMemory ... (0x5f7e000), 4096, 4, ) == 0x0 02485 808 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02487 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x12003, (500, 168, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02486 1404 NtDuplicateObject ... 
508, ) == 0x0 02488 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02489 808 NtQuerySystemInformation (Exception, 16, ... 02483 1744 NtQueryAttributesFile ... ) == 0x0 02490 1404 NtWaitForSingleObject (76, 0, {0, 0}, ... 02488 1736 NtCreateThread ... 512, {1636, 1440}, ) == 0x0 02487 868 NtDeviceIoControlFile ... {status=0x0, info=516}, ... {status=0x0, info=516}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02491 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... }, 5, 96, ... 02490 1404 NtWaitForSingleObject ... ) == 0x102 02492 1736 NtQueryInformationThread (512, Basic, 28, ... 02493 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x12047, (500, 168, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0N\0D\0D\0K\0\\03\07\09\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0b\0i\0n\0\\0x\08\06\0;\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 248, 0, ... , 248, 0, ... 02491 1744 NtOpenFile ... 520, {status=0x0, info=1}, ) == 0x0 02494 1404 NtWaitForSingleObject (192, 0, 0x0, ... 02492 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0 02493 868 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02495 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 520, ... 02489 808 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02496 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x12037, (500, 168, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02495 1744 NtCreateSection ... 524, ) == 0x0 02497 808 NtQuerySystemInformation (Lookaside, 32, ... 
02496 868 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02498 1744 NtClose (520, ... 02497 808 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02499 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\0\240\5\0\0" ... ... 02500 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x1200b, (500, 168, 0x0, 0x0, 0x1200b, "\0\376\27\1\5\0\0\0\09F\0", 12, 0, ... , 12, 0, ... 02501 808 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02499 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75541, 0} ... {28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\0\240\5\0\0" ) ) == 0x0 02500 868 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02501 808 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02502 1736 NtResumeThread (512, ... 02503 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x12047, (500, 168, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\27\1\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0N\0D\0D\0K\0\\03\07\09\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0b\0i\0n\0\\0x\08\06\0;\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 248, 0, ... , 248, 0, ... 02504 808 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02502 1736 NtResumeThread ... 1, ) == 0x0 02503 868 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02498 1744 NtClose ... ) == 0x0 02505 1440 NtWaitForSingleObject (32, 0, 0x0, ... 02506 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02507 868 NtWaitForSingleObject (32, 0, 0x0, ... 
02508 1744 NtMapViewOfSection (524, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02504 808 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02508 1744 NtMapViewOfSection ... (0xf20000), 0x0, 294912, ) == 0x0 02509 808 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02510 1744 NtClose (524, ... 02509 808 NtCreateKey ... -2147482564, 2, ) == 0x0 02510 1744 NtClose ... ) == 0x0 02511 808 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "vD{\361\234\333\177M\244%\231SG\30\273\332\7\20r\337\371\272\200P\20n\204\332\372]\201\205\275JAlqHR\0\24|\177\21\214\363\330v?\242\267\3\306\326\250P\251#\5]\23:*\12\247\377\261\200\3237\233c\245\367V\304\354t\275X", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "vD{\361\234\333\177M\244%\231SG\30\273\332\7\20r\337\371\272\200P\20n\204\332\372]\201\205\275JAlqHR\0\24|\177\21\214\363\330v?\242\267\3\306\326\250P\251#\5]\23:*\12\247\377\261\200\3237\233c\245\367V\304\354t\275X", 80, ... ) , 80, ... ) == 0x0 02512 808 NtClose (-2147482564, ... ) == 0x0 02469 808 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\14\231$!O)\242\37\30\344*\374\357\11%[\221\356 ~\370\2211\315\316wH\333KB\325\355\312\344\\363\355\307j^\367\303\10\226\337}\3049\22I\270>\207b\275\303\325\210\255\341\3206\360\362\12\244u\251@\375\233\203Re,\216]\250\260|\4\341\3509HcU\207}\240>\307\210\367\252\274D9\10,%S\270i\311|\314\2\13M\352\342\253\356Fx\211\345\262\7\312\344\233{%Yz1\226\243\25\230c\271\200\330\370\10\x$\13^\330\265\341\22AY\337\346\224\6H\227\365\372\326*\261\12\262\247'\267Y\266\221N\367\247\272\210\253\275\353\334\344\327p\362\267\322\236\33\205C\31\10\27\0\22\304\216\3317*T47I\331\353\214\232\247\306\210U\16\272F|\253\23\262:\310\17*\220.]_.\357\17=\310\214\273\264%E\233\321u'\353,\250\233\233\247\225U\202\215\360\322\24\313\331\336", ) , ) == 0x0 02513 808 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
524, ) == 0x0 02514 808 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 20442628, 188, ... 520, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 20442628, 188, ... 520, 0x0, 0x0, 0x0, 188, ) == 0x0 02515 808 NtRequestWaitReplyPort (520, {200, 224, new_msg, 0, 4603848, 12, 2, 4521985} (520, {200, 224, new_msg, 0, 4603848, 12, 2, 4521985} "\0\2E\0\274\0\0\0\274oE\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0x\2E\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1E\0\0\0\0\0\0\0F\0\2\0\0\0\350\263F\0\225\370b\2\300\262F\0`\1E\0\12\0\0\0\0\0\0\0\1\0\0\0(\0\0\0\310\262F\0\350\263F\0\240\2E\0\350\262F\0`\1E\0\0\0\0\0\0\0\0\0\350\262F\0P\0\0\0\360\262F\0\360\6\221|x\2E\0P\0\0\0\346\31\0\0\0\0E\0\204\3547\1\372\31\221|\30\3647\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 808, 75543, 0} "\7\2E\0\274\0\0\0\274oE\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1E\0\0\0\0\0\0\0F\0\2\0\0\0\350\263F\0\225\370b\2\300\262F\0`\1E\0\12\0\0\0\0\0\0\0\1\0\0\0(\0\0\0\310\262F\0\350\263F\0\240\2E\0\350\262F\0`\1E\0\0\0\0\0\0\0\0\0\350\262F\0P\0\0\0\360\262F\0\360\6\221|x\2E\0P\0\0\0\346\31\0\0\0\0E\0\204\3547\1\372\31\221|\30\3647\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... {200, 224, reply, 0, 1636, 808, 75543, 0} (520, {200, 224, new_msg, 0, 4603848, 12, 2, 4521985} "\0\2E\0\274\0\0\0\274oE\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0x\2E\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1E\0\0\0\0\0\0\0F\0\2\0\0\0\350\263F\0\225\370b\2\300\262F\0`\1E\0\12\0\0\0\0\0\0\0\1\0\0\0(\0\0\0\310\262F\0\350\263F\0\240\2E\0\350\262F\0`\1E\0\0\0\0\0\0\0\0\0\350\262F\0P\0\0\0\360\262F\0\360\6\221|x\2E\0P\0\0\0\346\31\0\0\0\0E\0\204\3547\1\372\31\221|\30\3647\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 
{200, 224, reply, 0, 1636, 808, 75543, 0} "\7\2E\0\274\0\0\0\274oE\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1E\0\0\0\0\0\0\0F\0\2\0\0\0\350\263F\0\225\370b\2\300\262F\0`\1E\0\12\0\0\0\0\0\0\0\1\0\0\0(\0\0\0\310\262F\0\350\263F\0\240\2E\0\350\262F\0`\1E\0\0\0\0\0\0\0\0\0\350\262F\0P\0\0\0\360\262F\0\360\6\221|x\2E\0P\0\0\0\346\31\0\0\0\0E\0\204\3547\1\372\31\221|\30\3647\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02516 808 NtRequestWaitReplyPort (520, {64, 88, new_msg, 0, 0, 0, 0, 0} (520, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02517 1744 NtUnmapViewOfSection (-1, 0xf20000, ... ) == 0x0 02518 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 8712180, ... }, 8712180, ... 02506 1736 NtAllocateVirtualMemory ... 100139008, 2097152, ) == 0x0 02519 1736 NtAllocateVirtualMemory (-1, 102227968, 0, 8192, 4096, 4, ... 102227968, 8192, ) == 0x0 02520 1736 NtProtectVirtualMemory (-1, (0x617e000), 4096, 260, ... (0x617e000), 4096, 4, ) == 0x0 02521 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 528, {1636, 1972}, ) == 0x0 02522 1736 NtQueryInformationThread (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0 02523 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\264\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75545, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\264\7\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\264\7\0\0" ) ) == 0x0 02518 1744 NtQueryAttributesFile ... ) == 0x0 02524 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 532, {status=0x0, info=1}, ) }, 5, 96, ... 532, {status=0x0, info=1}, ) == 0x0 02525 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 532, ... 536, ) == 0x0 02526 1744 NtQuerySection (536, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02527 1744 NtClose (532, ... ) == 0x0 02528 1744 NtMapViewOfSection (536, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0 02529 1744 NtClose (536, ... 02530 1736 NtResumeThread (528, ... 1, ) == 0x0 02531 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 102236160, 2097152, ) == 0x0 02532 1736 NtAllocateVirtualMemory (-1, 104325120, 0, 8192, 4096, 4, ... 104325120, 8192, ) == 0x0 02533 1736 NtProtectVirtualMemory (-1, (0x637e000), 4096, 260, ... (0x637e000), 4096, 4, ) == 0x0 02534 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 532, {1636, 1248}, ) == 0x0 02535 1736 NtQueryInformationThread (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=1248,}, 0x0, ) == 0x0 02529 1744 NtClose ... ) == 0x0 02536 1972 NtWaitForSingleObject (32, 0, 0x0, ... 02537 1744 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 02538 1744 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 02539 1744 NtFlushInstructionCache (-1, 1953632256, 928, ... ) == 0x0 02540 1744 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 02541 1744 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 02542 1744 NtFlushInstructionCache (-1, 1953632256, 928, ... 
02543 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75546, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\340\4\0\0" ) ) == 0x0 02544 1736 NtResumeThread (532, ... 1, ) == 0x0 02545 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 104333312, 2097152, ) == 0x0 02546 1736 NtAllocateVirtualMemory (-1, 106422272, 0, 8192, 4096, 4, ... 106422272, 8192, ) == 0x0 02547 1736 NtProtectVirtualMemory (-1, (0x657e000), 4096, 260, ... (0x657e000), 4096, 4, ) == 0x0 02548 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02542 1744 NtFlushInstructionCache ... ) == 0x0 02549 1248 NtWaitForSingleObject (32, 0, 0x0, ... 02550 1744 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 02551 1744 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 02552 1744 NtFlushInstructionCache (-1, 1953632256, 928, ... ) == 0x0 02553 1744 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 02554 1744 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 02555 1744 NtFlushInstructionCache (-1, 1953632256, 928, ... 02548 1736 NtCreateThread ... 536, {1636, 860}, ) == 0x0 02516 808 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 808, 75544, 0} ... {52, 76, reply, 0, 1636, 808, 75544, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 02556 1736 NtQueryInformationThread (536, Basic, 28, ... 
02555 1744 NtFlushInstructionCache ... ) == 0x0 02556 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=860,}, 0x0, ) == 0x0 02557 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... }, ... 02558 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0d\6\0\0\\3\0\0" ... ... 02557 1744 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02558 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75547, 0} ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0d\6\0\0\\3\0\0" ) ) == 0x0 02559 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 8709536, ... }, 8709536, ... 02560 808 NtClose (524, ... ) == 0x0 02561 808 NtClose (520, ... ) == 0x0 02562 808 NtWaitForSingleObject (32, 0, 0x0, ... 02563 1736 NtResumeThread (536, ... 1, ) == 0x0 02564 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 106430464, 2097152, ) == 0x0 02565 1736 NtAllocateVirtualMemory (-1, 108519424, 0, 8192, 4096, 4, ... 108519424, 8192, ) == 0x0 02559 1744 NtQueryAttributesFile ... ) == 0x0 02566 860 NtWaitForSingleObject (32, 0, 0x0, ... 02567 1744 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02568 1744 NtUserCallOneParam (0, 40, ... ) == 0x4090409 02569 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1 02570 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2 02571 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3 02572 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ThreadItemChange", ... , ... 02573 1736 NtProtectVirtualMemory (-1, (0x677e000), 4096, 260, ... 
(0x677e000), 4096, 4, ) == 0x0 02574 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 520, {1636, 1756}, ) == 0x0 02575 1736 NtQueryInformationThread (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=1756,}, 0x0, ) == 0x0 02576 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\334\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75549, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\334\6\0\0" ) ) == 0x0 02577 1736 NtResumeThread (520, ... 1, ) == 0x0 02578 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02572 1744 NtUserRegisterWindowMessage ... ) == 0xc0a4 02579 1756 NtWaitForSingleObject (32, 0, 0x0, ... 02580 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5 02581 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6 02582 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7 02583 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.CheckThreadInputIdel", ... ) , ... ) == 0xc0a8 02584 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9 02585 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ShowFloating", ... , ... 02578 1736 NtAllocateVirtualMemory ... 108527616, 2097152, ) == 0x0 02586 1736 NtAllocateVirtualMemory (-1, 110616576, 0, 8192, 4096, 4, ... 110616576, 8192, ) == 0x0 02587 1736 NtProtectVirtualMemory (-1, (0x697e000), 4096, 260, ... (0x697e000), 4096, 4, ) == 0x0 02588 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 
524, {1636, 1304}, ) == 0x0 02589 1736 NtQueryInformationThread (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=1304,}, 0x0, ) == 0x0 02590 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\30\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\30\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75550, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\30\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\30\5\0\0" ) ) == 0x0 02585 1744 NtUserRegisterWindowMessage ... ) == 0xc0aa 02591 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab 02592 1744 NtUserRegisterWindowMessage ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac 02593 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 8709544, ... ) }, 8709544, ... ) == 0x0 02594 1744 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 3998, 8711936, 0, 0} (24, {24, 52, new_msg, 0, 3998, 8711936, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\320\6\0\0\0\0\0\0" ... {24, 52, reply, 0, 1636, 1744, 75551, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\320\6\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 1636, 1744, 75551, 0} (24, {24, 52, new_msg, 0, 3998, 8711936, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\320\6\0\0\0\0\0\0" ... {24, 52, reply, 0, 1636, 1744, 75551, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\320\6\0\0\0\0\0\0" ) ) == 0x0 02595 1744 NtUserGetThreadDesktop (1744, 0, ... ) == 0x30 02596 1736 NtResumeThread (524, ... 1, ) == 0x0 02597 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 110624768, 2097152, ) == 0x0 02598 1736 NtAllocateVirtualMemory (-1, 112713728, 0, 8192, 4096, 4, ... 
112713728, 8192, ) == 0x0 02599 1736 NtProtectVirtualMemory (-1, (0x6b7e000), 4096, 260, ... (0x6b7e000), 4096, 4, ) == 0x0 02600 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 540, {1636, 540}, ) == 0x0 02601 1736 NtQueryInformationThread (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=540,}, 0x0, ) == 0x0 02602 1744 NtUserGetObjectInformation (48, 2, 4626512, 520, 8711844, ... 02603 1304 NtWaitForSingleObject (32, 0, 0x0, ... 02602 1744 NtUserGetObjectInformation ... ) == 0x1 02604 1744 NtOpenProcessToken (-1, 0x8, ... 544, ) == 0x0 02605 1744 NtQueryInformationToken (544, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL 02606 1744 NtQueryInformationToken (544, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0 02607 1744 NtClose (544, ... ) == 0x0 02608 1744 NtCreateSection (0xf0007, {24, 28, 0x80, 0, 0, (0xf0007, {24, 28, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 544, ) }, {3240, 0}, 4, 134217728, 0, ... 544, ) == STATUS_OBJECT_NAME_EXISTS 02609 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\34\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\34\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75552, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\34\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\34\2\0\0" ) ) == 0x0 02610 1736 NtResumeThread (540, ... 1, ) == 0x0 02611 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 112721920, 2097152, ) == 0x0 02612 1736 NtAllocateVirtualMemory (-1, 114810880, 0, 8192, 4096, 4, ... 114810880, 8192, ) == 0x0 02613 1736 NtProtectVirtualMemory (-1, (0x6d7e000), 4096, 260, ... 
(0x6d7e000), 4096, 4, ) == 0x0 02614 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02615 1744 NtMapViewOfSection (544, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 02616 540 NtWaitForSingleObject (32, 0, 0x0, ... 02615 1744 NtMapViewOfSection ... (0xf20000), {0, 0}, 4096, ) == 0x0 02617 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02618 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 548, ) }, ... 548, ) == 0x0 02619 1744 NtQueryValueKey (548, (548, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (548, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02620 1744 NtClose (548, ... ) == 0x0 02621 1744 NtUserFindExistingCursorIcon (8711376, 8711392, 8711440, ... ) == 0x10011 02614 1736 NtCreateThread ... 548, {1636, 1980}, ) == 0x0 02622 1736 NtQueryInformationThread (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=1980,}, 0x0, ) == 0x0 02623 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\274\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\274\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75553, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\274\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\274\7\0\0" ) ) == 0x0 02624 1736 NtResumeThread (548, ... 1, ) == 0x0 02625 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 114819072, 2097152, ) == 0x0 02626 1736 NtAllocateVirtualMemory (-1, 116908032, 0, 8192, 4096, 4, ... 
116908032, 8192, ) == 0x0 02627 1744 NtUserRegisterClassExWOW (8711648, 8711744, 8711728, 8711716, 0, 386, 0, ... 02628 1980 NtWaitForSingleObject (32, 0, 0x0, ... 02627 1744 NtUserRegisterClassExWOW ... ) == 0x8172c0ad 02629 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 552, ) }, 0, ... 552, ) == STATUS_OBJECT_NAME_EXISTS 02630 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 556, ) }, 0, ... 556, ) == STATUS_OBJECT_NAME_EXISTS 02631 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 560, ) }, 0, ... 560, ) == STATUS_OBJECT_NAME_EXISTS 02632 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 564, ) }, 0, ... 564, ) == STATUS_OBJECT_NAME_EXISTS 02633 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 568, ) }, 0, ... 568, ) == STATUS_OBJECT_NAME_EXISTS 02634 1736 NtProtectVirtualMemory (-1, (0x6f7e000), 4096, 260, ... (0x6f7e000), 4096, 4, ) == 0x0 02635 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 572, {1636, 1784}, ) == 0x0 02636 1736 NtQueryInformationThread (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=1784,}, 0x0, ) == 0x0 02637 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\370\6\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75554, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\370\6\0\0" ) ) == 0x0 02638 1736 NtResumeThread (572, ... 1, ) == 0x0 02639 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02640 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 02641 1784 NtWaitForSingleObject (32, 0, 0x0, ... 02640 1744 NtOpenThreadTokenEx ... ) == STATUS_NO_TOKEN 02642 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 576, ) == 0x0 02643 1744 NtQueryInformationToken (576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02644 1744 NtClose (576, ... ) == 0x0 02645 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 576, ) }, ... 576, ) == 0x0 02646 1744 NtSetInformationObject (576, Handle, {Inherit=0,ProtectFromClose=1,}, 8651008, ... ) == 0x0 02639 1736 NtAllocateVirtualMemory ... 116916224, 2097152, ) == 0x0 02647 1736 NtAllocateVirtualMemory (-1, 119005184, 0, 8192, 4096, 4, ... 119005184, 8192, ) == 0x0 02648 1736 NtProtectVirtualMemory (-1, (0x717e000), 4096, 260, ... (0x717e000), 4096, 4, ) == 0x0 02649 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 580, {1636, 1480}, ) == 0x0 02650 1736 NtQueryInformationThread (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1480,}, 0x0, ) == 0x0 02651 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75555, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\310\5\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\310\5\0\0" ) ) == 0x0 02652 1744 NtOpenKey (0x20019, {24, 576, 0x40, 0, 0, (0x20019, {24, 576, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 584, ) }, ... 584, ) == 0x0 02653 1744 NtQueryValueKey (584, (584, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02654 1744 NtQueryValueKey (584, (584, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02655 1744 NtQueryValueKey (584, (584, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02656 1744 NtClose (584, ... ) == 0x0 02657 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 8709364, ... ) }, 8709364, ... ) == 0x0 02658 1736 NtResumeThread (580, ... 1, ) == 0x0 02659 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 119013376, 2097152, ) == 0x0 02660 1736 NtAllocateVirtualMemory (-1, 121102336, 0, 8192, 4096, 4, ... 121102336, 8192, ) == 0x0 02661 1736 NtProtectVirtualMemory (-1, (0x737e000), 4096, 260, ... (0x737e000), 4096, 4, ) == 0x0 02662 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 584, {1636, 460}, ) == 0x0 02663 1736 NtQueryInformationThread (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=460,}, 0x0, ) == 0x0 02664 1744 NtQueryDefaultUILanguage (8711924, ... 02665 1480 NtWaitForSingleObject (32, 0, 0x0, ... 02666 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02667 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482564, ) == 0x0 02668 1744 NtQueryInformationToken (-2147482564, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02669 1744 NtClose (-2147482564, ... ) == 0x0 02670 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... 
-2147482564, ) == 0x0 02671 1744 NtOpenKey (0x80000000, {24, -2147482564, 0x240, 0, 0, (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... }, ... 02672 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\314\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75556, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\314\1\0\0" ) ) == 0x0 02673 1736 NtResumeThread (584, ... 1, ) == 0x0 02674 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 121110528, 2097152, ) == 0x0 02675 1736 NtAllocateVirtualMemory (-1, 123199488, 0, 8192, 4096, 4, ... 123199488, 8192, ) == 0x0 02676 1736 NtProtectVirtualMemory (-1, (0x757e000), 4096, 260, ... (0x757e000), 4096, 4, ) == 0x0 02677 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02671 1744 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02678 460 NtWaitForSingleObject (32, 0, 0x0, ... 02679 1744 NtOpenKey (0x80000000, {24, -2147482564, 0x640, 0, 0, (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0 02680 1744 NtQueryValueKey (-2147481440, (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02681 1744 NtClose (-2147481440, ... ) == 0x0 02682 1744 NtClose (-2147482564, ... ) == 0x0 02664 1744 NtQueryDefaultUILanguage ... ) == 0x0 02683 1744 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... 588, ) }, ... 588, ) == 0x0 02677 1736 NtCreateThread ... 592, {1636, 1068}, ) == 0x0 02684 1736 NtQueryInformationThread (592, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1068,}, 0x0, ) == 0x0 02685 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75557, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ) ) == 0x0 02686 1736 NtResumeThread (592, ... 1, ) == 0x0 02687 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 123207680, 2097152, ) == 0x0 02688 1736 NtAllocateVirtualMemory (-1, 125296640, 0, 8192, 4096, 4, ... 125296640, 8192, ) == 0x0 02689 1744 NtQueryValueKey (588, (588, "EnableAnchorContext", Partial, 144, ... , Partial, 144, ... 02690 1068 NtWaitForSingleObject (32, 0, 0x0, ... 02689 1744 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02691 1744 NtClose (588, ... ) == 0x0 02692 1744 NtSetEventBoostPriority (32, ... 02505 1440 NtWaitForSingleObject ... ) == 0x0 02693 1440 NtSetEventBoostPriority (32, ... 02507 868 NtWaitForSingleObject ... ) == 0x0 02694 868 NtSetEventBoostPriority (32, ... 02536 1972 NtWaitForSingleObject ... ) == 0x0 02695 1972 NtSetEventBoostPriority (32, ... 02549 1248 NtWaitForSingleObject ... ) == 0x0 02696 1248 NtSetEventBoostPriority (32, ... 02562 808 NtWaitForSingleObject ... ) == 0x0 02697 808 NtSetEventBoostPriority (32, ... 02566 860 NtWaitForSingleObject ... ) == 0x0 02698 860 NtSetEventBoostPriority (32, ... 02579 1756 NtWaitForSingleObject ... ) == 0x0 02699 1756 NtSetEventBoostPriority (32, ... 02603 1304 NtWaitForSingleObject ... ) == 0x0 02700 1304 NtSetEventBoostPriority (32, ... 02616 540 NtWaitForSingleObject ... ) == 0x0 02701 540 NtSetEventBoostPriority (32, ... 02628 1980 NtWaitForSingleObject ... 
) == 0x0 02702 1980 NtSetEventBoostPriority (32, ... 02641 1784 NtWaitForSingleObject ... ) == 0x0 02703 1784 NtSetEventBoostPriority (32, ... 02665 1480 NtWaitForSingleObject ... ) == 0x0 02704 1480 NtSetEventBoostPriority (32, ... 02678 460 NtWaitForSingleObject ... ) == 0x0 02705 460 NtSetEventBoostPriority (32, ... 02690 1068 NtWaitForSingleObject ... ) == 0x0 02706 1068 NtTestAlert (... ) == 0x0 02705 460 NtSetEventBoostPriority ... ) == 0x0 02704 1480 NtSetEventBoostPriority ... ) == 0x0 02703 1784 NtSetEventBoostPriority ... ) == 0x0 02702 1980 NtSetEventBoostPriority ... ) == 0x0 02701 540 NtSetEventBoostPriority ... ) == 0x0 02700 1304 NtSetEventBoostPriority ... ) == 0x0 02699 1756 NtSetEventBoostPriority ... ) == 0x0 02698 860 NtSetEventBoostPriority ... ) == 0x0 02697 808 NtSetEventBoostPriority ... ) == 0x0 02696 1248 NtSetEventBoostPriority ... ) == 0x0 02695 1972 NtSetEventBoostPriority ... ) == 0x0 02694 868 NtSetEventBoostPriority ... ) == 0x0 02693 1440 NtSetEventBoostPriority ... ) == 0x0 02692 1744 NtSetEventBoostPriority ... ) == 0x0 02707 1736 NtProtectVirtualMemory (-1, (0x777e000), 4096, 260, ... 02708 1068 NtContinue (123206960, 1, ... 02709 460 NtTestAlert (... 02710 1480 NtTestAlert (... 02711 1784 NtTestAlert (... 02712 1980 NtTestAlert (... 02713 540 NtTestAlert (... 02714 1304 NtTestAlert (... 02715 1756 NtTestAlert (... 02716 860 NtTestAlert (... 02717 808 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02718 1248 NtTestAlert (... 02719 1972 NtTestAlert (... 02720 868 NtDeviceIoControlFile (500, 168, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 
02721 1744 NtCreateMutant (0x1f0001, {24, 28, 0x80, 0, 0, (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... }, 0, ... 02707 1736 NtProtectVirtualMemory ... (0x777e000), 4096, 4, ) == 0x0 02722 1068 NtRegisterThreadTerminatePort (24, ... 02709 460 NtTestAlert ... ) == 0x0 02710 1480 NtTestAlert ... ) == 0x0 02711 1784 NtTestAlert ... ) == 0x0 02712 1980 NtTestAlert ... ) == 0x0 02713 540 NtTestAlert ... ) == 0x0 02714 1304 NtTestAlert ... ) == 0x0 02715 1756 NtTestAlert ... ) == 0x0 02716 860 NtTestAlert ... ) == 0x0 02717 808 NtCreateKey ... 588, 2, ) == 0x0 02718 1248 NtTestAlert ... ) == 0x0 02719 1972 NtTestAlert ... ) == 0x0 02720 868 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02721 1744 NtCreateMutant ... 596, ) == STATUS_OBJECT_NAME_EXISTS 02723 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02722 1068 NtRegisterThreadTerminatePort ... ) == 0x0 02724 460 NtContinue (121109808, 1, ... 02725 1480 NtContinue (119012656, 1, ... 02726 1784 NtContinue (116915504, 1, ... 02727 1980 NtContinue (114818352, 1, ... 02728 540 NtContinue (112721200, 1, ... 02729 1304 NtContinue (110624048, 1, ... 02730 1756 NtContinue (108526896, 1, ... 02731 860 NtContinue (106429744, 1, ... 02732 808 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02733 1248 NtContinue (104332592, 1, ... 02734 1972 NtContinue (102235440, 1, ... 02735 868 NtAllocateVirtualMemory (-1, 4636672, 0, 4096, 4096, 4, ... 02736 1744 NtOpenSection (0xf001f, {24, 28, 0x0, 0, 0, (0xf001f, {24, 28, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... }, ... 02723 1736 NtCreateThread ... 
600, {1636, 1604}, ) == 0x0 02737 1068 NtWaitForSingleObject (80, 0, 0x0, ... 02738 460 NtRegisterThreadTerminatePort (24, ... 02739 1480 NtRegisterThreadTerminatePort (24, ... 02740 1784 NtRegisterThreadTerminatePort (24, ... 02741 1980 NtRegisterThreadTerminatePort (24, ... 02742 540 NtRegisterThreadTerminatePort (24, ... 02743 1304 NtRegisterThreadTerminatePort (24, ... 02744 1756 NtRegisterThreadTerminatePort (24, ... 02745 860 NtRegisterThreadTerminatePort (24, ... 02732 808 NtOpenKey ... 604, ) == 0x0 02746 1248 NtRegisterThreadTerminatePort (24, ... 02747 1972 NtRegisterThreadTerminatePort (24, ... 02735 868 NtAllocateVirtualMemory ... 4636672, 4096, ) == 0x0 02748 1440 NtTestAlert (... 02749 1736 NtQueryInformationThread (600, Basic, 28, ... 02738 460 NtRegisterThreadTerminatePort ... ) == 0x0 02739 1480 NtRegisterThreadTerminatePort ... ) == 0x0 02740 1784 NtRegisterThreadTerminatePort ... ) == 0x0 02741 1980 NtRegisterThreadTerminatePort ... ) == 0x0 02742 540 NtRegisterThreadTerminatePort ... ) == 0x0 02743 1304 NtRegisterThreadTerminatePort ... ) == 0x0 02744 1756 NtRegisterThreadTerminatePort ... ) == 0x0 02745 860 NtRegisterThreadTerminatePort ... ) == 0x0 02750 808 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02746 1248 NtRegisterThreadTerminatePort ... ) == 0x0 02747 1972 NtRegisterThreadTerminatePort ... ) == 0x0 02748 1440 NtTestAlert ... ) == 0x0 02749 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=1604,}, 0x0, ) == 0x0 02751 460 NtWaitForSingleObject (80, 0, 0x0, ... 02752 1480 NtWaitForSingleObject (80, 0, 0x0, ... 02753 1784 NtWaitForSingleObject (80, 0, 0x0, ... 02754 1980 NtWaitForSingleObject (80, 0, 0x0, ... 02755 540 NtWaitForSingleObject (80, 0, 0x0, ... 02756 1304 NtWaitForSingleObject (80, 0, 0x0, ... 02757 1756 NtWaitForSingleObject (80, 0, 0x0, ... 02758 860 NtWaitForSingleObject (80, 0, 0x0, ... 
02750 808 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02759 1248 NtWaitForSingleObject (80, 0, 0x0, ... 02760 1972 NtWaitForSingleObject (80, 0, 0x0, ... 02761 1440 NtContinue (100138288, 1, ... 02762 868 NtSetEventBoostPriority (80, ... 02736 1744 NtOpenSection ... 608, ) == 0x0 02763 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0D\6\0\0" ... ... 02764 808 NtQueryValueKey (588, (588, "Hostname", Partial, 144, ... , Partial, 144, ... 02765 1440 NtRegisterThreadTerminatePort (24, ... 02737 1068 NtWaitForSingleObject ... ) == 0x0 02762 868 NtSetEventBoostPriority ... ) == 0x0 02766 1744 NtMapViewOfSection (608, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 02763 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75558, 0} ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0D\6\0\0" ) ) == 0x0 02764 808 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02767 1068 NtSetEventBoostPriority (80, ... 02765 1440 NtRegisterThreadTerminatePort ... ) == 0x0 02768 868 NtWaitForSingleObject (80, 0, 0x0, ... 02766 1744 NtMapViewOfSection ... (0xf30000), {0, 0}, 262144, ) == 0x0 02769 1736 NtResumeThread (600, ... 02751 460 NtWaitForSingleObject ... ) == 0x0 02767 1068 NtSetEventBoostPriority ... ) == 0x0 02770 808 NtWaitForSingleObject (80, 0, 0x0, ... 02771 1440 NtWaitForSingleObject (80, 0, 0x0, ... 02772 1744 NtWaitForSingleObject (596, 0, {-50000000, -1}, ... 02773 460 NtSetEventBoostPriority (80, ... 02769 1736 NtResumeThread ... 1, ) == 0x0 02774 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02775 1604 NtTestAlert (... 02752 1480 NtWaitForSingleObject ... ) == 0x0 02772 1744 NtWaitForSingleObject ... ) == 0x0 02776 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02774 1068 NtDuplicateObject ... 
612, ) == 0x0 02775 1604 NtTestAlert ... ) == 0x0 02777 1480 NtSetEventBoostPriority (80, ... 02773 460 NtSetEventBoostPriority ... ) == 0x0 02778 1744 NtReleaseMutant (596, ... 02779 1068 NtWaitForSingleObject (80, 0, 0x0, ... 02780 1604 NtContinue (125304112, 1, ... 02753 1784 NtWaitForSingleObject ... ) == 0x0 02781 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02778 1744 NtReleaseMutant ... 0x0, ) == 0x0 02782 1604 NtRegisterThreadTerminatePort (24, ... 02783 1784 NtSetEventBoostPriority (80, ... 02781 460 NtDuplicateObject ... 616, ) == 0x0 02784 1744 NtWaitForSingleObject (596, 0, {-50000000, -1}, ... 02782 1604 NtRegisterThreadTerminatePort ... ) == 0x0 02754 1980 NtWaitForSingleObject ... ) == 0x0 02783 1784 NtSetEventBoostPriority ... ) == 0x0 02777 1480 NtSetEventBoostPriority ... ) == 0x0 02776 1736 NtAllocateVirtualMemory ... 125304832, 2097152, ) == 0x0 02784 1744 NtWaitForSingleObject ... ) == 0x0 02785 460 NtWaitForSingleObject (80, 0, 0x0, ... 02786 1980 NtSetEventBoostPriority (80, ... 02787 1784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02788 1480 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02789 1736 NtAllocateVirtualMemory (-1, 127393792, 0, 8192, 4096, 4, ... 02790 1744 NtReleaseMutant (596, ... 02755 540 NtWaitForSingleObject ... ) == 0x0 02787 1784 NtDuplicateObject ... 620, ) == 0x0 02788 1480 NtDuplicateObject ... 624, ) == 0x0 02789 1736 NtAllocateVirtualMemory ... 127393792, 8192, ) == 0x0 02786 1980 NtSetEventBoostPriority ... ) == 0x0 02791 1604 NtWaitForSingleObject (80, 0, 0x0, ... 02792 540 NtSetEventBoostPriority (80, ... 02790 1744 NtReleaseMutant ... 0x0, ) == 0x0 02793 1784 NtWaitForSingleObject (80, 0, 0x0, ... 02794 1736 NtProtectVirtualMemory (-1, (0x797e000), 4096, 260, ... 02795 1980 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02756 1304 NtWaitForSingleObject ... ) == 0x0 02796 1744 NtWaitForSingleObject (596, 0, {-50000000, -1}, ... 02794 1736 NtProtectVirtualMemory ... 
(0x797e000), 4096, 4, ) == 0x0 02795 1980 NtDuplicateObject ... 628, ) == 0x0 02797 1304 NtSetEventBoostPriority (80, ... 02796 1744 NtWaitForSingleObject ... ) == 0x0 02798 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02792 540 NtSetEventBoostPriority ... ) == 0x0 02799 1480 NtWaitForSingleObject (80, 0, 0x0, ... 02757 1756 NtWaitForSingleObject ... ) == 0x0 02800 1744 NtReleaseMutant (596, ... 02797 1304 NtSetEventBoostPriority ... ) == 0x0 02801 1980 NtWaitForSingleObject (80, 0, 0x0, ... 02802 540 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02803 1756 NtSetEventBoostPriority (80, ... 02800 1744 NtReleaseMutant ... 0x0, ) == 0x0 02804 1304 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02802 540 NtDuplicateObject ... 632, ) == 0x0 02758 860 NtWaitForSingleObject ... ) == 0x0 02803 1756 NtSetEventBoostPriority ... ) == 0x0 02798 1736 NtCreateThread ... 636, {1636, 1156}, ) == 0x0 02804 1304 NtDuplicateObject ... 640, ) == 0x0 02805 1744 NtUserSetWindowsHookEx (1953628160, 8713404, 1744, 2, 1953694283, 2, ... 02806 860 NtSetEventBoostPriority (80, ... 02807 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02808 1736 NtQueryInformationThread (636, Basic, 28, ... 02809 540 NtWaitForSingleObject (80, 0, 0x0, ... 02805 1744 NtUserSetWindowsHookEx ... ) == 0x9500d3 02759 1248 NtWaitForSingleObject ... ) == 0x0 02807 1756 NtDuplicateObject ... 644, ) == 0x0 02808 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=1156,}, 0x0, ) == 0x0 02810 1744 NtUserSetWindowsHookEx (1953628160, 8713404, 1744, 7, 1953693577, 2, ... 02811 1248 NtSetEventBoostPriority (80, ... 02806 860 NtSetEventBoostPriority ... ) == 0x0 02812 1304 NtWaitForSingleObject (80, 0, 0x0, ... 02813 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\204\4\0\0" ... ... 02810 1744 NtUserSetWindowsHookEx ... 
) == 0x2e020d 02768 868 NtWaitForSingleObject ... ) == 0x0 02814 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02813 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75559, 0} ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\204\4\0\0" ) ) == 0x0 02815 868 NtAllocateVirtualMemory (-1, 4640768, 0, 4096, 4096, 4, ... 02814 860 NtDuplicateObject ... 648, ) == 0x0 02811 1248 NtSetEventBoostPriority ... ) == 0x0 02816 1756 NtWaitForSingleObject (80, 0, 0x0, ... 02817 1744 NtUserMessageCall (0x80144, WM_NCCREATE, 0x0, 0x84f83c, 0, 670, 1, ... 02815 868 NtAllocateVirtualMemory ... 4640768, 4096, ) == 0x0 02818 1736 NtResumeThread (636, ... 02819 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02817 1744 NtUserMessageCall ... ) == 0x1 02820 860 NtWaitForSingleObject (80, 0, 0x0, ... 02818 1736 NtResumeThread ... 1, ) == 0x0 02819 1248 NtDuplicateObject ... 652, ) == 0x0 02821 1744 NtUserSetWindowFNID (1048740, 681, ... 02822 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02823 868 NtSetEventBoostPriority (80, ... 02824 1156 NtTestAlert (... 02821 1744 NtUserSetWindowFNID ... ) == 0x1 02822 1736 NtAllocateVirtualMemory ... 127401984, 2097152, ) == 0x0 02760 1972 NtWaitForSingleObject ... ) == 0x0 02823 868 NtSetEventBoostPriority ... ) == 0x0 02824 1156 NtTestAlert ... ) == 0x0 02825 1744 NtWaitForSingleObject (80, 0, 0x0, ... 02826 1972 NtSetEventBoostPriority (80, ... 02827 1736 NtAllocateVirtualMemory (-1, 129490944, 0, 8192, 4096, 4, ... 02828 868 NtWaitForSingleObject (80, 0, 0x0, ... 02829 1156 NtContinue (127401264, 1, ... 02770 808 NtWaitForSingleObject ... ) == 0x0 02827 1736 NtAllocateVirtualMemory ... 129490944, 8192, ) == 0x0 02830 1156 NtRegisterThreadTerminatePort (24, ... 02831 808 NtSetEventBoostPriority (80, ... 02826 1972 NtSetEventBoostPriority ... ) == 0x0 02832 1248 NtWaitForSingleObject (80, 0, 0x0, ... 02830 1156 NtRegisterThreadTerminatePort ... 
) == 0x0 02771 1440 NtWaitForSingleObject ... ) == 0x0 02831 808 NtSetEventBoostPriority ... ) == 0x0 02833 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02834 1736 NtProtectVirtualMemory (-1, (0x7b7e000), 4096, 260, ... 02835 1440 NtSetEventBoostPriority (80, ... 02836 1156 NtWaitForSingleObject (80, 0, 0x0, ... 02833 1972 NtDuplicateObject ... 656, ) == 0x0 02779 1068 NtWaitForSingleObject ... ) == 0x0 02834 1736 NtProtectVirtualMemory ... (0x7b7e000), 4096, 4, ) == 0x0 02835 1440 NtSetEventBoostPriority ... ) == 0x0 02837 808 NtQueryValueKey (588, (588, "Hostname", Partial, 144, ... , Partial, 144, ... 02838 1068 NtSetEventBoostPriority (80, ... 02839 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02840 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02837 808 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02785 460 NtWaitForSingleObject ... ) == 0x0 02838 1068 NtSetEventBoostPriority ... ) == 0x0 02839 1736 NtCreateThread ... 660, {1636, 712}, ) == 0x0 02840 1440 NtDuplicateObject ... 664, ) == 0x0 02841 460 NtSetEventBoostPriority (80, ... 02842 808 NtWaitForSingleObject (80, 0, 0x0, ... 02843 1972 NtWaitForSingleObject (80, 0, 0x0, ... 02844 1736 NtQueryInformationThread (660, Basic, 28, ... 02845 1068 NtWaitForSingleObject (80, 0, 0x0, ... 02791 1604 NtWaitForSingleObject ... ) == 0x0 02841 460 NtSetEventBoostPriority ... ) == 0x0 02844 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=712,}, 0x0, ) == 0x0 02846 1604 NtSetEventBoostPriority (80, ... 02847 460 NtWaitForSingleObject (80, 0, 0x0, ... 02848 1440 NtWaitForSingleObject (80, 0, 0x0, ... 02793 1784 NtWaitForSingleObject ... ) == 0x0 02846 1604 NtSetEventBoostPriority ... 
) == 0x0 02849 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\310\2\0\0" ... ... 02850 1784 NtSetEventBoostPriority (80, ... 02851 1604 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02799 1480 NtWaitForSingleObject ... ) == 0x0 02850 1784 NtSetEventBoostPriority ... ) == 0x0 02849 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75560, 0} ... {28, 56, reply, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\310\2\0\0" ) ) == 0x0 02852 1480 NtSetEventBoostPriority (80, ... 02853 1784 NtWaitForSingleObject (80, 0, 0x0, ... 02801 1980 NtWaitForSingleObject ... ) == 0x0 02852 1480 NtSetEventBoostPriority ... ) == 0x0 02854 1736 NtResumeThread (660, ... 02851 1604 NtDuplicateObject ... 668, ) == 0x0 02855 1980 NtSetEventBoostPriority (80, ... 02856 1480 NtWaitForSingleObject (80, 0, 0x0, ... 02854 1736 NtResumeThread ... 1, ) == 0x0 02809 540 NtWaitForSingleObject ... ) == 0x0 02855 1980 NtSetEventBoostPriority ... ) == 0x0 02857 1604 NtWaitForSingleObject (80, 0, 0x0, ... 02858 712 NtTestAlert (... 02859 540 NtSetEventBoostPriority (80, ... 02860 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02861 1980 NtWaitForSingleObject (80, 0, 0x0, ... 02812 1304 NtWaitForSingleObject ... ) == 0x0 02859 540 NtSetEventBoostPriority ... ) == 0x0 02858 712 NtTestAlert ... ) == 0x0 02860 1736 NtAllocateVirtualMemory ... 129499136, 2097152, ) == 0x0 02862 1304 NtSetEventBoostPriority (80, ... 02863 540 NtWaitForSingleObject (80, 0, 0x0, ... 02864 712 NtContinue (129498416, 1, ... 02816 1756 NtWaitForSingleObject ... ) == 0x0 02862 1304 NtSetEventBoostPriority ... ) == 0x0 02865 1736 NtAllocateVirtualMemory (-1, 131588096, 0, 8192, 4096, 4, ... 02866 1756 NtSetEventBoostPriority (80, ... 02867 712 NtRegisterThreadTerminatePort (24, ... 02868 1304 NtWaitForSingleObject (80, 0, 0x0, ... 
02820 860 NtWaitForSingleObject ... ) == 0x0 02866 1756 NtSetEventBoostPriority ... ) == 0x0 02865 1736 NtAllocateVirtualMemory ... 131588096, 8192, ) == 0x0 02867 712 NtRegisterThreadTerminatePort ... ) == 0x0 02869 860 NtSetEventBoostPriority (80, ... 02870 1736 NtProtectVirtualMemory (-1, (0x7d7e000), 4096, 260, ... 02871 1756 NtWaitForSingleObject (80, 0, 0x0, ... 02825 1744 NtWaitForSingleObject ... ) == 0x0 02869 860 NtSetEventBoostPriority ... ) == 0x0 02870 1736 NtProtectVirtualMemory ... (0x7d7e000), 4096, 4, ) == 0x0 02872 1744 NtSetEventBoostPriority (80, ... 02873 860 NtWaitForSingleObject (80, 0, 0x0, ... 02828 868 NtWaitForSingleObject ... ) == 0x0 02872 1744 NtSetEventBoostPriority ... ) == 0x0 02874 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02875 712 NtWaitForSingleObject (80, 0, 0x0, ... 02876 868 NtSetEventBoostPriority (80, ... 02877 1744 NtUserSetWindowLong (1048740, 0, 4642904, 0, ... 02832 1248 NtWaitForSingleObject ... ) == 0x0 02876 868 NtSetEventBoostPriority ... ) == 0x0 02878 1248 NtSetEventBoostPriority (80, ... 02877 1744 NtUserSetWindowLong ... ) == 0x0 02874 1736 NtCreateThread ... 672, {1636, 1764}, ) == 0x0 02836 1156 NtWaitForSingleObject ... ) == 0x0 02878 1248 NtSetEventBoostPriority ... ) == 0x0 02879 1744 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... }, ... 02880 1156 NtSetEventBoostPriority (80, ... 02881 1736 NtQueryInformationThread (672, Basic, 28, ... 02882 1248 NtWaitForSingleObject (80, 0, 0x0, ... 02842 808 NtWaitForSingleObject ... ) == 0x0 02880 1156 NtSetEventBoostPriority ... ) == 0x0 02879 1744 NtOpenKey ... 676, ) == 0x0 02881 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=1764,}, 0x0, ) == 0x0 02883 868 NtWaitForSingleObject (80, 0, 0x0, ... 02884 808 NtSetEventBoostPriority (80, ... 02885 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02886 1744 NtQueryValueKey (676, (676, "Ime File", Partial, 144, ... , Partial, 144, ... 02887 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\344\6\0\0" ... ... 02843 1972 NtWaitForSingleObject ... ) == 0x0 02884 808 NtSetEventBoostPriority ... ) == 0x0 02886 1744 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0 02888 1972 NtSetEventBoostPriority (80, ... 02887 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75561, 0} ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\344\6\0\0" ) ) == 0x0 02885 1156 NtDuplicateObject ... 680, ) == 0x0 02889 808 NtClose (588, ... 02845 1068 NtWaitForSingleObject ... ) == 0x0 02888 1972 NtSetEventBoostPriority ... ) == 0x0 02890 1744 NtClose (676, ... 02891 1156 NtWaitForSingleObject (80, 0, 0x0, ... 02892 1068 NtSetEventBoostPriority (80, ... 02889 808 NtClose ... ) == 0x0 02893 1972 NtWaitForSingleObject (80, 0, 0x0, ... 02890 1744 NtClose ... ) == 0x0 02848 1440 NtWaitForSingleObject ... ) == 0x0 02892 1068 NtSetEventBoostPriority ... ) == 0x0 02894 808 NtClose (604, ... 02895 1736 NtResumeThread (672, ... 02896 1440 NtSetEventBoostPriority (80, ... 02897 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... }, ... 02898 1068 NtWaitForSingleObject (440, 0, 0x0, ... 02894 808 NtClose ... ) == 0x0 02847 460 NtWaitForSingleObject ... ) == 0x0 02896 1440 NtSetEventBoostPriority ... ) == 0x0 02895 1736 NtResumeThread ... 1, ) == 0x0 02897 1744 NtOpenSection ... 604, ) == 0x0 02899 1764 NtWaitForSingleObject (32, 0, 0x0, ... 02900 460 NtSetEventBoostPriority (80, ... 02901 808 NtWaitForSingleObject (32, 0, 0x0, ... 02902 1440 NtWaitForSingleObject (80, 0, 0x0, ... 02903 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02904 1744 NtMapViewOfSection (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02853 1784 NtWaitForSingleObject ... ) == 0x0 02900 460 NtSetEventBoostPriority ... ) == 0x0 02903 1736 NtAllocateVirtualMemory ... 131596288, 2097152, ) == 0x0 02904 1744 NtMapViewOfSection ... (0x77c00000), 0x0, 32768, ) == 0x0 02905 1784 NtSetEventBoostPriority (80, ... 02906 460 NtWaitForSingleObject (80, 0, 0x0, ... 02907 1736 NtAllocateVirtualMemory (-1, 133685248, 0, 8192, 4096, 4, ... 02857 1604 NtWaitForSingleObject ... ) == 0x0 02907 1736 NtAllocateVirtualMemory ... 133685248, 8192, ) == 0x0 02908 1604 NtSetEventBoostPriority (80, ... 02905 1784 NtSetEventBoostPriority ... ) == 0x0 02909 1744 NtClose (604, ... 02856 1480 NtWaitForSingleObject ... ) == 0x0 02908 1604 NtSetEventBoostPriority ... ) == 0x0 02910 1784 NtWaitForSingleObject (80, 0, 0x0, ... 02911 1480 NtSetEventBoostPriority (80, ... 02909 1744 NtClose ... ) == 0x0 02912 1736 NtProtectVirtualMemory (-1, (0x7f7e000), 4096, 260, ... 02861 1980 NtWaitForSingleObject ... ) == 0x0 02913 1744 NtProtectVirtualMemory (-1, (0x77c01000), 304, 4, ... 02912 1736 NtProtectVirtualMemory ... (0x7f7e000), 4096, 4, ) == 0x0 02914 1980 NtSetEventBoostPriority (80, ... 02913 1744 NtProtectVirtualMemory ... (0x77c01000), 4096, 32, ) == 0x0 02915 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02863 540 NtWaitForSingleObject ... ) == 0x0 02916 1744 NtProtectVirtualMemory (-1, (0x77c01000), 4096, 32, ... 02915 1736 NtCreateThread ... 604, {1636, 1536}, ) == 0x0 02917 540 NtSetEventBoostPriority (80, ... 02916 1744 NtProtectVirtualMemory ... (0x77c01000), 4096, 4, ) == 0x0 02918 1736 NtQueryInformationThread (604, Basic, 28, ... 02868 1304 NtWaitForSingleObject ... ) == 0x0 02917 540 NtSetEventBoostPriority ... ) == 0x0 02914 1980 NtSetEventBoostPriority ... ) == 0x0 02911 1480 NtSetEventBoostPriority ... ) == 0x0 02919 1604 NtWaitForSingleObject (80, 0, 0x0, ... 02918 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=1536,}, 0x0, ) == 0x0 02920 1304 NtSetEventBoostPriority (80, ... 02921 540 NtWaitForSingleObject (80, 0, 0x0, ... 02922 1980 NtWaitForSingleObject (80, 0, 0x0, ... 02923 1480 NtWaitForSingleObject (80, 0, 0x0, ... 02924 1744 NtFlushInstructionCache (-1, 2009075712, 304, ... 02871 1756 NtWaitForSingleObject ... ) == 0x0 02924 1744 NtFlushInstructionCache ... ) == 0x0 02925 1756 NtSetEventBoostPriority (80, ... 02926 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... }, ... 02873 860 NtWaitForSingleObject ... ) == 0x0 02925 1756 NtSetEventBoostPriority ... ) == 0x0 02927 860 NtAllocateVirtualMemory (-1, 4644864, 0, 4096, 4096, 4, ... 02926 1744 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02927 860 NtAllocateVirtualMemory ... 4644864, 4096, ) == 0x0 02928 1756 NtWaitForSingleObject (80, 0, 0x0, ... 02929 860 NtSetEventBoostPriority (80, ... 02930 1744 NtSetEventBoostPriority (32, ... 02920 1304 NtSetEventBoostPriority ... ) == 0x0 02931 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\0\6\0\0" ... ... 02875 712 NtWaitForSingleObject ... ) == 0x0 02899 1764 NtWaitForSingleObject ... ) == 0x0 02930 1744 NtSetEventBoostPriority ... ) == 0x0 02932 1304 NtWaitForSingleObject (80, 0, 0x0, ... 02931 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75562, 0} ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\0\6\0\0" ) ) == 0x0 02933 1764 NtSetEventBoostPriority (32, ... 02934 712 NtSetEventBoostPriority (80, ... 02929 860 NtSetEventBoostPriority ... ) == 0x0 02901 808 NtWaitForSingleObject ... ) == 0x0 02933 1764 NtSetEventBoostPriority ... ) == 0x0 02935 1736 NtResumeThread (604, ... 
02883 868 NtWaitForSingleObject ... ) == 0x0 02934 712 NtSetEventBoostPriority ... ) == 0x0 02936 1744 NtWaitForSingleObject (32, 0, 0x0, ... 02937 808 NtSetEventBoostPriority (32, ... 02938 860 NtWaitForSingleObject (80, 0, 0x0, ... 02939 868 NtSetEventBoostPriority (80, ... 02935 1736 NtResumeThread ... 1, ) == 0x0 02940 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02937 808 NtSetEventBoostPriority ... ) == 0x0 02936 1744 NtWaitForSingleObject ... ) == 0x0 02882 1248 NtWaitForSingleObject ... ) == 0x0 02939 868 NtSetEventBoostPriority ... ) == 0x0 02941 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02942 1764 NtTestAlert (... 02943 1536 NtWaitForSingleObject (32, 0, 0x0, ... 02940 712 NtDuplicateObject ... 676, ) == 0x0 02944 1248 NtSetEventBoostPriority (80, ... 02945 1744 NtSetEventBoostPriority (32, ... 02946 868 NtSetEventBoostPriority (440, ... 02947 808 NtWaitForSingleObject (80, 0, 0x0, ... 02942 1764 NtTestAlert ... ) == 0x0 02891 1156 NtWaitForSingleObject ... ) == 0x0 02948 712 NtWaitForSingleObject (80, 0, 0x0, ... 02943 1536 NtWaitForSingleObject ... ) == 0x0 02945 1744 NtSetEventBoostPriority ... ) == 0x0 02944 1248 NtSetEventBoostPriority ... ) == 0x0 02941 1736 NtAllocateVirtualMemory ... 133693440, 2097152, ) == 0x0 02949 1764 NtContinue (131595568, 1, ... 02950 1156 NtSetEventBoostPriority (80, ... 02951 1536 NtTestAlert (... 02952 1744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 02953 1248 NtWaitForSingleObject (80, 0, 0x0, ... 02954 1736 NtAllocateVirtualMemory (-1, 135782400, 0, 8192, 4096, 4, ... 02955 1764 NtRegisterThreadTerminatePort (24, ... 02951 1536 NtTestAlert ... ) == 0x0 02893 1972 NtWaitForSingleObject ... ) == 0x0 02950 1156 NtSetEventBoostPriority ... ) == 0x0 02898 1068 NtWaitForSingleObject ... ) == 0x0 02946 868 NtSetEventBoostPriority ... ) == 0x0 02954 1736 NtAllocateVirtualMemory ... 135782400, 8192, ) == 0x0 02955 1764 NtRegisterThreadTerminatePort ... 
) == 0x0 02952 1744 NtQueryInformationProcess ... {process info, class 12, size 4}, 0x0, ) == 0x0 02956 1972 NtSetEventBoostPriority (80, ... 02957 1536 NtContinue (133692720, 1, ... 02958 1068 NtWaitForSingleObject (80, 0, 0x0, ... 02959 868 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02960 1736 NtProtectVirtualMemory (-1, (0x817e000), 4096, 260, ... 02961 1764 NtWaitForSingleObject (80, 0, 0x0, ... 02902 1440 NtWaitForSingleObject ... ) == 0x0 02962 1744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 02963 1536 NtRegisterThreadTerminatePort (24, ... 02959 868 NtCreateEvent ... 588, ) == 0x0 02960 1736 NtProtectVirtualMemory ... (0x817e000), 4096, 4, ) == 0x0 02956 1972 NtSetEventBoostPriority ... ) == 0x0 02964 1156 NtWaitForSingleObject (80, 0, 0x0, ... 02965 1440 NtSetEventBoostPriority (80, ... 02962 1744 NtSetInformationProcess ... ) == 0x0 02963 1536 NtRegisterThreadTerminatePort ... ) == 0x0 02966 868 NtWaitForSingleObject (440, 0, 0x0, ... 02967 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02968 1972 NtWaitForSingleObject (80, 0, 0x0, ... 02906 460 NtWaitForSingleObject ... ) == 0x0 02969 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 8710664, ... }, 8710664, ... 02970 1536 NtWaitForSingleObject (80, 0, 0x0, ... 02965 1440 NtSetEventBoostPriority ... ) == 0x0 02971 460 NtSetEventBoostPriority (80, ... 02969 1744 NtQueryAttributesFile ... ) == 0x0 02972 1440 NtWaitForSingleObject (80, 0, 0x0, ... 02910 1784 NtWaitForSingleObject ... ) == 0x0 02971 460 NtSetEventBoostPriority ... ) == 0x0 02973 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... }, 5, 96, ... 02974 1784 NtSetEventBoostPriority (80, ... 02967 1736 NtCreateThread ... 684, {1636, 1936}, ) == 0x0 02975 460 NtWaitForSingleObject (440, 0, 0x0, ... 02919 1604 NtWaitForSingleObject ... 
) == 0x0 02974 1784 NtSetEventBoostPriority ... ) == 0x0 02976 1736 NtQueryInformationThread (684, Basic, 28, ... 02977 1604 NtSetEventBoostPriority (80, ... 02973 1744 NtOpenFile ... 688, {status=0x0, info=1}, ) == 0x0 02921 540 NtWaitForSingleObject ... ) == 0x0 02977 1604 NtSetEventBoostPriority ... ) == 0x0 02976 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1936,}, 0x0, ) == 0x0 02978 540 NtSetEventBoostPriority (80, ... 02979 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 688, ... 02980 1604 NtWaitForSingleObject (440, 0, 0x0, ... 02922 1980 NtWaitForSingleObject ... ) == 0x0 02978 540 NtSetEventBoostPriority ... ) == 0x0 02981 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\220\7\0\0" ... ... 02979 1744 NtCreateSection ... 692, ) == 0x0 02982 1784 NtWaitForSingleObject (440, 0, 0x0, ... 02983 1980 NtSetEventBoostPriority (80, ... 02981 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75563, 0} ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\220\7\0\0" ) ) == 0x0 02984 1744 NtClose (688, ... 02923 1480 NtWaitForSingleObject ... ) == 0x0 02983 1980 NtSetEventBoostPriority ... ) == 0x0 02985 540 NtWaitForSingleObject (80, 0, 0x0, ... 02986 1480 NtSetEventBoostPriority (80, ... 02984 1744 NtClose ... ) == 0x0 02987 1736 NtResumeThread (684, ... 02928 1756 NtWaitForSingleObject ... ) == 0x0 02986 1480 NtSetEventBoostPriority ... ) == 0x0 02988 1744 NtMapViewOfSection (692, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02989 1756 NtSetEventBoostPriority (80, ... 02987 1736 NtResumeThread ... 1, ) == 0x0 02990 1980 NtWaitForSingleObject (80, 0, 0x0, ... 02932 1304 NtWaitForSingleObject ... ) == 0x0 02988 1744 NtMapViewOfSection ... (0x8180000), 0x0, 180224, ) == 0x0 02991 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02992 1304 NtSetEventBoostPriority (80, ... 02993 1744 NtClose (692, ... 02991 1736 NtAllocateVirtualMemory ... 135987200, 2097152, ) == 0x0 02938 860 NtWaitForSingleObject ... ) == 0x0 02992 1304 NtSetEventBoostPriority ... ) == 0x0 02993 1744 NtClose ... ) == 0x0 02994 860 NtSetEventBoostPriority (80, ... 02995 1736 NtAllocateVirtualMemory (-1, 138076160, 0, 8192, 4096, 4, ... 02989 1756 NtSetEventBoostPriority ... ) == 0x0 02996 1480 NtWaitForSingleObject (80, 0, 0x0, ... 02997 1936 NtWaitForSingleObject (32, 0, 0x0, ... 02947 808 NtWaitForSingleObject ... ) == 0x0 02994 860 NtSetEventBoostPriority ... ) == 0x0 02998 1744 NtUnmapViewOfSection (-1, 0x8180000, ... 02995 1736 NtAllocateVirtualMemory ... 138076160, 8192, ) == 0x0 02999 1756 NtWaitForSingleObject (80, 0, 0x0, ... 03000 808 NtSetEventBoostPriority (80, ... 03001 860 NtWaitForSingleObject (80, 0, 0x0, ... 03002 1304 NtWaitForSingleObject (80, 0, 0x0, ... 02998 1744 NtUnmapViewOfSection ... ) == 0x0 02948 712 NtWaitForSingleObject ... ) == 0x0 03000 808 NtSetEventBoostPriority ... ) == 0x0 03003 1736 NtProtectVirtualMemory (-1, (0x83ae000), 4096, 260, ... 03004 712 NtSetEventBoostPriority (80, ... 03005 1744 NtSetEventBoostPriority (32, ... 03006 808 NtWaitForSingleObject (80, 0, 0x0, ... 02953 1248 NtWaitForSingleObject ... ) == 0x0 03004 712 NtSetEventBoostPriority ... ) == 0x0 03003 1736 NtProtectVirtualMemory ... (0x83ae000), 4096, 4, ) == 0x0 02997 1936 NtWaitForSingleObject ... ) == 0x0 03005 1744 NtSetEventBoostPriority ... ) == 0x0 03007 1248 NtSetEventBoostPriority (80, ... 03008 1936 NtTestAlert (... 03009 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 02958 1068 NtWaitForSingleObject ... ) == 0x0 03008 1936 NtTestAlert ... ) == 0x0 03007 1248 NtSetEventBoostPriority ... ) == 0x0 03010 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 8710260, ... }, 8710260, ... 03011 1068 NtSetEventBoostPriority (80, ... 
03009 1736 NtCreateThread ... 692, {1636, 1896}, ) == 0x0 03012 712 NtWaitForSingleObject (80, 0, 0x0, ... 03013 1936 NtContinue (135789872, 1, ... 02964 1156 NtWaitForSingleObject ... ) == 0x0 03010 1744 NtQueryAttributesFile ... ) == 0x0 03014 1736 NtQueryInformationThread (692, Basic, 28, ... 03015 1936 NtRegisterThreadTerminatePort (24, ... 03016 1156 NtSetEventBoostPriority (80, ... 03017 1744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8711004, (0x80100080, {24, 0, 0x40, 0, 8711004, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... }, 0x0, 0, 5, 1, 96, 0, 0, ... 03014 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=1896,}, 0x0, ) == 0x0 03015 1936 NtRegisterThreadTerminatePort ... ) == 0x0 02961 1764 NtWaitForSingleObject ... ) == 0x0 03016 1156 NtSetEventBoostPriority ... ) == 0x0 03011 1068 NtSetEventBoostPriority ... ) == 0x0 03018 1248 NtWaitForSingleObject (80, 0, 0x0, ... 03017 1744 NtCreateFile ... 688, {status=0x0, info=1}, ) == 0x0 03019 1764 NtSetEventBoostPriority (80, ... 03020 1936 NtWaitForSingleObject (80, 0, 0x0, ... 03021 1156 NtWaitForSingleObject (80, 0, 0x0, ... 03022 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0h\7\0\0" ... ... 02968 1972 NtWaitForSingleObject ... ) == 0x0 03023 1744 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 688, ... 03019 1764 NtSetEventBoostPriority ... ) == 0x0 03024 1068 NtSetEventBoostPriority (440, ... 03022 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75564, 0} ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0h\7\0\0" ) ) == 0x0 03025 1972 NtSetEventBoostPriority (80, ... 03023 1744 NtCreateSection ... 696, ) == 0x0 03026 1764 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02966 868 NtWaitForSingleObject ... ) == 0x0 03024 1068 NtSetEventBoostPriority ... 
) == 0x0 03027 1736 NtResumeThread (692, ... 02970 1536 NtWaitForSingleObject ... ) == 0x0 03025 1972 NtSetEventBoostPriority ... ) == 0x0 03028 1744 NtClose (688, ... 03029 868 NtWaitForSingleObject (80, 0, 0x0, ... 03026 1764 NtDuplicateObject ... 700, ) == 0x0 03030 1068 NtWaitForSingleObject (76, 0, {0, 0}, ... 03031 1536 NtSetEventBoostPriority (80, ... 03027 1736 NtResumeThread ... 1, ) == 0x0 03028 1744 NtClose ... ) == 0x0 03032 1972 NtWaitForSingleObject (80, 0, 0x0, ... 03033 1896 NtTestAlert (... 02972 1440 NtWaitForSingleObject ... ) == 0x0 03031 1536 NtSetEventBoostPriority ... ) == 0x0 03030 1068 NtWaitForSingleObject ... ) == 0x102 03034 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03035 1744 NtMapViewOfSection (696, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 03036 1440 NtSetEventBoostPriority (80, ... 03033 1896 NtTestAlert ... ) == 0x0 03037 1764 NtWaitForSingleObject (80, 0, 0x0, ... 03038 1068 NtWaitForSingleObject (192, 0, 0x0, ... 03039 1536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03034 1736 NtAllocateVirtualMemory ... 138084352, 2097152, ) == 0x0 02985 540 NtWaitForSingleObject ... ) == 0x0 03036 1440 NtSetEventBoostPriority ... ) == 0x0 03040 1896 NtContinue (138083632, 1, ... 03035 1744 NtMapViewOfSection ... (0x8180000), {0, 0}, 180224, ) == 0x0 03039 1536 NtDuplicateObject ... 688, ) == 0x0 03041 540 NtSetEventBoostPriority (80, ... 03042 1736 NtAllocateVirtualMemory (-1, 140173312, 0, 8192, 4096, 4, ... 03043 1896 NtRegisterThreadTerminatePort (24, ... 03044 1744 NtClose (696, ... 02990 1980 NtWaitForSingleObject ... ) == 0x0 03041 540 NtSetEventBoostPriority ... ) == 0x0 03045 1536 NtWaitForSingleObject (80, 0, 0x0, ... 03042 1736 NtAllocateVirtualMemory ... 140173312, 8192, ) == 0x0 03043 1896 NtRegisterThreadTerminatePort ... ) == 0x0 03046 1980 NtSetEventBoostPriority (80, ... 03044 1744 NtClose ... ) == 0x0 03047 540 NtWaitForSingleObject (440, 0, 0x0, ... 
03048 1736 NtProtectVirtualMemory (-1, (0x85ae000), 4096, 260, ... 03049 1440 NtWaitForSingleObject (440, 0, 0x0, ... 02996 1480 NtWaitForSingleObject ... ) == 0x0 03046 1980 NtSetEventBoostPriority ... ) == 0x0 03050 1744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 03051 1896 NtWaitForSingleObject (80, 0, 0x0, ... 03048 1736 NtProtectVirtualMemory ... (0x85ae000), 4096, 4, ) == 0x0 03052 1480 NtSetEventBoostPriority (80, ... 03053 1980 NtWaitForSingleObject (440, 0, 0x0, ... 03050 1744 NtQueryInformationProcess ... {process info, class 12, size 4}, 0x0, ) == 0x0 02999 1756 NtWaitForSingleObject ... ) == 0x0 03052 1480 NtSetEventBoostPriority ... ) == 0x0 03054 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03055 1756 NtSetEventBoostPriority (80, ... 03056 1744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 03057 1480 NtWaitForSingleObject (440, 0, 0x0, ... 03002 1304 NtWaitForSingleObject ... ) == 0x0 03055 1756 NtSetEventBoostPriority ... ) == 0x0 03054 1736 NtCreateThread ... 696, {1636, 388}, ) == 0x0 03056 1744 NtSetInformationProcess ... ) == 0x0 03058 1304 NtSetEventBoostPriority (80, ... 03059 1736 NtQueryInformationThread (696, Basic, 28, ... 03001 860 NtWaitForSingleObject ... ) == 0x0 03058 1304 NtSetEventBoostPriority ... ) == 0x0 03060 1744 NtQueryDefaultLocale (1, 8711624, ... 03061 860 NtSetEventBoostPriority (80, ... 03059 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=388,}, 0x0, ) == 0x0 03062 1304 NtWaitForSingleObject (440, 0, 0x0, ... 03006 808 NtWaitForSingleObject ... ) == 0x0 03060 1744 NtQueryDefaultLocale ... ) == 0x0 03063 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\204\1\0\0" ... ... 03061 860 NtSetEventBoostPriority ... ) == 0x0 03064 1756 NtWaitForSingleObject (80, 0, 0x0, ... 
03065 808 NtSetEventBoostPriority (80, ... 03066 1744 NtQueryVirtualMemory (-1, 0x8180000, Basic, 28, ... 03063 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75565, 0} ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\204\1\0\0" ) ) == 0x0 03067 860 NtWaitForSingleObject (440, 0, 0x0, ... 03012 712 NtWaitForSingleObject ... ) == 0x0 03066 1744 NtQueryVirtualMemory ... {BaseAddress=0x8180000,AllocationBase=0x8180000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 03065 808 NtSetEventBoostPriority ... ) == 0x0 03068 712 NtSetEventBoostPriority (80, ... 03069 1744 NtQueryVirtualMemory (-1, 0x8180000, Basic, 28, ... 03070 808 NtWaitForSingleObject (80, 0, 0x0, ... 03018 1248 NtWaitForSingleObject ... ) == 0x0 03068 712 NtSetEventBoostPriority ... ) == 0x0 03071 1736 NtResumeThread (696, ... 03072 1248 NtSetEventBoostPriority (80, ... 03073 712 NtWaitForSingleObject (440, 0, 0x0, ... 03020 1936 NtWaitForSingleObject ... ) == 0x0 03072 1248 NtSetEventBoostPriority ... ) == 0x0 03071 1736 NtResumeThread ... 1, ) == 0x0 03069 1744 NtQueryVirtualMemory ... {BaseAddress=0x8180000,AllocationBase=0x8180000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 03074 1936 NtSetEventBoostPriority (80, ... 03075 1248 NtWaitForSingleObject (80, 0, 0x0, ... 03076 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03021 1156 NtWaitForSingleObject ... ) == 0x0 03074 1936 NtSetEventBoostPriority ... ) == 0x0 03077 1744 NtUnmapViewOfSection (-1, 0x8180000, ... 03078 388 NtTestAlert (... 03079 1156 NtSetEventBoostPriority (80, ... 03076 1736 NtAllocateVirtualMemory ... 140181504, 2097152, ) == 0x0 03077 1744 NtUnmapViewOfSection ... ) == 0x0 03029 868 NtWaitForSingleObject ... ) == 0x0 03078 388 NtTestAlert ... ) == 0x0 03080 1736 NtAllocateVirtualMemory (-1, 142270464, 0, 8192, 4096, 4, ... 
03081 868 NtSetEventBoostPriority (80, ... 03082 1744 NtWaitForSingleObject (80, 0, 0x0, ... 03083 388 NtContinue (140180784, 1, ... 03032 1972 NtWaitForSingleObject ... ) == 0x0 03081 868 NtSetEventBoostPriority ... ) == 0x0 03080 1736 NtAllocateVirtualMemory ... 142270464, 8192, ) == 0x0 03084 1972 NtSetEventBoostPriority (80, ... 03085 388 NtRegisterThreadTerminatePort (24, ... 03079 1156 NtSetEventBoostPriority ... ) == 0x0 03086 1936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03087 868 NtSetEventBoostPriority (440, ... 03037 1764 NtWaitForSingleObject ... ) == 0x0 03084 1972 NtSetEventBoostPriority ... ) == 0x0 03085 388 NtRegisterThreadTerminatePort ... ) == 0x0 03088 1156 NtWaitForSingleObject (80, 0, 0x0, ... 03086 1936 NtDuplicateObject ... 704, ) == 0x0 03089 1764 NtSetEventBoostPriority (80, ... 02975 460 NtWaitForSingleObject ... ) == 0x0 03087 868 NtSetEventBoostPriority ... ) == 0x0 03090 1972 NtWaitForSingleObject (80, 0, 0x0, ... 03091 1736 NtProtectVirtualMemory (-1, (0x87ae000), 4096, 260, ... 03045 1536 NtWaitForSingleObject ... ) == 0x0 03092 460 NtWaitForSingleObject (80, 0, 0x0, ... 03089 1764 NtSetEventBoostPriority ... ) == 0x0 03093 1936 NtWaitForSingleObject (80, 0, 0x0, ... 03094 868 NtWaitForSingleObject (80, 0, 0x0, ... 03095 388 NtWaitForSingleObject (80, 0, 0x0, ... 03096 1536 NtSetEventBoostPriority (80, ... 03091 1736 NtProtectVirtualMemory ... (0x87ae000), 4096, 4, ) == 0x0 03097 1764 NtWaitForSingleObject (440, 0, 0x0, ... 03051 1896 NtWaitForSingleObject ... ) == 0x0 03096 1536 NtSetEventBoostPriority ... ) == 0x0 03098 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03099 1896 NtSetEventBoostPriority (80, ... 03064 1756 NtWaitForSingleObject ... ) == 0x0 03100 1756 NtSetEventBoostPriority (80, ... 03070 808 NtWaitForSingleObject ... ) == 0x0 03101 808 NtSetEventBoostPriority (80, ... 03075 1248 NtWaitForSingleObject ... ) == 0x0 03102 1248 NtSetEventBoostPriority (80, ... 03082 1744 NtWaitForSingleObject ... 
) == 0x0 03103 1744 NtAllocateVirtualMemory (-1, 4648960, 0, 4096, 4096, 4, ... 4648960, 4096, ) == 0x0 03101 808 NtSetEventBoostPriority ... ) == 0x0 03100 1756 NtSetEventBoostPriority ... ) == 0x0 03099 1896 NtSetEventBoostPriority ... ) == 0x0 03098 1736 NtCreateThread ... 708, {1636, 1864}, ) == 0x0 03102 1248 NtSetEventBoostPriority ... ) == 0x0 03104 1536 NtWaitForSingleObject (80, 0, 0x0, ... 03105 1744 NtSetEventBoostPriority (80, ... 03106 1756 NtWaitForSingleObject (80, 0, 0x0, ... 03107 1896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03108 1736 NtQueryInformationThread (708, Basic, 28, ... 03109 1248 NtWaitForSingleObject (80, 0, 0x0, ... 03088 1156 NtWaitForSingleObject ... ) == 0x0 03105 1744 NtSetEventBoostPriority ... ) == 0x0 03110 808 NtWaitForSingleObject (440, 0, 0x0, ... 03108 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=1864,}, 0x0, ) == 0x0 03111 1156 NtSetEventBoostPriority (80, ... 03112 1744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 03107 1896 NtDuplicateObject ... 712, ) == 0x0 03092 460 NtWaitForSingleObject ... ) == 0x0 03111 1156 NtSetEventBoostPriority ... ) == 0x0 03112 1744 NtQueryInformationProcess ... {process info, class 12, size 4}, 0x0, ) == 0x0 03113 460 NtSetEventBoostPriority (80, ... 03114 1896 NtWaitForSingleObject (80, 0, 0x0, ... 03115 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0H\7\0\0" ... ... 03093 1936 NtWaitForSingleObject ... ) == 0x0 03113 460 NtSetEventBoostPriority ... ) == 0x0 03116 1744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 03117 1936 NtSetEventBoostPriority (80, ... 03115 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75566, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0H\7\0\0" ) ) == 0x0 03118 1156 NtWaitForSingleObject (80, 0, 0x0, ... 03094 868 NtWaitForSingleObject ... ) == 0x0 03117 1936 NtSetEventBoostPriority ... ) == 0x0 03116 1744 NtSetInformationProcess ... ) == 0x0 03119 1736 NtResumeThread (708, ... 03120 868 NtSetEventBoostPriority (80, ... 03121 460 NtSetEventBoostPriority (440, ... 03122 1936 NtWaitForSingleObject (80, 0, 0x0, ... 03095 388 NtWaitForSingleObject ... ) == 0x0 03120 868 NtSetEventBoostPriority ... ) == 0x0 03119 1736 NtResumeThread ... 1, ) == 0x0 02980 1604 NtWaitForSingleObject ... ) == 0x0 03121 460 NtSetEventBoostPriority ... ) == 0x0 03123 388 NtSetEventBoostPriority (80, ... 03124 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 8710656, ... }, 8710656, ... 03125 1864 NtWaitForSingleObject (32, 0, 0x0, ... 03126 1604 NtWaitForSingleObject (80, 0, 0x0, ... 03127 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03090 1972 NtWaitForSingleObject ... ) == 0x0 03123 388 NtSetEventBoostPriority ... ) == 0x0 03128 460 NtWaitForSingleObject (76, 0, {0, 0}, ... 03124 1744 NtQueryAttributesFile ... ) == 0x0 03129 868 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 18346616, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 18346616, 188, ... 03130 1972 NtSetEventBoostPriority (80, ... 03131 388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03128 460 NtWaitForSingleObject ... ) == 0x102 03132 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... }, 5, 96, ... 03104 1536 NtWaitForSingleObject ... ) == 0x0 03130 1972 NtSetEventBoostPriority ... ) == 0x0 03127 1736 NtAllocateVirtualMemory ... 142278656, 2097152, ) == 0x0 03133 460 NtWaitForSingleObject (80, 0, 0x0, ... 03132 1744 NtOpenFile ... 
716, {status=0x0, info=1}, ) == 0x0 03134 1536 NtSetEventBoostPriority (80, ... 03135 1972 NtWaitForSingleObject (80, 0, 0x0, ... 03136 1736 NtAllocateVirtualMemory (-1, 144367616, 0, 8192, 4096, 4, ... 03131 388 NtDuplicateObject ... 720, ) == 0x0 03129 868 NtConnectPort ... 724, 0x0, 0x0, 0x0, 188, ) == 0x0 03137 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 716, ... 03106 1756 NtWaitForSingleObject ... ) == 0x0 03134 1536 NtSetEventBoostPriority ... ) == 0x0 03136 1736 NtAllocateVirtualMemory ... 144367616, 8192, ) == 0x0 03138 388 NtWaitForSingleObject (80, 0, 0x0, ... 03139 868 NtRequestWaitReplyPort (724, {200, 224, new_msg, 0, 2883626, 4642560, 12, 2} (724, {200, 224, new_msg, 0, 2883626, 4642560, 12, 2} "\0\1E\0X\326F\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\3\0\4\0\0\0X\367F\0\0\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\210\331F\0\255^\354r\270\341F\0\\1E\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0X\331F\0\230\346F\0\260\1E\0\260\341F\0h\1E\0\0\0\0\0\0\0\0\0\260\341F\0P\0\0\0\270\341F\0\354\363\27\1x\1E\0P\0\0\0\200\300\0\0\0\0E\0\370\360\27\1\372\31\221|\214\370\27\1\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 03140 1756 NtSetEventBoostPriority (80, ... 03137 1744 NtCreateSection ... 728, ) == 0x0 03141 1536 NtWaitForSingleObject (440, 0, 0x0, ... 03142 1736 NtProtectVirtualMemory (-1, (0x89ae000), 4096, 260, ... 03109 1248 NtWaitForSingleObject ... ) == 0x0 03139 868 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 868, 75568, 0} ... 
{200, 224, reply, 0, 1636, 868, 75568, 0} "\7\1E\0X\326F\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0X\367F\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\210\331F\0\255^\354r\270\341F\0\\1E\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0X\331F\0\230\346F\0\260\1E\0\260\341F\0h\1E\0\0\0\0\0\0\0\0\0\260\341F\0P\0\0\0\270\341F\0\354\363\27\1x\1E\0P\0\0\0\200\300\0\0\0\0E\0\370\360\27\1\372\31\221|\214\370\27\1\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 03140 1756 NtSetEventBoostPriority ... ) == 0x0 03143 1744 NtClose (716, ... 03142 1736 NtProtectVirtualMemory ... (0x89ae000), 4096, 4, ) == 0x0 03144 1248 NtSetEventBoostPriority (80, ... 03145 1756 NtWaitForSingleObject (440, 0, 0x0, ... 03143 1744 NtClose ... ) == 0x0 03146 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03114 1896 NtWaitForSingleObject ... ) == 0x0 03144 1248 NtSetEventBoostPriority ... ) == 0x0 03147 1744 NtMapViewOfSection (728, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 03148 868 NtWaitForSingleObject (80, 0, 0x0, ... 03149 1896 NtSetEventBoostPriority (80, ... 03146 1736 NtCreateThread ... 716, {1636, 1524}, ) == 0x0 03147 1744 NtMapViewOfSection ... (0x8180000), 0x0, 180224, ) == 0x0 03118 1156 NtWaitForSingleObject ... ) == 0x0 03149 1896 NtSetEventBoostPriority ... ) == 0x0 03150 1736 NtQueryInformationThread (716, Basic, 28, ... 03151 1156 NtSetEventBoostPriority (80, ... 03152 1744 NtClose (728, ... 03153 1248 NtWaitForSingleObject (440, 0, 0x0, ... 03122 1936 NtWaitForSingleObject ... ) == 0x0 03151 1156 NtSetEventBoostPriority ... ) == 0x0 03150 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=1524,}, 0x0, ) == 0x0 03152 1744 NtClose ... ) == 0x0 03154 1936 NtSetEventBoostPriority (80, ... 03155 1156 NtWaitForSingleObject (80, 0, 0x0, ... 
03156 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\364\5\0\0" ... ... 03157 1896 NtWaitForSingleObject (80, 0, 0x0, ... 03126 1604 NtWaitForSingleObject ... ) == 0x0 03154 1936 NtSetEventBoostPriority ... ) == 0x0 03158 1744 NtUnmapViewOfSection (-1, 0x8180000, ... 03156 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75569, 0} ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\364\5\0\0" ) ) == 0x0 03159 1604 NtSetEventBoostPriority (80, ... 03160 1936 NtWaitForSingleObject (80, 0, 0x0, ... 03158 1744 NtUnmapViewOfSection ... ) == 0x0 03135 1972 NtWaitForSingleObject ... ) == 0x0 03159 1604 NtSetEventBoostPriority ... ) == 0x0 03161 1736 NtResumeThread (716, ... 03162 1744 NtSetEventBoostPriority (32, ... 03163 1972 NtSetEventBoostPriority (80, ... 03161 1736 NtResumeThread ... 1, ) == 0x0 03125 1864 NtWaitForSingleObject ... ) == 0x0 03162 1744 NtSetEventBoostPriority ... ) == 0x0 03138 388 NtWaitForSingleObject ... ) == 0x0 03163 1972 NtSetEventBoostPriority ... ) == 0x0 03164 1864 NtAllocateVirtualMemory (-1, 13201408, 0, 4096, 4096, 4, ... 03165 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03166 388 NtSetEventBoostPriority (80, ... 03167 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 8710252, ... }, 8710252, ... 03168 1604 NtSetEventBoostPriority (440, ... 03169 1524 NtWaitForSingleObject (32, 0, 0x0, ... 03164 1864 NtAllocateVirtualMemory ... 13201408, 4096, ) == 0x0 03133 460 NtWaitForSingleObject ... ) == 0x0 03166 388 NtSetEventBoostPriority ... ) == 0x0 03165 1736 NtAllocateVirtualMemory ... 144375808, 2097152, ) == 0x0 03167 1744 NtQueryAttributesFile ... ) == 0x0 02982 1784 NtWaitForSingleObject ... ) == 0x0 03168 1604 NtSetEventBoostPriority ... 
) == 0x0 03170 1972 NtWaitForSingleObject (80, 0, 0x0, ... 03171 460 NtSetEventBoostPriority (80, ... 03172 1864 NtSetEventBoostPriority (32, ... 03173 1736 NtAllocateVirtualMemory (-1, 146464768, 0, 8192, 4096, 4, ... 03174 388 NtWaitForSingleObject (80, 0, 0x0, ... 03175 1784 NtWaitForSingleObject (80, 0, 0x0, ... 03176 1604 NtWaitForSingleObject (76, 0, {0, 0}, ... 03148 868 NtWaitForSingleObject ... ) == 0x0 03169 1524 NtWaitForSingleObject ... ) == 0x0 03172 1864 NtSetEventBoostPriority ... ) == 0x0 03173 1736 NtAllocateVirtualMemory ... 146464768, 8192, ) == 0x0 03176 1604 NtWaitForSingleObject ... ) == 0x102 03177 1524 NtTestAlert (... 03178 868 NtSetEventBoostPriority (80, ... 03179 1864 NtTestAlert (... 03171 460 NtSetEventBoostPriority ... ) == 0x0 03180 1744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8710996, (0x80100080, {24, 0, 0x40, 0, 8710996, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... }, 0x0, 0, 5, 1, 96, 0, 0, ... 03177 1524 NtTestAlert ... ) == 0x0 03181 1604 NtWaitForSingleObject (192, 0, 0x0, ... 03157 1896 NtWaitForSingleObject ... ) == 0x0 03178 868 NtSetEventBoostPriority ... ) == 0x0 03179 1864 NtTestAlert ... ) == 0x0 03182 460 NtWaitForSingleObject (192, 0, 0x0, ... 03180 1744 NtCreateFile ... 728, {status=0x0, info=1}, ) == 0x0 03183 1736 NtProtectVirtualMemory (-1, (0x8bae000), 4096, 260, ... 03184 1524 NtContinue (144375088, 1, ... 03185 1896 NtSetEventBoostPriority (80, ... 03186 868 NtWaitForSingleObject (80, 0, 0x0, ... 03187 1864 NtContinue (142277936, 1, ... 03188 1744 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 728, ... 03183 1736 NtProtectVirtualMemory ... (0x8bae000), 4096, 4, ) == 0x0 03155 1156 NtWaitForSingleObject ... ) == 0x0 03185 1896 NtSetEventBoostPriority ... ) == 0x0 03189 1524 NtRegisterThreadTerminatePort (24, ... 03190 1864 NtRegisterThreadTerminatePort (24, ... 03188 1744 NtCreateSection ... 732, ) == 0x0 03191 1156 NtSetEventBoostPriority (80, ... 
03192 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03193 1896 NtWaitForSingleObject (440, 0, 0x0, ... 03189 1524 NtRegisterThreadTerminatePort ... ) == 0x0 03160 1936 NtWaitForSingleObject ... ) == 0x0 03194 1744 NtClose (728, ... 03192 1736 NtCreateThread ... 736, {1636, 308}, ) == 0x0 03191 1156 NtSetEventBoostPriority ... ) == 0x0 03190 1864 NtRegisterThreadTerminatePort ... ) == 0x0 03195 1524 NtWaitForSingleObject (80, 0, 0x0, ... 03196 1936 NtSetEventBoostPriority (80, ... 03194 1744 NtClose ... ) == 0x0 03197 1736 NtQueryInformationThread (736, Basic, 28, ... 03198 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03199 1864 NtWaitForSingleObject (80, 0, 0x0, ... 03170 1972 NtWaitForSingleObject ... ) == 0x0 03196 1936 NtSetEventBoostPriority ... ) == 0x0 03197 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=308,}, 0x0, ) == 0x0 03200 1972 NtSetEventBoostPriority (80, ... 03201 1936 NtWaitForSingleObject (440, 0, 0x0, ... 03202 1744 NtMapViewOfSection (732, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 03175 1784 NtWaitForSingleObject ... ) == 0x0 03200 1972 NtSetEventBoostPriority ... ) == 0x0 03203 1784 NtSetEventBoostPriority (80, ... 03202 1744 NtMapViewOfSection ... (0x8180000), {0, 0}, 180224, ) == 0x0 03174 388 NtWaitForSingleObject ... ) == 0x0 03203 1784 NtSetEventBoostPriority ... ) == 0x0 03204 1972 NtWaitForSingleObject (440, 0, 0x0, ... 03205 388 NtSetEventBoostPriority (80, ... 03206 1744 NtClose (732, ... 03207 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\04\1\0\0" ... ... 03208 1784 NtSetEventBoostPriority (440, ... 03186 868 NtWaitForSingleObject ... ) == 0x0 03205 388 NtSetEventBoostPriority ... ) == 0x0 03206 1744 NtClose ... ) == 0x0 03207 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75570, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\04\1\0\0" ) ) == 0x0 03209 868 NtSetEventBoostPriority (80, ... 03049 1440 NtWaitForSingleObject ... ) == 0x0 03208 1784 NtSetEventBoostPriority ... ) == 0x0 03210 388 NtWaitForSingleObject (80, 0, 0x0, ... 03211 1744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 03195 1524 NtWaitForSingleObject ... ) == 0x0 03212 1440 NtWaitForSingleObject (80, 0, 0x0, ... 03213 1736 NtResumeThread (736, ... 03214 1784 NtWaitForSingleObject (76, 0, {0, 0}, ... 03209 868 NtSetEventBoostPriority ... ) == 0x0 03211 1744 NtQueryInformationProcess ... {process info, class 12, size 4}, 0x0, ) == 0x0 03215 1524 NtSetEventBoostPriority (80, ... 03213 1736 NtResumeThread ... 1, ) == 0x0 03214 1784 NtWaitForSingleObject ... ) == 0x102 03216 868 NtWaitForSingleObject (80, 0, 0x0, ... 03217 308 NtTestAlert (... 03199 1864 NtWaitForSingleObject ... ) == 0x0 03215 1524 NtSetEventBoostPriority ... ) == 0x0 03218 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03219 1784 NtWaitForSingleObject (192, 0, 0x0, ... 03220 1864 NtSetEventBoostPriority (80, ... 03217 308 NtTestAlert ... ) == 0x0 03221 1744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 03222 1524 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03218 1736 NtAllocateVirtualMemory ... 146472960, 2097152, ) == 0x0 03212 1440 NtWaitForSingleObject ... ) == 0x0 03220 1864 NtSetEventBoostPriority ... ) == 0x0 03223 308 NtContinue (146472240, 1, ... 03221 1744 NtSetInformationProcess ... ) == 0x0 03222 1524 NtDuplicateObject ... 732, ) == 0x0 03224 1440 NtSetEventBoostPriority (80, ... 03225 1736 NtAllocateVirtualMemory (-1, 148561920, 0, 8192, 4096, 4, ... 03226 308 NtRegisterThreadTerminatePort (24, ... 03227 1744 NtQueryDefaultLocale (1, 8711616, ... 03210 388 NtWaitForSingleObject ... ) == 0x0 03224 1440 NtSetEventBoostPriority ... 
) == 0x0 03228 1524 NtWaitForSingleObject (80, 0, 0x0, ... 03225 1736 NtAllocateVirtualMemory ... 148561920, 8192, ) == 0x0 03226 308 NtRegisterThreadTerminatePort ... ) == 0x0 03229 388 NtSetEventBoostPriority (80, ... 03227 1744 NtQueryDefaultLocale ... ) == 0x0 03230 1864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03231 1736 NtProtectVirtualMemory (-1, (0x8dae000), 4096, 260, ... 03232 1440 NtSetEventBoostPriority (440, ... 03216 868 NtWaitForSingleObject ... ) == 0x0 03233 1744 NtQueryVirtualMemory (-1, 0x8180000, Basic, 28, ... 03230 1864 NtDuplicateObject ... 728, ) == 0x0 03231 1736 NtProtectVirtualMemory ... (0x8dae000), 4096, 4, ) == 0x0 03047 540 NtWaitForSingleObject ... ) == 0x0 03232 1440 NtSetEventBoostPriority ... ) == 0x0 03234 868 NtSetEventBoostPriority (80, ... 03233 1744 NtQueryVirtualMemory ... {BaseAddress=0x8180000,AllocationBase=0x8180000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 03235 1864 NtWaitForSingleObject (80, 0, 0x0, ... 03236 540 NtWaitForSingleObject (80, 0, 0x0, ... 03237 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03238 1440 NtWaitForSingleObject (76, 0, {0, 0}, ... 03228 1524 NtWaitForSingleObject ... ) == 0x0 03234 868 NtSetEventBoostPriority ... ) == 0x0 03229 388 NtSetEventBoostPriority ... ) == 0x0 03239 308 NtWaitForSingleObject (80, 0, 0x0, ... 03240 1744 NtUnmapViewOfSection (-1, 0x8180000, ... 03241 1524 NtSetEventBoostPriority (80, ... 03238 1440 NtWaitForSingleObject ... ) == 0x102 03237 1736 NtCreateThread ... 740, {1636, 276}, ) == 0x0 03242 388 NtWaitForSingleObject (440, 0, 0x0, ... 03236 540 NtWaitForSingleObject ... ) == 0x0 03241 1524 NtSetEventBoostPriority ... ) == 0x0 03240 1744 NtUnmapViewOfSection ... ) == 0x0 03243 1440 NtWaitForSingleObject (80, 0, 0x0, ... 03244 1736 NtQueryInformationThread (740, Basic, 28, ... 03245 540 NtSetEventBoostPriority (80, ... 
03246 868 NtRequestWaitReplyPort (724, {44, 68, new_msg, 56, 0, 0, 0, 0} (724, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\250\371F\0\322\0\0\0" ... ... 03247 1744 NtWaitForSingleObject (80, 0, 0x0, ... 03248 1524 NtWaitForSingleObject (80, 0, 0x0, ... 03235 1864 NtWaitForSingleObject ... ) == 0x0 03244 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=276,}, 0x0, ) == 0x0 03246 868 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 868, 75571, 0} ... {40, 64, reply, 0, 1636, 868, 75571, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 03249 1864 NtSetEventBoostPriority (80, ... 03250 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\24\1\0\0" ... ... 03251 868 NtWaitForSingleObject (80, 0, 0x0, ... 03239 308 NtWaitForSingleObject ... ) == 0x0 03249 1864 NtSetEventBoostPriority ... ) == 0x0 03250 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75572, 0} ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\24\1\0\0" ) ) == 0x0 03252 308 NtSetEventBoostPriority (80, ... 03245 540 NtSetEventBoostPriority ... ) == 0x0 03253 1864 NtWaitForSingleObject (80, 0, 0x0, ... 03247 1744 NtWaitForSingleObject ... ) == 0x0 03252 308 NtSetEventBoostPriority ... ) == 0x0 03254 1736 NtResumeThread (740, ... 03255 1744 NtSetEventBoostPriority (80, ... 03256 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03248 1524 NtWaitForSingleObject ... ) == 0x0 03255 1744 NtSetEventBoostPriority ... ) == 0x0 03254 1736 NtResumeThread ... 1, ) == 0x0 03257 540 NtSetEventBoostPriority (440, ... 03258 1524 NtSetEventBoostPriority (80, ... 03256 308 NtDuplicateObject ... 744, ) == 0x0 03259 276 NtTestAlert (... 
03260 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03251 868 NtWaitForSingleObject ... ) == 0x0 03258 1524 NtSetEventBoostPriority ... ) == 0x0 03053 1980 NtWaitForSingleObject ... ) == 0x0 03257 540 NtSetEventBoostPriority ... ) == 0x0 03261 308 NtWaitForSingleObject (80, 0, 0x0, ... 03259 276 NtTestAlert ... ) == 0x0 03262 868 NtSetEventBoostPriority (80, ... 03260 1736 NtAllocateVirtualMemory ... 148570112, 2097152, ) == 0x0 03263 1980 NtWaitForSingleObject (80, 0, 0x0, ... 03264 1524 NtWaitForSingleObject (440, 0, 0x0, ... 03265 540 NtWaitForSingleObject (76, 0, {0, 0}, ... 03243 1440 NtWaitForSingleObject ... ) == 0x0 03262 868 NtSetEventBoostPriority ... ) == 0x0 03266 276 NtContinue (148569392, 1, ... 03267 1736 NtAllocateVirtualMemory (-1, 150659072, 0, 8192, 4096, 4, ... 03268 1744 NtWaitForSingleObject (80, 0, 0x0, ... 03269 1440 NtSetEventBoostPriority (80, ... 03265 540 NtWaitForSingleObject ... ) == 0x102 03270 276 NtRegisterThreadTerminatePort (24, ... 03267 1736 NtAllocateVirtualMemory ... 150659072, 8192, ) == 0x0 03253 1864 NtWaitForSingleObject ... ) == 0x0 03271 540 NtWaitForSingleObject (80, 0, 0x0, ... 03270 276 NtRegisterThreadTerminatePort ... ) == 0x0 03269 1440 NtSetEventBoostPriority ... ) == 0x0 03272 868 NtRequestWaitReplyPort (724, {64, 88, new_msg, 56, 4521984, 18346484, 4651424, 0} (724, {64, 88, new_msg, 56, 4521984, 18346484, 4651424, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\27\1\351\201\347w\214\370\27\1\30\356\220|p\5\221|\1\0\0\0\10\375F\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 03273 1864 NtSetEventBoostPriority (80, ... 03274 1736 NtProtectVirtualMemory (-1, (0x8fae000), 4096, 260, ... 03275 1440 NtWaitForSingleObject (192, 0, 0x0, ... 03261 308 NtWaitForSingleObject ... ) == 0x0 03273 1864 NtSetEventBoostPriority ... ) == 0x0 03274 1736 NtProtectVirtualMemory ... (0x8fae000), 4096, 4, ) == 0x0 03272 868 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 868, 75573, 0} ... 
{64, 88, reply, 56, 1636, 868, 75573, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\27\1\351\201\347w\214\370\27\1\30\356\220|p\5\221|\1\0\0\0\10\375F\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 03276 308 NtSetEventBoostPriority (80, ... 03277 1864 NtWaitForSingleObject (440, 0, 0x0, ... 03278 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03263 1980 NtWaitForSingleObject ... ) == 0x0 03276 308 NtSetEventBoostPriority ... ) == 0x0 03279 868 NtWaitForSingleObject (80, 0, 0x0, ... 03280 276 NtWaitForSingleObject (80, 0, 0x0, ... 03281 1980 NtAllocateVirtualMemory (-1, 4653056, 0, 4096, 4096, 4, ... 03278 1736 NtCreateThread ... 748, {1636, 1496}, ) == 0x0 03281 1980 NtAllocateVirtualMemory ... 4653056, 4096, ) == 0x0 03282 1736 NtQueryInformationThread (748, Basic, 28, ... 03283 308 NtWaitForSingleObject (80, 0, 0x0, ... 03282 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1496,}, 0x0, ) == 0x0 03284 1980 NtSetEventBoostPriority (80, ... 03268 1744 NtWaitForSingleObject ... ) == 0x0 03285 1744 NtSetEventBoostPriority (80, ... 03271 540 NtWaitForSingleObject ... ) == 0x0 03286 540 NtSetEventBoostPriority (80, ... 03279 868 NtWaitForSingleObject ... ) == 0x0 03287 868 NtSetEventBoostPriority (80, ... 03280 276 NtWaitForSingleObject ... ) == 0x0 03288 276 NtSetEventBoostPriority (80, ... 03283 308 NtWaitForSingleObject ... ) == 0x0 03289 308 NtWaitForSingleObject (440, 0, 0x0, ... 03288 276 NtSetEventBoostPriority ... ) == 0x0 03290 276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03287 868 NtSetEventBoostPriority ... ) == 0x0 03285 1744 NtSetEventBoostPriority ... ) == 0x0 03284 1980 NtSetEventBoostPriority ... ) == 0x0 03286 540 NtSetEventBoostPriority ... ) == 0x0 03291 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\330\5\0\0" ... ... 
03290 276 NtDuplicateObject ... 752, ) == 0x0 03292 1744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... 03293 1980 NtSetEventBoostPriority (440, ... 03294 540 NtWaitForSingleObject (192, 0, 0x0, ... 03291 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75574, 0} ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\330\5\0\0" ) ) == 0x0 03295 276 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03296 868 NtWaitForSingleObject (440, 0, 0x0, ... 03057 1480 NtWaitForSingleObject ... ) == 0x0 03293 1980 NtSetEventBoostPriority ... ) == 0x0 03297 1736 NtResumeThread (748, ... 03295 276 NtCreateEvent ... 756, ) == 0x0 03298 1480 NtSetEventBoostPriority (440, ... 03299 1980 NtWaitForSingleObject (76, 0, {0, 0}, ... 03297 1736 NtResumeThread ... 1, ) == 0x0 03062 1304 NtWaitForSingleObject ... ) == 0x0 03300 276 NtWaitForSingleObject (756, 0, 0x0, ... 03301 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03302 1304 NtSetEventBoostPriority (440, ... 03298 1480 NtSetEventBoostPriority ... ) == 0x0 03292 1744 NtSetInformationThread ... ) == 0x0 03303 1496 NtWaitForSingleObject (32, 0, 0x0, ... 03299 1980 NtWaitForSingleObject ... ) == 0x102 03067 860 NtWaitForSingleObject ... ) == 0x0 03304 1480 NtWaitForSingleObject (76, 0, {0, 0}, ... 03305 1744 NtSetEventBoostPriority (756, ... 03306 1980 NtWaitForSingleObject (192, 0, 0x0, ... 03307 860 NtSetEventBoostPriority (440, ... 03300 276 NtWaitForSingleObject ... ) == 0x0 03305 1744 NtSetEventBoostPriority ... ) == 0x0 03308 276 NtWaitForSingleObject (440, 0, 0x0, ... 03073 712 NtWaitForSingleObject ... ) == 0x0 03307 860 NtSetEventBoostPriority ... ) == 0x0 03309 712 NtSetEventBoostPriority (440, ... 03310 1744 NtUnmapViewOfSection (-1, 0x77c00000, ... 03302 1304 NtSetEventBoostPriority ... ) == 0x0 03301 1736 NtAllocateVirtualMemory ... 150667264, 2097152, ) == 0x0 03304 1480 NtWaitForSingleObject ... ) == 0x102 03097 1764 NtWaitForSingleObject ... 
) == 0x0 03310 1744 NtUnmapViewOfSection ... ) == 0x0 03311 1304 NtWaitForSingleObject (76, 0, {0, 0}, ... 03312 1736 NtAllocateVirtualMemory (-1, 152756224, 0, 8192, 4096, 4, ... 03313 1480 NtWaitForSingleObject (192, 0, 0x0, ... 03314 1764 NtSetEventBoostPriority (440, ... 03315 1744 NtSetEventBoostPriority (32, ... 03312 1736 NtAllocateVirtualMemory ... 152756224, 8192, ) == 0x0 03110 808 NtWaitForSingleObject ... ) == 0x0 03314 1764 NtSetEventBoostPriority ... ) == 0x0 03309 712 NtSetEventBoostPriority ... ) == 0x0 03316 860 NtWaitForSingleObject (76, 0, {0, 0}, ... 03311 1304 NtWaitForSingleObject ... ) == 0x102 03317 1736 NtProtectVirtualMemory (-1, (0x91ae000), 4096, 260, ... 03318 808 NtSetEventBoostPriority (440, ... 03319 1764 NtWaitForSingleObject (76, 0, {0, 0}, ... 03320 712 NtWaitForSingleObject (76, 0, {0, 0}, ... 03316 860 NtWaitForSingleObject ... ) == 0x102 03321 1304 NtWaitForSingleObject (192, 0, 0x0, ... 03317 1736 NtProtectVirtualMemory ... (0x91ae000), 4096, 4, ) == 0x0 03141 1536 NtWaitForSingleObject ... ) == 0x0 03318 808 NtSetEventBoostPriority ... ) == 0x0 03322 860 NtWaitForSingleObject (192, 0, 0x0, ... 03323 1536 NtSetEventBoostPriority (440, ... 03324 1736 NtCreateThread (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 03325 808 NtWaitForSingleObject (440, 0, 0x0, ... 03145 1756 NtWaitForSingleObject ... ) == 0x0 03323 1536 NtSetEventBoostPriority ... ) == 0x0 03303 1496 NtWaitForSingleObject ... ) == 0x0 03315 1744 NtSetEventBoostPriority ... ) == 0x0 03319 1764 NtWaitForSingleObject ... ) == 0x102 03320 712 NtWaitForSingleObject ... ) == 0x102 03324 1736 NtCreateThread ... 760, {1636, 1500}, ) == 0x0 03326 1756 NtSetEventBoostPriority (440, ... 03327 1536 NtWaitForSingleObject (76, 0, {0, 0}, ... 03328 1496 NtTestAlert (... 03329 1744 NtOpenMutant (0x120001, {24, 28, 0x0, 0, 0, (0x120001, {24, 28, 0x0, 0, 0, "ShimCacheMutex"}, ... }, ... 03330 1764 NtWaitForSingleObject (192, 0, 0x0, ... 
03331 712 NtWaitForSingleObject (192, 0, 0x0, ... 03332 1736 NtQueryInformationThread (760, Basic, 28, ... 03153 1248 NtWaitForSingleObject ... ) == 0x0 03326 1756 NtSetEventBoostPriority ... ) == 0x0 03328 1496 NtTestAlert ... ) == 0x0 03329 1744 NtOpenMutant ... 764, ) == 0x0 03333 1248 NtSetEventBoostPriority (440, ... 03332 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=1500,}, 0x0, ) == 0x0 03327 1536 NtWaitForSingleObject ... ) == 0x102 03334 1756 NtWaitForSingleObject (76, 0, {0, 0}, ... 03193 1896 NtWaitForSingleObject ... ) == 0x0 03333 1248 NtSetEventBoostPriority ... ) == 0x0 03335 1744 NtWaitForSingleObject (764, 0, {-1000000, -1}, ... 03336 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\334\5\0\0" ... ... 03337 1536 NtWaitForSingleObject (192, 0, 0x0, ... 03338 1896 NtSetEventBoostPriority (440, ... 03334 1756 NtWaitForSingleObject ... ) == 0x102 03339 1248 NtWaitForSingleObject (76, 0, {0, 0}, ... 03335 1744 NtWaitForSingleObject ... ) == 0x0 03336 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75575, 0} ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\334\5\0\0" ) ) == 0x0 03198 1156 NtWaitForSingleObject ... ) == 0x0 03340 1756 NtWaitForSingleObject (192, 0, 0x0, ... 03338 1896 NtSetEventBoostPriority ... ) == 0x0 03341 1496 NtContinue (150666544, 1, ... 03339 1248 NtWaitForSingleObject ... ) == 0x102 03342 1744 NtOpenSection (0x2, {24, 28, 0x0, 0, 0, (0x2, {24, 28, 0x0, 0, 0, "ShimSharedMemory"}, ... }, ... 03343 1156 NtSetEventBoostPriority (440, ... 03344 1896 NtWaitForSingleObject (76, 0, {0, 0}, ... 03345 1496 NtRegisterThreadTerminatePort (24, ... 03346 1248 NtWaitForSingleObject (192, 0, 0x0, ... 03342 1744 NtOpenSection ... 768, ) == 0x0 03201 1936 NtWaitForSingleObject ... 
) == 0x0 03343 1156 NtSetEventBoostPriority ... ) == 0x0 03345 1496 NtRegisterThreadTerminatePort ... ) == 0x0 03347 1936 NtSetEventBoostPriority (440, ... 03348 1744 NtMapViewOfSection (768, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 03349 1736 NtResumeThread (760, ... 03344 1896 NtWaitForSingleObject ... ) == 0x102 03204 1972 NtWaitForSingleObject ... ) == 0x0 03347 1936 NtSetEventBoostPriority ... ) == 0x0 03350 1496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03348 1744 NtMapViewOfSection ... (0x8180000), {0, 0}, 57344, ) == 0x0 03349 1736 NtResumeThread ... 1, ) == 0x0 03351 1972 NtSetEventBoostPriority (440, ... 03352 1896 NtWaitForSingleObject (192, 0, 0x0, ... 03353 1156 NtWaitForSingleObject (76, 0, {0, 0}, ... 03354 1500 NtTestAlert (... 03350 1496 NtDuplicateObject ... 772, ) == 0x0 03355 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 03242 388 NtWaitForSingleObject ... ) == 0x0 03356 1736 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03353 1156 NtWaitForSingleObject ... ) == 0x102 03354 1500 NtTestAlert ... ) == 0x0 03357 1496 NtWaitForSingleObject (440, 0, 0x0, ... 03355 1744 NtOpenThreadTokenEx ... ) == STATUS_NO_TOKEN 03358 388 NtSetEventBoostPriority (440, ... 03356 1736 NtAllocateVirtualMemory ... 152764416, 2097152, ) == 0x0