Summary (per-syscall call counts for the whole run, printed four columns across and sorted by ascending count; the "(>)" suffix is a tracer marker whose meaning is not stated on this page). Note that these totals cover the complete execution, not just the excerpt below: e.g. NtWaitForSingleObject is counted 1004 times and NtContinue 97 times, yet only two NtContinue records and no NtWaitForSingleObject records appear in the 294 trace entries shown.

NtGdiCreateBitmap(>) 1 NtQueryDefaultUILanguage(>) 2 NtFsControlFile(>) 7 NtQueryAttributesFile(>) 41
NtGdiInit(>) 1 NtQueryPerformanceCounter(>) 2 NtQueryInformationFile(>) 7 NtFlushInstructionCache(>) 53
NtGdiQueryFontAssocInfo(>) 1 NtQuerySystemTime(>) 2 NtConnectPort(>) 8 NtContinue(>) 97
NtGdiSelectBitmap(>) 1 NtReadFile(>) 2 NtOpenThreadToken(>) 9 NtQuerySystemInformation(>) 114
NtOpenKeyedEvent(>) 1 NtSetInformationObject(>) 2 NtQueryInformationProcess(>) 9 NtCreateEvent(>) 116
NtOpenSymbolicLinkObject(>) 1 NtUserGetObjectInformation(>) 2 NtQueryVirtualMemory(>) 9 NtOpenKey(>) 131
NtQueryInstallUILanguage(>) 1 NtFreeVirtualMemory(>) 3 NtSetInformationFile(>) 9 NtResumeThread(>) 138
NtQueryObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetInformationThread(>) 9 NtCreateThread(>) 145
NtQuerySymbolicLinkObject(>) 1 NtOpenProcessTokenEx(>) 3 NtUnmapViewOfSection(>) 9 NtQueryInformationThread(>) 153
NtRaiseException(>) 1 NtOpenThreadTokenEx(>) 3 NtUserFindExistingCursorIcon(>) 9 NtTestAlert(>) 183
NtSetInformationProcess(>) 1 NtQueryDefaultLocale(>) 3 NtUserRegisterClassExWOW(>) 14 NtRequestWaitReplyPort(>) 185
NtUserCallNoParam(>) 1 NtQueryVolumeInformationFile(>) 3 NtQuerySection(>) 15 NtRegisterThreadTerminatePort(>) 187
NtUserGetProcessWindowStation(>) 1 NtSecureConnectPort(>) 3 NtSetValueKey(>) 17 NtDuplicateObject(>) 208
NtUserGetThreadDesktop(>) 1 NtWriteFile(>) 3 NtCreateKey(>) 18 NtClose(>) 212
NtCallbackReturn(>) 2 NtCreateIoCompletion(>) 4 NtOpenSection(>) 22 NtQueryValueKey(>) 250
NtGdiCreateSolidBrush(>) 2 NtGdiGetStockObject(>) 5 NtCreateSection(>) 26 NtProtectVirtualMemory(>) 260
NtNotifyChangeKey(>) 2 NtCreateMutant(>) 6 NtOpenFile(>) 26 NtAllocateVirtualMemory(>) 406
NtOpenDirectoryObject(>) 2 NtQueryInformationToken(>) 6 NtDeviceIoControlFile(>) 34 NtSetEventBoostPriority(>) 734
NtOpenProcessToken(>) 2 NtCreateFile(>) 7 NtMapViewOfSection(>) 38 NtWaitForSingleObject(>) 1004

Trace (each record is: sequence number, calling thread id — the 1736 column matches the second ClientId field in the LPC replies and the argument to NtUserGetThreadDesktop — then the syscall name, its input arguments, "..." followed by the output/by-reference values, and "== NTSTATUS"; the tracer prints OBJECT_ATTRIBUTES arguments twice, nested; the listing is cut off mid-record at 00294, so the run continues beyond what is shown). Reviewer notes on what is visible: records 00001-00072 are ordinary ntdll/kernel32 process start-up (prefetch lookup, IFEO key probes, KnownDlls, csrss ApiPort connect, NLS sections, Terminal Server/SafeBoot/Safer checks); the per-DLL NtProtectVirtualMemory 4 -> restore -> NtFlushInstructionCache triplets (e.g. 00021-00023 on kernel32) are the loader writing resolved imports, and 00061-00063 apply that same pattern to 94224 bytes at 0x409000 in packed.exe itself, a region that 00075 later reports as MEM_IMAGE with protection 0x40 (PAGE_EXECUTE_READWRITE). 00077 and 00259 allocate fresh memory with protection 64 (PAGE_EXECUTE_READWRITE), and 00260-00292 load WS2_32.dll and WS2HELP.dll, so the sample is network-capable. An RWX image section, RWX heap allocations, and the 97 NtContinue calls in the summary are consistent with a self-modifying/unpacking stub, possibly using exception-driven control flow (00075-00076 look like an exception dispatch checking a handler at 0x40980f), but the trace alone does not prove which packer or what the unpacked payload does; allocations with protection 260 (PAGE_READWRITE|PAGE_GUARD) are normal stack growth and not an indicator.

00001 1736 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1736 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1736 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1736 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1736 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1736 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1736 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1736 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1736 NtClose (12, ... ) == 0x0 00015 1736 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1736 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1736 NtClose (16, ... ) == 0x0 00021 1736 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1736 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1736 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1736 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1736 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1736 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1736 NtClose (16, ... ) == 0x0 00030 1736 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1736 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1736 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1736 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75469, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ) == 0x0 00036 1736 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1736 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1736 NtClose (16, ... ) == 0x0 00041 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1736 NtClose (16, ... ) == 0x0 00044 1736 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1736 NtClose (16, ... ) == 0x0 00048 1736 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1736 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1736 NtClose (16, ... ) == 0x0 00052 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1736 NtClose (16, ... ) == 0x0 00055 1736 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1736 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1736 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ... {24, 52, reply, 0, 1636, 1736, 75470, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ) == 0x0 00060 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75471, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ) == 0x0 00061 1736 NtProtectVirtualMemory (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0 00062 1736 NtProtectVirtualMemory (-1, (0x409000), 98304, 128, ... 
(0x409000), 98304, 4, ) == 0x0 00063 1736 NtFlushInstructionCache (-1, 4231168, 94224, ... ) == 0x0 00064 1736 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1736 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1736 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1736 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1736 NtClose (16, ... ) == 0x0 00069 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1736 NtClose (16, ... ) == 0x0 00072 1736 NtTestAlert (... ) == 0x0 00073 1736 NtContinue (1244464, 1, ... 00074 1736 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0 00075 1736 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00076 1736 NtContinue (1244400, 0, ... 00077 1736 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00078 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 1736 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 1736 NtClose (16, ... ) == 0x0 00081 1736 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00084 1736 NtClose (16, ... ) == 0x0 00085 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00086 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00087 1736 NtClose (16, ... ) == 0x0 00088 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00089 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00090 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00091 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00092 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00093 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00094 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00098 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00099 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00100 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00101 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00102 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00103 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00104 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00109 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75472, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ) == 0x0 00110 1736 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00111 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00112 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00113 1736 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00114 1736 NtClose (16, ... ) == 0x0 00115 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0 00116 1736 NtClose (28, ... ) == 0x0 00117 1736 NtUnmapViewOfSection (-1, 0x430000, ... ) == 0x0 00118 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00119 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00120 1736 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00121 1736 NtClose (28, ... ) == 0x0 00122 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0 00123 1736 NtClose (16, ... ) == 0x0 00124 1736 NtUnmapViewOfSection (-1, 0x430000, ... ) == 0x0 00125 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00126 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00127 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00128 1736 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00129 1736 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 1736 NtQueryInformationToken (32, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00131 1736 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00133 1736 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 1736 NtClose (36, ... ) == 0x0 00135 1736 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00136 1736 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00137 1736 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00138 1736 NtClose (36, ... ) == 0x0 00139 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 1736 NtClose (32, ... ) == 0x0 00141 1736 NtClose (16, ... ) == 0x0 00142 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00143 1736 NtClose (28, ... ) == 0x0 00144 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00150 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00151 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00152 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00153 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00154 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00155 1736 NtClose (28, ... ) == 0x0 00156 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00157 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00158 1736 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00159 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00160 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00161 1736 NtClose (28, ... ) == 0x0 00162 1736 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00163 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00170 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00171 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00172 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00173 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00174 1736 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00175 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 1736 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00177 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00179 1736 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 1736 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 1736 NtClose (28, ... ) == 0x0 00182 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00183 1736 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 1736 NtClose (28, ... 
) == 0x0 00185 1736 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00186 1736 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00187 1736 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00191 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00194 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00195 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00196 1736 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 1736 NtClose (16, ... ) == 0x0 00198 1736 NtMapViewOfSection (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0 00199 1736 NtClose (-2147482576, ... ) == 0x0 00200 1736 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00201 1736 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00202 1736 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482576, ) == 0x0 00203 1736 NtQueryInformationToken (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00204 1736 NtQueryInformationToken (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00205 1736 NtClose (-2147482576, ... ) == 0x0 00206 1736 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5505024, 4096, ) == 0x0 00207 1736 NtFreeVirtualMemory (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0 00208 1736 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00209 1736 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00210 1736 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 1736 NtClose (-2147482576, ... ) == 0x0 00212 1736 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00213 1736 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00214 1736 NtClose (-2147482576, ... ) == 0x0 00215 1736 NtQueryDefaultLocale (0, -139347636, ... ) == 0x0 00216 1736 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00217 1736 NtUserCallNoParam (24, ... ) == 0x0 00218 1736 NtGdiCreateCompatibleDC (0, ... 00219 1736 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0 00218 1736 NtGdiCreateCompatibleDC ... ) == 0xf2010663 00220 1736 NtGdiGetStockObject (0, ... ) == 0x1900010 00221 1736 NtGdiGetStockObject (4, ... ) == 0x1900011 00222 1736 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7 00223 1736 NtGdiCreateSolidBrush (0, 0, ... 00224 1736 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0 00223 1736 NtGdiCreateSolidBrush ... ) == 0x4210057d 00225 1736 NtGdiGetStockObject (13, ... ) == 0x18a0021 00226 1736 NtGdiCreateCompatibleDC (0, ... ) == 0x69010363 00227 1736 NtGdiSelectBitmap (1761674083, -50002441, ... ) == 0x185000f 00228 1736 NtUserGetThreadDesktop (1736, 0, ... ) == 0x24 00229 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00230 1736 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00231 1736 NtClose (44, ... ) == 0x0 00232 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00233 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017 00234 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00235 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c 00236 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00237 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e 00238 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00239 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002 00240 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00241 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018 00242 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00243 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a 00244 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00245 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d 00246 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00247 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026 00248 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00249 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019 00250 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020 00251 1736 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022 00252 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023 00253 1736 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024 00254 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025 00255 1736 NtCallbackReturn (0, 0, 0, ... 00256 1736 NtGdiInit (... ) == 0x1 00257 1736 NtGdiGetStockObject (18, ... ) == 0x290001c 00258 1736 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00259 1736 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0 00260 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00263 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0 00264 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00265 1736 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 1736 NtClose (44, ... ) == 0x0 00267 1736 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00268 1736 NtClose (48, ... ) == 0x0 00269 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00270 1736 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00271 1736 NtClose (48, ... ) == 0x0 00272 1736 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00273 1736 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00274 1736 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00275 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00276 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00277 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... 
) == 0x0 00278 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00281 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00282 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00283 1736 NtQuerySection (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00284 1736 NtClose (48, ... ) == 0x0 00285 1736 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00286 1736 NtClose (44, ... ) == 0x0 00287 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00288 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00289 1736 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00290 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00291 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00292 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00293 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 1736 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0 00296 1736 NtAllocateVirtualMemory (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0 00297 1736 NtAllocateVirtualMemory (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0 00298 1736 NtAllocateVirtualMemory (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0 00299 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00300 1736 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0 00301 1736 NtClose (44, ... ) == 0x0 00302 1736 NtAllocateVirtualMemory (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0 00303 1736 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00304 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00305 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00306 1736 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00307 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00310 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00311 1736 NtFreeVirtualMemory (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0 00312 1736 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00313 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00314 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00315 1736 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00316 1736 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00317 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0 00318 1736 NtAllocateVirtualMemory (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0 00319 1736 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00320 1736 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 
48, ) == 0x0 00321 1736 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00322 1736 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00323 1736 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00324 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00325 1736 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0 00326 1736 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00327 1736 NtNotifyChangeKey (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00328 1736 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00329 1736 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 1736 NtQueryValueKey (60, (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... 
TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00331 1736 NtQueryValueKey (60, (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00332 1736 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0 00333 1736 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00334 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0 00335 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00336 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00337 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 
900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00338 1736 NtClose (68, ... ) == 0x0 00339 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0 00340 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00341 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00342 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 
900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00343 1736 NtClose (68, ... ) == 0x0 00344 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0 00345 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00346 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00347 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00348 1736 NtClose (68, ... ) == 0x0 00349 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 
68, ) == 0x0 00350 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00351 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00352 1736 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00353 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00354 1736 NtClose (68, ... ) == 0x0 00355 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0 00356 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00357 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00358 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00359 1736 NtClose (68, ... ) == 0x0 00360 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 
68, ) == 0x0 00361 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00362 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00363 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 
\0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00364 1736 NtClose (68, ... ) == 0x0 00365 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0 00366 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00367 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00368 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 
(68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00369 1736 NtClose (68, ... ) == 0x0 00370 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0 00371 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00372 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00373 1736 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00374 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00375 1736 NtClose (68, ... ) == 0x0 00376 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0 00377 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00378 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00379 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 
00380 1736 NtClose (68, ... ) == 0x0 00381 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0 00382 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00383 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00384 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00385 1736 NtClose (68, ... ) == 0x0 00386 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0 00387 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00388 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00389 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00390 1736 NtClose (68, ... ) == 0x0 00391 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0 00392 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00393 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00394 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00395 1736 NtClose (68, ... ) == 0x0 00396 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0 00397 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00398 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00399 1736 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00400 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00401 1736 NtClose (68, ... ) == 0x0 00402 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0 00403 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00404 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00405 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 00406 1736 NtClose (68, ... ) == 0x0 00407 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0 00408 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00409 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00410 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00411 1736 NtClose (68, ... ) == 0x0 00412 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0 00413 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00414 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00415 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00416 1736 NtClose (68, ... ) == 0x0 00417 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0 00418 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00419 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00420 1736 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00421 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00422 1736 NtClose (68, ... ) == 0x0 00423 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0 00424 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00425 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00426 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00427 1736 NtClose (68, ... ) == 0x0 00428 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0 00429 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00430 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00431 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00432 1736 NtClose (68, ... ) == 0x0 00433 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0 00434 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00435 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00436 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
}, 900, ) == 0x0 00437 1736 NtClose (68, ... ) == 0x0 00438 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0 00439 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00440 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00441 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00442 1736 NtClose (68, ... ) == 0x0 00443 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0 00444 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00445 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00446 1736 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00447 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00448 1736 NtClose (68, ... ) == 0x0 00449 1736 NtClose (64, ... ) == 0x0 00450 1736 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00451 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00452 1736 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0 00453 1736 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00454 1736 NtNotifyChangeKey (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00455 1736 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00456 1736 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00457 1736 NtQueryValueKey (68, (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00458 1736 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0 00459 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0 00460 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00461 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00462 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00463 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00464 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00465 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00466 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00467 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00469 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00470 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00471 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00472 1736 NtClose (76, ... ) == 0x0 00473 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0 00474 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00475 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00476 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00477 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00478 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00479 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00480 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00481 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00483 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00484 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00485 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00486 1736 NtClose (76, ... ) == 0x0 00487 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0 00488 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00489 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00490 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00491 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00492 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00493 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00494 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00495 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00498 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00499 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00500 1736 NtClose (76, ... ) == 0x0 00501 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0 00502 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00503 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00504 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00505 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00506 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00507 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00508 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00509 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00510 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00511 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00512 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00513 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00514 1736 NtClose (76, ... ) == 0x0 00515 1736 NtClose (72, ... ) == 0x0 00516 1736 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 00517 1736 NtClose (52, ... ) == 0x0 00518 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00519 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00520 1736 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00521 1736 NtQueryValueKey (52, (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 1736 NtClose (52, ... ) == 0x0 00523 1736 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 
1355776, 4096, ) == 0x0 00524 1736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0 00525 1736 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00526 1736 NtQueryInformationFile (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00527 1736 NtQueryInformationFile (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00528 1736 NtQueryInformationFile (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00529 1736 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00530 1736 NtQueryInformationFile (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00531 1736 NtQueryInformationFile (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00532 1736 NtQueryInformationFile (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00533 1736 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00534 1736 NtClose (-2147482576, ... ) == 0x0 00533 1736 NtCreateFile ... 76, {status=0x0, info=2}, ) == 0x0 00535 1736 NtQueryVolumeInformationFile (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00536 1736 NtQueryInformationFile (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00537 1736 NtQueryVolumeInformationFile (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00538 1736 NtSetInformationFile (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00539 1736 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00540 1736 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x860000), {0, 0}, 28672, ) == 0x0 00541 1736 NtClose (80, ... 
) == 0x0 00542 1736 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\231\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0 00543 1736 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00544 1736 NtSetInformationFile (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00545 1736 NtClose (72, ... ) == 0x0 00546 1736 NtClose (76, ... 
) == 0x0 00547 1736 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0 00548 1736 NtSetValueKey (76, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00549 1736 NtSetInformationFile (-2147482448, -139348176, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00550 1736 NtSetInformationFile (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00551 1736 NtSetInformationFile (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00548 1736 NtSetValueKey ... ) == 0x0 00552 1736 NtClose (76, ... ) == 0x0 00553 1736 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0 00554 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 00555 1736 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 00556 1736 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 00557 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 220}, ) == 0x0 00558 1736 NtQueryInformationThread (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1636,Tid=220,}, 0x0, ) == 0x0 00559 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75489, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ) ) == 0x0 00560 1736 NtResumeThread (72, ... 1, ) == 0x0 00561 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0 00562 1736 NtAllocateVirtualMemory (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0 00563 1736 NtProtectVirtualMemory (-1, (0xb8e000), 4096, 260, ... 00564 220 NtTestAlert (... ) == 0x0 00565 220 NtContinue (11074864, 1, ... 00566 220 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00567 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0 00568 220 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00569 220 NtAllocateVirtualMemory (-1, 11063296, 0, 4096, 4096, 260, ... 00563 1736 NtProtectVirtualMemory ... (0xb8e000), 4096, 4, ) == 0x0 00570 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 1356}, ) == 0x0 00571 1736 NtQueryInformationThread (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0 00572 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75490, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ) ) == 0x0 00573 1736 NtResumeThread (84, ... 1, ) == 0x0 00574 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12124160, 1048576, ) == 0x0 00569 220 NtAllocateVirtualMemory ... 
11063296, 4096, ) == 0x0 00575 1356 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00576 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071988, ... }, 11071988, ... 00575 1356 NtCreateEvent ... 88, ) == 0x0 00576 220 NtQueryAttributesFile ... ) == 0x0 00577 1356 NtWaitForSingleObject (88, 0, 0x0, ... 00578 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00579 220 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0 00580 220 NtClose (92, ... ) == 0x0 00581 220 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc90000), 0x0, 245760, ) == 0x0 00582 220 NtClose (96, ... 00583 1736 NtAllocateVirtualMemory (-1, 13164544, 0, 8192, 4096, 4, ... 13164544, 8192, ) == 0x0 00584 1736 NtProtectVirtualMemory (-1, (0xc8e000), 4096, 260, ... (0xc8e000), 4096, 4, ) == 0x0 00585 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 868}, ) == 0x0 00586 1736 NtQueryInformationThread (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=868,}, 0x0, ) == 0x0 00587 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75491, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ) ) == 0x0 00588 1736 NtResumeThread (92, ... 00582 220 NtClose ... ) == 0x0 00588 1736 NtResumeThread ... 1, ) == 0x0 00589 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
13434880, 1048576, ) == 0x0 00590 1736 NtAllocateVirtualMemory (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0 00591 1736 NtProtectVirtualMemory (-1, (0xdce000), 4096, 260, ... 00592 868 NtWaitForSingleObject (88, 0, 0x0, ... 00591 1736 NtProtectVirtualMemory ... (0xdce000), 4096, 4, ) == 0x0 00593 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00594 220 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 00595 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072296, ... ) }, 11072296, ... ) == 0x0 00596 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00597 220 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00598 220 NtQuerySection (100, Image, 48, ... 00593 1736 NtCreateThread ... 104, {1636, 808}, ) == 0x0 00599 1736 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=808,}, 0x0, ) == 0x0 00600 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75492, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ) ) == 0x0 00601 1736 NtResumeThread (104, ... 1, ) == 0x0 00602 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14483456, 1048576, ) == 0x0 00598 220 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00603 808 NtWaitForSingleObject (88, 0, 0x0, ... 00604 220 NtClose (96, ... 
) == 0x0 00605 220 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 00606 220 NtClose (100, ... ) == 0x0 00607 220 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00608 1736 NtAllocateVirtualMemory (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0 00609 1736 NtProtectVirtualMemory (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0 00610 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1636, 2020}, ) == 0x0 00611 220 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00612 220 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00613 220 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00614 220 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00615 220 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00616 1736 NtQueryInformationThread (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0 00617 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75493, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ) ) == 0x0 00618 1736 NtResumeThread (100, ... 1, ) == 0x0 00619 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0 00620 1736 NtAllocateVirtualMemory (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0 00621 1736 NtProtectVirtualMemory (-1, (0xfce000), 4096, 260, ... 
00622 220 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 00623 2020 NtWaitForSingleObject (88, 0, 0x0, ... 00622 220 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 00624 220 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00625 220 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00621 1736 NtProtectVirtualMemory ... (0xfce000), 4096, 4, ) == 0x0 00626 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 896}, ) == 0x0 00627 1736 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=896,}, 0x0, ) == 0x0 00628 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\200\3\0\0" ... ... 00629 220 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00630 220 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00631 220 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00632 220 NtSetEventBoostPriority (88, ... 00577 1356 NtWaitForSingleObject ... ) == 0x0 00633 1356 NtSetEventBoostPriority (88, ... 00592 868 NtWaitForSingleObject ... ) == 0x0 00634 868 NtSetEventBoostPriority (88, ... 00603 808 NtWaitForSingleObject ... ) == 0x0 00635 808 NtSetEventBoostPriority (88, ... 00623 2020 NtWaitForSingleObject ... ) == 0x0 00636 2020 NtTestAlert (... ) == 0x0 00635 808 NtSetEventBoostPriority ... ) == 0x0 00634 868 NtSetEventBoostPriority ... 
) == 0x0 00633 1356 NtSetEventBoostPriority ... ) == 0x0 00632 220 NtSetEventBoostPriority ... ) == 0x0 00628 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75494, 0} ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\200\3\0\0" ) ) == 0x0 00637 2020 NtContinue (15531312, 1, ... 00638 808 NtTestAlert (... 00639 868 NtTestAlert (... 00640 220 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00641 1736 NtResumeThread (96, ... 00642 2020 NtRegisterThreadTerminatePort (24, ... 00638 808 NtTestAlert ... ) == 0x0 00639 868 NtTestAlert ... ) == 0x0 00640 220 NtCreateEvent ... 108, ) == 0x0 00641 1736 NtResumeThread ... 1, ) == 0x0 00642 2020 NtRegisterThreadTerminatePort ... ) == 0x0 00643 808 NtContinue (14482736, 1, ... 00644 868 NtContinue (13172016, 1, ... 00645 1356 NtTestAlert (... 00646 896 NtTestAlert (... 00647 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00648 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00649 808 NtRegisterThreadTerminatePort (24, ... 00650 868 NtRegisterThreadTerminatePort (24, ... 00645 1356 NtTestAlert ... ) == 0x0 00646 896 NtTestAlert ... ) == 0x0 00647 1736 NtAllocateVirtualMemory ... 16580608, 1048576, ) == 0x0 00648 2020 NtDuplicateObject ... 112, ) == 0x0 00649 808 NtRegisterThreadTerminatePort ... ) == 0x0 00650 868 NtRegisterThreadTerminatePort ... ) == 0x0 00651 1356 NtContinue (12123440, 1, ... 00652 896 NtContinue (16579888, 1, ... 00653 220 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 00654 2020 NtWaitForSingleObject (64, 0, {0, 0}, ... 00655 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00656 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00657 1356 NtRegisterThreadTerminatePort (24, ... 00658 896 NtRegisterThreadTerminatePort (24, ... 00653 220 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00659 1736 NtAllocateVirtualMemory (-1, 17620992, 0, 8192, 4096, 4, ... 00654 2020 NtWaitForSingleObject ... 
) == 0x102 00655 808 NtDuplicateObject ... 116, ) == 0x0 00657 1356 NtRegisterThreadTerminatePort ... ) == 0x0 00658 896 NtRegisterThreadTerminatePort ... ) == 0x0 00660 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11071908, ... }, 11071908, ... 00659 1736 NtAllocateVirtualMemory ... 17620992, 8192, ) == 0x0 00661 2020 NtAllocateVirtualMemory (-1, 15519744, 0, 4096, 4096, 260, ... 00662 808 NtWaitForSingleObject (64, 0, {0, 0}, ... 00663 1356 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00656 868 NtDuplicateObject ... 120, ) == 0x0 00664 1736 NtProtectVirtualMemory (-1, (0x10ce000), 4096, 260, ... 00661 2020 NtAllocateVirtualMemory ... 15519744, 4096, ) == 0x0 00662 808 NtWaitForSingleObject ... ) == 0x102 00665 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00666 868 NtWaitForSingleObject (64, 0, {0, 0}, ... 00664 1736 NtProtectVirtualMemory ... (0x10ce000), 4096, 4, ) == 0x0 00667 2020 NtWaitForSingleObject (88, 0, 0x0, ... 00668 808 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00665 896 NtDuplicateObject ... 124, ) == 0x0 00666 868 NtWaitForSingleObject ... ) == 0x102 00668 808 NtCreateEvent ... 128, ) == 0x0 00669 896 NtWaitForSingleObject (64, 0, {0, 0}, ... 00670 868 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00663 1356 NtDuplicateObject ... 132, ) == 0x0 00671 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00669 896 NtWaitForSingleObject ... ) == 0x102 00670 868 NtCreateEvent ... 136, ) == 0x0 00672 1356 NtWaitForSingleObject (64, 0, {0, 0}, ... 00671 1736 NtCreateThread ... 140, {1636, 2016}, ) == 0x0 00673 896 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00674 808 NtWaitForSingleObject (128, 0, 0x0, ... 00672 1356 NtWaitForSingleObject ... ) == 0x102 00675 1736 NtQueryInformationThread (140, Basic, 28, ... 00676 868 NtClose (136, ... 00677 1356 NtWaitForSingleObject (128, 0, 0x0, ... 00675 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0 00676 868 NtClose ... ) == 0x0 00678 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\340\7\0\0" ... ... 00679 868 NtWaitForSingleObject (128, 0, 0x0, ... 00673 896 NtCreateEvent ... 136, ) == 0x0 00680 896 NtClose (136, ... ) == 0x0 00681 896 NtWaitForSingleObject (128, 0, 0x0, ... 00660 220 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00682 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11071908, ... ) }, 11071908, ... ) == 0x0 00683 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00684 220 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 00678 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75495, 0} ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0d\6\0\0\340\7\0\0" ) ) == 0x0 00685 1736 NtResumeThread (140, ... 1, ) == 0x0 00686 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17629184, 1048576, ) == 0x0 00687 1736 NtAllocateVirtualMemory (-1, 18669568, 0, 8192, 4096, 4, ... 18669568, 8192, ) == 0x0 00688 1736 NtProtectVirtualMemory (-1, (0x11ce000), 4096, 260, ... (0x11ce000), 4096, 4, ) == 0x0 00689 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1636, 1028}, ) == 0x0 00690 1736 NtQueryInformationThread (144, Basic, 28, ... 00684 220 NtCreateSection ... 148, ) == 0x0 00691 2016 NtWaitForSingleObject (88, 0, 0x0, ... 00692 220 NtQuerySection (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00693 220 NtClose (136, ... ) == 0x0 00694 220 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x662b0000), 0x0, 360448, ) == 0x0 00695 220 NtClose (148, ... ) == 0x0 00696 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00697 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00690 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0 00698 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75496, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" ) ) == 0x0 00699 1736 NtResumeThread (144, ... 1, ) == 0x0 00700 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18677760, 1048576, ) == 0x0 00701 1736 NtAllocateVirtualMemory (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0 00702 1736 NtProtectVirtualMemory (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0 00697 220 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00703 1028 NtWaitForSingleObject (88, 0, 0x0, ... 00704 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00705 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00706 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00707 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00708 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00709 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00710 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
148, {1636, 1180}, ) == 0x0 00711 1736 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0 00712 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\234\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75497, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\234\4\0\0" ) ) == 0x0 00713 1736 NtResumeThread (148, ... 1, ) == 0x0 00709 220 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00714 1180 NtWaitForSingleObject (88, 0, 0x0, ... 00715 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00716 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00717 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00718 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00719 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00720 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00721 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0 00722 1736 NtAllocateVirtualMemory (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0 00723 1736 NtProtectVirtualMemory (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0 00724 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1636, 596}, ) == 0x0 00725 1736 NtQueryInformationThread (136, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=596,}, 0x0, ) == 0x0 00726 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0d\6\0\0T\2\0\0" ... ... 00720 220 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00727 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00728 220 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00729 220 NtSetEventBoostPriority (88, ... 00726 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75498, 0} ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0d\6\0\0T\2\0\0" ) ) == 0x0 00730 1736 NtResumeThread (136, ... 1, ) == 0x0 00731 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0 00732 1736 NtAllocateVirtualMemory (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0 00733 1736 NtProtectVirtualMemory (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0 00734 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1636, 376}, ) == 0x0 00735 1736 NtQueryInformationThread (152, Basic, 28, ... 00667 2020 NtWaitForSingleObject ... ) == 0x0 00729 220 NtSetEventBoostPriority ... ) == 0x0 00736 596 NtWaitForSingleObject (88, 0, 0x0, ... 00737 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15526864, ... }, 15526864, ... 00738 220 NtWaitForSingleObject (88, 0, 0x0, ... 00737 2020 NtQueryAttributesFile ... ) == 0x0 00735 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=376,}, 0x0, ) == 0x0 00739 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0x\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75499, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0x\1\0\0" ) ) == 0x0 00740 1736 NtResumeThread (152, ... 1, ) == 0x0 00741 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21823488, 1048576, ) == 0x0 00742 1736 NtAllocateVirtualMemory (-1, 22863872, 0, 8192, 4096, 4, ... 22863872, 8192, ) == 0x0 00743 1736 NtProtectVirtualMemory (-1, (0x15ce000), 4096, 260, ... (0x15ce000), 4096, 4, ) == 0x0 00744 2020 NtSetEventBoostPriority (88, ... 00745 376 NtWaitForSingleObject (88, 0, 0x0, ... 00691 2016 NtWaitForSingleObject ... ) == 0x0 00744 2020 NtSetEventBoostPriority ... ) == 0x0 00746 2016 NtSetEventBoostPriority (88, ... 00703 1028 NtWaitForSingleObject ... ) == 0x0 00747 1028 NtSetEventBoostPriority (88, ... 00714 1180 NtWaitForSingleObject ... ) == 0x0 00748 1180 NtSetEventBoostPriority (88, ... 00736 596 NtWaitForSingleObject ... ) == 0x0 00749 596 NtSetEventBoostPriority (88, ... 00738 220 NtWaitForSingleObject ... ) == 0x0 00750 220 NtSetEventBoostPriority (88, ... 00745 376 NtWaitForSingleObject ... ) == 0x0 00751 376 NtTestAlert (... ) == 0x0 00750 220 NtSetEventBoostPriority ... ) == 0x0 00749 596 NtSetEventBoostPriority ... ) == 0x0 00748 1180 NtSetEventBoostPriority ... ) == 0x0 00747 1028 NtSetEventBoostPriority ... ) == 0x0 00746 2016 NtSetEventBoostPriority ... ) == 0x0 00752 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00753 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
00754 376 NtContinue (21822768, 1, ... 00755 220 NtQuerySystemInformation (Basic, 44, ... 00756 596 NtTestAlert (... 00757 1180 NtTestAlert (... 00758 1028 NtTestAlert (... 00752 2020 NtCreateEvent ... 156, ) == 0x0 00753 1736 NtCreateThread ... 160, {1636, 1732}, ) == 0x0 00759 376 NtRegisterThreadTerminatePort (24, ... 00755 220 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00756 596 NtTestAlert ... ) == 0x0 00757 1180 NtTestAlert ... ) == 0x0 00758 1028 NtTestAlert ... ) == 0x0 00760 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00761 1736 NtQueryInformationThread (160, Basic, 28, ... 00759 376 NtRegisterThreadTerminatePort ... ) == 0x0 00762 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 00763 596 NtContinue (20774192, 1, ... 00764 1180 NtContinue (19725616, 1, ... 00765 1028 NtContinue (18677040, 1, ... 00760 2020 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00761 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0 00766 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00762 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00767 596 NtRegisterThreadTerminatePort (24, ... 00768 1180 NtRegisterThreadTerminatePort (24, ... 00769 1028 NtRegisterThreadTerminatePort (24, ... 00770 2016 NtTestAlert (... 00771 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\304\6\0\0" ... ... 00766 376 NtDuplicateObject ... 
164, ) == 0x0 00772 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 00767 596 NtRegisterThreadTerminatePort ... ) == 0x0 00768 1180 NtRegisterThreadTerminatePort ... ) == 0x0 00769 1028 NtRegisterThreadTerminatePort ... ) == 0x0 00770 2016 NtTestAlert ... ) == 0x0 00773 376 NtWaitForSingleObject (64, 0, {0, 0}, ... 00772 220 NtOpenKey ... 168, ) == 0x0 00774 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00775 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00776 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00777 2016 NtContinue (17628464, 1, ... 00778 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15526968, ... }, 15526968, ... 00771 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75500, 0} ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\304\6\0\0" ) ) == 0x0 00773 376 NtWaitForSingleObject ... ) == 0x102 00779 220 NtQueryValueKey (168, (168, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 00774 596 NtDuplicateObject ... 172, ) == 0x0 00775 1180 NtDuplicateObject ... 176, ) == 0x0 00780 2016 NtRegisterThreadTerminatePort (24, ... 00781 1736 NtResumeThread (160, ... 00782 376 NtWaitForSingleObject (128, 0, 0x0, ... 00779 220 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00783 596 NtWaitForSingleObject (64, 0, {0, 0}, ... 00784 1180 NtWaitForSingleObject (64, 0, {0, 0}, ... 00780 2016 NtRegisterThreadTerminatePort ... ) == 0x0 00781 1736 NtResumeThread ... 1, ) == 0x0 00785 220 NtClose (168, ... 00783 596 NtWaitForSingleObject ... ) == 0x102 00784 1180 NtWaitForSingleObject ... ) == 0x102 00786 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00787 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00785 220 NtClose ... ) == 0x0 00788 596 NtWaitForSingleObject (128, 0, 0x0, ... 00789 1180 NtWaitForSingleObject (128, 0, 0x0, ... 
00776 1028 NtDuplicateObject ... 168, ) == 0x0 00790 1732 NtWaitForSingleObject (88, 0, 0x0, ... 00787 1736 NtAllocateVirtualMemory ... 22872064, 1048576, ) == 0x0 00791 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 00792 1028 NtWaitForSingleObject (64, 0, {0, 0}, ... 00793 1736 NtAllocateVirtualMemory (-1, 23912448, 0, 8192, 4096, 4, ... 00791 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00792 1028 NtWaitForSingleObject ... ) == 0x102 00786 2016 NtDuplicateObject ... 180, ) == 0x0 00793 1736 NtAllocateVirtualMemory ... 23912448, 8192, ) == 0x0 00778 2020 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00794 1028 NtWaitForSingleObject (128, 0, 0x0, ... 00795 2016 NtWaitForSingleObject (64, 0, {0, 0}, ... 00796 1736 NtProtectVirtualMemory (-1, (0x16ce000), 4096, 260, ... 00797 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15526968, ... }, 15526968, ... 00795 2016 NtWaitForSingleObject ... ) == 0x102 00796 1736 NtProtectVirtualMemory ... (0x16ce000), 4096, 4, ) == 0x0 00798 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00799 2016 NtWaitForSingleObject (128, 0, 0x0, ... 00800 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00798 220 NtCreateEvent ... 184, ) == 0x0 00800 1736 NtCreateThread ... 188, {1636, 1300}, ) == 0x0 00801 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00802 1736 NtQueryInformationThread (188, Basic, 28, ... 00801 220 NtCreateEvent ... 192, ) == 0x0 00797 2020 NtQueryAttributesFile ... ) == 0x0 00803 220 NtQuerySystemTime (... 00804 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 00803 220 NtQuerySystemTime ... {1747847368, 29922242}, ) == 0x0 00804 2020 NtOpenFile ... 
196, {status=0x0, info=1}, ) == 0x0 00802 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0 00805 220 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00806 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0\24\5\0\0" ... ... 00805 220 NtCreateEvent ... 200, ) == 0x0 00806 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75501, 0} ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0\24\5\0\0" ) ) == 0x0 00807 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 00808 1736 NtResumeThread (188, ... 00807 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00808 1736 NtResumeThread ... 1, ) == 0x0 00809 220 NtQuerySystemInformation (Performance, 312, ... 00810 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 196, ... 00811 1300 NtWaitForSingleObject (88, 0, 0x0, ... 00809 220 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 00810 2020 NtCreateSection ... 204, ) == 0x0 00812 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00813 2020 NtQuerySection (204, Image, 48, ... 00812 1736 NtAllocateVirtualMemory ... 23920640, 1048576, ) == 0x0 00813 2020 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00814 1736 NtAllocateVirtualMemory (-1, 24961024, 0, 8192, 4096, 4, ... 00815 2020 NtClose (196, ... 00814 1736 NtAllocateVirtualMemory ... 24961024, 8192, ) == 0x0 00815 2020 NtClose ... ) == 0x0 00816 1736 NtProtectVirtualMemory (-1, (0x17ce000), 4096, 260, ... 00817 220 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 00816 1736 NtProtectVirtualMemory ... (0x17ce000), 4096, 4, ) == 0x0 00817 220 NtQueryInformationProcess ... 
{process info, class 1, size 32}, 0x0, ) == 0x0 00818 2020 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00819 220 NtQueryInformationProcess (-1, VmCounters, 44, ... 00818 2020 NtMapViewOfSection ... (0x76f20000), 0x0, 159744, ) == 0x0 00819 220 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 00820 2020 NtClose (204, ... 00821 220 NtWaitForSingleObject (88, 0, 0x0, ... 00820 2020 NtClose ... ) == 0x0 00822 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00823 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00824 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00825 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00826 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1636, 1132}, ) == 0x0 00827 1736 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0 00828 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0l\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75502, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0l\4\0\0" ) ) == 0x0 00829 1736 NtResumeThread (204, ... 1, ) == 0x0 00830 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0 00831 1736 NtAllocateVirtualMemory (-1, 26009600, 0, 8192, 4096, 4, ... 00832 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 00833 1132 NtWaitForSingleObject (88, 0, 0x0, ... 00832 2020 NtProtectVirtualMemory ... 
(0x76f21000), 4096, 4, ) == 0x0 00834 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00835 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00836 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00837 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00838 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00831 1736 NtAllocateVirtualMemory ... 26009600, 8192, ) == 0x0 00839 1736 NtProtectVirtualMemory (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0 00840 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {1636, 948}, ) == 0x0 00841 1736 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=948,}, 0x0, ) == 0x0 00842 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0d\6\0\0\264\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0d\6\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75503, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0d\6\0\0\264\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0d\6\0\0\264\3\0\0" ) ) == 0x0 00843 1736 NtResumeThread (196, ... 1, ) == 0x0 00844 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 00845 948 NtWaitForSingleObject (88, 0, 0x0, ... 00844 2020 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 00846 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00847 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00848 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00849 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... 
) == 0x0 00850 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00851 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26017792, 1048576, ) == 0x0 00852 1736 NtAllocateVirtualMemory (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0 00853 1736 NtProtectVirtualMemory (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0 00854 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1636, 1064}, ) == 0x0 00855 1736 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0 00856 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0(\4\0\0" ... ... 00857 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00858 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00856 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75504, 0} ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0(\4\0\0" ) ) == 0x0 00859 1736 NtResumeThread (208, ... 1, ) == 0x0 00860 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27066368, 1048576, ) == 0x0 00861 1736 NtAllocateVirtualMemory (-1, 28106752, 0, 8192, 4096, 4, ... 00862 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... }, ... 00863 1064 NtWaitForSingleObject (88, 0, 0x0, ... 00862 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00864 2020 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
212, 2, ) , 0, ... 212, 2, ) == 0x0 00865 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 216, ) }, ... 216, ) == 0x0 00866 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00867 2020 NtQueryValueKey (216, (216, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00868 2020 NtQueryValueKey (212, (212, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00861 1736 NtAllocateVirtualMemory ... 28106752, 8192, ) == 0x0 00869 1736 NtProtectVirtualMemory (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0 00870 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1636, 188}, ) == 0x0 00871 1736 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=188,}, 0x0, ) == 0x0 00872 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\274\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75505, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\274\0\0\0" ) ) == 0x0 00873 1736 NtResumeThread (220, ... 1, ) == 0x0 00874 2020 NtQueryValueKey (216, (216, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ... 00875 188 NtWaitForSingleObject (88, 0, 0x0, ... 00874 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00876 2020 NtQueryValueKey (212, (212, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00877 2020 NtQueryValueKey (216, (216, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00878 2020 NtQueryValueKey (212, (212, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 2020 NtQueryValueKey (216, (216, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 2020 NtQueryValueKey (212, (212, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00881 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0 00882 1736 NtAllocateVirtualMemory (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0 00883 1736 NtProtectVirtualMemory (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0 00884 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1636, 1600}, ) == 0x0 00885 1736 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0 00886 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0@\6\0\0" ... ... 00887 2020 NtQueryValueKey (216, (216, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00888 2020 NtQueryValueKey (216, (216, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00889 2020 NtQueryValueKey (216, (216, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00886 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75506, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0@\6\0\0" ) ) == 0x0 00890 1736 NtResumeThread (224, ... 1, ) == 0x0 00891 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0 00892 1736 NtAllocateVirtualMemory (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0 00893 1736 NtProtectVirtualMemory (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0 00894 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 1372}, ) == 0x0 00895 1736 NtQueryInformationThread (228, Basic, 28, ... 00896 2020 NtQueryValueKey (216, (216, "FilterClusterIp", Partial, 144, ... , Partial, 144, ... 00897 1600 NtWaitForSingleObject (88, 0, 0x0, ... 00896 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 2020 NtQueryValueKey (216, (216, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00899 2020 NtQueryValueKey (216, (216, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 2020 NtQueryValueKey (216, (216, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00901 2020 NtQueryValueKey (216, (216, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 2020 NtQueryValueKey (216, (216, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0 00903 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\\5\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75507, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\\5\0\0" ) ) == 0x0 00904 1736 NtResumeThread (228, ... 1, ) == 0x0 00905 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30212096, 1048576, ) == 0x0 00906 1736 NtAllocateVirtualMemory (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0 00907 1736 NtProtectVirtualMemory (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0 00908 2020 NtQueryValueKey (212, (212, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ... 00909 1372 NtWaitForSingleObject (88, 0, 0x0, ... 00908 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 2020 NtQueryValueKey (216, (216, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 2020 NtQueryValueKey (216, (216, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 2020 NtQueryValueKey (212, (212, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 2020 NtQueryValueKey (216, (216, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 2020 NtQueryValueKey (212, (212, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1636, 2040}, ) == 0x0 00916 1736 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0 00917 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\370\7\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\370\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75508, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\370\7\0\0" ) ) == 0x0 00918 1736 NtResumeThread (232, ... 1, ) == 0x0 00919 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0 00920 1736 NtAllocateVirtualMemory (-1, 32301056, 0, 8192, 4096, 4, ... 00921 2020 NtQueryValueKey (216, (216, "RegisterWanAdapters", Partial, 144, ... , Partial, 144, ... 00922 2040 NtWaitForSingleObject (88, 0, 0x0, ... 00921 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 2020 NtQueryValueKey (212, (212, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 2020 NtQueryValueKey (216, (216, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 2020 NtQueryValueKey (212, (212, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00926 2020 NtQueryValueKey (216, (216, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 2020 NtQueryValueKey (212, (212, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 1736 NtAllocateVirtualMemory ... 32301056, 8192, ) == 0x0 00928 1736 NtProtectVirtualMemory (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0 00929 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 216}, ) == 0x0 00930 1736 NtQueryInformationThread (236, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=216,}, 0x0, ) == 0x0 00931 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\330\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\330\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75509, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\330\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\330\0\0\0" ) ) == 0x0 00932 1736 NtResumeThread (236, ... 1, ) == 0x0 00933 2020 NtQueryValueKey (216, (216, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ... 00934 216 NtWaitForSingleObject (88, 0, 0x0, ... 00933 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 2020 NtQueryValueKey (212, (212, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 2020 NtQueryValueKey (216, (216, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 2020 NtQueryValueKey (212, (212, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 2020 NtQueryValueKey (216, (216, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 2020 NtQueryValueKey (216, (216, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0 00941 1736 NtAllocateVirtualMemory (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0 00942 1736 NtProtectVirtualMemory (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0 00943 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
240, {1636, 152}, ) == 0x0 00944 1736 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=152,}, 0x0, ) == 0x0 00945 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\230\0\0\0" ... ... 00946 2020 NtQueryValueKey (216, (216, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 2020 NtQueryValueKey (216, (216, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00948 2020 NtQueryValueKey (216, (216, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75510, 0} ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\230\0\0\0" ) ) == 0x0 00949 1736 NtResumeThread (240, ... 1, ) == 0x0 00950 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0 00951 1736 NtAllocateVirtualMemory (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0 00952 1736 NtProtectVirtualMemory (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0 00953 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1636, 900}, ) == 0x0 00954 1736 NtQueryInformationThread (244, Basic, 28, ... 00955 2020 NtQueryValueKey (216, (216, "MaxNegativeCacheTtl", Partial, 144, ... , Partial, 144, ... 00956 152 NtWaitForSingleObject (88, 0, 0x0, ... 00955 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 2020 NtQueryValueKey (216, (216, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 2020 NtQueryValueKey (216, (216, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 2020 NtQueryValueKey (216, (216, "MaxCachedSockets", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 2020 NtQueryValueKey (216, (216, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 2020 NtQueryValueKey (216, (216, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=900,}, 0x0, ) == 0x0 00962 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\204\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75511, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\204\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\204\3\0\0" ) ) == 0x0 00963 1736 NtResumeThread (244, ... 1, ) == 0x0 00964 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34406400, 1048576, ) == 0x0 00965 1736 NtAllocateVirtualMemory (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0 00966 1736 NtProtectVirtualMemory (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0 00967 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... }, ... 00968 900 NtWaitForSingleObject (88, 0, 0x0, ... 00967 2020 NtOpenKey ... 248, ) == 0x0 00969 2020 NtQueryValueKey (248, (248, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00970 2020 NtClose (248, ... ) == 0x0 00971 2020 NtClose (212, ... ) == 0x0 00972 2020 NtClose (216, ... 
) == 0x0 00973 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 216, ) }, ... 216, ) == 0x0 00974 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 1388}, ) == 0x0 00975 1736 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0 00976 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0l\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75512, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0l\5\0\0" ) ) == 0x0 00977 1736 NtResumeThread (212, ... 1, ) == 0x0 00978 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0 00979 1736 NtAllocateVirtualMemory (-1, 36495360, 0, 8192, 4096, 4, ... 00980 2020 NtQueryValueKey (216, (216, "DnsQueryTimeouts", Partial, 144, ... , Partial, 144, ... 00981 1388 NtWaitForSingleObject (88, 0, 0x0, ... 00980 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00982 2020 NtQueryValueKey (216, (216, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00983 2020 NtQueryValueKey (216, (216, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 2020 NtClose (216, ... ) == 0x0 00985 2020 NtSetEventBoostPriority (88, ... 00790 1732 NtWaitForSingleObject ... ) == 0x0 00986 1732 NtSetEventBoostPriority (88, ... 00811 1300 NtWaitForSingleObject ... ) == 0x0 00987 1300 NtSetEventBoostPriority (88, ... 00821 220 NtWaitForSingleObject ... 
) == 0x0 00988 220 NtSetEventBoostPriority (88, ... 00833 1132 NtWaitForSingleObject ... ) == 0x0 00989 1132 NtSetEventBoostPriority (88, ... 00845 948 NtWaitForSingleObject ... ) == 0x0 00990 948 NtSetEventBoostPriority (88, ... 00863 1064 NtWaitForSingleObject ... ) == 0x0 00991 1064 NtSetEventBoostPriority (88, ... 00875 188 NtWaitForSingleObject ... ) == 0x0 00992 188 NtSetEventBoostPriority (88, ... 00897 1600 NtWaitForSingleObject ... ) == 0x0 00993 1600 NtSetEventBoostPriority (88, ... 00909 1372 NtWaitForSingleObject ... ) == 0x0 00994 1372 NtSetEventBoostPriority (88, ... 00922 2040 NtWaitForSingleObject ... ) == 0x0 00995 2040 NtSetEventBoostPriority (88, ... 00934 216 NtWaitForSingleObject ... ) == 0x0 00996 216 NtSetEventBoostPriority (88, ... 00956 152 NtWaitForSingleObject ... ) == 0x0 00997 152 NtSetEventBoostPriority (88, ... 00968 900 NtWaitForSingleObject ... ) == 0x0 00998 900 NtSetEventBoostPriority (88, ... 00981 1388 NtWaitForSingleObject ... ) == 0x0 00999 1388 NtTestAlert (... ) == 0x0 00998 900 NtSetEventBoostPriority ... ) == 0x0 00997 152 NtSetEventBoostPriority ... ) == 0x0 00996 216 NtSetEventBoostPriority ... ) == 0x0 00995 2040 NtSetEventBoostPriority ... ) == 0x0 00994 1372 NtSetEventBoostPriority ... ) == 0x0 00993 1600 NtSetEventBoostPriority ... ) == 0x0 00992 188 NtSetEventBoostPriority ... ) == 0x0 00991 1064 NtSetEventBoostPriority ... ) == 0x0 00990 948 NtSetEventBoostPriority ... ) == 0x0 00989 1132 NtSetEventBoostPriority ... ) == 0x0 00988 220 NtSetEventBoostPriority ... ) == 0x0 00987 1300 NtSetEventBoostPriority ... ) == 0x0 00986 1732 NtSetEventBoostPriority ... ) == 0x0 00985 2020 NtSetEventBoostPriority ... ) == 0x0 00979 1736 NtAllocateVirtualMemory ... 36495360, 8192, ) == 0x0 01000 1388 NtContinue (35454256, 1, ... 01001 900 NtTestAlert (... 01002 152 NtTestAlert (... 01003 216 NtTestAlert (... 01004 2040 NtTestAlert (... 01005 1372 NtTestAlert (... 01006 1600 NtTestAlert (... 01007 188 NtTestAlert (... 
01008 1064 NtTestAlert (... 01009 948 NtTestAlert (... 01010 1132 NtTestAlert (... 01011 220 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01012 1300 NtTestAlert (... 01013 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01014 1736 NtProtectVirtualMemory (-1, (0x22ce000), 4096, 260, ... 01015 1388 NtRegisterThreadTerminatePort (24, ... 01001 900 NtTestAlert ... ) == 0x0 01002 152 NtTestAlert ... ) == 0x0 01003 216 NtTestAlert ... ) == 0x0 01004 2040 NtTestAlert ... ) == 0x0 01005 1372 NtTestAlert ... ) == 0x0 01006 1600 NtTestAlert ... ) == 0x0 01007 188 NtTestAlert ... ) == 0x0 01008 1064 NtTestAlert ... ) == 0x0 01009 948 NtTestAlert ... ) == 0x0 01010 1132 NtTestAlert ... ) == 0x0 01011 220 NtCreateEvent ... 216, ) == 0x0 01012 1300 NtTestAlert ... ) == 0x0 01013 2020 NtCreateEvent ... 248, ) == 0x0 01014 1736 NtProtectVirtualMemory ... (0x22ce000), 4096, 4, ) == 0x0 01015 1388 NtRegisterThreadTerminatePort ... ) == 0x0 01016 900 NtContinue (34405680, 1, ... 01017 152 NtContinue (33357104, 1, ... 01018 216 NtContinue (32308528, 1, ... 01019 2040 NtContinue (31259952, 1, ... 01020 1372 NtContinue (30211376, 1, ... 01021 1600 NtContinue (29162800, 1, ... 01022 188 NtContinue (28114224, 1, ... 01023 1064 NtContinue (27065648, 1, ... 01024 948 NtContinue (26017072, 1, ... 01025 1132 NtContinue (24968496, 1, ... 01026 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01027 1300 NtContinue (23919920, 1, ... 01028 1732 NtTestAlert (... 01029 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01030 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01031 900 NtRegisterThreadTerminatePort (24, ... 01032 152 NtRegisterThreadTerminatePort (24, ... 01033 216 NtRegisterThreadTerminatePort (24, ... 01034 2040 NtRegisterThreadTerminatePort (24, ... 01035 1372 NtRegisterThreadTerminatePort (24, ... 01036 1600 NtRegisterThreadTerminatePort (24, ... 01037 188 NtRegisterThreadTerminatePort (24, ... 01038 1064 NtRegisterThreadTerminatePort (24, ... 
01039 948 NtRegisterThreadTerminatePort (24, ... 01040 1132 NtRegisterThreadTerminatePort (24, ... 01026 220 NtDuplicateObject ... 252, ) == 0x0 01041 1300 NtRegisterThreadTerminatePort (24, ... 01028 1732 NtTestAlert ... ) == 0x0 01029 1736 NtCreateThread ... 256, {1636, 2036}, ) == 0x0 01030 1388 NtDuplicateObject ... 260, ) == 0x0 01031 900 NtRegisterThreadTerminatePort ... ) == 0x0 01032 152 NtRegisterThreadTerminatePort ... ) == 0x0 01033 216 NtRegisterThreadTerminatePort ... ) == 0x0 01034 2040 NtRegisterThreadTerminatePort ... ) == 0x0 01035 1372 NtRegisterThreadTerminatePort ... ) == 0x0 01036 1600 NtRegisterThreadTerminatePort ... ) == 0x0 01037 188 NtRegisterThreadTerminatePort ... ) == 0x0 01038 1064 NtRegisterThreadTerminatePort ... ) == 0x0 01039 948 NtRegisterThreadTerminatePort ... ) == 0x0 01040 1132 NtRegisterThreadTerminatePort ... ) == 0x0 01042 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01041 1300 NtRegisterThreadTerminatePort ... ) == 0x0 01043 1732 NtContinue (22871344, 1, ... 01044 1736 NtQueryInformationThread (256, Basic, 28, ... 01045 1388 NtWaitForSingleObject (64, 0, {0, 0}, ... 01046 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01047 152 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01048 216 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01049 2040 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01050 1372 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01051 1600 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01052 188 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01053 1064 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01054 948 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01055 1132 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01056 1300 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01057 1732 NtRegisterThreadTerminatePort (24, ... 01058 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01042 220 NtOpenKey ... 264, ) == 0x0 01044 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=2036,}, 0x0, ) == 0x0 01045 1388 NtWaitForSingleObject ... ) == 0x102 01046 900 NtDuplicateObject ... 268, ) == 0x0 01047 152 NtDuplicateObject ... 272, ) == 0x0 01048 216 NtDuplicateObject ... 276, ) == 0x0 01049 2040 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01050 1372 NtCreateEvent ... 280, ) == 0x0 01051 1600 NtCreateEvent ... 284, ) == 0x0 01052 188 NtCreateEvent ... 288, ) == 0x0 01053 1064 NtCreateEvent ... 292, ) == 0x0 01054 948 NtCreateEvent ... 296, ) == 0x0 01055 1132 NtCreateEvent ... 300, ) == 0x0 01057 1732 NtRegisterThreadTerminatePort ... ) == 0x0 01058 2020 NtDuplicateObject ... 304, ) == 0x0 01059 220 NtQueryValueKey (264, (264, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01060 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\364\7\0\0" ... ... 01061 1388 NtWaitForSingleObject (128, 0, 0x0, ... 01062 900 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01063 152 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01064 216 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01065 2040 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01066 1372 NtWaitForSingleObject (280, 0, 0x0, ... 01067 1600 NtClose (284, ... 01068 188 NtClose (288, ... 01069 1064 NtClose (292, ... 01070 948 NtClose (296, ... 01071 1132 NtClose (300, ... 01072 1732 NtWaitForSingleObject (280, 0, 0x0, ... 01073 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01059 220 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01060 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75513, 0} ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\364\7\0\0" ) ) == 0x0 01062 900 NtCreateEvent ... 308, ) == 0x0 01063 152 NtCreateEvent ... 312, ) == 0x0 01064 216 NtCreateEvent ... 316, ) == 0x0 01065 2040 NtCreateEvent ... 320, ) == 0x0 01067 1600 NtClose ... 
) == 0x0 01068 188 NtClose ... ) == 0x0 01069 1064 NtClose ... ) == 0x0 01070 948 NtClose ... ) == 0x0 01071 1132 NtClose ... ) == 0x0 01056 1300 NtCreateEvent ... 300, ) == 0x0 01074 220 NtClose (264, ... 01075 1736 NtResumeThread (256, ... 01076 900 NtClose (308, ... 01077 152 NtClose (312, ... 01078 216 NtClose (316, ... 01079 2040 NtClose (320, ... 01080 1600 NtWaitForSingleObject (280, 0, 0x0, ... 01081 188 NtWaitForSingleObject (280, 0, 0x0, ... 01082 1064 NtWaitForSingleObject (280, 0, 0x0, ... 01083 948 NtWaitForSingleObject (280, 0, 0x0, ... 01084 1132 NtWaitForSingleObject (280, 0, 0x0, ... 01085 1300 NtClose (300, ... 01074 220 NtClose ... ) == 0x0 01075 1736 NtResumeThread ... 1, ) == 0x0 01076 900 NtClose ... ) == 0x0 01077 152 NtClose ... ) == 0x0 01078 216 NtClose ... ) == 0x0 01079 2040 NtClose ... ) == 0x0 01085 1300 NtClose ... ) == 0x0 01086 220 NtWaitForSingleObject (280, 0, 0x0, ... 01087 2036 NtAllocateVirtualMemory (-1, 8867840, 0, 4096, 4096, 4, ... 01088 900 NtWaitForSingleObject (280, 0, 0x0, ... 01089 152 NtWaitForSingleObject (280, 0, 0x0, ... 01090 216 NtWaitForSingleObject (280, 0, 0x0, ... 01091 2040 NtSetEventBoostPriority (280, ... 01092 1300 NtWaitForSingleObject (280, 0, 0x0, ... 01093 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01087 2036 NtAllocateVirtualMemory ... 8867840, 4096, ) == 0x0 01093 1736 NtAllocateVirtualMemory ... 36503552, 1048576, ) == 0x0 01094 2036 NtTestAlert (... 01095 1736 NtAllocateVirtualMemory (-1, 37543936, 0, 8192, 4096, 4, ... 01094 2036 NtTestAlert ... ) == 0x0 01095 1736 NtAllocateVirtualMemory ... 37543936, 8192, ) == 0x0 01096 2036 NtContinue (36502832, 1, ... 01097 1736 NtProtectVirtualMemory (-1, (0x23ce000), 4096, 260, ... 01066 1372 NtWaitForSingleObject ... ) == 0x0 01091 2040 NtSetEventBoostPriority ... ) == 0x0 01097 1736 NtProtectVirtualMemory ... (0x23ce000), 4096, 4, ) == 0x0 01098 1372 NtSetEventBoostPriority (280, ... 
01099 2040 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01100 2036 NtRegisterThreadTerminatePort (24, ... 01073 2020 NtWaitForSingleObject ... ) == 0x0 01098 1372 NtSetEventBoostPriority ... ) == 0x0 01099 2040 NtDuplicateObject ... 300, ) == 0x0 01101 2020 NtSetEventBoostPriority (280, ... 01100 2036 NtRegisterThreadTerminatePort ... ) == 0x0 01102 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01080 1600 NtWaitForSingleObject ... ) == 0x0 01101 2020 NtSetEventBoostPriority ... ) == 0x0 01103 2040 NtWaitForSingleObject (280, 0, 0x0, ... 01104 2036 NtWaitForSingleObject (280, 0, 0x0, ... 01105 1600 NtSetEventBoostPriority (280, ... 01102 1736 NtCreateThread ... 320, {1636, 1884}, ) == 0x0 01106 1372 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01081 188 NtWaitForSingleObject ... ) == 0x0 01105 1600 NtSetEventBoostPriority ... ) == 0x0 01107 1736 NtQueryInformationThread (320, Basic, 28, ... 01108 188 NtSetEventBoostPriority (280, ... 01106 1372 NtDuplicateObject ... 316, ) == 0x0 01109 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01082 1064 NtWaitForSingleObject ... ) == 0x0 01108 188 NtSetEventBoostPriority ... ) == 0x0 01107 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0 01110 1372 NtWaitForSingleObject (280, 0, 0x0, ... 01111 1064 NtSetEventBoostPriority (280, ... 01112 1600 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01113 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0d\6\0\0\\7\0\0" ... ... 01083 948 NtWaitForSingleObject ... ) == 0x0 01111 1064 NtSetEventBoostPriority ... ) == 0x0 01112 1600 NtDuplicateObject ... 312, ) == 0x0 01114 948 NtSetEventBoostPriority (280, ... 01113 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75514, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0d\6\0\0\\7\0\0" ) ) == 0x0 01115 188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01084 1132 NtWaitForSingleObject ... ) == 0x0 01114 948 NtSetEventBoostPriority ... ) == 0x0 01116 1600 NtWaitForSingleObject (280, 0, 0x0, ... 01117 1736 NtResumeThread (320, ... 01118 1132 NtSetEventBoostPriority (280, ... 01115 188 NtDuplicateObject ... 308, ) == 0x0 01119 1064 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01072 1732 NtWaitForSingleObject ... ) == 0x0 01118 1132 NtSetEventBoostPriority ... ) == 0x0 01117 1736 NtResumeThread ... 1, ) == 0x0 01120 188 NtWaitForSingleObject (280, 0, 0x0, ... 01121 1732 NtSetEventBoostPriority (280, ... 01119 1064 NtDuplicateObject ... 264, ) == 0x0 01122 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01123 1884 NtTestAlert (... 01124 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01086 220 NtWaitForSingleObject ... ) == 0x0 01125 1064 NtWaitForSingleObject (280, 0, 0x0, ... 01122 948 NtDuplicateObject ... 296, ) == 0x0 01123 1884 NtTestAlert ... ) == 0x0 01124 1736 NtAllocateVirtualMemory ... 37552128, 1048576, ) == 0x0 01126 220 NtSetEventBoostPriority (280, ... 01127 948 NtWaitForSingleObject (280, 0, 0x0, ... 01128 1884 NtContinue (37551408, 1, ... 01129 1736 NtAllocateVirtualMemory (-1, 38592512, 0, 8192, 4096, 4, ... 01088 900 NtWaitForSingleObject ... ) == 0x0 01130 1884 NtRegisterThreadTerminatePort (24, ... 01126 220 NtSetEventBoostPriority ... ) == 0x0 01121 1732 NtSetEventBoostPriority ... ) == 0x0 01131 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01132 900 NtSetEventBoostPriority (280, ... 01130 1884 NtRegisterThreadTerminatePort ... ) == 0x0 01133 220 NtOpenThreadToken (-2, 0xc, 1, ... 01134 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01131 1132 NtDuplicateObject ... 292, ) == 0x0 01089 152 NtWaitForSingleObject ... ) == 0x0 01132 900 NtSetEventBoostPriority ... ) == 0x0 01129 1736 NtAllocateVirtualMemory ... 
38592512, 8192, ) == 0x0 01133 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01134 1732 NtDuplicateObject ... 288, ) == 0x0 01135 1132 NtWaitForSingleObject (280, 0, 0x0, ... 01136 152 NtSetEventBoostPriority (280, ... 01137 900 NtWaitForSingleObject (280, 0, 0x0, ... 01138 1736 NtProtectVirtualMemory (-1, (0x24ce000), 4096, 260, ... 01139 1884 NtWaitForSingleObject (280, 0, 0x0, ... 01140 220 NtOpenThreadToken (-2, 0x20008, 1, ... 01090 216 NtWaitForSingleObject ... ) == 0x0 01138 1736 NtProtectVirtualMemory ... (0x24ce000), 4096, 4, ) == 0x0 01140 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01141 216 NtSetEventBoostPriority (280, ... 01142 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01143 220 NtWaitForSingleObject (280, 0, 0x0, ... 01092 1300 NtWaitForSingleObject ... ) == 0x0 01142 1736 NtCreateThread ... 284, {1636, 248}, ) == 0x0 01144 1300 NtSetEventBoostPriority (280, ... 01145 1736 NtQueryInformationThread (284, Basic, 28, ... 01103 2040 NtWaitForSingleObject ... ) == 0x0 01144 1300 NtSetEventBoostPriority ... ) == 0x0 01141 216 NtSetEventBoostPriority ... ) == 0x0 01136 152 NtSetEventBoostPriority ... ) == 0x0 01146 1732 NtWaitForSingleObject (280, 0, 0x0, ... 01147 2040 NtSetEventBoostPriority (280, ... 01145 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=248,}, 0x0, ) == 0x0 01148 216 NtWaitForSingleObject (280, 0, 0x0, ... 01149 152 NtWaitForSingleObject (280, 0, 0x0, ... 01104 2036 NtWaitForSingleObject ... ) == 0x0 01147 2040 NtSetEventBoostPriority ... ) == 0x0 01150 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0\370\0\0\0" ... ... 01151 2036 NtSetEventBoostPriority (280, ... 01152 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01109 2020 NtWaitForSingleObject ... ) == 0x0 01151 2036 NtSetEventBoostPriority ... ) == 0x0 01150 1736 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1636, 1736, 75515, 0} ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0\370\0\0\0" ) ) == 0x0 01153 2020 NtSetEventBoostPriority (280, ... 01152 1300 NtDuplicateObject ... 324, ) == 0x0 01154 2040 NtWaitForSingleObject (280, 0, 0x0, ... 01110 1372 NtWaitForSingleObject ... ) == 0x0 01153 2020 NtSetEventBoostPriority ... ) == 0x0 01155 1736 NtResumeThread (284, ... 01156 1300 NtWaitForSingleObject (280, 0, 0x0, ... 01157 1372 NtSetEventBoostPriority (280, ... 01158 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01155 1736 NtResumeThread ... 1, ) == 0x0 01116 1600 NtWaitForSingleObject ... ) == 0x0 01157 1372 NtSetEventBoostPriority ... ) == 0x0 01159 2036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01160 248 NtTestAlert (... 01161 1600 NtSetEventBoostPriority (280, ... 01162 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01159 2036 NtDuplicateObject ... 328, ) == 0x0 01120 188 NtWaitForSingleObject ... ) == 0x0 01161 1600 NtSetEventBoostPriority ... ) == 0x0 01160 248 NtTestAlert ... ) == 0x0 01162 1736 NtAllocateVirtualMemory ... 38600704, 1048576, ) == 0x0 01163 188 NtSetEventBoostPriority (280, ... 01164 2036 NtWaitForSingleObject (280, 0, 0x0, ... 01165 1372 NtWaitForSingleObject (280, 0, 0x0, ... 01166 248 NtContinue (38599984, 1, ... 01125 1064 NtWaitForSingleObject ... ) == 0x0 01163 188 NtSetEventBoostPriority ... ) == 0x0 01167 1736 NtAllocateVirtualMemory (-1, 39641088, 0, 8192, 4096, 4, ... 01168 1064 NtSetEventBoostPriority (280, ... 01169 248 NtRegisterThreadTerminatePort (24, ... 01170 1600 NtWaitForSingleObject (280, 0, 0x0, ... 01127 948 NtWaitForSingleObject ... ) == 0x0 01168 1064 NtSetEventBoostPriority ... ) == 0x0 01167 1736 NtAllocateVirtualMemory ... 39641088, 8192, ) == 0x0 01169 248 NtRegisterThreadTerminatePort ... ) == 0x0 01171 948 NtSetEventBoostPriority (280, ... 01172 188 NtWaitForSingleObject (280, 0, 0x0, ... 
01173 1736 NtProtectVirtualMemory (-1, (0x25ce000), 4096, 260, ... 01174 1064 NtWaitForSingleObject (280, 0, 0x0, ... 01135 1132 NtWaitForSingleObject ... ) == 0x0 01171 948 NtSetEventBoostPriority ... ) == 0x0 01173 1736 NtProtectVirtualMemory ... (0x25ce000), 4096, 4, ) == 0x0 01175 1132 NtSetEventBoostPriority (280, ... 01176 248 NtWaitForSingleObject (280, 0, 0x0, ... 01177 948 NtWaitForSingleObject (280, 0, 0x0, ... 01137 900 NtWaitForSingleObject ... ) == 0x0 01175 1132 NtSetEventBoostPriority ... ) == 0x0 01178 900 NtSetEventBoostPriority (280, ... 01179 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01139 1884 NtWaitForSingleObject ... ) == 0x0 01178 900 NtSetEventBoostPriority ... ) == 0x0 01180 1884 NtSetEventBoostPriority (280, ... 01179 1736 NtCreateThread ... 332, {1636, 1652}, ) == 0x0 01181 1132 NtWaitForSingleObject (280, 0, 0x0, ... 01143 220 NtWaitForSingleObject ... ) == 0x0 01180 1884 NtSetEventBoostPriority ... ) == 0x0 01182 1736 NtQueryInformationThread (332, Basic, 28, ... 01183 220 NtSetEventBoostPriority (280, ... 01184 1884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01146 1732 NtWaitForSingleObject ... ) == 0x0 01183 220 NtSetEventBoostPriority ... ) == 0x0 01182 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0 01185 900 NtWaitForSingleObject (280, 0, 0x0, ... 01186 1732 NtSetEventBoostPriority (280, ... 01184 1884 NtDuplicateObject ... 336, ) == 0x0 01187 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0t\6\0\0" ... ... 01148 216 NtWaitForSingleObject ... ) == 0x0 01186 1732 NtSetEventBoostPriority ... ) == 0x0 01188 1884 NtWaitForSingleObject (280, 0, 0x0, ... 01189 216 NtSetEventBoostPriority (280, ... 01190 1732 NtWaitForSingleObject (280, 0, 0x0, ... 01149 152 NtWaitForSingleObject ... ) == 0x0 01189 216 NtSetEventBoostPriority ... 
) == 0x0 01191 220 NtWaitForSingleObject (280, 0, 0x0, ... 01187 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75516, 0} ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0t\6\0\0" ) ) == 0x0 01192 152 NtSetEventBoostPriority (280, ... 01154 2040 NtWaitForSingleObject ... ) == 0x0 01193 2040 NtSetEventBoostPriority (280, ... 01156 1300 NtWaitForSingleObject ... ) == 0x0 01194 1300 NtSetEventBoostPriority (280, ... 01158 2020 NtWaitForSingleObject ... ) == 0x0 01195 2020 NtSetEventBoostPriority (280, ... 01164 2036 NtWaitForSingleObject ... ) == 0x0 01196 2036 NtSetEventBoostPriority (280, ... 01165 1372 NtWaitForSingleObject ... ) == 0x0 01197 1372 NtSetEventBoostPriority (280, ... 01170 1600 NtWaitForSingleObject ... ) == 0x0 01198 1600 NtSetEventBoostPriority (280, ... 01172 188 NtWaitForSingleObject ... ) == 0x0 01199 188 NtSetEventBoostPriority (280, ... 01174 1064 NtWaitForSingleObject ... ) == 0x0 01200 1064 NtSetEventBoostPriority (280, ... 01176 248 NtWaitForSingleObject ... ) == 0x0 01201 248 NtSetEventBoostPriority (280, ... 01177 948 NtWaitForSingleObject ... ) == 0x0 01202 948 NtSetEventBoostPriority (280, ... 01181 1132 NtWaitForSingleObject ... ) == 0x0 01203 1132 NtSetEventBoostPriority (280, ... 01185 900 NtWaitForSingleObject ... ) == 0x0 01204 900 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01205 900 NtSetEventBoostPriority (280, ... 01203 1132 NtSetEventBoostPriority ... ) == 0x0 01202 948 NtSetEventBoostPriority ... ) == 0x0 01201 248 NtSetEventBoostPriority ... ) == 0x0 01200 1064 NtSetEventBoostPriority ... ) == 0x0 01199 188 NtSetEventBoostPriority ... ) == 0x0 01198 1600 NtSetEventBoostPriority ... ) == 0x0 01197 1372 NtSetEventBoostPriority ... ) == 0x0 01196 2036 NtSetEventBoostPriority ... ) == 0x0 01194 1300 NtSetEventBoostPriority ... ) == 0x0 01193 2040 NtSetEventBoostPriority ... ) == 0x0 01192 152 NtSetEventBoostPriority ... 
) == 0x0 01206 1736 NtResumeThread (332, ... 01195 2020 NtSetEventBoostPriority ... ) == 0x0 01207 216 NtWaitForSingleObject (280, 0, 0x0, ... 01208 1132 NtWaitForSingleObject (280, 0, 0x0, ... 01209 948 NtWaitForSingleObject (280, 0, 0x0, ... 01210 248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01211 1064 NtWaitForSingleObject (280, 0, 0x0, ... 01212 188 NtWaitForSingleObject (280, 0, 0x0, ... 01213 1600 NtWaitForSingleObject (280, 0, 0x0, ... 01214 1372 NtWaitForSingleObject (280, 0, 0x0, ... 01188 1884 NtWaitForSingleObject ... ) == 0x0 01205 900 NtSetEventBoostPriority ... ) == 0x0 01215 2036 NtWaitForSingleObject (280, 0, 0x0, ... 01216 2040 NtWaitForSingleObject (280, 0, 0x0, ... 01217 1300 NtWaitForSingleObject (280, 0, 0x0, ... 01206 1736 NtResumeThread ... 1, ) == 0x0 01218 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01219 152 NtWaitForSingleObject (280, 0, 0x0, ... 01220 1652 NtTestAlert (... 01210 248 NtDuplicateObject ... 340, ) == 0x0 01221 1884 NtSetEventBoostPriority (280, ... 01222 900 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01223 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01220 1652 NtTestAlert ... ) == 0x0 01224 248 NtWaitForSingleObject (280, 0, 0x0, ... 01190 1732 NtWaitForSingleObject ... ) == 0x0 01221 1884 NtSetEventBoostPriority ... ) == 0x0 01222 900 NtCreateEvent ... 344, ) == 0x0 01223 1736 NtAllocateVirtualMemory ... 39649280, 1048576, ) == 0x0 01225 1652 NtContinue (39648560, 1, ... 01226 1732 NtSetEventBoostPriority (280, ... 01227 900 NtWaitForSingleObject (344, 0, 0x0, ... 01228 1736 NtAllocateVirtualMemory (-1, 40689664, 0, 8192, 4096, 4, ... 01191 220 NtWaitForSingleObject ... ) == 0x0 01229 1652 NtRegisterThreadTerminatePort (24, ... 01226 1732 NtSetEventBoostPriority ... ) == 0x0 01230 1884 NtWaitForSingleObject (280, 0, 0x0, ... 01231 220 NtSetEventBoostPriority (280, ... 01229 1652 NtRegisterThreadTerminatePort ... ) == 0x0 01232 1732 NtWaitForSingleObject (280, 0, 0x0, ... 
01207 216 NtWaitForSingleObject ... ) == 0x0 01231 220 NtSetEventBoostPriority ... ) == 0x0 01228 1736 NtAllocateVirtualMemory ... 40689664, 8192, ) == 0x0 01233 216 NtSetEventBoostPriority (280, ... 01234 220 NtSetEventBoostPriority (344, ... 01208 1132 NtWaitForSingleObject ... ) == 0x0 01233 216 NtSetEventBoostPriority ... ) == 0x0 01235 1736 NtProtectVirtualMemory (-1, (0x26ce000), 4096, 260, ... 01236 1652 NtWaitForSingleObject (280, 0, 0x0, ... 01237 1132 NtSetEventBoostPriority (280, ... 01238 216 NtWaitForSingleObject (344, 0, 0x0, ... 01235 1736 NtProtectVirtualMemory ... (0x26ce000), 4096, 4, ) == 0x0 01209 948 NtWaitForSingleObject ... ) == 0x0 01237 1132 NtSetEventBoostPriority ... ) == 0x0 01227 900 NtWaitForSingleObject ... ) == 0x0 01234 220 NtSetEventBoostPriority ... ) == 0x0 01239 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01240 948 NtSetEventBoostPriority (280, ... 01241 1132 NtWaitForSingleObject (344, 0, 0x0, ... 01242 900 NtWaitForSingleObject (280, 0, 0x0, ... 01243 220 NtWaitForSingleObject (344, 0, 0x0, ... 01239 1736 NtCreateThread ... 348, {1636, 588}, ) == 0x0 01211 1064 NtWaitForSingleObject ... ) == 0x0 01244 1736 NtQueryInformationThread (348, Basic, 28, ... 01245 1064 NtSetEventBoostPriority (280, ... 01240 948 NtSetEventBoostPriority ... ) == 0x0 01212 188 NtWaitForSingleObject ... ) == 0x0 01246 948 NtWaitForSingleObject (344, 0, 0x0, ... 01247 188 NtSetEventBoostPriority (280, ... 01213 1600 NtWaitForSingleObject ... ) == 0x0 01248 1600 NtSetEventBoostPriority (280, ... 01215 2036 NtWaitForSingleObject ... ) == 0x0 01249 2036 NtSetEventBoostPriority (280, ... 01214 1372 NtWaitForSingleObject ... ) == 0x0 01250 1372 NtSetEventBoostPriority (280, ... 01217 1300 NtWaitForSingleObject ... ) == 0x0 01251 1300 NtSetEventBoostPriority (280, ... 01218 2020 NtWaitForSingleObject ... ) == 0x0 01252 2020 NtSetEventBoostPriority (280, ... 01219 152 NtWaitForSingleObject ... 
) == 0x0 01253 152 NtSetEventBoostPriority (280, ... 01224 248 NtWaitForSingleObject ... ) == 0x0 01254 248 NtSetEventBoostPriority (280, ... 01216 2040 NtWaitForSingleObject ... ) == 0x0 01255 2040 NtSetEventBoostPriority (280, ... 01230 1884 NtWaitForSingleObject ... ) == 0x0 01256 1884 NtSetEventBoostPriority (280, ... 01232 1732 NtWaitForSingleObject ... ) == 0x0 01257 1732 NtSetEventBoostPriority (280, ... 01236 1652 NtWaitForSingleObject ... ) == 0x0 01258 1652 NtSetEventBoostPriority (280, ... 01242 900 NtWaitForSingleObject ... ) == 0x0 01259 900 NtSetEventBoostPriority (344, ... 01241 1132 NtWaitForSingleObject ... ) == 0x0 01260 1132 NtSetEventBoostPriority (344, ... 01243 220 NtWaitForSingleObject ... ) == 0x0 01261 220 NtSetEventBoostPriority (344, ... 01238 216 NtWaitForSingleObject ... ) == 0x0 01262 216 NtSetEventBoostPriority (344, ... 01246 948 NtWaitForSingleObject ... ) == 0x0 01263 948 NtWaitForSingleObject (64, 0, {0, 0}, ... 01261 220 NtSetEventBoostPriority ... ) == 0x0 01260 1132 NtSetEventBoostPriority ... ) == 0x0 01259 900 NtSetEventBoostPriority ... ) == 0x0 01258 1652 NtSetEventBoostPriority ... ) == 0x0 01257 1732 NtSetEventBoostPriority ... ) == 0x0 01256 1884 NtSetEventBoostPriority ... ) == 0x0 01254 248 NtSetEventBoostPriority ... ) == 0x0 01253 152 NtSetEventBoostPriority ... ) == 0x0 01252 2020 NtSetEventBoostPriority ... ) == 0x0 01251 1300 NtSetEventBoostPriority ... ) == 0x0 01249 2036 NtSetEventBoostPriority ... ) == 0x0 01262 216 NtSetEventBoostPriority ... ) == 0x0 01255 2040 NtSetEventBoostPriority ... ) == 0x0 01250 1372 NtSetEventBoostPriority ... ) == 0x0 01248 1600 NtSetEventBoostPriority ... ) == 0x0 01247 188 NtSetEventBoostPriority ... ) == 0x0 01245 1064 NtSetEventBoostPriority ... ) == 0x0 01244 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=588,}, 0x0, ) == 0x0 01263 948 NtWaitForSingleObject ... 
) == 0x102 01264 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071600, ... }, 11071600, ... 01265 1132 NtWaitForSingleObject (64, 0, {0, 0}, ... 01266 1652 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01267 900 NtWaitForSingleObject (64, 0, {0, 0}, ... 01268 1884 NtWaitForSingleObject (64, 0, {0, 0}, ... 01269 1732 NtWaitForSingleObject (64, 0, {0, 0}, ... 01270 152 NtWaitForSingleObject (64, 0, {0, 0}, ... 01271 248 NtWaitForSingleObject (64, 0, {0, 0}, ... 01272 1300 NtWaitForSingleObject (64, 0, {0, 0}, ... 01273 2036 NtWaitForSingleObject (64, 0, {0, 0}, ... 01274 216 NtWaitForSingleObject (64, 0, {0, 0}, ... 01275 2040 NtWaitForSingleObject (64, 0, {0, 0}, ... 01276 1372 NtWaitForSingleObject (64, 0, {0, 0}, ... 01277 1600 NtWaitForSingleObject (64, 0, {0, 0}, ... 01278 188 NtWaitForSingleObject (64, 0, {0, 0}, ... 01279 1064 NtWaitForSingleObject (64, 0, {0, 0}, ... 01280 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0d\6\0\0L\2\0\0" ... ... 01281 948 NtWaitForSingleObject (128, 0, 0x0, ... 01264 220 NtQueryAttributesFile ... ) == 0x0 01265 1132 NtWaitForSingleObject ... ) == 0x102 01282 2020 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01267 900 NtWaitForSingleObject ... ) == 0x102 01266 1652 NtDuplicateObject ... 352, ) == 0x0 01269 1732 NtWaitForSingleObject ... ) == 0x102 01268 1884 NtWaitForSingleObject ... ) == 0x102 01271 248 NtWaitForSingleObject ... ) == 0x102 01270 152 NtWaitForSingleObject ... ) == 0x102 01272 1300 NtWaitForSingleObject ... ) == 0x102 01280 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75517, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0d\6\0\0L\2\0\0" ) ) == 0x0 01283 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01284 1132 NtWaitForSingleObject (128, 0, 0x0, ... 01282 2020 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01285 900 NtWaitForSingleObject (280, 0, 0x0, ... 01286 1652 NtWaitForSingleObject (280, 0, 0x0, ... 01287 1732 NtWaitForSingleObject (280, 0, 0x0, ... 01288 1884 NtWaitForSingleObject (280, 0, 0x0, ... 01289 248 NtWaitForSingleObject (280, 0, 0x0, ... 01290 152 NtWaitForSingleObject (280, 0, 0x0, ... 01291 1300 NtWaitForSingleObject (280, 0, 0x0, ... 01292 1736 NtResumeThread (348, ... 01283 220 NtOpenKey ... 356, ) == 0x0 01293 2020 NtSetEventBoostPriority (280, ... 01292 1736 NtResumeThread ... 1, ) == 0x0 01294 220 NtQueryValueKey (356, (356, "Transports", Partial, 144, ... , Partial, 144, ... 01285 900 NtWaitForSingleObject ... ) == 0x0 01293 2020 NtSetEventBoostPriority ... ) == 0x0 01273 2036 NtWaitForSingleObject ... ) == 0x102 01274 216 NtWaitForSingleObject ... ) == 0x102 01275 2040 NtWaitForSingleObject ... ) == 0x102 01276 1372 NtWaitForSingleObject ... ) == 0x102 01277 1600 NtWaitForSingleObject ... ) == 0x102 01278 188 NtWaitForSingleObject ... ) == 0x102 01279 1064 NtWaitForSingleObject ... ) == 0x102 01295 588 NtTestAlert (... 01296 900 NtSetEventBoostPriority (280, ... 01294 220 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01297 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01298 2036 NtWaitForSingleObject (280, 0, 0x0, ... 01299 216 NtWaitForSingleObject (280, 0, 0x0, ... 01300 2040 NtWaitForSingleObject (280, 0, 0x0, ... 01301 1372 NtWaitForSingleObject (280, 0, 0x0, ... 01302 1600 NtWaitForSingleObject (280, 0, 0x0, ... 
01303 188 NtWaitForSingleObject (280, 0, 0x0, ... 01304 1064 NtWaitForSingleObject (280, 0, 0x0, ... 01286 1652 NtWaitForSingleObject ... ) == 0x0 01296 900 NtSetEventBoostPriority ... ) == 0x0 01295 588 NtTestAlert ... ) == 0x0 01305 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01306 1652 NtSetEventBoostPriority (280, ... 01307 220 NtQueryValueKey (356, (356, "Transports", Partial, 144, ... , Partial, 144, ... 01308 588 NtContinue (40697136, 1, ... 01287 1732 NtWaitForSingleObject ... ) == 0x0 01306 1652 NtSetEventBoostPriority ... ) == 0x0 01305 1736 NtAllocateVirtualMemory ... 40697856, 1048576, ) == 0x0 01307 220 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01309 1732 NtSetEventBoostPriority (280, ... 01310 588 NtRegisterThreadTerminatePort (24, ... 01311 900 NtWaitForSingleObject (128, 0, 0x0, ... 01312 1736 NtAllocateVirtualMemory (-1, 41738240, 0, 8192, 4096, 4, ... 01288 1884 NtWaitForSingleObject ... ) == 0x0 01309 1732 NtSetEventBoostPriority ... ) == 0x0 01313 220 NtClose (356, ... 01310 588 NtRegisterThreadTerminatePort ... ) == 0x0 01314 1884 NtSetEventBoostPriority (280, ... 01312 1736 NtAllocateVirtualMemory ... 41738240, 8192, ) == 0x0 01315 1652 NtWaitForSingleObject (280, 0, 0x0, ... 01313 220 NtClose ... ) == 0x0 01316 1732 NtWaitForSingleObject (128, 0, 0x0, ... 01289 248 NtWaitForSingleObject ... ) == 0x0 01314 1884 NtSetEventBoostPriority ... ) == 0x0 01317 1736 NtProtectVirtualMemory (-1, (0x27ce000), 4096, 260, ... 01318 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01319 248 NtSetEventBoostPriority (280, ... 01320 588 NtWaitForSingleObject (280, 0, 0x0, ... 01317 1736 NtProtectVirtualMemory ... (0x27ce000), 4096, 4, ) == 0x0 01290 152 NtWaitForSingleObject ... 
) == 0x0 01319 248 NtSetEventBoostPriority ... ) == 0x0 01318 220 NtOpenKey ... 356, ) == 0x0 01321 1884 NtWaitForSingleObject (128, 0, 0x0, ... 01322 152 NtSetEventBoostPriority (280, ... 01323 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01324 248 NtWaitForSingleObject (128, 0, 0x0, ... 01291 1300 NtWaitForSingleObject ... ) == 0x0 01322 152 NtSetEventBoostPriority ... ) == 0x0 01323 1736 NtCreateThread ... 360, {1636, 1620}, ) == 0x0 01325 1300 NtSetEventBoostPriority (280, ... 01326 220 NtQueryValueKey (356, (356, "Mapping", Partial, 144, ... , Partial, 144, ... 01297 2020 NtWaitForSingleObject ... ) == 0x0 01325 1300 NtSetEventBoostPriority ... ) == 0x0 01327 1736 NtQueryInformationThread (360, Basic, 28, ... 01328 2020 NtSetEventBoostPriority (280, ... 01326 220 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01329 152 NtWaitForSingleObject (128, 0, 0x0, ... 01298 2036 NtWaitForSingleObject ... ) == 0x0 01328 2020 NtSetEventBoostPriority ... ) == 0x0 01327 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0 01330 220 NtWaitForSingleObject (280, 0, 0x0, ... 01331 2036 NtSetEventBoostPriority (280, ... 01332 1300 NtWaitForSingleObject (128, 0, 0x0, ... 01333 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0T\6\0\0" ... ... 01299 216 NtWaitForSingleObject ... ) == 0x0 01331 2036 NtSetEventBoostPriority ... ) == 0x0 01334 216 NtSetEventBoostPriority (280, ... 01333 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75518, 0} ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0T\6\0\0" ) ) == 0x0 01335 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01300 2040 NtWaitForSingleObject ... ) == 0x0 01334 216 NtSetEventBoostPriority ... ) == 0x0 01336 1736 NtResumeThread (360, ... 01337 2040 NtSetEventBoostPriority (280, ... 
01338 2036 NtWaitForSingleObject (128, 0, 0x0, ... 01301 1372 NtWaitForSingleObject ... ) == 0x0 01337 2040 NtSetEventBoostPriority ... ) == 0x0 01336 1736 NtResumeThread ... 1, ) == 0x0 01339 1372 NtSetEventBoostPriority (280, ... 01340 216 NtWaitForSingleObject (128, 0, 0x0, ... 01341 1620 NtTestAlert (... 01302 1600 NtWaitForSingleObject ... ) == 0x0 01339 1372 NtSetEventBoostPriority ... ) == 0x0 01342 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01343 1600 NtSetEventBoostPriority (280, ... 01341 1620 NtTestAlert ... ) == 0x0 01344 2040 NtWaitForSingleObject (128, 0, 0x0, ... 01303 188 NtWaitForSingleObject ... ) == 0x0 01343 1600 NtSetEventBoostPriority ... ) == 0x0 01342 1736 NtAllocateVirtualMemory ... 41746432, 1048576, ) == 0x0 01345 1620 NtContinue (41745712, 1, ... 01346 188 NtSetEventBoostPriority (280, ... 01347 1372 NtWaitForSingleObject (128, 0, 0x0, ... 01348 1736 NtAllocateVirtualMemory (-1, 42786816, 0, 8192, 4096, 4, ... 01304 1064 NtWaitForSingleObject ... ) == 0x0 01346 188 NtSetEventBoostPriority ... ) == 0x0 01349 1620 NtRegisterThreadTerminatePort (24, ... 01350 1600 NtWaitForSingleObject (128, 0, 0x0, ... 01351 1064 NtSetEventBoostPriority (280, ... 01348 1736 NtAllocateVirtualMemory ... 42786816, 8192, ) == 0x0 01349 1620 NtRegisterThreadTerminatePort ... ) == 0x0 01315 1652 NtWaitForSingleObject ... ) == 0x0 01351 1064 NtSetEventBoostPriority ... ) == 0x0 01352 1736 NtProtectVirtualMemory (-1, (0x28ce000), 4096, 260, ... 01353 188 NtWaitForSingleObject (128, 0, 0x0, ... 01354 1652 NtSetEventBoostPriority (280, ... 01355 1620 NtWaitForSingleObject (280, 0, 0x0, ... 01352 1736 NtProtectVirtualMemory ... (0x28ce000), 4096, 4, ) == 0x0 01320 588 NtWaitForSingleObject ... ) == 0x0 01354 1652 NtSetEventBoostPriority ... ) == 0x0 01356 588 NtSetEventBoostPriority (280, ... 01357 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01330 220 NtWaitForSingleObject ... ) == 0x0 01356 588 NtSetEventBoostPriority ... 
) == 0x0 01358 1652 NtWaitForSingleObject (280, 0, 0x0, ... 01359 220 NtSetEventBoostPriority (280, ... 01357 1736 NtCreateThread ... 364, {1636, 1588}, ) == 0x0 01360 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01361 1064 NtWaitForSingleObject (128, 0, 0x0, ... 01335 2020 NtWaitForSingleObject ... ) == 0x0 01359 220 NtSetEventBoostPriority ... ) == 0x0 01362 1736 NtQueryInformationThread (364, Basic, 28, ... 01363 2020 NtSetEventBoostPriority (280, ... 01360 588 NtDuplicateObject ... 368, ) == 0x0 01364 220 NtQueryValueKey (356, (356, "Mapping", Partial, 144, ... , Partial, 144, ... 01355 1620 NtWaitForSingleObject ... ) == 0x0 01363 2020 NtSetEventBoostPriority ... ) == 0x0 01365 588 NtWaitForSingleObject (280, 0, 0x0, ... 01366 1620 NtSetEventBoostPriority (280, ... 01364 220 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01367 2020 NtWaitForSingleObject (280, 0, 0x0, ... 01358 1652 NtWaitForSingleObject ... ) == 0x0 01366 1620 NtSetEventBoostPriority ... ) == 0x0 01368 220 NtWaitForSingleObject (280, 0, 0x0, ... 01362 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0 01369 1652 NtSetEventBoostPriority (280, ... 01370 1620 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01365 588 NtWaitForSingleObject ... ) == 0x0 01371 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\04\6\0\0" ... ... 01369 1652 NtSetEventBoostPriority ... ) == 0x0 01372 588 NtSetEventBoostPriority (280, ... 01371 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75519, 0} ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\04\6\0\0" ) ) == 0x0 01373 1652 NtWaitForSingleObject (344, 0, 0x0, ... 01368 220 NtWaitForSingleObject ... ) == 0x0 01372 588 NtSetEventBoostPriority ... ) == 0x0 01374 1736 NtResumeThread (364, ... 01375 220 NtSetEventBoostPriority (280, ... 
01370 1620 NtDuplicateObject ... 372, ) == 0x0 01367 2020 NtWaitForSingleObject ... ) == 0x0 01375 220 NtSetEventBoostPriority ... ) == 0x0 01374 1736 NtResumeThread ... 1, ) == 0x0 01376 2020 NtSetEventBoostPriority (344, ... 01377 1620 NtWaitForSingleObject (344, 0, 0x0, ... 01378 588 NtWaitForSingleObject (344, 0, 0x0, ... 01379 1588 NtTestAlert (... 01380 220 NtQueryValueKey (356, (356, "Mapping", Partial, 152, ... , Partial, 152, ... 01373 1652 NtWaitForSingleObject ... ) == 0x0 01379 1588 NtTestAlert ... ) == 0x0 01380 220 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01381 1652 NtSetEventBoostPriority (344, ... 01382 1588 NtContinue (42794288, 1, ... 01383 220 NtClose (356, ... 01377 1620 NtWaitForSingleObject ... ) == 0x0 01381 1652 NtSetEventBoostPriority ... ) == 0x0 01384 1588 NtRegisterThreadTerminatePort (24, ... 01385 1620 NtSetEventBoostPriority (344, ... 01383 220 NtClose ... ) == 0x0 01376 2020 NtSetEventBoostPriority ... ) == 0x0 01386 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01378 588 NtWaitForSingleObject ... ) == 0x0 01385 1620 NtSetEventBoostPriority ... ) == 0x0 01384 1588 NtRegisterThreadTerminatePort ... ) == 0x0 01387 220 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01388 2020 NtWaitForSingleObject (344, 0, 0x0, ... 01389 588 NtWaitForSingleObject (280, 0, 0x0, ... 01386 1736 NtAllocateVirtualMemory ... 42795008, 1048576, ) == 0x0 01390 1652 NtWaitForSingleObject (64, 0, {0, 0}, ... 01391 1620 NtWaitForSingleObject (64, 0, {0, 0}, ... 01387 220 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01392 1736 NtAllocateVirtualMemory (-1, 43835392, 0, 8192, 4096, 4, ... 
01390 1652 NtWaitForSingleObject ... ) == 0x102 01391 1620 NtWaitForSingleObject ... ) == 0x102 01393 1588 NtWaitForSingleObject (280, 0, 0x0, ... 01392 1736 NtAllocateVirtualMemory ... 43835392, 8192, ) == 0x0 01394 1652 NtWaitForSingleObject (128, 0, 0x0, ... 01395 1620 NtWaitForSingleObject (128, 0, 0x0, ... 01396 1736 NtProtectVirtualMemory (-1, (0x29ce000), 4096, 260, ... (0x29ce000), 4096, 4, ) == 0x0 01397 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 356, {1636, 2044}, ) == 0x0 01398 1736 NtQueryInformationThread (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0 01399 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0\374\7\0\0" ... ... 01400 220 NtSetEventBoostPriority (280, ... 01389 588 NtWaitForSingleObject ... ) == 0x0 01401 588 NtSetEventBoostPriority (280, ... 01393 1588 NtWaitForSingleObject ... ) == 0x0 01402 1588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 376, ) == 0x0 01403 1588 NtWaitForSingleObject (344, 0, 0x0, ... 01401 588 NtSetEventBoostPriority ... ) == 0x0 01400 220 NtSetEventBoostPriority ... ) == 0x0 01399 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75520, 0} ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0\374\7\0\0" ) ) == 0x0 01404 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01405 1736 NtResumeThread (356, ... 01404 220 NtOpenKey ... 380, ) == 0x0 01405 1736 NtResumeThread ... 1, ) == 0x0 01406 220 NtQueryValueKey (380, (380, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01407 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01406 220 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01407 1736 NtAllocateVirtualMemory ... 43843584, 1048576, ) == 0x0 01408 588 NtSetEventBoostPriority (344, ... 01409 2044 NtTestAlert (... 01410 1736 NtAllocateVirtualMemory (-1, 44883968, 0, 8192, 4096, 4, ... 01388 2020 NtWaitForSingleObject ... ) == 0x0 01408 588 NtSetEventBoostPriority ... ) == 0x0 01409 2044 NtTestAlert ... ) == 0x0 01411 220 NtQueryValueKey (380, (380, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01412 2020 NtSetEventBoostPriority (344, ... 01413 588 NtWaitForSingleObject (64, 0, {0, 0}, ... 01414 2044 NtContinue (43842864, 1, ... 01403 1588 NtWaitForSingleObject ... ) == 0x0 01412 2020 NtSetEventBoostPriority ... ) == 0x0 01411 220 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01413 588 NtWaitForSingleObject ... ) == 0x102 01415 1588 NtWaitForSingleObject (64, 0, {0, 0}, ... 01416 2044 NtRegisterThreadTerminatePort (24, ... 01410 1736 NtAllocateVirtualMemory ... 44883968, 8192, ) == 0x0 01417 220 NtQueryValueKey (380, (380, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01415 1588 NtWaitForSingleObject ... ) == 0x102 01418 588 NtWaitForSingleObject (128, 0, 0x0, ... 01416 2044 NtRegisterThreadTerminatePort ... ) == 0x0 01419 1736 NtProtectVirtualMemory (-1, (0x2ace000), 4096, 260, ... 01420 1588 NtWaitForSingleObject (128, 0, 0x0, ... 01417 220 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01421 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01419 1736 NtProtectVirtualMemory ... (0x2ace000), 4096, 4, ) == 0x0 01422 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01423 220 NtQueryValueKey (380, (380, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01421 2020 NtOpenFile ... 
384, {status=0x0, info=0}, ) == 0x0 01424 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01422 2044 NtDuplicateObject ... 388, ) == 0x0 01423 220 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01425 2020 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\230\320U0\17U\313tr\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01424 1736 NtCreateThread ... 392, {1636, 1376}, ) == 0x0 01426 2044 NtWaitForSingleObject (64, 0, {0, 0}, ... 01427 2020 NtQuerySystemInformation (TimeOfDay, 48, ... 01428 1736 NtQueryInformationThread (392, Basic, 28, ... 01426 2044 NtWaitForSingleObject ... ) == 0x102 01427 2020 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01429 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072556, ... }, 11072556, ... 01430 2044 NtWaitForSingleObject (128, 0, 0x0, ... 01431 2020 NtQuerySystemInformation (ProcessorTimes, 48, ... 01429 220 NtQueryAttributesFile ... ) == 0x0 01428 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0 01432 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 
01433 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0`\5\0\0" ... ... 01432 220 NtOpenFile ... 396, {status=0x0, info=1}, ) == 0x0 01433 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75521, 0} ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0`\5\0\0" ) ) == 0x0 01434 220 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 396, ... 01435 1736 NtResumeThread (392, ... 01434 220 NtCreateSection ... 400, ) == 0x0 01435 1736 NtResumeThread ... 1, ) == 0x0 01431 2020 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01436 220 NtClose (396, ... 01437 1376 NtWaitForSingleObject (88, 0, 0x0, ... 01438 2020 NtQuerySystemInformation (Performance, 312, ... 01436 220 NtClose ... ) == 0x0 01438 2020 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01439 220 NtMapViewOfSection (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01440 2020 NtQuerySystemInformation (Exception, 16, ... 01439 220 NtMapViewOfSection ... (0x860000), 0x0, 20480, ) == 0x0 01440 2020 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01441 220 NtClose (400, ... 01442 2020 NtQuerySystemInformation (Lookaside, 32, ... 01441 220 NtClose ... ) == 0x0 01443 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01442 2020 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01443 1736 NtAllocateVirtualMemory ... 44892160, 1048576, ) == 0x0 01444 2020 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01445 1736 NtAllocateVirtualMemory (-1, 45932544, 0, 8192, 4096, 4, ... 01444 2020 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01445 1736 NtAllocateVirtualMemory ... 45932544, 8192, ) == 0x0 01446 2020 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
01447 1736 NtProtectVirtualMemory (-1, (0x2bce000), 4096, 260, ... 01446 2020 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01447 1736 NtProtectVirtualMemory ... (0x2bce000), 4096, 4, ) == 0x0 01448 2020 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01449 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 400, {1636, 1368}, ) == 0x0 01450 1736 NtQueryInformationThread (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0 01451 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0d\6\0\0X\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0d\6\0\0X\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75522, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0d\6\0\0X\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0d\6\0\0X\5\0\0" ) ) == 0x0 01452 1736 NtResumeThread (400, ... 1, ) == 0x0 01453 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 45940736, 1048576, ) == 0x0 01454 1736 NtAllocateVirtualMemory (-1, 46981120, 0, 8192, 4096, 4, ... 01448 2020 NtCreateKey ... -2147482576, 2, ) == 0x0 01455 220 NtUnmapViewOfSection (-1, 0x860000, ... 01456 1368 NtWaitForSingleObject (88, 0, 0x0, ... 01457 2020 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\224\237n\252\201F\214rV3K\234\352|\347\323\302\235`V\201\310\36\277\277\330\315\335\323y\34\240\222\352\231\270\3018d\37G\15,\225\274LT\333\32\376G\231 f\331]\251\10\21\25\371\264z\343\352\244\360\221\221s\242X\275q\272\241\311b\350E", 80, ... 
, 0, 3, (-2147482576, "Seed", 0, 3, "\224\237n\252\201F\214rV3K\234\352|\347\323\302\235`V\201\310\36\277\277\330\315\335\323y\34\240\222\352\231\270\3018d\37G\15,\225\274LT\333\32\376G\231 f\331]\251\10\21\25\371\264z\343\352\244\360\221\221s\242X\275q\272\241\311b\350E", 80, ... , 80, ... 01455 220 NtUnmapViewOfSection ... ) == 0x0 01457 2020 NtSetValueKey ... ) == 0x0 01458 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072864, ... }, 11072864, ... 01459 2020 NtClose (-2147482576, ... 01458 220 NtQueryAttributesFile ... ) == 0x0 01459 2020 NtClose ... ) == 0x0 01454 1736 NtAllocateVirtualMemory ... 46981120, 8192, ) == 0x0 01425 2020 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "~\231a\5U\256\224\252\231w\4\374\366)e\325\355\352,QC\221\365%\204\271\22\246\221\361T\1#\203c\310\264\25B\0\351\327\4\207g^sm\366\251eu\326E\37aU\351\333\325x\17\351\344\329\4X\242$3\221\233\206\274G\243k\3\332\271\307\214Ic\345o\231\234j\261p<\346\203\267\341\350\357\270k,\17\220~"Tr\36\334\2737\344\263%W\210\37\2666\333\372\245Z\224\372l\334\360\216]n|\210Fw;Uj\227\226\32\37\276\262\276ur\336\214\32\327]\10X\0\34M\360\301\5 \346\201\1\241Fx]\36c\255\263\265\7q?\0\241\260\242\13\365\303\263S\351\\211\3\12\211\355\251c\7\205\14\33\332N\6\213\220\235\367+\300\316\5\314\262U0\266\215\347\232\266Z\22s\13\20R\6\303#\16t\200\26\376\240\336J\225\372\270\3\34\3547\14\36\207\14\323_\367Nh\237s\310\11", ) Tr\36\334\2737\344\263%W\210\37\2666\333\372\245Z\224\372l\334\360\216]n|\210Fw;Uj\227\226\32\37\276\262\276ur\336\214\32\327]\10X\0\34M\360\301\5 \346\201\1\241Fx]\36c\255\263\265\7q?\0\241\260\242\13\365\303\263S\351\\211\3\12\211\355\251c\7\205\14\33\332N\6\213\220\235\367+\300\316\5\314\262U0\266\215\347\232\266Z\22s\13\20R\6\303#\16t\200\26\376\240\336J\225\372\270\3\34\3547\14\36\207\14\323_\367Nh\237s\310\11", ) == 0x0 01460 1736 NtProtectVirtualMemory (-1, (0x2cce000), 4096, 260, ... 
01461 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01460 1736 NtProtectVirtualMemory ... (0x2cce000), 4096, 4, ) == 0x0 01461 220 NtOpenFile ... 396, {status=0x0, info=1}, ) == 0x0 01462 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01463 220 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 396, ... 01462 1736 NtCreateThread ... 404, {1636, 1568}, ) == 0x0 01463 220 NtCreateSection ... 408, ) == 0x0 01464 1736 NtQueryInformationThread (404, Basic, 28, ... 01465 220 NtQuerySection (408, Image, 48, ... 01466 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01465 220 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01466 2020 NtCreateEvent ... 412, ) == 0x0 01464 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0 01467 2020 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15527428, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15527428, 188, ... 01468 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0 \6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75524, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0 \6\0\0" ) ) == 0x0 01469 1736 NtResumeThread (404, ... 1, ) == 0x0 01467 2020 NtConnectPort ... 416, 0x0, 0x0, 0x0, 188, ) == 0x0 01470 220 NtClose (396, ... 01471 1568 NtWaitForSingleObject (88, 0, 0x0, ... 
01472 2020 NtRequestWaitReplyPort (416, {200, 224, new_msg, 0, 1382296, 12, 2, 1310721} (416, {200, 224, new_msg, 0, 1382296, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\310\25\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\243\17\306?\345H\312\273H\27\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \27\25\0ob*zx\1\24\0@\27\25\0h\1\24\0\0\0\0\0\0\0\0\0@\27\25\0P\0\0\0H\27\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\354\0\372\31\221|\30\364\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01470 220 NtClose ... ) == 0x0 01473 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01474 220 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01473 1736 NtAllocateVirtualMemory ... 46989312, 1048576, ) == 0x0 01474 220 NtMapViewOfSection ... (0x71a90000), 0x0, 32768, ) == 0x0 01475 1736 NtAllocateVirtualMemory (-1, 48029696, 0, 8192, 4096, 4, ... 01476 220 NtClose (408, ... 01475 1736 NtAllocateVirtualMemory ... 48029696, 8192, ) == 0x0 01476 220 NtClose ... ) == 0x0 01477 1736 NtProtectVirtualMemory (-1, (0x2dce000), 4096, 260, ... 01472 2020 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 2020, 75525, 0} ... {200, 224, reply, 0, 1636, 2020, 75525, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\243\17\306?\345H\312\273H\27\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \27\25\0ob*zx\1\24\0@\27\25\0h\1\24\0\0\0\0\0\0\0\0\0@\27\25\0P\0\0\0H\27\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\354\0\372\31\221|\30\364\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01477 1736 NtProtectVirtualMemory ... 
(0x2dce000), 4096, 4, ) == 0x0 01478 2020 NtRequestWaitReplyPort (416, {64, 88, new_msg, 0, 0, 0, 0, 0} (416, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01479 220 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 01480 220 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 01481 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {1636, 1792}, ) == 0x0 01482 1736 NtQueryInformationThread (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=1792,}, 0x0, ) == 0x0 01483 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\0\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75527, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\0\7\0\0" ) ) == 0x0 01484 1736 NtResumeThread (408, ... 1, ) == 0x0 01485 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 48037888, 1048576, ) == 0x0 01486 1736 NtAllocateVirtualMemory (-1, 49078272, 0, 8192, 4096, 4, ... 01487 220 NtFlushInstructionCache (-1, 1906905088, 128, ... 01488 1792 NtWaitForSingleObject (88, 0, 0x0, ... 01487 220 NtFlushInstructionCache ... ) == 0x0 01489 220 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 220 NtSetEventBoostPriority (88, ... 01437 1376 NtWaitForSingleObject ... 
) == 0x0 01491 1376 NtSetEventBoostPriority (88, ... 01456 1368 NtWaitForSingleObject ... ) == 0x0 01492 1368 NtSetEventBoostPriority (88, ... 01471 1568 NtWaitForSingleObject ... ) == 0x0 01493 1568 NtSetEventBoostPriority (88, ... 01488 1792 NtWaitForSingleObject ... ) == 0x0 01494 1792 NtTestAlert (... ) == 0x0 01493 1568 NtSetEventBoostPriority ... ) == 0x0 01492 1368 NtSetEventBoostPriority ... ) == 0x0 01491 1376 NtSetEventBoostPriority ... ) == 0x0 01490 220 NtSetEventBoostPriority ... ) == 0x0 01486 1736 NtAllocateVirtualMemory ... 49078272, 8192, ) == 0x0 01495 1792 NtContinue (48037168, 1, ... 01496 1568 NtTestAlert (... 01478 2020 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 2020, 75526, 0} ... {52, 76, reply, 0, 1636, 2020, 75526, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01497 1368 NtTestAlert (... 01498 220 NtClose (380, ... 01499 1736 NtProtectVirtualMemory (-1, (0x2ece000), 4096, 260, ... 01500 1792 NtRegisterThreadTerminatePort (24, ... 01496 1568 NtTestAlert ... ) == 0x0 01501 2020 NtClose (412, ... 01497 1368 NtTestAlert ... ) == 0x0 01498 220 NtClose ... ) == 0x0 01499 1736 NtProtectVirtualMemory ... (0x2ece000), 4096, 4, ) == 0x0 01500 1792 NtRegisterThreadTerminatePort ... ) == 0x0 01502 1568 NtContinue (46988592, 1, ... 01503 1376 NtTestAlert (... 01504 1368 NtContinue (45940016, 1, ... 01505 220 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075200, 67, ... }, 0x0, 0, 3, 3, 0, 11075200, 67, ... 01506 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01507 1792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01508 1568 NtRegisterThreadTerminatePort (24, ... 01503 1376 NtTestAlert ... ) == 0x0 01509 1368 NtRegisterThreadTerminatePort (24, ... 01506 1736 NtCreateThread ... 
380, {1636, 1612}, ) == 0x0 01507 1792 NtDuplicateObject ... 396, ) == 0x0 01508 1568 NtRegisterThreadTerminatePort ... ) == 0x0 01510 1376 NtContinue (44891440, 1, ... 01509 1368 NtRegisterThreadTerminatePort ... ) == 0x0 01511 1736 NtQueryInformationThread (380, Basic, 28, ... 01512 1792 NtWaitForSingleObject (64, 0, {0, 0}, ... 01513 1568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01514 1376 NtRegisterThreadTerminatePort (24, ... 01515 1368 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01505 220 NtCreateFile ... 420, {status=0x0, info=0}, ) == 0x0 01501 2020 NtClose ... ) == 0x0 01511 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0 01512 1792 NtWaitForSingleObject ... ) == 0x102 01514 1376 NtRegisterThreadTerminatePort ... ) == 0x0 01513 1568 NtDuplicateObject ... 412, ) == 0x0 01516 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x1207b, (420, 108, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01517 2020 NtClose (416, ... 01518 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0L\6\0\0" ... ... 01519 1792 NtWaitForSingleObject (128, 0, 0x0, ... 01520 1376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01521 1568 NtWaitForSingleObject (64, 0, {0, 0}, ... 01516 220 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0 01517 2020 NtClose ... ) == 0x0 01518 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75529, 0} ... {28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0L\6\0\0" ) ) == 0x0 01515 1368 NtDuplicateObject ... 416, ) == 0x0 01521 1568 NtWaitForSingleObject ... 
) == 0x102 01522 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x1207b, (420, 108, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", 16, 16, ... , 16, 16, ... 01523 2020 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01524 1736 NtResumeThread (380, ... 01525 1368 NtWaitForSingleObject (64, 0, {0, 0}, ... 01526 1568 NtWaitForSingleObject (128, 0, 0x0, ... 01522 220 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0 01523 2020 NtCreateKey ... 424, 2, ) == 0x0 01524 1736 NtResumeThread ... 1, ) == 0x0 01525 1368 NtWaitForSingleObject ... ) == 0x102 01527 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x12047, (420, 108, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01528 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01520 1376 NtDuplicateObject ... 428, ) == 0x0 01529 1612 NtTestAlert (... 01530 1368 NtWaitForSingleObject (128, 0, 0x0, ... 01531 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01527 220 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01532 1376 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 
01529 1612 NtTestAlert ... ) == 0x0 01531 1736 NtAllocateVirtualMemory ... 49086464, 1048576, ) == 0x0 01533 220 NtWaitForSingleObject (280, 0, 0x0, ... 01532 1376 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 01534 1612 NtContinue (49085744, 1, ... 01535 1736 NtAllocateVirtualMemory (-1, 50126848, 0, 8192, 4096, 4, ... 01536 1376 NtSetEventBoostPriority (280, ... 01537 1612 NtRegisterThreadTerminatePort (24, ... 01535 1736 NtAllocateVirtualMemory ... 50126848, 8192, ) == 0x0 01533 220 NtWaitForSingleObject ... ) == 0x0 01536 1376 NtSetEventBoostPriority ... ) == 0x0 01537 1612 NtRegisterThreadTerminatePort ... ) == 0x0 01538 220 NtWaitForSingleObject (56, 0, {0, 0}, ... 01539 1736 NtProtectVirtualMemory (-1, (0x2fce000), 4096, 260, ... 01540 1376 NtWaitForSingleObject (64, 0, {0, 0}, ... 01528 2020 NtOpenKey ... 432, ) == 0x0 01539 1736 NtProtectVirtualMemory ... (0x2fce000), 4096, 4, ) == 0x0 01541 1612 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01538 220 NtWaitForSingleObject ... ) == 0x102 01542 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01540 1376 NtWaitForSingleObject ... ) == 0x102 01541 1612 NtDuplicateObject ... 436, ) == 0x0 01543 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x12003, (420, 108, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01542 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01544 1376 NtWaitForSingleObject (128, 0, 0x0, ... 01545 1612 NtWaitForSingleObject (64, 0, {0, 0}, ... 01543 220 NtDeviceIoControlFile ... {status=0x0, info=440}, ... {status=0x0, info=440}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01546 2020 NtQueryValueKey (424, (424, "Hostname", Partial, 144, ... , Partial, 144, ... 01545 1612 NtWaitForSingleObject ... 
) == 0x102 01547 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x12047, (420, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01546 2020 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01548 1612 NtWaitForSingleObject (128, 0, 0x0, ... 01547 220 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01549 2020 NtQueryValueKey (424, (424, "Hostname", Partial, 144, ... , Partial, 144, ... 01550 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01551 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x12037, (420, 108, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 01550 1736 NtCreateThread ... 444, {1636, 876}, ) == 0x0 01551 220 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01552 1736 NtQueryInformationThread (444, Basic, 28, ... 01553 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x1200b, (420, 108, 0x0, 0x0, 0x1200b, "\0\376\250\0\5\0\0\0\0\255\24\0", 12, 0, ... , 12, 0, ... 01552 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=876,}, 0x0, ) == 0x0 01553 220 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01554 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0l\3\0\0" ... ... 
01555 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x12047, (420, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\250\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01556 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, (420, 108, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01557 220 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01558 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211\34u\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01559 220 NtQuerySystemInformation (TimeOfDay, 48, ... 01549 2020 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01554 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75530, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0l\3\0\0" ) ) == 0x0 01560 2020 NtClose (424, ... 01561 1736 NtResumeThread (444, ... 01560 2020 NtClose ... ) == 0x0 01561 1736 NtResumeThread ... 1, ) == 0x0 01562 2020 NtClose (432, ... 01563 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01562 2020 NtClose ... ) == 0x0 01563 1736 NtAllocateVirtualMemory ... 50135040, 1048576, ) == 0x0 01564 2020 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01565 1736 NtAllocateVirtualMemory (-1, 51175424, 0, 8192, 4096, 4, ... 01559 220 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01566 876 NtTestAlert (... 01564 2020 NtCreateEvent ... 432, ) == 0x0 01567 220 NtQuerySystemInformation (ProcessorTimes, 48, ... 01566 876 NtTestAlert ... ) == 0x0 01568 2020 NtWaitForSingleObject (432, 0, 0x0, ... 01567 220 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01569 876 NtContinue (50134320, 1, ... 01570 220 NtQuerySystemInformation (Performance, 312, ... 01571 876 NtRegisterThreadTerminatePort (24, ... 01570 220 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01571 876 NtRegisterThreadTerminatePort ... ) == 0x0 01572 220 NtQuerySystemInformation (Exception, 16, ... 01565 1736 NtAllocateVirtualMemory ... 51175424, 8192, ) == 0x0 01573 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01574 1736 NtProtectVirtualMemory (-1, (0x30ce000), 4096, 260, ... 01573 876 NtDuplicateObject ... 424, ) == 0x0 01574 1736 NtProtectVirtualMemory ... (0x30ce000), 4096, 4, ) == 0x0 01575 876 NtWaitForSingleObject (64, 0, {0, 0}, ... 01576 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01575 876 NtWaitForSingleObject ... ) == 0x102 01576 1736 NtCreateThread ... 448, {1636, 1628}, ) == 0x0 01577 876 NtWaitForSingleObject (128, 0, 0x0, ... 01578 1736 NtQueryInformationThread (448, Basic, 28, ... 01572 220 NtQuerySystemInformation ... 
{system info, class 33, size 16}, 16, ) == 0x0 01579 220 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01580 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01581 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01582 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0 01583 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\322\233!\241Y\345/O\311\377Q\31P\337\2061\221\56\305\242\323\235bC\226\363+p\335\300\376\213h%'\245\265\221\245m\355\253\374\34 \221e\214\227\264\377\374-\200\220U\242\335%a\243\3\261m\302\337\304\351[q\255O\303D\225\314\20\215", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "\322\233!\241Y\345/O\311\377Q\31P\337\2061\221\56\305\242\323\235bC\226\363+p\335\300\376\213h%'\245\265\221\245m\355\253\374\34 \221e\214\227\264\377\374-\200\220U\242\335%a\243\3\261m\302\337\304\351[q\255O\303D\225\314\20\215", 80, ... ) , 80, ... ) == 0x0 01584 220 NtClose (-2147482564, ... 01578 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0 01585 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75531, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\\6\0\0" ) ) == 0x0 01586 1736 NtResumeThread (448, ... 1, ) == 0x0 01587 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
51183616, 1048576, ) == 0x0 01588 1736 NtAllocateVirtualMemory (-1, 52224000, 0, 8192, 4096, 4, ... 52224000, 8192, ) == 0x0 01589 1736 NtProtectVirtualMemory (-1, (0x31ce000), 4096, 260, ... (0x31ce000), 4096, 4, ) == 0x0 01584 220 NtClose ... ) == 0x0 01590 1628 NtTestAlert (... 01558 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\250fKU\220\213\334\341H!*\237\323\322\251\17\222p\204\27\270|\205\266\357\2\251\246\7\203\0\36\253\243\354)w\373V9h\3\31\374\30\361\237Z\317|\2\201\3\3100:\22\343)\231Z\217jh\25\177\7\3367\260\223\310\205;\257;\17\2762\4to!\30\237#\320\27az\31\336\334\351bJ<\333\375\36\313\231 \257m\256i#\376\347\35\201K(\215QC\253G\340\337\34\2123%\24H>\357G\376\307\265\304\247\16\265\235\233\342~1\/;d\26\343\317\227,\265\210A5\27g\2\2160\317=?~rY\313\356\313\302\372Z\177\236D\274kS\231\271\302d\2230\357\241m\23%x1\266]\24\230\232 O\340A(\365\243\245N\354\221\13\35My\2016!wJ\325\15YH\1\331\315G,\355\222\2021\333\205o\346n\37\326\231>\250\376\2656p\225|\374\357r\370O\233\355\371D\302", ) , ) == 0x0 01590 1628 NtTestAlert ... ) == 0x0 01591 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211t\1@\37E\334\211\12v\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01592 1628 NtContinue (51182896, 1, ... 01593 220 NtQuerySystemInformation (TimeOfDay, 48, ... 01594 1628 NtRegisterThreadTerminatePort (24, ... 01593 220 NtQuerySystemInformation ... 
{system info, class 3, size 48}, 48, ) == 0x0 01594 1628 NtRegisterThreadTerminatePort ... ) == 0x0 01595 220 NtQuerySystemInformation (ProcessorTimes, 48, ... 01596 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01597 1628 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01596 1736 NtCreateThread ... 452, {1636, 940}, ) == 0x0 01597 1628 NtDuplicateObject ... 456, ) == 0x0 01598 1736 NtQueryInformationThread (452, Basic, 28, ... 01599 1628 NtWaitForSingleObject (64, 0, {0, 0}, ... 01598 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=940,}, 0x0, ) == 0x0 01599 1628 NtWaitForSingleObject ... ) == 0x102 01600 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\254\3\0\0" ... ... 01601 1628 NtWaitForSingleObject (128, 0, 0x0, ... 01600 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75532, 0} ... {28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\254\3\0\0" ) ) == 0x0 01595 220 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01602 1736 NtResumeThread (452, ... 01603 220 NtQuerySystemInformation (Performance, 312, ... 01602 1736 NtResumeThread ... 1, ) == 0x0 01603 220 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01604 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01605 220 NtQuerySystemInformation (Exception, 16, ... 01604 1736 NtAllocateVirtualMemory ... 52232192, 1048576, ) == 0x0 01605 220 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01606 1736 NtAllocateVirtualMemory (-1, 53272576, 0, 8192, 4096, 4, ... 01607 220 NtQuerySystemInformation (Lookaside, 32, ... 01608 940 NtTestAlert (... 01606 1736 NtAllocateVirtualMemory ... 53272576, 8192, ) == 0x0 01608 940 NtTestAlert ... 
) == 0x0 01609 1736 NtProtectVirtualMemory (-1, (0x32ce000), 4096, 260, ... 01610 940 NtContinue (52231472, 1, ... 01609 1736 NtProtectVirtualMemory ... (0x32ce000), 4096, 4, ) == 0x0 01611 940 NtRegisterThreadTerminatePort (24, ... 01612 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01611 940 NtRegisterThreadTerminatePort ... ) == 0x0 01612 1736 NtCreateThread ... 460, {1636, 1316}, ) == 0x0 01607 220 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01613 1736 NtQueryInformationThread (460, Basic, 28, ... 01614 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01615 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01614 220 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01615 940 NtDuplicateObject ... 464, ) == 0x0 01616 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01617 940 NtWaitForSingleObject (64, 0, {0, 0}, ... 01616 220 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01617 940 NtWaitForSingleObject ... ) == 0x102 01618 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01619 940 NtWaitForSingleObject (128, 0, 0x0, ... 01613 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0 01618 220 NtCreateKey ... -2147482564, 2, ) == 0x0 01620 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0$\5\0\0" ... ... 01621 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\14d\11\1\277{\374{\255C\234\34\32\367\2733N\343`\205zJKA\310\333I\6A\17\340\363\315\276\377\237"\253.b\24\347\10\3062\215\370\2\340\15b\247\274'^\324?\316\227\377\234\241\361ceg\227\337@\330\243\303D\227L\2\36\1\312$", 80, ... 
, 0, 3, (-2147482564, "Seed", 0, 3, "\14d\11\1\277{\374{\255C\234\34\32\367\2733N\343`\205zJKA\310\333I\6A\17\340\363\315\276\377\237"\253.b\24\347\10\3062\215\370\2\340\15b\247\274'^\324?\316\227\377\234\241\361ceg\227\337@\330\243\303D\227L\2\36\1\312$", 80, ... \253.b\24\347\10\3062\215\370\2\340\15b\247\274'^\324?\316\227\377\234\241\361ceg\227\337@\330\243\303D\227L\2\36\1\312$", 80, ... 01620 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75533, 0} ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0$\5\0\0" ) ) == 0x0 01621 220 NtSetValueKey ... ) == 0x0 01622 1736 NtResumeThread (460, ... 01623 220 NtClose (-2147482564, ... 01622 1736 NtResumeThread ... 1, ) == 0x0 01623 220 NtClose ... ) == 0x0 01624 1316 NtTestAlert (... 01591 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\234\307\244=\262{\302\24\242/\270s\221\352\25H\2351\0\303\2\301\250\367_\216%\326\223\270\3542\355\3159f\240\306\242\331\205\347\232\242\3657[\2207\231+\203\356\215\311AL@W\213\262\21Fc\3441\214\225E\3709.\31?>4\4\275\3*|\244\270\352\265\347\350!\261\343\15\20\350\377\16^\257wNzb\375\253\324\355\11\237\227V|,k\327\2\35\216\260E\322X\12\247u*\233\12O\237b\310\237\158\244-\15\344WP\33\321\321\30\24\231c\214\343\206\252sT\300\274\34'>"CU\263\16\360\312?\225\210kRb\16\232Cnp\300\362\214X`\30\336\366\263\212\231\261s\220\273\227\17\222\356O\276\317\226\376\345\22>H\205\312_Y\307\260\274)\266Nfg\7"6\332\207\274\232tRz\36sx\323|\340[\340\310\0\325B\3628b\32\327\367\255\301\1$\270 \33q\30\24A~\15", ) CU\263\16\360\312?\225\210kRb\16\232Cnp\300\362\214X`\30\336\366\263\212\231\261s\220\273\227\17\222\356O\276\317\226\376\345\22>H\205\312_Y\307\260\274)\266Nfg\7 ... 
{status=0x0, info=256}, "\234\307\244=\262{\302\24\242/\270s\221\352\25H\2351\0\303\2\301\250\367_\216%\326\223\270\3542\355\3159f\240\306\242\331\205\347\232\242\3657[\2207\231+\203\356\215\311AL@W\213\262\21Fc\3441\214\225E\3709.\31?>4\4\275\3*|\244\270\352\265\347\350!\261\343\15\20\350\377\16^\257wNzb\375\253\324\355\11\237\227V|,k\327\2\35\216\260E\322X\12\247u*\233\12O\237b\310\237\158\244-\15\344WP\33\321\321\30\24\231c\214\343\206\252sT\300\274\34'>"CU\263\16\360\312?\225\210kRb\16\232Cnp\300\362\214X`\30\336\366\263\212\231\261s\220\273\227\17\222\356O\276\317\226\376\345\22>H\205\312_Y\307\260\274)\266Nfg\7"6\332\207\274\232tRz\36sx\323|\340[\340\310\0\325B\3628b\32\327\367\255\301\1$\270 \33q\30\24A~\15", ) , ) == 0x0 01624 1316 NtTestAlert ... ) == 0x0 01625 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01626 1316 NtContinue (53280048, 1, ... 01625 1736 NtAllocateVirtualMemory ... 53280768, 1048576, ) == 0x0 01627 1316 NtRegisterThreadTerminatePort (24, ... 01628 1736 NtAllocateVirtualMemory (-1, 54321152, 0, 8192, 4096, 4, ... 01627 1316 NtRegisterThreadTerminatePort ... ) == 0x0 01628 1736 NtAllocateVirtualMemory ... 54321152, 8192, ) == 0x0 01629 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211t\1@\37E\334\211b\2@\37E\334\211\12v\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01630 1736 NtProtectVirtualMemory (-1, (0x33ce000), 4096, 260, ... 01631 220 NtQuerySystemInformation (TimeOfDay, 48, ... 
01630 1736 NtProtectVirtualMemory ... (0x33ce000), 4096, 4, ) == 0x0 01631 220 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01632 1316 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01633 220 NtQuerySystemInformation (ProcessorTimes, 48, ... 01632 1316 NtDuplicateObject ... 468, ) == 0x0 01633 220 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01634 1316 NtWaitForSingleObject (64, 0, {0, 0}, ... 01635 220 NtQuerySystemInformation (Performance, 312, ... 01634 1316 NtWaitForSingleObject ... ) == 0x102 01636 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01637 1316 NtWaitForSingleObject (128, 0, 0x0, ... 01636 1736 NtCreateThread ... 472, {1636, 1288}, ) == 0x0 01635 220 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01638 1736 NtQueryInformationThread (472, Basic, 28, ... 01639 220 NtQuerySystemInformation (Exception, 16, ... 01638 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0 01639 220 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01640 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0\10\5\0\0" ... ... 01641 220 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01642 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01643 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01644 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... 
-2147482564, 2, ) == 0x0 01645 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "V\376\203\327\217K\210\330:\261{\351\13\316p5\242\231\324dK\375\344sc\245\5\203\333\331=\230\351\253;\221\316#\363\177\340\350bDr\341\222\33\301\341\343n%f\325\211\220\210GE\216\276@\371;\211\266\300t\247"\235[\235670G\361\266", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "V\376\203\327\217K\210\330:\261{\351\13\316p5\242\231\324dK\375\344sc\245\5\203\333\331=\230\351\253;\221\316#\363\177\340\350bDr\341\222\33\301\341\343n%f\325\211\220\210GE\216\276@\371;\211\266\300t\247"\235[\235670G\361\266", 80, ... \235[\235670G\361\266", 80, ... 01640 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75534, 0} ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0\10\5\0\0" ) ) == 0x0 01646 1736 NtResumeThread (472, ... 1, ) == 0x0 01647 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 54329344, 1048576, ) == 0x0 01648 1736 NtAllocateVirtualMemory (-1, 55369728, 0, 8192, 4096, 4, ... 55369728, 8192, ) == 0x0 01649 1736 NtProtectVirtualMemory (-1, (0x34ce000), 4096, 260, ... (0x34ce000), 4096, 4, ) == 0x0 01650 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {1636, 624}, ) == 0x0 01651 1736 NtQueryInformationThread (476, Basic, 28, ... 01645 220 NtSetValueKey ... ) == 0x0 01652 1288 NtTestAlert (... 01653 220 NtClose (-2147482564, ... 01652 1288 NtTestAlert ... ) == 0x0 01653 220 NtClose ... ) == 0x0 01654 1288 NtContinue (54328624, 1, ... 01629 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\17\307\344\177\262\367\242\210\275f\2170o*]nOP\205\363\0iFe\217Yc\344S/W\331@\361\241\23P\350\341;\241/\335\275\354\10\17\321!\346o\333E\205\324\272\10Gd\33\272\333soy\364\234i\7\37\252\371\352\206h\263\306\274\275M\312eY\321\346$\301/F\14/\334 O?\375Z\22\342;d\262o$n\11\336\2\0&\177\253\224K\262<8\15\32jB\341\323\270\222;\345\237&0\305\237\200\33\316YA\331\221\25\310\202\75\23~\10jp\317\317\177\302\223\216L&\31\37\322\335\203\247\372\273\217\363\2641@\366!5\351J\363b\230$\215\14\13G!\213\331\3661\346(\326\364T\306\334\325\360\206\315f\354\22\3'n9e,\320\352m]\310]$2U>5Y\25\307\3343\267\207j\201\4wV \33\240\361\276Fr\263\230!\257\222\254\373\251\376\215\7\257\261f\346/\234\310", ) , ) == 0x0 01655 1288 NtRegisterThreadTerminatePort (24, ... 01656 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211t\1@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211\12v\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01655 1288 NtRegisterThreadTerminatePort ... ) == 0x0 01657 220 NtQuerySystemInformation (TimeOfDay, 48, ... 01651 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=624,}, 0x0, ) == 0x0 01658 1288 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01659 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0p\2\0\0" ... ... 01658 1288 NtDuplicateObject ... 480, ) == 0x0 01659 1736 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1636, 1736, 75535, 0} ... {28, 56, reply, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0p\2\0\0" ) ) == 0x0 01660 1288 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 01661 1736 NtResumeThread (476, ... 01660 1288 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 01661 1736 NtResumeThread ... 1, ) == 0x0 01662 1288 NtWaitForSingleObject (64, 0, {0, 0}, ... 01657 220 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01663 624 NtTestAlert (... 01664 220 NtQuerySystemInformation (ProcessorTimes, 48, ... 01663 624 NtTestAlert ... ) == 0x0 01664 220 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01665 624 NtContinue (55377200, 1, ... 01666 220 NtQuerySystemInformation (Performance, 312, ... 01667 624 NtRegisterThreadTerminatePort (24, ... 01666 220 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01667 624 NtRegisterThreadTerminatePort ... ) == 0x0 01668 220 NtQuerySystemInformation (Exception, 16, ... 01669 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01662 1288 NtWaitForSingleObject ... ) == 0x102 01670 624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01669 1736 NtAllocateVirtualMemory ... 55377920, 1048576, ) == 0x0 01671 1288 NtWaitForSingleObject (128, 0, 0x0, ... 01670 624 NtDuplicateObject ... 484, ) == 0x0 01672 1736 NtAllocateVirtualMemory (-1, 56418304, 0, 8192, 4096, 4, ... 01673 624 NtWaitForSingleObject (64, 0, {0, 0}, ... 01672 1736 NtAllocateVirtualMemory ... 56418304, 8192, ) == 0x0 01673 624 NtWaitForSingleObject ... ) == 0x102 01674 1736 NtProtectVirtualMemory (-1, (0x35ce000), 4096, 260, ... 01675 624 NtWaitForSingleObject (128, 0, 0x0, ... 01674 1736 NtProtectVirtualMemory ... (0x35ce000), 4096, 4, ) == 0x0 01668 220 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01676 220 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01677 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01678 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01679 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0 01680 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {1636, 1124}, ) == 0x0 01681 1736 NtQueryInformationThread (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0 01682 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0d\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75536, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0d\4\0\0" ) ) == 0x0 01683 1736 NtResumeThread (488, ... 1, ) == 0x0 01684 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 56426496, 1048576, ) == 0x0 01685 1736 NtAllocateVirtualMemory (-1, 57466880, 0, 8192, 4096, 4, ... 01686 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "?\262U|\215i\220\321\332\26\341u\227\5\246\234\371qL\335z\310z\224\23\354XH\233\212\311-\202&\222\307\333\0M&\345i\36\243\226}t\20\2367\27\0B\312\246c\337^dT\224\304r=\332\254\37\225\252\242\25C\324\261\225J\273\2439\317", 80, ... 
, 0, 3, (-2147482564, "Seed", 0, 3, "?\262U|\215i\220\321\332\26\341u\227\5\246\234\371qL\335z\310z\224\23\354XH\233\212\311-\202&\222\307\333\0M&\345i\36\243\226}t\20\2367\27\0B\312\246c\337^dT\224\304r=\332\254\37\225\252\242\25C\324\261\225J\273\2439\317", 80, ... , 80, ... 01687 1124 NtTestAlert (... 01686 220 NtSetValueKey ... ) == 0x0 01687 1124 NtTestAlert ... ) == 0x0 01688 220 NtClose (-2147482564, ... 01689 1124 NtContinue (56425776, 1, ... 01688 220 NtClose ... ) == 0x0 01690 1124 NtRegisterThreadTerminatePort (24, ... 01656 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "ahj4\25\343Z)0\177\265u"\247Q\230\236\330\332\270R\0\353\364\211\301\345\333,M\344*S\210\201\300o\360\207Y\317\357}\263\245\10\235\247I\3265\303\37z@\374\231\370MPbR\306\10\1"\260\350\266\320\335\332\320'\326\316\360\16\262\206c\375\263s\224\345\246f[p\347o]\226~\210>\320nmK\260\3472G\210\31\35Z=\234PAG\35\334o\372*\254\347&\241v\366a\177\213\327~\12\211{\33\314M\370\245\361\22\300\2527\217\206\200\2154;@\220\215\342R/\212\36\251\346\244*=\37\324\322\225\15F\347\207\225\12\346s\365\244BA"B\13\14'i\242G#\255\336V6AA\357\245\264\344\330N\13\377\306\320fP\310\240*\261\374\363\267\275\302B\247\365HdO\371\v\333ca\207\373\3100f\320\215\314\266:\363~\313\260L\6\305y\241,8\376(\217?\251\3132\316^", ) \247Q\230\236\330\332\270R\0\353\364\211\301\345\333,M\344*S\210\201\300o\360\207Y\317\357}\263\245\10\235\247I\3265\303\37z@\374\231\370MPbR\306\10\1 ... 
{status=0x0, info=256}, "ahj4\25\343Z)0\177\265u"\247Q\230\236\330\332\270R\0\353\364\211\301\345\333,M\344*S\210\201\300o\360\207Y\317\357}\263\245\10\235\247I\3265\303\37z@\374\231\370MPbR\306\10\1"\260\350\266\320\335\332\320'\326\316\360\16\262\206c\375\263s\224\345\246f[p\347o]\226~\210>\320nmK\260\3472G\210\31\35Z=\234PAG\35\334o\372*\254\347&\241v\366a\177\213\327~\12\211{\33\314M\370\245\361\22\300\2527\217\206\200\2154;@\220\215\342R/\212\36\251\346\244*=\37\324\322\225\15F\347\207\225\12\346s\365\244BA"B\13\14'i\242G#\255\336V6AA\357\245\264\344\330N\13\377\306\320fP\310\240*\261\374\363\267\275\302B\247\365HdO\371\v\333ca\207\373\3100f\320\215\314\266:\363~\313\260L\6\305y\241,8\376(\217?\251\3132\316^", ) B\13\14'i\242G#\255\336V6AA\357\245\264\344\330N\13\377\306\320fP\310\240*\261\374\363\267\275\302B\247\365HdO\371\v\333ca\207\373\3100f\320\215\314\266:\363~\313\260L\6\305y\241,8\376(\217?\251\3132\316^", ) == 0x0 01690 1124 NtRegisterThreadTerminatePort ... ) == 0x0 01691 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211t\1@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211\12v\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01685 1736 NtAllocateVirtualMemory ... 57466880, 8192, ) == 0x0 01692 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01693 1736 NtProtectVirtualMemory (-1, (0x36ce000), 4096, 260, ... 01692 1124 NtDuplicateObject ... 492, ) == 0x0 01693 1736 NtProtectVirtualMemory ... 
(0x36ce000), 4096, 4, ) == 0x0 01694 1124 NtWaitForSingleObject (64, 0, {0, 0}, ... 01695 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01694 1124 NtWaitForSingleObject ... ) == 0x102 01695 1736 NtCreateThread ... 496, {1636, 1404}, ) == 0x0 01696 1124 NtWaitForSingleObject (128, 0, 0x0, ... 01697 1736 NtQueryInformationThread (496, Basic, 28, ... 01698 220 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01699 220 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01700 220 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01701 220 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01702 220 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01703 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01697 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0 01704 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0|\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75537, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0|\5\0\0" ) ) == 0x0 01705 1736 NtResumeThread (496, ... 1, ) == 0x0 01706 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57475072, 1048576, ) == 0x0 01707 1736 NtAllocateVirtualMemory (-1, 58515456, 0, 8192, 4096, 4, ... 58515456, 8192, ) == 0x0 01708 1736 NtProtectVirtualMemory (-1, (0x37ce000), 4096, 260, ... 
(0x37ce000), 4096, 4, ) == 0x0 01709 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01710 1404 NtTestAlert (... 01709 220 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01710 1404 NtTestAlert ... ) == 0x0 01711 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01712 1404 NtContinue (57474352, 1, ... 01711 220 NtCreateKey ... -2147482564, 2, ) == 0x0 01713 1404 NtRegisterThreadTerminatePort (24, ... 01714 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\0O\351\271\372\130\236\4kM\203\366}\31jUL~\15\337\356\236\20\314v\211\231~\313\13\353*2\376\205M\324\200\214\7\36\307\17\244\205\340.\374j\272\374\3009\361\251\260\333@\270\263\206`bH\331\246\274\253\131B\301\204>Y\211O\34\254", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\0O\351\271\372\130\236\4kM\203\366}\31jUL~\15\337\356\236\20\314v\211\231~\313\13\353*2\376\205M\324\200\214\7\36\307\17\244\205\340.\374j\272\374\3009\361\251\260\333@\270\263\206`bH\331\246\274\253\131B\301\204>Y\211O\34\254", 80, ... , 80, ... 01713 1404 NtRegisterThreadTerminatePort ... ) == 0x0 01714 220 NtSetValueKey ... ) == 0x0 01715 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01716 1404 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01715 1736 NtCreateThread ... 500, {1636, 740}, ) == 0x0 01716 1404 NtDuplicateObject ... 504, ) == 0x0 01717 1736 NtQueryInformationThread (500, Basic, 28, ... 01718 1404 NtWaitForSingleObject (64, 0, {0, 0}, ... 01717 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=740,}, 0x0, ) == 0x0 01718 1404 NtWaitForSingleObject ... ) == 0x102 01719 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0\344\2\0\0" ... ... 01720 1404 NtWaitForSingleObject (128, 0, 0x0, ... 
01719 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75538, 0} ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0\344\2\0\0" ) ) == 0x0 01721 220 NtClose (-2147482564, ... 01722 1736 NtResumeThread (500, ... 01721 220 NtClose ... ) == 0x0 01722 1736 NtResumeThread ... 1, ) == 0x0 01691 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\210(6\215\356 =\200\305\341#2x\220v\254re\225\277\334\377\336\305\355\13\301\363\247\344\363/\240s\26\261\251\30\207f\333\26v\334\222\344{\263\251B\355z\365J\2\345\312p\203\24\340\240D\3545\371\321\251\357~\10BY\3738\223n]\342\347\350w@\226\22\213\262\27\260jn\274\363\303\5`\225*\247=@\321g;\325\22\347\300M\303\266(E\360\233\226|\302m\10e\311i\20\236E\252\325g^\347\363[Ym| \216N\264\7\351\203E<\361\215d\304&\222iN\270c\17\322\33Rw\304,\262j4\300\3154\242\200\215\6\276\15)\304\372\32\337\210a\177.\371\301\213\320\200V\232\334z\323\332J\3417\327LLQS\235_!", ) \321\251\357~\10BY\3738\223n]\342\347\350w@\226\22\213\262\27\260jn\274\363\303\5`\225*\247=@\321g;\325\22\347\300M\303\266(E\360\233\226|\302m\10e\311i\20\236E\252\325g^\347\363[Ym| \216N\264\7\351\203E<\361\215d\304&\222iN\270c\17\322\33Rw\304,\262j4\300\3154\242\200\215\6\276\15)\304\372\32\337\210a\177.\371\301\213\320\200V\232\334z\323\332J\3417\327LLQS\235_!", ) == 0x0 01723 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01724 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211t\1@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211\12v\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01723 1736 NtAllocateVirtualMemory ... 58523648, 1048576, ) == 0x0 01725 220 NtQuerySystemInformation (TimeOfDay, 48, ... 01726 1736 NtAllocateVirtualMemory (-1, 59564032, 0, 8192, 4096, 4, ... 01725 220 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01727 740 NtTestAlert (... 01726 1736 NtAllocateVirtualMemory ... 59564032, 8192, ) == 0x0 01727 740 NtTestAlert ... ) == 0x0 01728 1736 NtProtectVirtualMemory (-1, (0x38ce000), 4096, 260, ... 01729 740 NtContinue (58522928, 1, ... 01728 1736 NtProtectVirtualMemory ... (0x38ce000), 4096, 4, ) == 0x0 01730 740 NtRegisterThreadTerminatePort (24, ... 01731 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01730 740 NtRegisterThreadTerminatePort ... ) == 0x0 01731 1736 NtCreateThread ... 508, {1636, 1716}, ) == 0x0 01732 220 NtQuerySystemInformation (ProcessorTimes, 48, ... 01733 1736 NtQueryInformationThread (508, Basic, 28, ... 01732 220 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01734 740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01735 220 NtQuerySystemInformation (Performance, 312, ... 01734 740 NtDuplicateObject ... 512, ) == 0x0 01735 220 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01736 740 NtWaitForSingleObject (64, 0, {0, 0}, ... 
01737 220 NtQuerySystemInformation (Exception, 16, ... 01736 740 NtWaitForSingleObject ... ) == 0x102 01737 220 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01738 740 NtWaitForSingleObject (128, 0, 0x0, ... 01733 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1716,}, 0x0, ) == 0x0 01739 220 NtQuerySystemInformation (Lookaside, 32, ... 01740 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0\264\6\0\0" ... ... 01739 220 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01740 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75539, 0} ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0\264\6\0\0" ) ) == 0x0 01741 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01742 1736 NtResumeThread (508, ... 01741 220 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01742 1736 NtResumeThread ... 1, ) == 0x0 01743 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01744 1716 NtTestAlert (... 01743 220 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01744 1716 NtTestAlert ... ) == 0x0 01745 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01746 1716 NtContinue (59571504, 1, ... 01745 1736 NtAllocateVirtualMemory ... 59572224, 1048576, ) == 0x0 01747 1716 NtRegisterThreadTerminatePort (24, ... 01748 1736 NtAllocateVirtualMemory (-1, 60612608, 0, 8192, 4096, 4, ... 01747 1716 NtRegisterThreadTerminatePort ... ) == 0x0 01748 1736 NtAllocateVirtualMemory ... 60612608, 8192, ) == 0x0 01749 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01750 1736 NtProtectVirtualMemory (-1, (0x39ce000), 4096, 260, ... 01749 220 NtCreateKey ... 
-2147482564, 2, ) == 0x0 01750 1736 NtProtectVirtualMemory ... (0x39ce000), 4096, 4, ) == 0x0 01751 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\1779\371\240\226\216\344\35\373\224\325,\35\262~\35T\3479\257iACv\271\2102\307\316\201\222pFa\211\26=\37\344\13\2619T\312\323\201\3150P\314\3212\227\315\207\314\205\23\376J\3361s\232\210\243\255I\200\360]\362\372\317,\275%\30\355s", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\1779\371\240\226\216\344\35\373\224\325,\35\262~\35T\3479\257iACv\271\2102\307\316\201\222pFa\211\26=\37\344\13\2619T\312\323\201\3150P\314\3212\227\315\207\314\205\23\376J\3361s\232\210\243\255I\200\360]\362\372\317,\275%\30\355s", 80, ... , 80, ... 01752 1716 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01751 220 NtSetValueKey ... ) == 0x0 01752 1716 NtDuplicateObject ... 516, ) == 0x0 01753 220 NtClose (-2147482564, ... 01754 1716 NtWaitForSingleObject (64, 0, {0, 0}, ... 01753 220 NtClose ... ) == 0x0 01754 1716 NtWaitForSingleObject ... ) == 0x102 01755 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01756 1716 NtWaitForSingleObject (128, 0, 0x0, ... 01755 1736 NtCreateThread ... 520, {1636, 1972}, ) == 0x0 01724 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "Mx\212\204\354O\36\261w\33QR\23\336\3731\13\15\31\23G\13\216\300\361\203\302\314\31Z"+\357\261,\370\271*6j\16\325|X>no5+a\36\203\215\21\355\345\15g\354\354\327\313\360\303iU\\321\247\212\316\263\203\201\246!\307\261\6\231\\302\15N3\234\275\252\3}{\300\227 \254e\350\256\266\240\243m\220\344\31p-\306\361\252\266\323c\347O\370\344CJ\225P\303\335Q\351\252\267\266\324CL\255\270\3\265//\274sl\311\3g\25+A&>\215Tj\25\3067\230\306W\277\254V\335\217t\327_s{\207]\232!\306X\355\352\332\310C\!?\206\330V\272;\6l~K\247f\331\255\0r\361\200\314:Jn\247\245\331\256\362\216\342\203A\256\242\26\233\1\6xP\254\3503\\3719\211,\366\260P\222\327\177^\215\330\08fD'\305\274U\2112m,\271;\331\333_\30\346l", ) +\357\261,\370\271*6j\16\325|X>no5+a\36\203\215\21\355\345\15g\354\354\327\313\360\303iU\\321\247\212\316\263\203\201\246!\307\261\6\231\\302\15N3\234\275\252\3}{\300\227 \254e\350\256\266\240\243m\220\344\31p-\306\361\252\266\323c\347O\370\344CJ\225P\303\335Q\351\252\267\266\324CL\255\270\3\265//\274sl\311\3g\25+A&>\215Tj\25\3067\230\306W\277\254V\335\217t\327_s{\207]\232!\306X\355\352\332\310C\!?\206\330V\272;\6l~K\247f\331\255\0r\361\200\314:Jn\247\245\331\256\362\216\342\203A\256\242\26\233\1\6xP\254\3503\\3719\211,\366\260P\222\327\177^\215\330\08fD'\305\274U\2112m,\271;\331\333_\30\346l", ) == 0x0 01757 1736 NtQueryInformationThread (520, Basic, 28, ... 
01758 220 NtDeviceIoControlFile (384, 0, 0x0, 0x0, 0x390008, (384, 0, 0x0, 0x0, 0x390008, "\37m4\225\17~>\360\244\352\350\250\303\211t\1@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211b\2@\37E\334\211\12v\377\307\342J\313bq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01757 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0 01759 220 NtQuerySystemInformation (TimeOfDay, 48, ... 01760 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\264\7\0\0" ... ... 01759 220 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01761 220 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01762 220 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01763 220 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01764 220 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01760 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75540, 0} ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\264\7\0\0" ) ) == 0x0 01765 1736 NtResumeThread (520, ... 1, ) == 0x0 01766 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 60620800, 1048576, ) == 0x0 01767 1736 NtAllocateVirtualMemory (-1, 61661184, 0, 8192, 4096, 4, ... 
61661184, 8192, ) == 0x0 01768 1736 NtProtectVirtualMemory (-1, (0x3ace000), 4096, 260, ... (0x3ace000), 4096, 4, ) == 0x0 01769 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {1636, 780}, ) == 0x0 01770 1736 NtQueryInformationThread (524, Basic, 28, ... 01771 220 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01772 1972 NtTestAlert (... 01771 220 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01772 1972 NtTestAlert ... ) == 0x0 01773 220 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01774 1972 NtContinue (60620080, 1, ... 01773 220 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01775 1972 NtRegisterThreadTerminatePort (24, ... 01776 220 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01775 1972 NtRegisterThreadTerminatePort ... ) == 0x0 01776 220 NtCreateKey ... -2147482564, 2, ) == 0x0 01770 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=780,}, 0x0, ) == 0x0 01777 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01778 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\14\3\0\0" ... ... 01777 1972 NtDuplicateObject ... 528, ) == 0x0 01778 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75541, 0} ... {28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\14\3\0\0" ) ) == 0x0 01779 1972 NtWaitForSingleObject (64, 0, {0, 0}, ... 01780 1736 NtResumeThread (524, ... 01779 1972 NtWaitForSingleObject ... ) == 0x102 01780 1736 NtResumeThread ... 1, ) == 0x0 01781 1972 NtWaitForSingleObject (128, 0, 0x0, ... 
01782 220 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\27\2738\217$\30\275\10=\334\260QR>\32\1V\311\234\303\305)\277Kz\12\230,\252\27\336H;\20\302\233s\270\342S\361JC\361J\207\377\376\237Jp\303\36x\221\310\354&P\3\307\372\253\3474E\244\371+W\265\332\6l\10m \227Yo", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\27\2738\217$\30\275\10=\334\260QR>\32\1V\311\234\303\305)\277Kz\12\230,\252\27\336H;\20\302\233s\270\342S\361JC\361J\207\377\376\237Jp\303\36x\221\310\354&P\3\307\372\253\3474E\244\371+W\265\332\6l\10m \227Yo", 80, ... , 80, ... 01783 780 NtTestAlert (... 01784 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01782 220 NtSetValueKey ... ) == 0x0 01783 780 NtTestAlert ... ) == 0x0 01784 1736 NtAllocateVirtualMemory ... 61669376, 1048576, ) == 0x0 01785 220 NtClose (-2147482564, ... 01786 780 NtContinue (61668656, 1, ... 01787 1736 NtAllocateVirtualMemory (-1, 62709760, 0, 8192, 4096, 4, ... 01785 220 NtClose ... ) == 0x0 01788 780 NtRegisterThreadTerminatePort (24, ... 01787 1736 NtAllocateVirtualMemory ... 62709760, 8192, ) == 0x0 01758 220 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\270\364]`\3742\353x\224\261\34>\35\276\5\217\357.\7,J\226\365\364\212\247(\2\202`\335\351F\232\377\207"\323\304f\213\262s3Q\3037\323\312\202\277\322>\373\236\230^\247\3770\323g\211\213\314\234287\231`f\274vS\232\16\305\1\246\304n0\2252a'\21Ek8x\340'\253\336\256\264\234\352\245\233)%\230\205j\373\372\347\241\341\272\216Z0\334\301q\237\377\306\220\361\201\12\357\225\16S\364\221\277\374\223\253\306C-GqCp\212\2628N\320\346j\364\302%\237e\255\265r\263\353\20\227\212\272Ks\337\354\346[iWu\202T\311\252|6\247\256\222\177Y&\232\350\311\273\376x\331i\353\257\224\234hw\223CP\322\361)X~\370\375\341\263\3\236`~\22~\337'\11\305\246\250\33\271U) \342\254\15\5\274\10\336\302\213\304F\226\354\242\4Kc;#J\215\200,\367\303\271>", ) \323\304f\213\262s3Q\3037\323\312\202\277\322>\373\236\230^\247\3770\323g\211\213\314\234287\231`f\274vS\232\16\305\1\246\304n0\2252a'\21Ek8x\340'\253\336\256\264\234\352\245\233)%\230\205j\373\372\347\241\341\272\216Z0\334\301q\237\377\306\220\361\201\12\357\225\16S\364\221\277\374\223\253\306C-GqCp\212\2628N\320\346j\364\302%\237e\255\265r\263\353\20\227\212\272Ks\337\354\346[iWu\202T\311\252|6\247\256\222\177Y&\232\350\311\273\376x\331i\353\257\224\234hw\223CP\322\361)X~\370\375\341\263\3\236`~\22~\337'\11\305\246\250\33\271U) \342\254\15\5\274\10\336\302\213\304F\226\354\242\4Kc;#J\215\200,\367\303\271>", ) == 0x0 01788 780 NtRegisterThreadTerminatePort ... ) == 0x0 01789 1736 NtProtectVirtualMemory (-1, (0x3bce000), 4096, 260, ... 01790 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01789 1736 NtProtectVirtualMemory ... (0x3bce000), 4096, 4, ) == 0x0 01791 780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01790 220 NtCreateEvent ... 532, ) == 0x0 01791 780 NtDuplicateObject ... 536, ) == 0x0 01792 220 NtSetEventBoostPriority (432, ... 01793 780 NtWaitForSingleObject (64, 0, {0, 0}, ... 01568 2020 NtWaitForSingleObject ... ) == 0x0 01792 220 NtSetEventBoostPriority ... ) == 0x0 01794 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
01793 780 NtWaitForSingleObject ... ) == 0x102 01794 2020 NtCreateEvent ... 540, ) == 0x0 01795 220 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... 01796 780 NtWaitForSingleObject (128, 0, 0x0, ... 01797 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01798 2020 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 01797 1736 NtCreateThread ... 544, {1636, 1036}, ) == 0x0 01798 2020 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 01799 1736 NtQueryInformationThread (544, Basic, 28, ... 01800 2020 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15527276, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15527276, 188, ... 01799 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1036,}, 0x0, ) == 0x0 01801 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0\14\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75544, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0\14\4\0\0" ) ) == 0x0 01802 1736 NtResumeThread (544, ... 1, ) == 0x0 01803 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62717952, 1048576, ) == 0x0 01804 1736 NtAllocateVirtualMemory (-1, 63758336, 0, 8192, 4096, 4, ... 01795 220 NtConnectPort ... 548, 0x0, 0x0, 0x0, 188, ) == 0x0 01805 1036 NtTestAlert (... 01800 2020 NtConnectPort ... 552, 0x0, 0x0, 0x0, 188, ) == 0x0 01804 1736 NtAllocateVirtualMemory ... 63758336, 8192, ) == 0x0 01805 1036 NtTestAlert ... 
) == 0x0 01806 2020 NtRequestWaitReplyPort (552, {200, 224, new_msg, 0, 1382296, 12, 2, 1310721} (552, {200, 224, new_msg, 0, 1382296, 12, 2, 1310721} "\0\1\24\0\274\0\0\0D@\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\217\313\322\222I\10\326]x\1\24\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\270O\25\0\216\32Pl\310\1\24\0\330O\25\0h\1\24\0\0\0\0\0\0\0\0\0\330O\25\0P\0\0\0\340O\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\354\0\372\31\221|\200\363\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01807 1736 NtProtectVirtualMemory (-1, (0x3cce000), 4096, 260, ... 01808 1036 NtContinue (62717232, 1, ... 01809 220 NtRequestWaitReplyPort (548, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} (548, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\0\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\3\0\4\0\0\0\240<\24\0HK\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0|`oZ\15\307\15+@K\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\20\0(\0\0\0HK\25\0\244-\360tx\1\24\0`O\25\0\\1\24\0\0\0\0\0\0\0\0\0`O\25\0P\0\0\0hO\25\0\360\6\221|\30\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 01807 1736 NtProtectVirtualMemory ... (0x3cce000), 4096, 4, ) == 0x0 01810 1036 NtRegisterThreadTerminatePort (24, ... 01811 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01810 1036 NtRegisterThreadTerminatePort ... ) == 0x0 01809 220 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 220, 75545, 0} ... 
{200, 224, reply, 0, 1636, 220, 75545, 0} "\7\1\0\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0|`oZ\15\307\15+@K\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\20\0(\0\0\0HK\25\0\244-\360tx\1\24\0`O\25\0\\1\24\0\0\0\0\0\0\0\0\0`O\25\0P\0\0\0hO\25\0\360\6\221|\30\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 01811 1736 NtCreateThread ... 556, {1636, 760}, ) == 0x0 01806 2020 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 2020, 75546, 0} ... {200, 224, reply, 0, 1636, 2020, 75546, 0} "\7\1\24\0\274\0\0\0D@\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\217\313\322\222I\10\326]x\1\24\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\270O\25\0\216\32Pl\310\1\24\0\330O\25\0h\1\24\0\0\0\0\0\0\0\0\0\330O\25\0P\0\0\0\340O\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\354\0\372\31\221|\200\363\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01812 220 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 0, 0, 0, 0} (548, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0@Q\25\0\322\0\0\0" ... ... 01813 1736 NtQueryInformationThread (556, Basic, 28, ... 01814 2020 NtRequestWaitReplyPort (552, {44, 68, new_msg, 0, 1636, 2020, 75526, 0} (552, {44, 68, new_msg, 0, 1636, 2020, 75526, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 01812 220 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 220, 75547, 0} ... 
{40, 64, reply, 0, 1636, 220, 75547, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 01815 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01814 2020 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 2020, 75548, 0} ... {40, 64, reply, 0, 1636, 2020, 75548, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" ) ) == 0x0 01813 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=760,}, 0x0, ) == 0x0 01815 1036 NtDuplicateObject ... 560, ) == 0x0 01816 2020 NtRequestWaitReplyPort (552, {64, 88, new_msg, 56, 1389968, 15527788, 15527888, 0} (552, {64, 88, new_msg, 56, 1389968, 15527788, 15527888, 0} "\10\357\354\0@\0\25\0\346\277\347w\320\357\354\0l\357\354\0\20\0\0\0\250.\362v\46\25\0\1\0\0\0\230R\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\332\24\0" ... ... 01817 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\370\2\0\0" ... ... 01818 1036 NtWaitForSingleObject (64, 0, {0, 0}, ... 01819 220 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 11071988, 1397048, 0} (548, {64, 88, new_msg, 56, 1310720, 11071988, 1397048, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\270U\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01817 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75549, 0} ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\370\2\0\0" ) ) == 0x0 01818 1036 NtWaitForSingleObject ... ) == 0x102 01820 1736 NtResumeThread (556, ... 01821 1036 NtWaitForSingleObject (128, 0, 0x0, ... 01819 220 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 220, 75550, 0} ... 
{64, 88, reply, 56, 1636, 220, 75550, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\270U\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01820 1736 NtResumeThread ... 1, ) == 0x0 01816 2020 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 2020, 75551, 0} ... {64, 88, reply, 56, 1636, 2020, 75551, 0} "\10\357\354\0@\0\25\0\346\277\347w\320\357\354\0l\357\354\0\20\0\0\0\250.\362v\46\25\0\1\0\0\0\230R\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\332\24\0" ) ) == 0x0 01822 220 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 1636, 220, 75547, 0} (548, {44, 68, new_msg, 56, 1636, 220, 75547, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0@Q\25\0\322\0\0\0" ... ... 01823 760 NtTestAlert (... 01824 2020 NtClose (540, ... 01823 760 NtTestAlert ... ) == 0x0 01824 2020 NtClose ... ) == 0x0 01822 220 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 220, 75552, 0} ... {40, 64, reply, 0, 1636, 220, 75552, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" ) ) == 0x0 01825 760 NtContinue (63765808, 1, ... 01826 2020 NtClose (552, ... 01827 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01828 760 NtRegisterThreadTerminatePort (24, ... 01826 2020 NtClose ... ) == 0x0 01827 1736 NtAllocateVirtualMemory ... 63766528, 1048576, ) == 0x0 01828 760 NtRegisterThreadTerminatePort ... ) == 0x0 01829 220 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} (548, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\340\\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01830 1736 NtAllocateVirtualMemory (-1, 64806912, 0, 8192, 4096, 4, ... 
01831 2020 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01830 1736 NtAllocateVirtualMemory ... 64806912, 8192, ) == 0x0 01831 2020 NtCreateKey ... 552, 2, ) == 0x0 01832 1736 NtProtectVirtualMemory (-1, (0x3dce000), 4096, 260, ... 01833 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01832 1736 NtProtectVirtualMemory ... (0x3dce000), 4096, 4, ) == 0x0 01833 2020 NtOpenKey ... 540, ) == 0x0 01834 760 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01829 220 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 220, 75554, 0} ... {64, 88, reply, 56, 1636, 220, 75554, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\340\\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01835 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01834 760 NtDuplicateObject ... 564, ) == 0x0 01836 220 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 1636, 220, 75552, 0} (548, {44, 68, new_msg, 56, 1636, 220, 75552, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0@Q\25\0\322\0\0\0" ... ... 01835 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01837 760 NtWaitForSingleObject (64, 0, {0, 0}, ... 01836 220 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 220, 75555, 0} ... {40, 64, reply, 0, 1636, 220, 75555, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" ) ) == 0x0 01838 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01837 760 NtWaitForSingleObject ... 
) == 0x102 01839 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 01838 1736 NtCreateThread ... 568, {1636, 1756}, ) == 0x0 01840 760 NtWaitForSingleObject (128, 0, 0x0, ... 01839 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01841 1736 NtQueryInformationThread (568, Basic, 28, ... 01842 220 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 01843 2020 NtQueryValueKey (552, (552, "Domain", Partial, 144, ... , Partial, 144, ... 01841 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1756,}, 0x0, ) == 0x0 01842 220 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 01843 2020 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01844 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\334\6\0\0" ... ... 01845 220 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} (548, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\320_\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01846 2020 NtQueryValueKey (552, (552, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (552, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01845 220 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 220, 75557, 0} ... {64, 88, reply, 56, 1636, 220, 75557, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\320_\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01844 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75556, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\334\6\0\0" ) ) == 0x0 01847 220 NtClose (532, ... 01848 1736 NtResumeThread (568, ... 01849 2020 NtClose (552, ... 01848 1736 NtResumeThread ... 1, ) == 0x0 01849 2020 NtClose ... ) == 0x0 01850 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01851 2020 NtClose (540, ... 01850 1736 NtAllocateVirtualMemory ... 64815104, 1048576, ) == 0x0 01851 2020 NtClose ... ) == 0x0 01852 1736 NtAllocateVirtualMemory (-1, 65855488, 0, 8192, 4096, 4, ... 01853 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01847 220 NtClose ... ) == 0x0 01854 1756 NtTestAlert (... 01853 2020 NtOpenKey ... 532, ) == 0x0 01855 220 NtClose (548, ... 01854 1756 NtTestAlert ... ) == 0x0 01852 1736 NtAllocateVirtualMemory ... 65855488, 8192, ) == 0x0 01855 220 NtClose ... ) == 0x0 01856 1756 NtContinue (64814384, 1, ... 01857 1736 NtProtectVirtualMemory (-1, (0x3ece000), 4096, 260, ... 01858 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01859 1756 NtRegisterThreadTerminatePort (24, ... 01857 1736 NtProtectVirtualMemory ... (0x3ece000), 4096, 4, ) == 0x0 01858 220 NtCreateEvent ... 548, ) == 0x0 01859 1756 NtRegisterThreadTerminatePort ... ) == 0x0 01860 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01861 220 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 01862 2020 NtQueryValueKey (532, (532, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 01860 1736 NtCreateThread ... 540, {1636, 1304}, ) == 0x0 01863 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01862 2020 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01864 1736 NtQueryInformationThread (540, Basic, 28, ... 01863 1756 NtDuplicateObject ... 552, ) == 0x0 01865 2020 NtClose (532, ... 01861 220 NtOpenKey ... 
572, ) == 0x0 01866 1756 NtWaitForSingleObject (64, 0, {0, 0}, ... 01865 2020 NtClose ... ) == 0x0 01867 220 NtOpenKey (0x20019, {24, 572, 0x40, 0, 0, (0x20019, {24, 572, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 01866 1756 NtWaitForSingleObject ... ) == 0x102 01868 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15526864, ... }, 15526864, ... 01867 220 NtOpenKey ... 532, ) == 0x0 01869 1756 NtWaitForSingleObject (128, 0, 0x0, ... 01868 2020 NtQueryAttributesFile ... ) == 0x0 01870 220 NtQueryValueKey (532, (532, "ComputerName", Full, 108, ... , Full, 108, ... 01864 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=1304,}, 0x0, ) == 0x0 01870 220 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01871 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\30\5\0\0" ... ... 01872 220 NtClose (532, ... 01871 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75559, 0} ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\30\5\0\0" ) ) == 0x0 01873 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01874 1736 NtResumeThread (540, ... 01873 2020 NtOpenFile ... 576, {status=0x0, info=1}, ) == 0x0 01874 1736 NtResumeThread ... 1, ) == 0x0 01875 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 576, ... 01872 220 NtClose ... ) == 0x0 01876 1304 NtWaitForSingleObject (88, 0, 0x0, ... 01875 2020 NtCreateSection ... 532, ) == 0x0 01877 220 NtClose (572, ... 01878 2020 NtClose (576, ... 01877 220 NtClose ... 
) == 0x0 01878 2020 NtClose ... ) == 0x0 01879 220 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 01880 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01879 220 NtCreateIoCompletion ... 576, ) == 0x0 01880 1736 NtAllocateVirtualMemory ... 65863680, 1048576, ) == 0x0 01881 220 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 01882 1736 NtAllocateVirtualMemory (-1, 66904064, 0, 8192, 4096, 4, ... 01883 2020 NtMapViewOfSection (532, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01882 1736 NtAllocateVirtualMemory ... 66904064, 8192, ) == 0x0 01883 2020 NtMapViewOfSection ... (0x860000), 0x0, 20480, ) == 0x0 01884 1736 NtProtectVirtualMemory (-1, (0x3fce000), 4096, 260, ... 01885 2020 NtClose (532, ... 01884 1736 NtProtectVirtualMemory ... (0x3fce000), 4096, 4, ) == 0x0 01885 2020 NtClose ... ) == 0x0 01881 220 NtCreateIoCompletion ... 532, ) == 0x0 01886 220 NtDuplicateObject (-1, 576, -1, 0x0, 0, 2, ... 572, ) == 0x0 01887 220 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01888 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01889 2020 NtUnmapViewOfSection (-1, 0x860000, ... 01890 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01889 2020 NtUnmapViewOfSection ... ) == 0x0 01890 1736 NtCreateThread ... 580, {1636, 1956}, ) == 0x0 01891 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15527172, ... }, 15527172, ... 01892 1736 NtQueryInformationThread (580, Basic, 28, ... 01891 2020 NtQueryAttributesFile ... ) == 0x0 01892 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=1956,}, 0x0, ) == 0x0 01893 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01894 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\244\7\0\0" ... ... 
01893 2020 NtOpenFile ... 584, {status=0x0, info=1}, ) == 0x0 01894 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75560, 0} ... {28, 56, reply, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\244\7\0\0" ) ) == 0x0 01888 220 NtCreateEvent ... 588, ) == 0x0 01895 1736 NtResumeThread (580, ... 01896 220 NtOpenThreadToken (-2, 0xc, 1, ... 01895 1736 NtResumeThread ... 1, ) == 0x0 01896 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01897 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01898 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01897 1736 NtAllocateVirtualMemory ... 66912256, 1048576, ) == 0x0 01898 220 NtSetInformationThread ... ) == 0x0 01899 1736 NtAllocateVirtualMemory (-1, 67952640, 0, 8192, 4096, 4, ... 01900 220 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 11071680, (0xc0100080, {24, 0, 0x40, 0, 11071680, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 01901 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 584, ... 01902 1956 NtWaitForSingleObject (88, 0, 0x0, ... 01899 1736 NtAllocateVirtualMemory ... 67952640, 8192, ) == 0x0 01901 2020 NtCreateSection ... 592, ) == 0x0 01903 1736 NtProtectVirtualMemory (-1, (0x40ce000), 4096, 260, ... 01904 2020 NtQuerySection (592, Image, 48, ... 01903 1736 NtProtectVirtualMemory ... (0x40ce000), 4096, 4, ) == 0x0 01904 2020 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01905 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01906 2020 NtClose (584, ... 01905 1736 NtCreateThread ... 596, {1636, 1980}, ) == 0x0 01906 2020 NtClose ... ) == 0x0 01907 1736 NtQueryInformationThread (596, Basic, 28, ... 01900 220 NtCreateFile ... 584, {status=0x0, info=1}, ) == 0x0 01908 2020 NtMapViewOfSection (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01909 220 NtSetInformationFile (584, 11071736, 8, Pipe, ... 01908 2020 NtMapViewOfSection ... 
(0x76fb0000), 0x0, 32768, ) == 0x0 01909 220 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01910 2020 NtClose (592, ... 01911 220 NtSetInformationFile (584, 11071724, 8, Completion, ... 01910 2020 NtClose ... ) == 0x0 01911 220 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01912 2020 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01913 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01912 2020 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01907 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1980,}, 0x0, ) == 0x0 01913 220 NtSetInformationThread ... ) == 0x0 01914 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\274\7\0\0" ... ... 01915 220 NtWriteFile (584, 217, 0, 0, (584, 217, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 01914 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75561, 0} ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0\274\7\0\0" ) ) == 0x0 01915 220 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 01916 1736 NtResumeThread (596, ... 01917 220 NtReadFile (584, 217, 0, 0, 1024, {0, 0}, 0, ... 01916 1736 NtResumeThread ... 1, ) == 0x0 01917 220 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01918 2020 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01919 1980 NtWaitForSingleObject (88, 0, 0x0, ... 
01920 220 NtFsControlFile (584, 217, 0x0, 0x0, 0x11c017, (584, 217, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 01918 2020 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01921 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01922 2020 NtFlushInstructionCache (-1, 1996165120, 232, ... 01921 1736 NtAllocateVirtualMemory ... 67960832, 1048576, ) == 0x0 01922 2020 NtFlushInstructionCache ... ) == 0x0 01923 1736 NtAllocateVirtualMemory (-1, 69001216, 0, 8192, 4096, 4, ... 01920 220 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01923 1736 NtAllocateVirtualMemory ... 69001216, 8192, ) == 0x0 01924 220 NtFsControlFile (584, 217, 0x0, 0x0, 0x11c017, (584, 217, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\00b\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 01925 1736 NtProtectVirtualMemory (-1, (0x41ce000), 4096, 260, ... 01924 220 NtFsControlFile ... {status=0x103, info=48}, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103 01925 1736 NtProtectVirtualMemory ... (0x41ce000), 4096, 4, ) == 0x0 01926 2020 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01927 220 NtFsControlFile (584, 217, 0x0, 0x0, 0x11c017, (584, 217, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... , 44, 1024, ... 
01926 2020 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01927 220 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\20Z\25\0\1\0\0\0\34Z\25\0 \0\0\0\1\0\0\0\30\0\32\0(Z\25\0DZ\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\300)\25\0\1\0\0\0\5\0\15\0\320)\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01928 2020 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01929 220 NtClose (588, ... 01928 2020 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01929 220 NtClose ... ) == 0x0 01930 2020 NtFlushInstructionCache (-1, 1996165120, 232, ... 01931 220 NtClose (584, ... 01930 2020 NtFlushInstructionCache ... ) == 0x0 01931 220 NtClose ... ) == 0x0 01932 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01933 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ... 01932 1736 NtCreateThread ... 584, {1636, 1556}, ) == 0x0 01933 2020 NtOpenSection ... 588, ) == 0x0 01934 1736 NtQueryInformationThread (584, Basic, 28, ... 01935 2020 NtMapViewOfSection (588, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01934 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=1556,}, 0x0, ) == 0x0 01935 2020 NtMapViewOfSection ... (0x76f60000), 0x0, 180224, ) == 0x0 01936 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\24\6\0\0" ... ... 01937 2020 NtClose (588, ... ) == 0x0 01938 2020 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 01939 2020 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 01940 2020 NtFlushInstructionCache (-1, 1995837440, 228, ... 
) == 0x0 01941 220 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1382296, 0x0, 11073604, 188, ... , {12, 2, 1, 1}, 0x0, 1382296, 0x0, 11073604, 188, ... 01936 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75562, 0} ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\24\6\0\0" ) ) == 0x0 01942 1736 NtResumeThread (584, ... 1, ) == 0x0 01943 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 69009408, 1048576, ) == 0x0 01944 1736 NtAllocateVirtualMemory (-1, 70049792, 0, 8192, 4096, 4, ... 01941 220 NtSecureConnectPort ... 588, 0x0, 0x0, 0x0, 188, ) == 0x0 01945 2020 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... 01946 1556 NtWaitForSingleObject (88, 0, 0x0, ... 01947 220 NtOpenThreadToken (-2, 0xc, 1, ... 01945 2020 NtProtectVirtualMemory ... (0x76f61000), 4096, 32, ) == 0x0 01947 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01948 2020 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 01949 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01948 2020 NtProtectVirtualMemory ... (0x76f61000), 4096, 4, ) == 0x0 01944 1736 NtAllocateVirtualMemory ... 70049792, 8192, ) == 0x0 01950 2020 NtFlushInstructionCache (-1, 1995837440, 228, ... 01951 1736 NtProtectVirtualMemory (-1, (0x42ce000), 4096, 260, ... 01950 2020 NtFlushInstructionCache ... ) == 0x0 01951 1736 NtProtectVirtualMemory ... (0x42ce000), 4096, 4, ) == 0x0 01949 220 NtSetInformationThread ... ) == 0x0 01952 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01953 220 NtRequestWaitReplyPort (588, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} (588, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\366\232\203\376.\22\276[\376\273\370\354\210\367^j\12\0\0\0\317>\232\370\359\340\200\0\0\0\0\260X\25\0v\220H:o\261\6\22(\0\0\0\371U\0d\0\0\24\0\240\366\250\0_\370\335\242\0\0\0\0hO\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01952 1736 NtCreateThread ... 592, {1636, 1068}, ) == 0x0 01954 1736 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=1068,}, 0x0, ) == 0x0 01955 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75565, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0,\4\0\0" ) ) == 0x0 01956 1736 NtResumeThread (592, ... 1, ) == 0x0 01957 2020 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01958 1068 NtWaitForSingleObject (88, 0, 0x0, ... 01953 220 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 220, 75564, 0} ... 
{200, 224, reply, 0, 1636, 220, 75564, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\366\232\203\376.\22\276[\376\273\370\354\210\367^j\12\0\0\0\317>\232\370\359\340\200\0\0\0\0\260X\25\0v\220H:o\261\6\22(\0\0\0\371U\0d\0\0\24\0\240\366\250\0_\370\335\242\0\0\0\0hO\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01957 2020 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01959 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01960 2020 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01959 220 NtSetInformationThread ... ) == 0x0 01960 2020 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01961 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01962 2020 NtFlushInstructionCache (-1, 1996165120, 232, ... 01961 1736 NtAllocateVirtualMemory ... 70057984, 1048576, ) == 0x0 01962 2020 NtFlushInstructionCache ... ) == 0x0 01963 1736 NtAllocateVirtualMemory (-1, 71098368, 0, 8192, 4096, 4, ... 01964 220 NtRequestWaitReplyPort (588, {56, 80, new_msg, 0, 44, 3, 20, 0} (588, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0\244\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 01963 1736 NtAllocateVirtualMemory ... 71098368, 8192, ) == 0x0 01965 1736 NtProtectVirtualMemory (-1, (0x43ce000), 4096, 260, ... (0x43ce000), 4096, 4, ) == 0x0 01966 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01967 2020 NtAllocateVirtualMemory (-1, 8871936, 0, 4096, 4096, 4, ... 8871936, 4096, ) == 0x0 01968 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
600, ) == 0x0 01969 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 604, ) }, ... 604, ) == 0x0 01970 2020 NtQueryValueKey (604, (604, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (604, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01971 2020 NtClose (604, ... ) == 0x0 01972 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1636, 1856}, ) == 0x0 01973 1736 NtQueryInformationThread (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1856,}, 0x0, ) == 0x0 01974 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0@\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75567, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0@\7\0\0" ) ) == 0x0 01975 1736 NtResumeThread (604, ... 1, ) == 0x0 01976 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71106560, 1048576, ) == 0x0 01977 1736 NtAllocateVirtualMemory (-1, 72146944, 0, 8192, 4096, 4, ... 01978 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ... 01964 220 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1636, 220, 75566, 0} ... {44, 68, reply, 0, 1636, 220, 75566, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01979 1856 NtWaitForSingleObject (88, 0, 0x0, ... 
01978 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01980 220 NtRaiseException (11074064, 11073324, 1, ... 01981 2020 NtQueryPerformanceCounter (... 01982 220 NtQueryVirtualMemory (-1, 0x77ea0470, BasicVlm, 16, ... 01981 2020 NtQueryPerformanceCounter ... {1109157049, 16}, {3579545, 0}, ) == 0x0 01982 220 NtQueryVirtualMemory ... {memory info, class 3, size 16}, 0x0, ) == 0x0 01977 1736 NtAllocateVirtualMemory ... 72146944, 8192, ) == 0x0 01983 2020 NtSetEventBoostPriority (88, ... 01984 1736 NtProtectVirtualMemory (-1, (0x44ce000), 4096, 260, ... 01876 1304 NtWaitForSingleObject ... ) == 0x0 01983 2020 NtSetEventBoostPriority ... ) == 0x0 01985 1304 NtSetEventBoostPriority (88, ... 01984 1736 NtProtectVirtualMemory ... (0x44ce000), 4096, 4, ) == 0x0 01902 1956 NtWaitForSingleObject ... ) == 0x0 01985 1304 NtSetEventBoostPriority ... ) == 0x0 01986 2020 NtWaitForSingleObject (88, 0, 0x0, ... 01987 1956 NtSetEventBoostPriority (88, ... 01988 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01989 220 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 01919 1980 NtWaitForSingleObject ... ) == 0x0 01987 1956 NtSetEventBoostPriority ... ) == 0x0 01988 1736 NtCreateThread ... 608, {1636, 1596}, ) == 0x0 01990 1980 NtSetEventBoostPriority (88, ... 01989 220 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 01991 1304 NtTestAlert (... 01946 1556 NtWaitForSingleObject ... ) == 0x0 01990 1980 NtSetEventBoostPriority ... ) == 0x0 01992 1736 NtQueryInformationThread (608, Basic, 28, ... 01993 220 NtContinue (11072292, 0, ... 01994 1556 NtSetEventBoostPriority (88, ... 01991 1304 NtTestAlert ... ) == 0x0 01995 1956 NtTestAlert (... 01996 1980 NtTestAlert (... 01958 1068 NtWaitForSingleObject ... ) == 0x0 01994 1556 NtSetEventBoostPriority ... ) == 0x0 01997 1304 NtContinue (65862960, 1, ... 01995 1956 NtTestAlert ... 
) == 0x0 01998 1068 NtSetEventBoostPriority (88, ... 01996 1980 NtTestAlert ... ) == 0x0 01992 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=1596,}, 0x0, ) == 0x0 01999 1304 NtRegisterThreadTerminatePort (24, ... 01979 1856 NtWaitForSingleObject ... ) == 0x0 01998 1068 NtSetEventBoostPriority ... ) == 0x0 02000 1956 NtContinue (66911536, 1, ... 02001 1980 NtContinue (67960112, 1, ... 02002 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0<\6\0\0" ... ... 02003 1856 NtSetEventBoostPriority (88, ... 01999 1304 NtRegisterThreadTerminatePort ... ) == 0x0 02004 1556 NtTestAlert (... 02005 220 NtDeviceIoControlFile (420, 108, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 02006 1956 NtRegisterThreadTerminatePort (24, ... 02007 1980 NtRegisterThreadTerminatePort (24, ... 01986 2020 NtWaitForSingleObject ... ) == 0x0 02003 1856 NtSetEventBoostPriority ... ) == 0x0 02002 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75568, 0} ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0<\6\0\0" ) ) == 0x0 02008 1304 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02004 1556 NtTestAlert ... ) == 0x0 02005 220 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 02006 1956 NtRegisterThreadTerminatePort ... ) == 0x0 02009 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15526864, ... }, 15526864, ... 02007 1980 NtRegisterThreadTerminatePort ... ) == 0x0 02010 1068 NtTestAlert (... 02011 1736 NtResumeThread (608, ... 02012 1856 NtTestAlert (... 02013 1556 NtContinue (69008688, 1, ... 02014 220 NtWaitForSingleObject (108, 1, {-5000000, -1}, ... 02009 2020 NtQueryAttributesFile ... ) == 0x0 02015 1956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02016 1980 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02010 1068 NtTestAlert ... ) == 0x0 02011 1736 NtResumeThread ... 1, ) == 0x0 02012 1856 NtTestAlert ... ) == 0x0 02017 1556 NtRegisterThreadTerminatePort (24, ... 02008 1304 NtDuplicateObject ... 612, ) == 0x0 02018 1596 NtWaitForSingleObject (88, 0, 0x0, ... 02019 2020 NtSetEventBoostPriority (88, ... 02015 1956 NtDuplicateObject ... 616, ) == 0x0 02020 1068 NtContinue (70057264, 1, ... 02016 1980 NtDuplicateObject ... 620, ) == 0x0 02021 1856 NtContinue (71105840, 1, ... 02017 1556 NtRegisterThreadTerminatePort ... ) == 0x0 02022 1304 NtWaitForSingleObject (64, 0, {0, 0}, ... 02018 1596 NtWaitForSingleObject ... ) == 0x0 02019 2020 NtSetEventBoostPriority ... ) == 0x0 02023 1956 NtWaitForSingleObject (64, 0, {0, 0}, ... 02024 1068 NtRegisterThreadTerminatePort (24, ... 02025 1980 NtWaitForSingleObject (64, 0, {0, 0}, ... 02026 1856 NtRegisterThreadTerminatePort (24, ... 02027 1556 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02028 1596 NtTestAlert (... 02022 1304 NtWaitForSingleObject ... ) == 0x102 02029 2020 NtQuerySystemInformation (Basic, 44, ... 02023 1956 NtWaitForSingleObject ... ) == 0x102 02024 1068 NtRegisterThreadTerminatePort ... ) == 0x0 02025 1980 NtWaitForSingleObject ... ) == 0x102 02026 1856 NtRegisterThreadTerminatePort ... ) == 0x0 02030 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02028 1596 NtTestAlert ... ) == 0x0 02031 1304 NtWaitForSingleObject (128, 0, 0x0, ... 02029 2020 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02032 1956 NtWaitForSingleObject (128, 0, 0x0, ... 02033 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02034 1980 NtWaitForSingleObject (128, 0, 0x0, ... 02035 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02030 1736 NtAllocateVirtualMemory ... 72155136, 1048576, ) == 0x0 02027 1556 NtDuplicateObject ... 624, ) == 0x0 02036 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02037 1596 NtContinue (72154416, 1, ... 02033 1068 NtDuplicateObject ... 628, ) == 0x0 02038 1736 NtAllocateVirtualMemory (-1, 73195520, 0, 8192, 4096, 4, ... 02039 1556 NtWaitForSingleObject (64, 0, {0, 0}, ... 02036 2020 NtAllocateVirtualMemory ... 8781824, 65536, ) == 0x0 02040 1596 NtRegisterThreadTerminatePort (24, ... 02041 1068 NtWaitForSingleObject (64, 0, {0, 0}, ... 02038 1736 NtAllocateVirtualMemory ... 73195520, 8192, ) == 0x0 02039 1556 NtWaitForSingleObject ... ) == 0x102 02035 1856 NtDuplicateObject ... 632, ) == 0x0 02040 1596 NtRegisterThreadTerminatePort ... ) == 0x0 02041 1068 NtWaitForSingleObject ... ) == 0x102 02042 1736 NtProtectVirtualMemory (-1, (0x45ce000), 4096, 260, ... 02043 1556 NtWaitForSingleObject (128, 0, 0x0, ... 02044 1856 NtWaitForSingleObject (64, 0, {0, 0}, ... 02045 1596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02046 1068 NtWaitForSingleObject (128, 0, 0x0, ... 02042 1736 NtProtectVirtualMemory ... (0x45ce000), 4096, 4, ) == 0x0 02044 1856 NtWaitForSingleObject ... ) == 0x102 02045 1596 NtDuplicateObject ... 636, ) == 0x0 02047 2020 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 02048 1856 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 02049 1596 NtWaitForSingleObject (280, 0, 0x0, ... 02047 2020 NtAllocateVirtualMemory ... 8781824, 4096, ) == 0x0 02048 1856 NtAllocateVirtualMemory ... 1404928, 4096, ) == 0x0 02050 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02051 2020 NtWaitForSingleObject (280, 0, 0x0, ... 02050 1736 NtCreateThread ... 640, {1636, 1156}, ) == 0x0 02052 1736 NtQueryInformationThread (640, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=1156,}, 0x0, ) == 0x0 02053 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0\204\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75569, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0\204\4\0\0" ) ) == 0x0 02054 1736 NtResumeThread (640, ... 1, ) == 0x0 02055 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 73203712, 1048576, ) == 0x0 02056 1736 NtAllocateVirtualMemory (-1, 74244096, 0, 8192, 4096, 4, ... 02057 1856 NtSetEventBoostPriority (280, ... 02058 1156 NtWaitForSingleObject (280, 0, 0x0, ... 02049 1596 NtWaitForSingleObject ... ) == 0x0 02057 1856 NtSetEventBoostPriority ... ) == 0x0 02059 1596 NtSetEventBoostPriority (280, ... 02051 2020 NtWaitForSingleObject ... ) == 0x0 02060 2020 NtSetEventBoostPriority (280, ... 02058 1156 NtWaitForSingleObject ... ) == 0x0 02061 1156 NtTestAlert (... ) == 0x0 02060 2020 NtSetEventBoostPriority ... ) == 0x0 02062 1856 NtWaitForSingleObject (128, 0, 0x0, ... 02059 1596 NtSetEventBoostPriority ... ) == 0x0 02056 1736 NtAllocateVirtualMemory ... 74244096, 8192, ) == 0x0 02063 1156 NtContinue (73202992, 1, ... 02064 1596 NtWaitForSingleObject (344, 0, 0x0, ... 02065 1736 NtProtectVirtualMemory (-1, (0x46ce000), 4096, 260, ... 02066 1156 NtRegisterThreadTerminatePort (24, ... 02065 1736 NtProtectVirtualMemory ... (0x46ce000), 4096, 4, ) == 0x0 02066 1156 NtRegisterThreadTerminatePort ... ) == 0x0 02067 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02068 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02067 1736 NtCreateThread ... 
644, {1636, 1700}, ) == 0x0 02068 1156 NtDuplicateObject ... 648, ) == 0x0 02069 1736 NtQueryInformationThread (644, Basic, 28, ... 02070 1156 NtWaitForSingleObject (344, 0, 0x0, ... 02071 2020 NtSetEventBoostPriority (344, ... 02069 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=1700,}, 0x0, ) == 0x0 02064 1596 NtWaitForSingleObject ... ) == 0x0 02071 2020 NtSetEventBoostPriority ... ) == 0x0 02072 1596 NtSetEventBoostPriority (344, ... 02073 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\244\6\0\0" ... ... 02072 1596 NtSetEventBoostPriority ... ) == 0x0 02074 2020 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 02073 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75570, 0} ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\244\6\0\0" ) ) == 0x0 02070 1156 NtWaitForSingleObject ... ) == 0x0 02074 2020 NtAllocateVirtualMemory ... 8785920, 8192, ) == 0x0 02075 1736 NtResumeThread (644, ... 02076 1156 NtWaitForSingleObject (64, 0, {0, 0}, ... 02077 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15526864, ... }, 15526864, ... 02075 1736 NtResumeThread ... 1, ) == 0x0 02076 1156 NtWaitForSingleObject ... ) == 0x102 02077 2020 NtQueryAttributesFile ... ) == 0x0 02078 1596 NtWaitForSingleObject (64, 0, {0, 0}, ... 02079 1700 NtWaitForSingleObject (88, 0, 0x0, ... 02080 1156 NtWaitForSingleObject (128, 0, 0x0, ... 02081 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02078 1596 NtWaitForSingleObject ... ) == 0x102 02082 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ... 02081 1736 NtAllocateVirtualMemory ... 
74252288, 1048576, ) == 0x0 02083 1596 NtWaitForSingleObject (128, 0, 0x0, ... 02082 2020 NtOpenFile ... 652, {status=0x0, info=1}, ) == 0x0 02084 1736 NtAllocateVirtualMemory (-1, 75292672, 0, 8192, 4096, 4, ... 02085 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 652, ... 02084 1736 NtAllocateVirtualMemory ... 75292672, 8192, ) == 0x0 02085 2020 NtCreateSection ... 656, ) == 0x0 02086 1736 NtProtectVirtualMemory (-1, (0x47ce000), 4096, 260, ... 02087 2020 NtClose (652, ... 02086 1736 NtProtectVirtualMemory ... (0x47ce000), 4096, 4, ) == 0x0 02087 2020 NtClose ... ) == 0x0 02088 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1636, 1728}, ) == 0x0 02089 1736 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=1728,}, 0x0, ) == 0x0 02090 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\300\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75571, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\300\6\0\0" ) ) == 0x0 02091 1736 NtResumeThread (652, ... 1, ) == 0x0 02092 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 75300864, 1048576, ) == 0x0 02093 1736 NtAllocateVirtualMemory (-1, 76341248, 0, 8192, 4096, 4, ... 02094 2020 NtMapViewOfSection (656, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02095 1728 NtWaitForSingleObject (88, 0, 0x0, ... 02094 2020 NtMapViewOfSection ... (0xc90000), 0x0, 110592, ) == 0x0 02096 2020 NtClose (656, ... ) == 0x0 02093 1736 NtAllocateVirtualMemory ... 76341248, 8192, ) == 0x0 02097 1736 NtProtectVirtualMemory (-1, (0x48ce000), 4096, 260, ... 
(0x48ce000), 4096, 4, ) == 0x0 02098 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02099 2020 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 02100 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15527172, ... ) }, 15527172, ... ) == 0x0 02101 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 656, {status=0x0, info=1}, ) }, 5, 96, ... 656, {status=0x0, info=1}, ) == 0x0 02098 1736 NtCreateThread ... 660, {1636, 712}, ) == 0x0 02102 1736 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=712,}, 0x0, ) == 0x0 02103 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\310\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\310\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\310\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\310\2\0\0" ) ) == 0x0 02104 1736 NtResumeThread (660, ... 1, ) == 0x0 02105 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 656, ... 02106 712 NtWaitForSingleObject (88, 0, 0x0, ... 02105 2020 NtCreateSection ... 664, ) == 0x0 02107 2020 NtQuerySection (664, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02108 2020 NtClose (656, ... ) == 0x0 02109 2020 NtMapViewOfSection (664, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0 02110 2020 NtClose (664, ... ) == 0x0 02111 2020 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02112 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
76349440, 1048576, ) == 0x0 02113 1736 NtAllocateVirtualMemory (-1, 77389824, 0, 8192, 4096, 4, ... 77389824, 8192, ) == 0x0 02114 1736 NtProtectVirtualMemory (-1, (0x49ce000), 4096, 260, ... (0x49ce000), 4096, 4, ) == 0x0 02115 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1636, 212}, ) == 0x0 02116 1736 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=212,}, 0x0, ) == 0x0 02117 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0\324\0\0\0" ... ... 02118 2020 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02119 2020 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02117 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75573, 0} ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0\324\0\0\0" ) ) == 0x0 02120 1736 NtResumeThread (664, ... 1, ) == 0x0 02121 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 77398016, 1048576, ) == 0x0 02122 1736 NtAllocateVirtualMemory (-1, 78438400, 0, 8192, 4096, 4, ... 78438400, 8192, ) == 0x0 02123 1736 NtProtectVirtualMemory (-1, (0x4ace000), 4096, 260, ... (0x4ace000), 4096, 4, ) == 0x0 02124 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1636, 1256}, ) == 0x0 02125 1736 NtQueryInformationThread (656, Basic, 28, ... 02126 2020 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... 02127 212 NtWaitForSingleObject (88, 0, 0x0, ... 02126 2020 NtProtectVirtualMemory ... (0x751d1000), 4096, 32, ) == 0x0 02128 2020 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02129 2020 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02130 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02131 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15526348, ... }, 15526348, ... 02125 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1256,}, 0x0, ) == 0x0 02132 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\350\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\350\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75574, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\350\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\350\4\0\0" ) ) == 0x0 02133 1736 NtResumeThread (656, ... 1, ) == 0x0 02134 1256 NtWaitForSingleObject (88, 0, 0x0, ... 02135 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78446592, 1048576, ) == 0x0 02136 1736 NtAllocateVirtualMemory (-1, 79486976, 0, 8192, 4096, 4, ... 79486976, 8192, ) == 0x0 02137 1736 NtProtectVirtualMemory (-1, (0x4bce000), 4096, 260, ... (0x4bce000), 4096, 4, ) == 0x0 02138 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1636, 464}, ) == 0x0 02139 1736 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=464,}, 0x0, ) == 0x0 02140 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\320\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75575, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\320\1\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\320\1\0\0" ) ) == 0x0 02141 1736 NtResumeThread (668, ... 1, ) == 0x0 02142 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 79495168, 1048576, ) == 0x0 02143 1736 NtAllocateVirtualMemory (-1, 80535552, 0, 8192, 4096, 4, ... 02131 2020 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02144 464 NtWaitForSingleObject (88, 0, 0x0, ... 02145 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15526348, ... ) }, 15526348, ... ) == 0x0 02146 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 672, {status=0x0, info=1}, ) }, 5, 96, ... 672, {status=0x0, info=1}, ) == 0x0 02147 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 672, ... 676, ) == 0x0 02148 2020 NtQuerySection (676, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02149 2020 NtClose (672, ... ) == 0x0 02150 2020 NtMapViewOfSection (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02143 1736 NtAllocateVirtualMemory ... 80535552, 8192, ) == 0x0 02151 1736 NtProtectVirtualMemory (-1, (0x4cce000), 4096, 260, ... (0x4cce000), 4096, 4, ) == 0x0 02152 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1636, 1536}, ) == 0x0 02153 1736 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=1536,}, 0x0, ) == 0x0 02154 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\0\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75576, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\0\6\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\0\6\0\0" ) ) == 0x0 02155 1736 NtResumeThread (672, ... 1, ) == 0x0 02150 2020 NtMapViewOfSection ... (0x77920000), 0x0, 995328, ) == 0x0 02156 1536 NtWaitForSingleObject (88, 0, 0x0, ... 02157 2020 NtClose (676, ... ) == 0x0 02158 2020 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02159 2020 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02160 2020 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02161 2020 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02162 2020 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 02163 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80543744, 1048576, ) == 0x0 02164 1736 NtAllocateVirtualMemory (-1, 81584128, 0, 8192, 4096, 4, ... 81584128, 8192, ) == 0x0 02165 1736 NtProtectVirtualMemory (-1, (0x4dce000), 4096, 260, ... (0x4dce000), 4096, 4, ) == 0x0 02166 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1636, 444}, ) == 0x0 02167 1736 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=444,}, 0x0, ) == 0x0 02168 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\274\1\0\0" ... ... 02162 2020 NtProtectVirtualMemory ... (0x77921000), 4096, 4, ) == 0x0 02169 2020 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02170 2020 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02171 2020 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 02168 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75577, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\274\1\0\0" ) ) == 0x0 02172 1736 NtResumeThread (676, ... 1, ) == 0x0 02173 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 81592320, 1048576, ) == 0x0 02174 1736 NtAllocateVirtualMemory (-1, 82632704, 0, 8192, 4096, 4, ... 82632704, 8192, ) == 0x0 02175 1736 NtProtectVirtualMemory (-1, (0x4ece000), 4096, 260, ... (0x4ece000), 4096, 4, ) == 0x0 02176 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 1904}, ) == 0x0 02177 1736 NtQueryInformationThread (680, Basic, 28, ... 02171 2020 NtProtectVirtualMemory ... (0x77921000), 4096, 4, ) == 0x0 02178 444 NtWaitForSingleObject (88, 0, 0x0, ... 02179 2020 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02180 2020 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02181 2020 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02182 2020 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02183 2020 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02184 2020 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 02177 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=1904,}, 0x0, ) == 0x0 02185 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0p\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75578, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0p\7\0\0" ) ) == 0x0 02186 1736 NtResumeThread (680, ... 
1, ) == 0x0 02187 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 82640896, 1048576, ) == 0x0 02188 1736 NtAllocateVirtualMemory (-1, 83681280, 0, 8192, 4096, 4, ... 83681280, 8192, ) == 0x0 02189 1736 NtProtectVirtualMemory (-1, (0x4fce000), 4096, 260, ... (0x4fce000), 4096, 4, ) == 0x0 02184 2020 NtProtectVirtualMemory ... (0x77921000), 4096, 4, ) == 0x0 02190 1904 NtWaitForSingleObject (88, 0, 0x0, ... 02191 2020 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02192 2020 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02193 2020 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02194 2020 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02195 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 1936}, ) == 0x0 02196 1736 NtQueryInformationThread (684, Basic, 28, ... 02197 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... }, ... 02196 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=1936,}, 0x0, ) == 0x0 02198 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\220\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\220\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75579, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\220\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\220\7\0\0" ) ) == 0x0 02199 1736 NtResumeThread (684, ... 1, ) == 0x0 02200 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
83689472, 1048576, ) == 0x0 02201 1736 NtAllocateVirtualMemory (-1, 84729856, 0, 8192, 4096, 4, ... 84729856, 8192, ) == 0x0 02202 1736 NtProtectVirtualMemory (-1, (0x50ce000), 4096, 260, ... (0x50ce000), 4096, 4, ) == 0x0 02197 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02203 1936 NtWaitForSingleObject (88, 0, 0x0, ... 02204 2020 NtQueryDefaultUILanguage (2090319928, ... 02205 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02206 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482564, ) == 0x0 02207 2020 NtQueryInformationToken (-2147482564, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02208 2020 NtClose (-2147482564, ... ) == 0x0 02209 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... -2147482564, ) == 0x0 02210 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1636, 1648}, ) == 0x0 02211 1736 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=1648,}, 0x0, ) == 0x0 02212 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75580, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\6\0\0" ) ) == 0x0 02213 1736 NtResumeThread (688, ... 1, ) == 0x0 02214 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 84738048, 1048576, ) == 0x0 02215 1736 NtAllocateVirtualMemory (-1, 85778432, 0, 8192, 4096, 4, ... 
02216 2020 NtOpenKey (0x80000000, {24, -2147482564, 0x240, 0, 0, (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... }, ... 02217 1648 NtWaitForSingleObject (88, 0, 0x0, ... 02216 2020 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02218 2020 NtOpenKey (0x80000000, {24, -2147482564, 0x640, 0, 0, (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0 02219 2020 NtQueryValueKey (-2147481440, (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02220 2020 NtClose (-2147481440, ... ) == 0x0 02221 2020 NtClose (-2147482564, ... ) == 0x0 02204 2020 NtQueryDefaultUILanguage ... ) == 0x0 02222 2020 NtAllocateVirtualMemory (-1, 15515648, 0, 4096, 4096, 260, ... 02215 1736 NtAllocateVirtualMemory ... 85778432, 8192, ) == 0x0 02223 1736 NtProtectVirtualMemory (-1, (0x51ce000), 4096, 260, ... (0x51ce000), 4096, 4, ) == 0x0 02224 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1636, 1944}, ) == 0x0 02225 1736 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=1944,}, 0x0, ) == 0x0 02226 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\230\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\230\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75581, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\230\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\230\7\0\0" ) ) == 0x0 02227 1736 NtResumeThread (692, ... 1, ) == 0x0 02222 2020 NtAllocateVirtualMemory ... 15515648, 4096, ) == 0x0 02228 1944 NtWaitForSingleObject (88, 0, 0x0, ... 
02229 2020 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 02230 2020 NtQueryDefaultLocale (1, 15527068, ... ) == 0x0 02231 2020 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02232 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 696, ) }, ... 696, ) == 0x0 02233 2020 NtQueryValueKey (696, (696, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (696, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02234 2020 NtClose (696, ... 02235 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 85786624, 1048576, ) == 0x0 02236 1736 NtAllocateVirtualMemory (-1, 86827008, 0, 8192, 4096, 4, ... 86827008, 8192, ) == 0x0 02237 1736 NtProtectVirtualMemory (-1, (0x52ce000), 4096, 260, ... (0x52ce000), 4096, 4, ) == 0x0 02238 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1636, 432}, ) == 0x0 02239 1736 NtQueryInformationThread (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=432,}, 0x0, ) == 0x0 02240 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\260\1\0\0" ... ... 02234 2020 NtClose ... ) == 0x0 02241 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 696, ) == 0x0 02242 2020 NtCallbackReturn (0, 0, 0, ... 02243 2020 NtUserGetProcessWindowStation (... ) == 0x20 02240 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75582, 0} ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\260\1\0\0" ) ) == 0x0 02244 1736 NtResumeThread (700, ... 1, ) == 0x0 02245 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 86835200, 1048576, ) == 0x0 02246 1736 NtAllocateVirtualMemory (-1, 87875584, 0, 8192, 4096, 4, ... 
87875584, 8192, ) == 0x0 02247 1736 NtProtectVirtualMemory (-1, (0x53ce000), 4096, 260, ... (0x53ce000), 4096, 4, ) == 0x0 02248 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1636, 1020}, ) == 0x0 02249 1736 NtQueryInformationThread (704, Basic, 28, ... 02250 2020 NtUserGetObjectInformation (32, 1, 15526664, 12, 15526676, ... 02251 432 NtWaitForSingleObject (88, 0, 0x0, ... 02250 2020 NtUserGetObjectInformation ... ) == 0x1 02252 2020 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02253 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 708, ) }, ... 708, ) == 0x0 02254 2020 NtQueryValueKey (708, (708, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (708, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 02255 2020 NtClose (708, ... ) == 0x0 02256 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 708, ) }, ... 708, ) == 0x0 02249 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=1020,}, 0x0, ) == 0x0 02257 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\374\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\374\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75583, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\374\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\374\3\0\0" ) ) == 0x0 02258 1736 NtResumeThread (704, ... 1, ) == 0x0 02259 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
87883776, 1048576, ) == 0x0 02260 1736 NtAllocateVirtualMemory (-1, 88924160, 0, 8192, 4096, 4, ... 88924160, 8192, ) == 0x0 02261 1736 NtProtectVirtualMemory (-1, (0x54ce000), 4096, 260, ... (0x54ce000), 4096, 4, ) == 0x0 02262 2020 NtQueryValueKey (708, (708, "OsLoaderPath", Partial, 144, ... , Partial, 144, ... 02263 1020 NtWaitForSingleObject (88, 0, 0x0, ... 02262 2020 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02264 2020 NtQueryValueKey (708, (708, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02265 2020 NtClose (708, ... ) == 0x0 02266 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 708, ) }, ... 708, ) == 0x0 02267 2020 NtQueryValueKey (708, (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02268 2020 NtQueryValueKey (708, (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02269 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1636, 1864}, ) == 0x0 02270 1736 NtQueryInformationThread (712, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=1864,}, 0x0, ) == 0x0 02271 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0H\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0H\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75584, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0H\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0H\7\0\0" ) ) == 0x0 02272 1736 NtResumeThread (712, ... 1, ) == 0x0 02273 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 88932352, 1048576, ) == 0x0 02274 1736 NtAllocateVirtualMemory (-1, 89972736, 0, 8192, 4096, 4, ... 02275 2020 NtClose (708, ... 02276 1864 NtWaitForSingleObject (88, 0, 0x0, ... 02275 2020 NtClose ... ) == 0x0 02277 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 708, ) }, ... 708, ) == 0x0 02278 2020 NtQueryValueKey (708, (708, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02279 2020 NtQueryValueKey (708, (708, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02280 2020 NtClose (708, ... ) == 0x0 02281 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 708, ) }, ... 708, ) == 0x0 02274 1736 NtAllocateVirtualMemory ... 89972736, 8192, ) == 0x0 02282 1736 NtProtectVirtualMemory (-1, (0x55ce000), 4096, 260, ... 
(0x55ce000), 4096, 4, ) == 0x0 02283 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1636, 1524}, ) == 0x0 02284 1736 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=1524,}, 0x0, ) == 0x0 02285 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\364\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\364\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75585, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\364\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\364\5\0\0" ) ) == 0x0 02286 1736 NtResumeThread (716, ... 1, ) == 0x0 02287 2020 NtQueryValueKey (708, (708, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ... 02288 1524 NtWaitForSingleObject (88, 0, 0x0, ... 02287 2020 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02289 2020 NtQueryValueKey (708, (708, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02290 2020 NtClose (708, ... ) == 0x0 02291 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 708, ) }, ... 708, ) == 0x0 02292 2020 NtQueryValueKey (708, (708, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "ServicePackCachePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02293 2020 NtQueryValueKey (708, (708, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02294 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 89980928, 1048576, ) == 0x0 02295 1736 NtAllocateVirtualMemory (-1, 91021312, 0, 8192, 4096, 4, ... 91021312, 8192, ) == 0x0 02296 1736 NtProtectVirtualMemory (-1, (0x56ce000), 4096, 260, ... (0x56ce000), 4096, 4, ) == 0x0 02297 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 1584}, ) == 0x0 02298 1736 NtQueryInformationThread (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=1584,}, 0x0, ) == 0x0 02299 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\00\6\0\0" ... ... 02300 2020 NtClose (708, ... ) == 0x0 02301 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 708, ) }, ... 708, ) == 0x0 02302 2020 NtQueryValueKey (708, (708, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (708, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02299 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75586, 0} ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\00\6\0\0" ) ) == 0x0 02303 1736 NtResumeThread (720, ... 1, ) == 0x0 02304 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 91029504, 1048576, ) == 0x0 02305 1736 NtAllocateVirtualMemory (-1, 92069888, 0, 8192, 4096, 4, ... 92069888, 8192, ) == 0x0 02306 1736 NtProtectVirtualMemory (-1, (0x57ce000), 4096, 260, ... (0x57ce000), 4096, 4, ) == 0x0 02307 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1636, 240}, ) == 0x0 02308 1736 NtQueryInformationThread (724, Basic, 28, ... 02309 2020 NtQueryValueKey (708, (708, "DriverCachePath", Partial, 144, ... , Partial, 144, ... 02310 1584 NtWaitForSingleObject (88, 0, 0x0, ... 02309 2020 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02311 2020 NtClose (708, ... ) == 0x0 02312 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 708, ) }, ... 708, ) == 0x0 02313 2020 NtQueryValueKey (708, (708, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02314 2020 NtQueryValueKey (708, (708, "DevicePath", Partial, 346, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (708, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 02315 2020 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 02308 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=240,}, 0x0, ) == 0x0 02316 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\360\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75587, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\360\0\0\0" ) ) == 0x0 02317 1736 NtResumeThread (724, ... 
1, ) == 0x0 02318 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 92078080, 1048576, ) == 0x0 02319 1736 NtAllocateVirtualMemory (-1, 93118464, 0, 8192, 4096, 4, ... 93118464, 8192, ) == 0x0 02320 1736 NtProtectVirtualMemory (-1, (0x58ce000), 4096, 260, ... (0x58ce000), 4096, 4, ) == 0x0 02321 2020 NtClose (708, ... 02322 240 NtWaitForSingleObject (88, 0, 0x0, ... 02321 2020 NtClose ... ) == 0x0 02323 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 708, ) == 0x0 02324 2020 NtCreateMutant (0x1f0001, 0x0, 0, ... 728, ) == 0x0 02325 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 732, ) == 0x0 02326 2020 NtCreateMutant (0x1f0001, 0x0, 0, ... 736, ) == 0x0 02327 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 740, ) == 0x0 02328 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1636, 968}, ) == 0x0 02329 1736 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=968,}, 0x0, ) == 0x0 02330 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75588, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\310\3\0\0" ) ) == 0x0 02331 1736 NtResumeThread (744, ... 1, ) == 0x0 02332 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 93126656, 1048576, ) == 0x0 02333 1736 NtAllocateVirtualMemory (-1, 94167040, 0, 8192, 4096, 4, ... 02334 2020 NtCreateMutant (0x1f0001, 0x0, 0, ... 02335 968 NtWaitForSingleObject (88, 0, 0x0, ... 02334 2020 NtCreateMutant ... 
748, ) == 0x0 02336 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 752, ) }, ... 752, ) == 0x0 02337 2020 NtQueryValueKey (752, (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02338 2020 NtQueryValueKey (752, (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02339 2020 NtQueryValueKey (752, (752, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02340 2020 NtOpenKey (0x1, {24, 752, 0x40, 0, 0, (0x1, {24, 752, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02333 1736 NtAllocateVirtualMemory ... 94167040, 8192, ) == 0x0 02341 1736 NtProtectVirtualMemory (-1, (0x59ce000), 4096, 260, ... (0x59ce000), 4096, 4, ) == 0x0 02342 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1636, 308}, ) == 0x0 02343 1736 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=308,}, 0x0, ) == 0x0 02344 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\04\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\04\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75589, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\04\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\04\1\0\0" ) ) == 0x0 02345 1736 NtResumeThread (756, ... 1, ) == 0x0 02346 2020 NtClose (752, ... 
02347 308 NtWaitForSingleObject (88, 0, 0x0, ... 02346 2020 NtClose ... ) == 0x0 02348 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15526580, ... ) }, 15526580, ... ) == 0x0 02349 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 752, ) }, ... 752, ) == 0x0 02350 2020 NtQueryValueKey (752, (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02351 2020 NtClose (752, ... ) == 0x0 02352 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 752, ) }, ... 752, ) == 0x0 02353 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 94175232, 1048576, ) == 0x0 02354 1736 NtAllocateVirtualMemory (-1, 95215616, 0, 8192, 4096, 4, ... 95215616, 8192, ) == 0x0 02355 1736 NtProtectVirtualMemory (-1, (0x5ace000), 4096, 260, ... (0x5ace000), 4096, 4, ) == 0x0 02356 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1636, 1688}, ) == 0x0 02357 1736 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=1688,}, 0x0, ) == 0x0 02358 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\230\6\0\0" ... ... 02359 2020 NtQueryValueKey (752, (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... 
TitleIdx=0, Type=1, Name= (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 02360 2020 NtClose (752, ... ) == 0x0 02361 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02358 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75590, 0} ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\230\6\0\0" ) ) == 0x0 02362 1736 NtResumeThread (760, ... 1, ) == 0x0 02363 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 95223808, 1048576, ) == 0x0 02364 1736 NtAllocateVirtualMemory (-1, 96264192, 0, 8192, 4096, 4, ... 96264192, 8192, ) == 0x0 02365 1736 NtProtectVirtualMemory (-1, (0x5bce000), 4096, 260, ... (0x5bce000), 4096, 4, ) == 0x0 02366 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1636, 1496}, ) == 0x0 02367 1736 NtQueryInformationThread (752, Basic, 28, ... 02368 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02369 1688 NtWaitForSingleObject (88, 0, 0x0, ... 02368 2020 NtOpenKey ... 764, ) == 0x0 02370 2020 NtQueryValueKey (764, (764, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (764, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (764, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02371 2020 NtClose (764, ... 
) == 0x0 02372 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02373 2020 NtSetEventBoostPriority (88, ... 02079 1700 NtWaitForSingleObject ... ) == 0x0 02374 1700 NtSetEventBoostPriority (88, ... 02095 1728 NtWaitForSingleObject ... ) == 0x0 02375 1728 NtSetEventBoostPriority (88, ... 02106 712 NtWaitForSingleObject ... ) == 0x0 02376 712 NtSetEventBoostPriority (88, ... 02127 212 NtWaitForSingleObject ... ) == 0x0 02377 212 NtSetEventBoostPriority (88, ... 02134 1256 NtWaitForSingleObject ... ) == 0x0 02378 1256 NtSetEventBoostPriority (88, ... 02144 464 NtWaitForSingleObject ... ) == 0x0 02379 464 NtSetEventBoostPriority (88, ... 02156 1536 NtWaitForSingleObject ... ) == 0x0 02380 1536 NtSetEventBoostPriority (88, ... 02178 444 NtWaitForSingleObject ... ) == 0x0 02381 444 NtSetEventBoostPriority (88, ... 02190 1904 NtWaitForSingleObject ... ) == 0x0 02382 1904 NtSetEventBoostPriority (88, ... 02203 1936 NtWaitForSingleObject ... ) == 0x0 02383 1936 NtSetEventBoostPriority (88, ... 02217 1648 NtWaitForSingleObject ... ) == 0x0 02384 1648 NtSetEventBoostPriority (88, ... 02228 1944 NtWaitForSingleObject ... ) == 0x0 02385 1944 NtSetEventBoostPriority (88, ... 02251 432 NtWaitForSingleObject ... ) == 0x0 02386 432 NtSetEventBoostPriority (88, ... 02263 1020 NtWaitForSingleObject ... ) == 0x0 02387 1020 NtSetEventBoostPriority (88, ... 02276 1864 NtWaitForSingleObject ... ) == 0x0 02388 1864 NtSetEventBoostPriority (88, ... 02288 1524 NtWaitForSingleObject ... ) == 0x0 02389 1524 NtSetEventBoostPriority (88, ... 02310 1584 NtWaitForSingleObject ... ) == 0x0 02390 1584 NtSetEventBoostPriority (88, ... 02322 240 NtWaitForSingleObject ... ) == 0x0 02391 240 NtSetEventBoostPriority (88, ... 02335 968 NtWaitForSingleObject ... 
) == 0x0 02392 968 NtAllocateVirtualMemory (-1, 8876032, 0, 4096, 4096, 4, ... 8876032, 4096, ) == 0x0 02391 240 NtSetEventBoostPriority ... ) == 0x0 02390 1584 NtSetEventBoostPriority ... ) == 0x0 02389 1524 NtSetEventBoostPriority ... ) == 0x0 02388 1864 NtSetEventBoostPriority ... ) == 0x0 02387 1020 NtSetEventBoostPriority ... ) == 0x0 02386 432 NtSetEventBoostPriority ... ) == 0x0 02385 1944 NtSetEventBoostPriority ... ) == 0x0 02384 1648 NtSetEventBoostPriority ... ) == 0x0 02383 1936 NtSetEventBoostPriority ... ) == 0x0 02382 1904 NtSetEventBoostPriority ... ) == 0x0 02381 444 NtSetEventBoostPriority ... ) == 0x0 02380 1536 NtSetEventBoostPriority ... ) == 0x0 02379 464 NtSetEventBoostPriority ... ) == 0x0 02378 1256 NtSetEventBoostPriority ... ) == 0x0 02377 212 NtSetEventBoostPriority ... ) == 0x0 02376 712 NtSetEventBoostPriority ... ) == 0x0 02375 1728 NtSetEventBoostPriority ... ) == 0x0 02374 1700 NtSetEventBoostPriority ... ) == 0x0 02373 2020 NtSetEventBoostPriority ... ) == 0x0 02367 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=1496,}, 0x0, ) == 0x0 02393 968 NtSetEventBoostPriority (88, ... 02394 240 NtTestAlert (... 02395 1584 NtTestAlert (... 02396 1524 NtTestAlert (... 02397 1864 NtTestAlert (... 02398 1020 NtTestAlert (... 02399 432 NtTestAlert (... 02400 1944 NtTestAlert (... 02401 1648 NtTestAlert (... 02402 1936 NtTestAlert (... 02403 1904 NtTestAlert (... 02404 444 NtTestAlert (... 02405 1536 NtTestAlert (... 02406 464 NtTestAlert (... 02407 1256 NtTestAlert (... 02408 212 NtTestAlert (... 02409 712 NtTestAlert (... 02410 1728 NtTestAlert (... 02411 2020 NtWaitForSingleObject (88, 0, 0x0, ... 02412 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\330\5\0\0" ... ... 02347 308 NtWaitForSingleObject ... ) == 0x0 02393 968 NtSetEventBoostPriority ... 
) == 0x0 02394 240 NtTestAlert ... ) == 0x0 02395 1584 NtTestAlert ... ) == 0x0 02396 1524 NtTestAlert ... ) == 0x0 02397 1864 NtTestAlert ... ) == 0x0 02398 1020 NtTestAlert ... ) == 0x0 02399 432 NtTestAlert ... ) == 0x0 02400 1944 NtTestAlert ... ) == 0x0 02401 1648 NtTestAlert ... ) == 0x0 02402 1936 NtTestAlert ... ) == 0x0 02403 1904 NtTestAlert ... ) == 0x0 02404 444 NtTestAlert ... ) == 0x0 02405 1536 NtTestAlert ... ) == 0x0 02406 464 NtTestAlert ... ) == 0x0 02407 1256 NtTestAlert ... ) == 0x0 02408 212 NtTestAlert ... ) == 0x0 02409 712 NtTestAlert ... ) == 0x0 02410 1728 NtTestAlert ... ) == 0x0 02413 308 NtSetEventBoostPriority (88, ... 02412 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75591, 0} ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\330\5\0\0" ) ) == 0x0 02414 968 NtTestAlert (... 02415 240 NtContinue (92077360, 1, ... 02416 1584 NtContinue (91028784, 1, ... 02417 1524 NtContinue (89980208, 1, ... 02418 1864 NtContinue (88931632, 1, ... 02419 1020 NtContinue (87883056, 1, ... 02420 432 NtContinue (86834480, 1, ... 02421 1944 NtContinue (85785904, 1, ... 02422 1648 NtContinue (84737328, 1, ... 02423 1936 NtContinue (83688752, 1, ... 02424 1904 NtContinue (82640176, 1, ... 02425 444 NtContinue (81591600, 1, ... 02426 1536 NtContinue (80543024, 1, ... 02427 464 NtContinue (79494448, 1, ... 02428 1256 NtContinue (78445872, 1, ... 02429 212 NtContinue (77397296, 1, ... 02430 712 NtContinue (76348720, 1, ... 02369 1688 NtWaitForSingleObject ... ) == 0x0 02413 308 NtSetEventBoostPriority ... ) == 0x0 02431 1728 NtContinue (75300144, 1, ... 02432 1736 NtResumeThread (752, ... 02414 968 NtTestAlert ... ) == 0x0 02433 240 NtRegisterThreadTerminatePort (24, ... 02434 1584 NtRegisterThreadTerminatePort (24, ... 02435 1524 NtRegisterThreadTerminatePort (24, ... 02436 1864 NtRegisterThreadTerminatePort (24, ... 02437 1020 NtRegisterThreadTerminatePort (24, ... 
02438 432 NtRegisterThreadTerminatePort (24, ... 02439 1944 NtRegisterThreadTerminatePort (24, ... 02440 1648 NtRegisterThreadTerminatePort (24, ... 02441 1936 NtRegisterThreadTerminatePort (24, ... 02442 1904 NtRegisterThreadTerminatePort (24, ... 02443 444 NtRegisterThreadTerminatePort (24, ... 02444 1536 NtRegisterThreadTerminatePort (24, ... 02445 464 NtRegisterThreadTerminatePort (24, ... 02446 1256 NtRegisterThreadTerminatePort (24, ... 02447 212 NtRegisterThreadTerminatePort (24, ... 02448 1688 NtSetEventBoostPriority (88, ... 02449 712 NtRegisterThreadTerminatePort (24, ... 02450 1700 NtTestAlert (... 02451 1728 NtRegisterThreadTerminatePort (24, ... 02432 1736 NtResumeThread ... 1, ) == 0x0 02452 968 NtContinue (93125936, 1, ... 02433 240 NtRegisterThreadTerminatePort ... ) == 0x0 02434 1584 NtRegisterThreadTerminatePort ... ) == 0x0 02435 1524 NtRegisterThreadTerminatePort ... ) == 0x0 02436 1864 NtRegisterThreadTerminatePort ... ) == 0x0 02437 1020 NtRegisterThreadTerminatePort ... ) == 0x0 02438 432 NtRegisterThreadTerminatePort ... ) == 0x0 02439 1944 NtRegisterThreadTerminatePort ... ) == 0x0 02440 1648 NtRegisterThreadTerminatePort ... ) == 0x0 02441 1936 NtRegisterThreadTerminatePort ... ) == 0x0 02442 1904 NtRegisterThreadTerminatePort ... ) == 0x0 02443 444 NtRegisterThreadTerminatePort ... ) == 0x0 02444 1536 NtRegisterThreadTerminatePort ... ) == 0x0 02445 464 NtRegisterThreadTerminatePort ... ) == 0x0 02446 1256 NtRegisterThreadTerminatePort ... ) == 0x0 02411 2020 NtWaitForSingleObject ... ) == 0x0 02448 1688 NtSetEventBoostPriority ... ) == 0x0 02447 212 NtRegisterThreadTerminatePort ... ) == 0x0 02449 712 NtRegisterThreadTerminatePort ... ) == 0x0 02450 1700 NtTestAlert ... ) == 0x0 02451 1728 NtRegisterThreadTerminatePort ... ) == 0x0 02453 308 NtTestAlert (... 02454 1496 NtWaitForSingleObject (88, 0, 0x0, ... 02455 968 NtRegisterThreadTerminatePort (24, ... 02456 240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02457 1584 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02458 1524 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02459 1864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02460 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02461 432 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02462 1944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02463 1648 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02464 1936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02465 1904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02466 444 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02467 1536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02468 464 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02469 2020 NtSetEventBoostPriority (88, ... 02470 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02471 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02472 212 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02473 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02474 1700 NtContinue (74251568, 1, ... 02475 1728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02453 308 NtTestAlert ... ) == 0x0 02476 1688 NtTestAlert (... 02455 968 NtRegisterThreadTerminatePort ... ) == 0x0 02456 240 NtDuplicateObject ... 764, ) == 0x0 02457 1584 NtDuplicateObject ... 768, ) == 0x0 02458 1524 NtDuplicateObject ... 772, ) == 0x0 02459 1864 NtDuplicateObject ... 776, ) == 0x0 02460 1020 NtDuplicateObject ... 780, ) == 0x0 02461 432 NtDuplicateObject ... 784, ) == 0x0 02462 1944 NtDuplicateObject ... 788, ) == 0x0 02463 1648 NtDuplicateObject ... 792, ) == 0x0 02464 1936 NtDuplicateObject ... 796, ) == 0x0 02465 1904 NtDuplicateObject ... 800, ) == 0x0 02466 444 NtDuplicateObject ... 804, ) == 0x0 02467 1536 NtDuplicateObject ... 808, ) == 0x0 02454 1496 NtWaitForSingleObject ... ) == 0x0 02469 2020 NtSetEventBoostPriority ... ) == 0x0 02468 464 NtDuplicateObject ... 812, ) == 0x0 02471 1736 NtAllocateVirtualMemory ... 96272384, 1048576, ) == 0x0 02470 1256 NtDuplicateObject ... 
816, ) == 0x0 02472 212 NtDuplicateObject ... 820, ) == 0x0 02477 1700 NtRegisterThreadTerminatePort (24, ... 02473 712 NtDuplicateObject ... 824, ) == 0x0 02478 308 NtContinue (94174512, 1, ... 02476 1688 NtTestAlert ... ) == 0x0 02479 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02480 240 NtWaitForSingleObject (64, 0, {0, 0}, ... 02481 1584 NtWaitForSingleObject (64, 0, {0, 0}, ... 02482 1524 NtWaitForSingleObject (64, 0, {0, 0}, ... 02483 1864 NtWaitForSingleObject (64, 0, {0, 0}, ... 02484 1020 NtWaitForSingleObject (64, 0, {0, 0}, ... 02485 432 NtWaitForSingleObject (64, 0, {0, 0}, ... 02486 1944 NtWaitForSingleObject (64, 0, {0, 0}, ... 02487 1648 NtWaitForSingleObject (64, 0, {0, 0}, ... 02488 1936 NtWaitForSingleObject (64, 0, {0, 0}, ... 02489 1904 NtWaitForSingleObject (64, 0, {0, 0}, ... 02490 444 NtWaitForSingleObject (64, 0, {0, 0}, ... 02491 1496 NtTestAlert (... 02492 1536 NtWaitForSingleObject (64, 0, {0, 0}, ... 02475 1728 NtDuplicateObject ... 828, ) == 0x0 02493 464 NtWaitForSingleObject (64, 0, {0, 0}, ... 02494 1736 NtAllocateVirtualMemory (-1, 97312768, 0, 8192, 4096, 4, ... 02495 1256 NtWaitForSingleObject (64, 0, {0, 0}, ... 02496 212 NtWaitForSingleObject (64, 0, {0, 0}, ... 02477 1700 NtRegisterThreadTerminatePort ... ) == 0x0 02497 712 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02498 308 NtRegisterThreadTerminatePort (24, ... 02499 1688 NtContinue (95223088, 1, ... 02479 968 NtDuplicateObject ... 832, ) == 0x0 02480 240 NtWaitForSingleObject ... ) == 0x102 02481 1584 NtWaitForSingleObject ... ) == 0x102 02482 1524 NtWaitForSingleObject ... ) == 0x102 02483 1864 NtWaitForSingleObject ... ) == 0x102 02484 1020 NtWaitForSingleObject ... ) == 0x102 02485 432 NtWaitForSingleObject ... ) == 0x102 02486 1944 NtWaitForSingleObject ... ) == 0x102 02487 1648 NtWaitForSingleObject ... ) == 0x102 02488 1936 NtWaitForSingleObject ... ) == 0x102 02489 1904 NtWaitForSingleObject ... ) == 0x102 02491 1496 NtTestAlert ... 
) == 0x0 02490 444 NtWaitForSingleObject ... ) == 0x102 02492 1536 NtWaitForSingleObject ... ) == 0x102 02500 1728 NtWaitForSingleObject (280, 0, 0x0, ... 02493 464 NtWaitForSingleObject ... ) == 0x102 02494 1736 NtAllocateVirtualMemory ... 97312768, 8192, ) == 0x0 02495 1256 NtWaitForSingleObject ... ) == 0x102 02496 212 NtWaitForSingleObject ... ) == 0x102 02501 1700 NtWaitForSingleObject (280, 0, 0x0, ... 02497 712 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02498 308 NtRegisterThreadTerminatePort ... ) == 0x0 02502 1688 NtRegisterThreadTerminatePort (24, ... 02503 968 NtWaitForSingleObject (280, 0, 0x0, ... 02504 240 NtWaitForSingleObject (280, 0, 0x0, ... 02505 1584 NtWaitForSingleObject (280, 0, 0x0, ... 02506 1524 NtWaitForSingleObject (280, 0, 0x0, ... 02507 1864 NtWaitForSingleObject (280, 0, 0x0, ... 02508 1020 NtWaitForSingleObject (280, 0, 0x0, ... 02509 432 NtWaitForSingleObject (280, 0, 0x0, ... 02510 1944 NtWaitForSingleObject (280, 0, 0x0, ... 02511 1648 NtWaitForSingleObject (280, 0, 0x0, ... 02512 1936 NtWaitForSingleObject (280, 0, 0x0, ... 02513 1904 NtWaitForSingleObject (280, 0, 0x0, ... 02514 2020 NtWaitForSingleObject (280, 0, 0x0, ... 02515 444 NtWaitForSingleObject (280, 0, 0x0, ... 02516 1536 NtWaitForSingleObject (280, 0, 0x0, ... 02517 464 NtWaitForSingleObject (280, 0, 0x0, ... 02518 1736 NtProtectVirtualMemory (-1, (0x5cce000), 4096, 260, ... 02519 1256 NtWaitForSingleObject (280, 0, 0x0, ... 02520 212 NtWaitForSingleObject (280, 0, 0x0, ... 02521 1496 NtContinue (96271664, 1, ... 02522 712 NtSetEventBoostPriority (280, ... 02523 308 NtWaitForSingleObject (280, 0, 0x0, ... 02502 1688 NtRegisterThreadTerminatePort ... ) == 0x0 02518 1736 NtProtectVirtualMemory ... (0x5cce000), 4096, 4, ) == 0x0 02524 1496 NtRegisterThreadTerminatePort (24, ... 02500 1728 NtWaitForSingleObject ... ) == 0x0 02522 712 NtSetEventBoostPriority ... ) == 0x0 02525 1688 NtWaitForSingleObject (280, 0, 0x0, ... 
02526 1728 NtSetEventBoostPriority (280, ... 02524 1496 NtRegisterThreadTerminatePort ... ) == 0x0 02527 712 NtWaitForSingleObject (280, 0, 0x0, ... 02528 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02503 968 NtWaitForSingleObject ... ) == 0x0 02526 1728 NtSetEventBoostPriority ... ) == 0x0 02529 1496 NtWaitForSingleObject (280, 0, 0x0, ... 02530 968 NtSetEventBoostPriority (280, ... 02528 1736 NtCreateThread ... 836, {1636, 1528}, ) == 0x0 02504 240 NtWaitForSingleObject ... ) == 0x0 02530 968 NtSetEventBoostPriority ... ) == 0x0 02531 240 NtSetEventBoostPriority (280, ... 02532 1736 NtQueryInformationThread (836, Basic, 28, ... 02533 1728 NtWaitForSingleObject (280, 0, 0x0, ... 02505 1584 NtWaitForSingleObject ... ) == 0x0 02531 240 NtSetEventBoostPriority ... ) == 0x0 02532 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=1528,}, 0x0, ) == 0x0 02534 1584 NtSetEventBoostPriority (280, ... 02535 968 NtWaitForSingleObject (280, 0, 0x0, ... 02506 1524 NtWaitForSingleObject ... ) == 0x0 02534 1584 NtSetEventBoostPriority ... ) == 0x0 02536 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0d\6\0\0\370\5\0\0" ... ... 02537 1524 NtSetEventBoostPriority (280, ... 02538 240 NtWaitForSingleObject (128, 0, 0x0, ... 02507 1864 NtWaitForSingleObject ... ) == 0x0 02537 1524 NtSetEventBoostPriority ... ) == 0x0 02539 1864 NtSetEventBoostPriority (280, ... 02540 1584 NtWaitForSingleObject (128, 0, 0x0, ... 02536 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75592, 0} ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0d\6\0\0\370\5\0\0" ) ) == 0x0 02508 1020 NtWaitForSingleObject ... ) == 0x0 02539 1864 NtSetEventBoostPriority ... ) == 0x0 02541 1020 NtSetEventBoostPriority (280, ... 02542 1736 NtResumeThread (836, ... 
02543 1524 NtWaitForSingleObject (128, 0, 0x0, ... 02509 432 NtWaitForSingleObject ... ) == 0x0 02541 1020 NtSetEventBoostPriority ... ) == 0x0 02542 1736 NtResumeThread ... 1, ) == 0x0 02544 432 NtSetEventBoostPriority (280, ... 02545 1864 NtWaitForSingleObject (128, 0, 0x0, ... 02546 1528 NtWaitForSingleObject (280, 0, 0x0, ... 02510 1944 NtWaitForSingleObject ... ) == 0x0 02544 432 NtSetEventBoostPriority ... ) == 0x0 02547 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02548 1944 NtSetEventBoostPriority (280, ... 02549 1020 NtWaitForSingleObject (128, 0, 0x0, ... 02511 1648 NtWaitForSingleObject ... ) == 0x0 02548 1944 NtSetEventBoostPriority ... ) == 0x0 02547 1736 NtAllocateVirtualMemory ... 97320960, 1048576, ) == 0x0 02550 1648 NtSetEventBoostPriority (280, ... 02551 432 NtWaitForSingleObject (128, 0, 0x0, ... 02512 1936 NtWaitForSingleObject ... ) == 0x0 02550 1648 NtSetEventBoostPriority ... ) == 0x0 02552 1736 NtAllocateVirtualMemory (-1, 98361344, 0, 8192, 4096, 4, ... 02553 1936 NtSetEventBoostPriority (280, ... 02554 1944 NtWaitForSingleObject (128, 0, 0x0, ... 02555 1648 NtWaitForSingleObject (128, 0, 0x0, ... 02513 1904 NtWaitForSingleObject ... ) == 0x0 02553 1936 NtSetEventBoostPriority ... ) == 0x0 02556 1904 NtSetEventBoostPriority (280, ... 02552 1736 NtAllocateVirtualMemory ... 98361344, 8192, ) == 0x0 02514 2020 NtWaitForSingleObject ... ) == 0x0 02556 1904 NtSetEventBoostPriority ... ) == 0x0 02557 2020 NtSetEventBoostPriority (280, ... 02558 1736 NtProtectVirtualMemory (-1, (0x5dce000), 4096, 260, ... 02559 1936 NtWaitForSingleObject (128, 0, 0x0, ... 02515 444 NtWaitForSingleObject ... ) == 0x0 02557 2020 NtSetEventBoostPriority ... ) == 0x0 02558 1736 NtProtectVirtualMemory ... (0x5dce000), 4096, 4, ) == 0x0 02560 444 NtSetEventBoostPriority (280, ... 02561 2020 NtSetEventBoostPriority (128, ... 02516 1536 NtWaitForSingleObject ... ) == 0x0 02560 444 NtSetEventBoostPriority ... 
) == 0x0 02562 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02563 1904 NtWaitForSingleObject (128, 0, 0x0, ... 02564 1536 NtSetEventBoostPriority (280, ... 00674 808 NtWaitForSingleObject ... ) == 0x0 02561 2020 NtSetEventBoostPriority ... ) == 0x0 02562 1736 NtCreateThread ... 840, {1636, 932}, ) == 0x0 02517 464 NtWaitForSingleObject ... ) == 0x0 02564 1536 NtSetEventBoostPriority ... ) == 0x0 02565 808 NtWaitForSingleObject (280, 0, 0x0, ... 02566 2020 NtWaitForSingleObject (280, 0, 0x0, ... 02567 464 NtSetEventBoostPriority (280, ... 02568 1736 NtQueryInformationThread (840, Basic, 28, ... 02569 444 NtWaitForSingleObject (128, 0, 0x0, ... 02519 1256 NtWaitForSingleObject ... ) == 0x0 02567 464 NtSetEventBoostPriority ... ) == 0x0 02570 1536 NtWaitForSingleObject (128, 0, 0x0, ... 02571 1256 NtSetEventBoostPriority (280, ... 02568 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=932,}, 0x0, ) == 0x0 02520 212 NtWaitForSingleObject ... ) == 0x0 02571 1256 NtSetEventBoostPriority ... ) == 0x0 02572 212 NtSetEventBoostPriority (280, ... 02573 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0d\6\0\0\244\3\0\0" ... ... 02574 464 NtWaitForSingleObject (128, 0, 0x0, ... 02501 1700 NtWaitForSingleObject ... ) == 0x0 02572 212 NtSetEventBoostPriority ... ) == 0x0 02573 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75593, 0} ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0d\6\0\0\244\3\0\0" ) ) == 0x0 02575 1700 NtSetEventBoostPriority (280, ... 02576 1256 NtWaitForSingleObject (128, 0, 0x0, ... 02523 308 NtWaitForSingleObject ... ) == 0x0 02577 1736 NtResumeThread (840, ... 02578 308 NtSetEventBoostPriority (280, ... 02577 1736 NtResumeThread ... 1, ) == 0x0 02525 1688 NtWaitForSingleObject ... ) == 0x0 02578 308 NtSetEventBoostPriority ... 
) == 0x0 02575 1700 NtSetEventBoostPriority ... ) == 0x0 02579 212 NtWaitForSingleObject (128, 0, 0x0, ... 02580 932 NtWaitForSingleObject (88, 0, 0x0, ... 02581 1688 NtSetEventBoostPriority (280, ... 02582 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02583 1700 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02527 712 NtWaitForSingleObject ... ) == 0x0 02582 308 NtDuplicateObject ... 844, ) == 0x0 02583 1700 NtDuplicateObject ... 848, ) == 0x0 02584 712 NtSetEventBoostPriority (280, ... 02581 1688 NtSetEventBoostPriority ... ) == 0x0 02585 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02586 308 NtWaitForSingleObject (280, 0, 0x0, ... 02529 1496 NtWaitForSingleObject ... ) == 0x0 02587 1688 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02585 1736 NtAllocateVirtualMemory ... 98369536, 1048576, ) == 0x0 02588 1496 NtSetEventBoostPriority (280, ... 02587 1688 NtDuplicateObject ... 852, ) == 0x0 02589 1736 NtAllocateVirtualMemory (-1, 99409920, 0, 8192, 4096, 4, ... 02533 1728 NtWaitForSingleObject ... ) == 0x0 02588 1496 NtSetEventBoostPriority ... ) == 0x0 02584 712 NtSetEventBoostPriority ... ) == 0x0 02590 1700 NtWaitForSingleObject (280, 0, 0x0, ... 02591 1728 NtSetEventBoostPriority (280, ... 02589 1736 NtAllocateVirtualMemory ... 99409920, 8192, ) == 0x0 02592 1688 NtWaitForSingleObject (280, 0, 0x0, ... 02593 712 NtWaitForSingleObject (64, 0, {0, 0}, ... 02535 968 NtWaitForSingleObject ... ) == 0x0 02591 1728 NtSetEventBoostPriority ... ) == 0x0 02594 1736 NtProtectVirtualMemory (-1, (0x5ece000), 4096, 260, ... 02595 968 NtSetEventBoostPriority (280, ... 02596 1728 NtWaitForSingleObject (280, 0, 0x0, ... 02546 1528 NtWaitForSingleObject ... ) == 0x0 02595 968 NtSetEventBoostPriority ... ) == 0x0 02594 1736 NtProtectVirtualMemory ... (0x5ece000), 4096, 4, ) == 0x0 02597 1496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02593 712 NtWaitForSingleObject ... ) == 0x102 02598 1528 NtSetEventBoostPriority (280, ... 
02599 968 NtWaitForSingleObject (344, 0, 0x0, ... 02597 1496 NtDuplicateObject ... 856, ) == 0x0 02565 808 NtWaitForSingleObject ... ) == 0x0 02598 1528 NtSetEventBoostPriority ... ) == 0x0 02600 712 NtWaitForSingleObject (280, 0, 0x0, ... 02601 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02602 808 NtSetEventBoostPriority (280, ... 02603 1496 NtWaitForSingleObject (280, 0, 0x0, ... 02566 2020 NtWaitForSingleObject ... ) == 0x0 02602 808 NtSetEventBoostPriority ... ) == 0x0 02601 1736 NtCreateThread ... 860, {1636, 1780}, ) == 0x0 02604 2020 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02605 1528 NtSetEventBoostPriority (88, ... 02604 2020 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02606 1736 NtQueryInformationThread (860, Basic, 28, ... 02580 932 NtWaitForSingleObject ... ) == 0x0 02605 1528 NtSetEventBoostPriority ... ) == 0x0 02607 808 NtWaitForSingleObject (280, 0, 0x0, ... 02608 932 NtWaitForSingleObject (280, 0, 0x0, ... 02606 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=1780,}, 0x0, ) == 0x0 02609 1528 NtTestAlert (... 02610 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0d\6\0\0\364\6\0\0" ... ... 02609 1528 NtTestAlert ... ) == 0x0 02611 1528 NtContinue (97320240, 1, ... 02612 1528 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02613 1528 NtWaitForSingleObject (280, 0, 0x0, ... 02614 2020 NtSetEventBoostPriority (280, ... 02586 308 NtWaitForSingleObject ... ) == 0x0 02615 308 NtSetEventBoostPriority (280, ... 02590 1700 NtWaitForSingleObject ... ) == 0x0 02616 1700 NtSetEventBoostPriority (280, ... 02592 1688 NtWaitForSingleObject ... ) == 0x0 02617 1688 NtSetEventBoostPriority (280, ... 02596 1728 NtWaitForSingleObject ... ) == 0x0 02618 1728 NtSetEventBoostPriority (280, ... 02600 712 NtWaitForSingleObject ... 
) == 0x0 02619 712 NtSetEventBoostPriority (280, ... 02603 1496 NtWaitForSingleObject ... ) == 0x0 02620 1496 NtSetEventBoostPriority (280, ... 02608 932 NtWaitForSingleObject ... ) == 0x0 02621 932 NtSetEventBoostPriority (280, ... 02607 808 NtWaitForSingleObject ... ) == 0x0 02622 808 NtSetEventBoostPriority (280, ... 02613 1528 NtWaitForSingleObject ... ) == 0x0 02623 1528 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 864, ) == 0x0 02622 808 NtSetEventBoostPriority ... ) == 0x0 02621 932 NtSetEventBoostPriority ... ) == 0x0 02620 1496 NtSetEventBoostPriority ... ) == 0x0 02619 712 NtSetEventBoostPriority ... ) == 0x0 02617 1688 NtSetEventBoostPriority ... ) == 0x0 02616 1700 NtSetEventBoostPriority ... ) == 0x0 02615 308 NtSetEventBoostPriority ... ) == 0x0 02618 1728 NtSetEventBoostPriority ... ) == 0x0 02614 2020 NtSetEventBoostPriority ... ) == 0x0 02610 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75594, 0} ... {28, 56, reply, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0d\6\0\0\364\6\0\0" ) ) == 0x0 02624 808 NtSetEventBoostPriority (128, ... 02625 1528 NtWaitForSingleObject (344, 0, 0x0, ... 02626 932 NtTestAlert (... 02627 1496 NtWaitForSingleObject (344, 0, 0x0, ... 02628 1688 NtWaitForSingleObject (344, 0, 0x0, ... 02629 1700 NtWaitForSingleObject (344, 0, 0x0, ... 02630 308 NtWaitForSingleObject (344, 0, 0x0, ... 02631 1728 NtSetEventBoostPriority (344, ... 02632 2020 NtWaitForSingleObject (344, 0, 0x0, ... 02633 1736 NtResumeThread (860, ... 02634 712 NtWaitForSingleObject (128, 0, 0x0, ... 02626 932 NtTestAlert ... ) == 0x0 00677 1356 NtWaitForSingleObject ... ) == 0x0 02624 808 NtSetEventBoostPriority ... ) == 0x0 02599 968 NtWaitForSingleObject ... ) == 0x0 02631 1728 NtSetEventBoostPriority ... ) == 0x0 02633 1736 NtResumeThread ... 1, ) == 0x0 02635 932 NtContinue (98368816, 1, ... 02636 1356 NtSetEventBoostPriority (128, ... 02637 968 NtSetEventBoostPriority (344, ... 
02638 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02639 1780 NtTestAlert (... 02640 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02641 932 NtRegisterThreadTerminatePort (24, ... 02625 1528 NtWaitForSingleObject ... ) == 0x0 00679 868 NtWaitForSingleObject ... ) == 0x0 02636 1356 NtSetEventBoostPriority ... ) == 0x0 02638 808 NtCreateEvent ... 868, ) == 0x0 02639 1780 NtTestAlert ... ) == 0x0 02640 1736 NtAllocateVirtualMemory ... 99418112, 1048576, ) == 0x0 02641 932 NtRegisterThreadTerminatePort ... ) == 0x0 02642 868 NtSetEventBoostPriority (128, ... 02643 1528 NtSetEventBoostPriority (344, ... 02637 968 NtSetEventBoostPriority ... ) == 0x0 02644 1728 NtWaitForSingleObject (64, 0, {0, 0}, ... 02645 808 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 02646 1780 NtContinue (99417392, 1, ... 02647 1736 NtAllocateVirtualMemory (-1, 100458496, 0, 8192, 4096, 4, ... 00681 896 NtWaitForSingleObject ... ) == 0x0 02642 868 NtSetEventBoostPriority ... ) == 0x0 02648 932 NtWaitForSingleObject (280, 0, 0x0, ... 02627 1496 NtWaitForSingleObject ... ) == 0x0 02643 1528 NtSetEventBoostPriority ... ) == 0x0 02649 968 NtWaitForSingleObject (64, 0, {0, 0}, ... 02644 1728 NtWaitForSingleObject ... ) == 0x102 02645 808 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 02650 1780 NtRegisterThreadTerminatePort (24, ... 02651 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02652 896 NtWaitForSingleObject (280, 0, 0x0, ... 02647 1736 NtAllocateVirtualMemory ... 100458496, 8192, ) == 0x0 02653 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02654 1496 NtWaitForSingleObject (280, 0, 0x0, ... 02655 1528 NtWaitForSingleObject (64, 0, {0, 0}, ... 02656 1728 NtWaitForSingleObject (128, 0, 0x0, ... 02657 808 NtSetEventBoostPriority (280, ... 02650 1780 NtRegisterThreadTerminatePort ... ) == 0x0 02651 1356 NtCreateEvent ... 872, ) == 0x0 02658 1736 NtProtectVirtualMemory (-1, (0x5fce000), 4096, 260, ... 02653 868 NtCreateEvent ... 
876, ) == 0x0 02649 968 NtWaitForSingleObject ... ) == 0x102 02655 1528 NtWaitForSingleObject ... ) == 0x102 02652 896 NtWaitForSingleObject ... ) == 0x0 02657 808 NtSetEventBoostPriority ... ) == 0x0 02659 1356 NtWaitForSingleObject (280, 0, 0x0, ... 02658 1736 NtProtectVirtualMemory ... (0x5fce000), 4096, 4, ) == 0x0 02660 868 NtWaitForSingleObject (280, 0, 0x0, ... 02661 968 NtWaitForSingleObject (128, 0, 0x0, ... 02662 896 NtSetEventBoostPriority (280, ... 02663 1528 NtWaitForSingleObject (128, 0, 0x0, ... 02664 808 NtWaitForSingleObject (280, 0, 0x0, ... 02665 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02654 1496 NtWaitForSingleObject ... ) == 0x0 02666 1496 NtSetEventBoostPriority (280, ... 02648 932 NtWaitForSingleObject ... ) == 0x0 02667 932 NtSetEventBoostPriority (280, ... 02659 1356 NtWaitForSingleObject ... ) == 0x0 02668 1356 NtSetEventBoostPriority (280, ... 02660 868 NtWaitForSingleObject ... ) == 0x0 02669 868 NtSetEventBoostPriority (280, ... 02664 808 NtWaitForSingleObject ... ) == 0x0 02670 808 NtAllocateVirtualMemory (-1, 14471168, 0, 4096, 4096, 260, ... 14471168, 4096, ) == 0x0 02669 868 NtSetEventBoostPriority ... ) == 0x0 02668 1356 NtSetEventBoostPriority ... ) == 0x0 02666 1496 NtSetEventBoostPriority ... ) == 0x0 02665 1736 NtCreateThread ... 880, {1636, 1128}, ) == 0x0 02667 932 NtSetEventBoostPriority ... ) == 0x0 02662 896 NtSetEventBoostPriority ... ) == 0x0 02671 1780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02672 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02673 868 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 02674 1356 NtWaitForSingleObject (280, 0, 0x0, ... 02675 1736 NtQueryInformationThread (880, Basic, 28, ... 02676 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02677 1496 NtSetEventBoostPriority (344, ... 02671 1780 NtDuplicateObject ... 884, ) == 0x0 02672 808 NtCreateEvent ... 888, ) == 0x0 02673 868 NtAllocateVirtualMemory ... 
1425408, 4096, ) == 0x0 02678 896 NtSetEventBoostPriority (128, ... 02676 932 NtDuplicateObject ... 892, ) == 0x0 02628 1688 NtWaitForSingleObject ... ) == 0x0 02677 1496 NtSetEventBoostPriority ... ) == 0x0 02679 1780 NtWaitForSingleObject (280, 0, 0x0, ... 02680 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02681 868 NtSetEventBoostPriority (280, ... 00782 376 NtWaitForSingleObject ... ) == 0x0 02678 896 NtSetEventBoostPriority ... ) == 0x0 02675 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=1128,}, 0x0, ) == 0x0 02682 1688 NtSetEventBoostPriority (344, ... 02683 1496 NtWaitForSingleObject (64, 0, {0, 0}, ... 02680 808 NtDuplicateObject ... 896, ) == 0x0 02684 376 NtWaitForSingleObject (280, 0, 0x0, ... 02674 1356 NtWaitForSingleObject ... ) == 0x0 02681 868 NtSetEventBoostPriority ... ) == 0x0 02685 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02629 1700 NtWaitForSingleObject ... ) == 0x0 02686 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0d\6\0\0h\4\0\0" ... ... 02683 1496 NtWaitForSingleObject ... ) == 0x102 02687 1356 NtSetEventBoostPriority (280, ... 02688 808 NtWaitForSingleObject (280, 0, 0x0, ... 02689 868 NtWaitForSingleObject (280, 0, 0x0, ... 02685 896 NtCreateEvent ... 900, ) == 0x0 02690 1700 NtWaitForSingleObject (280, 0, 0x0, ... 02686 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75595, 0} ... {28, 56, reply, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0d\6\0\0h\4\0\0" ) ) == 0x0 02679 1780 NtWaitForSingleObject ... ) == 0x0 02687 1356 NtSetEventBoostPriority ... ) == 0x0 02691 1496 NtWaitForSingleObject (280, 0, 0x0, ... 02692 896 NtWaitForSingleObject (280, 0, 0x0, ... 02693 1780 NtSetEventBoostPriority (280, ... 02694 1736 NtResumeThread (880, ... 02695 1356 NtWaitForSingleObject (280, 0, 0x0, ... 02682 1688 NtSetEventBoostPriority ... 
) == 0x0 02696 932 NtWaitForSingleObject (280, 0, 0x0, ... 02684 376 NtWaitForSingleObject ... ) == 0x0 02693 1780 NtSetEventBoostPriority ... ) == 0x0 02694 1736 NtResumeThread ... 1, ) == 0x0 02697 1688 NtWaitForSingleObject (64, 0, {0, 0}, ... 02698 376 NtSetEventBoostPriority (280, ... 02699 1128 NtWaitForSingleObject (280, 0, 0x0, ... 02700 1780 NtWaitForSingleObject (280, 0, 0x0, ... 02688 808 NtWaitForSingleObject ... ) == 0x0 02698 376 NtSetEventBoostPriority ... ) == 0x0 02701 808 NtSetEventBoostPriority (280, ... 02702 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02697 1688 NtWaitForSingleObject ... ) == 0x102 02689 868 NtWaitForSingleObject ... ) == 0x0 02701 808 NtSetEventBoostPriority ... ) == 0x0 02702 1736 NtAllocateVirtualMemory ... 100466688, 1048576, ) == 0x0 02703 868 NtSetEventBoostPriority (280, ... 02704 1688 NtWaitForSingleObject (128, 0, 0x0, ... 02705 376 NtWaitForSingleObject (280, 0, 0x0, ... 02690 1700 NtWaitForSingleObject ... ) == 0x0 02703 868 NtSetEventBoostPriority ... ) == 0x0 02706 1736 NtAllocateVirtualMemory (-1, 101507072, 0, 8192, 4096, 4, ... 02707 1700 NtSetEventBoostPriority (280, ... 02708 808 NtWaitForSingleObject (280, 0, 0x0, ... 02692 896 NtWaitForSingleObject ... ) == 0x0 02706 1736 NtAllocateVirtualMemory ... 101507072, 8192, ) == 0x0 02709 896 NtSetEventBoostPriority (280, ... 02710 1736 NtProtectVirtualMemory (-1, (0x60ce000), 4096, 260, ... 02691 1496 NtWaitForSingleObject ... ) == 0x0 02709 896 NtSetEventBoostPriority ... ) == 0x0 02711 1496 NtSetEventBoostPriority (280, ... 02710 1736 NtProtectVirtualMemory ... (0x60ce000), 4096, 4, ) == 0x0 02707 1700 NtSetEventBoostPriority ... ) == 0x0 02712 868 NtWaitForSingleObject (280, 0, 0x0, ... 02696 932 NtWaitForSingleObject ... ) == 0x0 02711 1496 NtSetEventBoostPriority ... ) == 0x0 02713 896 NtWaitForSingleObject (280, 0, 0x0, ... 02714 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02715 932 NtSetEventBoostPriority (280, ... 
02716 1496 NtWaitForSingleObject (128, 0, 0x0, ... 02714 1736 NtCreateThread ... 904, {1636, 1804}, ) == 0x0 02695 1356 NtWaitForSingleObject ... ) == 0x0 02715 932 NtSetEventBoostPriority ... ) == 0x0 02717 1356 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 02718 1736 NtQueryInformationThread (904, Basic, 28, ... 02717 1356 NtAllocateVirtualMemory ... 1429504, 4096, ) == 0x0 02719 932 NtWaitForSingleObject (280, 0, 0x0, ... 02720 1356 NtSetEventBoostPriority (280, ... 02718 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=1804,}, 0x0, ) == 0x0 02721 1700 NtSetEventBoostPriority (344, ... 02699 1128 NtWaitForSingleObject ... ) == 0x0 02722 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0d\6\0\0\14\7\0\0" ... ... 02632 2020 NtWaitForSingleObject ... ) == 0x0 02721 1700 NtSetEventBoostPriority ... ) == 0x0 02723 1128 NtSetEventBoostPriority (280, ... 02724 2020 NtWaitForSingleObject (280, 0, 0x0, ... 02725 1700 NtWaitForSingleObject (64, 0, {0, 0}, ... 02700 1780 NtWaitForSingleObject ... ) == 0x0 02723 1128 NtSetEventBoostPriority ... ) == 0x0 02726 1780 NtSetEventBoostPriority (280, ... 02725 1700 NtWaitForSingleObject ... ) == 0x102 02720 1356 NtSetEventBoostPriority ... ) == 0x0 02722 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75596, 0} ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0d\6\0\0\14\7\0\0" ) ) == 0x0 02705 376 NtWaitForSingleObject ... ) == 0x0 02726 1780 NtSetEventBoostPriority ... ) == 0x0 02727 1700 NtWaitForSingleObject (280, 0, 0x0, ... 02728 1128 NtTestAlert (... 02729 376 NtSetEventBoostPriority (280, ... 02730 1736 NtResumeThread (904, ... 02731 1780 NtWaitForSingleObject (344, 0, 0x0, ... 02732 1356 NtWaitForSingleObject (280, 0, 0x0, ... 02708 808 NtWaitForSingleObject ... ) == 0x0 02729 376 NtSetEventBoostPriority ... 
) == 0x0 02728 1128 NtTestAlert ... ) == 0x0 02730 1736 NtResumeThread ... 1, ) == 0x0 02733 808 NtSetEventBoostPriority (280, ... 02734 376 NtWaitForSingleObject (280, 0, 0x0, ... 02735 1128 NtContinue (100465968, 1, ... 02712 868 NtWaitForSingleObject ... ) == 0x0 02733 808 NtSetEventBoostPriority ... ) == 0x0 02736 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02737 1804 NtWaitForSingleObject (280, 0, 0x0, ... 02738 868 NtSetEventBoostPriority (280, ... 02739 1128 NtRegisterThreadTerminatePort (24, ... 02740 808 NtWaitForSingleObject (344, 0, 0x0, ... 02736 1736 NtAllocateVirtualMemory ... 101515264, 1048576, ) == 0x0 02713 896 NtWaitForSingleObject ... ) == 0x0 02738 868 NtSetEventBoostPriority ... ) == 0x0 02739 1128 NtRegisterThreadTerminatePort ... ) == 0x0 02741 896 NtSetEventBoostPriority (280, ... 02742 1736 NtAllocateVirtualMemory (-1, 102555648, 0, 8192, 4096, 4, ... 02743 868 NtWaitForSingleObject (280, 0, 0x0, ... 02724 2020 NtWaitForSingleObject ... ) == 0x0 02741 896 NtSetEventBoostPriority ... ) == 0x0 02744 1128 NtWaitForSingleObject (280, 0, 0x0, ... 02742 1736 NtAllocateVirtualMemory ... 102555648, 8192, ) == 0x0 02745 2020 NtSetEventBoostPriority (280, ... 02746 896 NtWaitForSingleObject (280, 0, 0x0, ... 02719 932 NtWaitForSingleObject ... ) == 0x0 02745 2020 NtSetEventBoostPriority ... ) == 0x0 02747 1736 NtProtectVirtualMemory (-1, (0x61ce000), 4096, 260, ... 02748 932 NtSetEventBoostPriority (280, ... 02727 1700 NtWaitForSingleObject ... ) == 0x0 02749 1700 NtSetEventBoostPriority (280, ... 02732 1356 NtWaitForSingleObject ... ) == 0x0 02750 1356 NtSetEventBoostPriority (280, ... 02737 1804 NtWaitForSingleObject ... ) == 0x0 02751 1804 NtSetEventBoostPriority (280, ... 02734 376 NtWaitForSingleObject ... ) == 0x0 02752 376 NtSetEventBoostPriority (280, ... 02743 868 NtWaitForSingleObject ... ) == 0x0 02753 868 NtSetEventBoostPriority (280, ... 02744 1128 NtWaitForSingleObject ... 
) == 0x0 02754 1128 NtSetEventBoostPriority (280, ... 02746 896 NtWaitForSingleObject ... ) == 0x0 02755 896 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0 02756 896 NtAllocateVirtualMemory (-1, 16568320, 0, 4096, 4096, 260, ... 16568320, 4096, ) == 0x0 02751 1804 NtSetEventBoostPriority ... ) == 0x0 02750 1356 NtSetEventBoostPriority ... ) == 0x0 02747 1736 NtProtectVirtualMemory ... (0x61ce000), 4096, 4, ) == 0x0 02754 1128 NtSetEventBoostPriority ... ) == 0x0 02753 868 NtSetEventBoostPriority ... ) == 0x0 02752 376 NtSetEventBoostPriority ... ) == 0x0 02749 1700 NtSetEventBoostPriority ... ) == 0x0 02748 932 NtSetEventBoostPriority ... ) == 0x0 02757 2020 NtSetEventBoostPriority (344, ... 02758 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02759 1356 NtAllocateVirtualMemory (-1, 12111872, 0, 4096, 4096, 260, ... 02760 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02761 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02762 868 NtAllocateVirtualMemory (-1, 13160448, 0, 4096, 4096, 260, ... 02763 376 NtSetEventBoostPriority (128, ... 02764 1700 NtWaitForSingleObject (128, 0, 0x0, ... 02765 932 NtWaitForSingleObject (344, 0, 0x0, ... 02630 308 NtWaitForSingleObject ... ) == 0x0 02757 2020 NtSetEventBoostPriority ... ) == 0x0 02758 896 NtCreateEvent ... 908, ) == 0x0 02766 1804 NtTestAlert (... 02760 1736 NtCreateThread ... 912, {1636, 1644}, ) == 0x0 02761 1128 NtDuplicateObject ... 916, ) == 0x0 02762 868 NtAllocateVirtualMemory ... 13160448, 4096, ) == 0x0 00788 596 NtWaitForSingleObject ... ) == 0x0 02763 376 NtSetEventBoostPriority ... ) == 0x0 02767 308 NtSetEventBoostPriority (344, ... 02768 2020 NtWaitForSingleObject (344, 0, 0x0, ... 02769 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02766 1804 NtTestAlert ... ) == 0x0 02770 1736 NtQueryInformationThread (912, Basic, 28, ... 02759 1356 NtAllocateVirtualMemory ... 12111872, 4096, ) == 0x0 02771 1128 NtWaitForSingleObject (344, 0, 0x0, ... 
02772 596 NtSetEventBoostPriority (128, ... 02773 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02731 1780 NtWaitForSingleObject ... ) == 0x0 02769 896 NtDuplicateObject ... 920, ) == 0x0 02774 1804 NtContinue (101514544, 1, ... 02767 308 NtSetEventBoostPriority ... ) == 0x0 02775 376 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02776 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00789 1180 NtWaitForSingleObject ... ) == 0x0 02772 596 NtSetEventBoostPriority ... ) == 0x0 02773 868 NtCreateEvent ... 924, ) == 0x0 02777 1780 NtSetEventBoostPriority (344, ... 02778 896 NtWaitForSingleObject (344, 0, 0x0, ... 02779 1804 NtRegisterThreadTerminatePort (24, ... 02780 308 NtWaitForSingleObject (64, 0, {0, 0}, ... 02775 376 NtCreateEvent ... 928, ) == 0x0 02781 1180 NtSetEventBoostPriority (128, ... 02776 1356 NtCreateEvent ... 932, ) == 0x0 02770 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=1644,}, 0x0, ) == 0x0 02782 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02740 808 NtWaitForSingleObject ... ) == 0x0 02779 1804 NtRegisterThreadTerminatePort ... ) == 0x0 00794 1028 NtWaitForSingleObject ... ) == 0x0 02781 1180 NtSetEventBoostPriority ... ) == 0x0 02783 376 NtAllocateVirtualMemory (-1, 21811200, 0, 4096, 4096, 260, ... 02784 1356 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02785 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0d\6\0\0l\6\0\0" ... ... 02782 868 NtDuplicateObject ... 936, ) == 0x0 02786 808 NtSetEventBoostPriority (344, ... 02787 1028 NtSetEventBoostPriority (128, ... 02788 1804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02777 1780 NtSetEventBoostPriority ... ) == 0x0 02789 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02780 308 NtWaitForSingleObject ... ) == 0x102 02783 376 NtAllocateVirtualMemory ... 21811200, 4096, ) == 0x0 02784 1356 NtDuplicateObject ... 
940, ) == 0x0 02785 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75597, 0} ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0d\6\0\0l\6\0\0" ) ) == 0x0 02790 868 NtWaitForSingleObject (344, 0, 0x0, ... 00799 2016 NtWaitForSingleObject ... ) == 0x0 02787 1028 NtSetEventBoostPriority ... ) == 0x0 02765 932 NtWaitForSingleObject ... ) == 0x0 02786 808 NtSetEventBoostPriority ... ) == 0x0 02791 1180 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02792 1780 NtWaitForSingleObject (64, 0, {0, 0}, ... 02789 596 NtCreateEvent ... 944, ) == 0x0 02793 308 NtWaitForSingleObject (128, 0, 0x0, ... 02794 376 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02795 1356 NtWaitForSingleObject (344, 0, 0x0, ... 02796 1736 NtResumeThread (912, ... 02797 2016 NtSetEventBoostPriority (128, ... 02788 1804 NtDuplicateObject ... 948, ) == 0x0 02798 932 NtSetEventBoostPriority (344, ... 02799 808 NtWaitForSingleObject (432, 0, 0x0, ... 02791 1180 NtCreateEvent ... 952, ) == 0x0 02800 596 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 02794 376 NtCreateEvent ... 956, ) == 0x0 02801 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02792 1780 NtWaitForSingleObject ... ) == 0x102 01061 1388 NtWaitForSingleObject ... ) == 0x0 02797 2016 NtSetEventBoostPriority ... ) == 0x0 02796 1736 NtResumeThread ... 1, ) == 0x0 02802 1804 NtWaitForSingleObject (280, 0, 0x0, ... 02768 2020 NtWaitForSingleObject ... ) == 0x0 02798 932 NtSetEventBoostPriority ... ) == 0x0 02803 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02800 596 NtAllocateVirtualMemory ... 1437696, 4096, ) == 0x0 02804 1644 NtWaitForSingleObject (280, 0, 0x0, ... 02801 1028 NtCreateEvent ... 960, ) == 0x0 02805 1388 NtWaitForSingleObject (280, 0, 0x0, ... 02806 1780 NtWaitForSingleObject (128, 0, 0x0, ... 02807 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02808 2016 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02809 2020 NtWaitForSingleObject (280, 0, 0x0, ... 
02810 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02811 596 NtSetEventBoostPriority (280, ... 02812 1028 NtWaitForSingleObject (280, 0, 0x0, ... 02807 376 NtDuplicateObject ... 964, ) == 0x0 02808 2016 NtCreateEvent ... 968, ) == 0x0 02810 1736 NtAllocateVirtualMemory ... 102563840, 1048576, ) == 0x0 02802 1804 NtWaitForSingleObject ... ) == 0x0 02811 596 NtSetEventBoostPriority ... ) == 0x0 02813 376 NtWaitForSingleObject (280, 0, 0x0, ... 02814 2016 NtWaitForSingleObject (280, 0, 0x0, ... 02815 1804 NtSetEventBoostPriority (280, ... 02816 1736 NtAllocateVirtualMemory (-1, 103604224, 0, 8192, 4096, 4, ... 02817 932 NtWaitForSingleObject (64, 0, {0, 0}, ... 02803 1180 NtWaitForSingleObject ... ) == 0x0 02815 1804 NtSetEventBoostPriority ... ) == 0x0 02816 1736 NtAllocateVirtualMemory ... 103604224, 8192, ) == 0x0 02818 1180 NtSetEventBoostPriority (280, ... 02817 932 NtWaitForSingleObject ... ) == 0x102 02819 596 NtWaitForSingleObject (280, 0, 0x0, ... 02804 1644 NtWaitForSingleObject ... ) == 0x0 02818 1180 NtSetEventBoostPriority ... ) == 0x0 02820 1736 NtProtectVirtualMemory (-1, (0x62ce000), 4096, 260, ... 02821 932 NtWaitForSingleObject (128, 0, 0x0, ... 02822 1644 NtSetEventBoostPriority (280, ... 02823 1804 NtWaitForSingleObject (344, 0, 0x0, ... 02820 1736 NtProtectVirtualMemory ... (0x62ce000), 4096, 4, ) == 0x0 02805 1388 NtWaitForSingleObject ... ) == 0x0 02822 1644 NtSetEventBoostPriority ... ) == 0x0 02824 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02825 1388 NtSetEventBoostPriority (280, ... 02826 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02809 2020 NtWaitForSingleObject ... ) == 0x0 02825 1388 NtSetEventBoostPriority ... ) == 0x0 02827 2020 NtSetEventBoostPriority (280, ... 02826 1736 NtCreateThread ... 972, {1636, 988}, ) == 0x0 02828 1644 NtTestAlert (... 02812 1028 NtWaitForSingleObject ... ) == 0x0 02827 2020 NtSetEventBoostPriority ... ) == 0x0 02829 1736 NtQueryInformationThread (972, Basic, 28, ... 
02830 1028 NtSetEventBoostPriority (280, ... 02828 1644 NtTestAlert ... ) == 0x0 02831 1388 NtWaitForSingleObject (280, 0, 0x0, ... 02813 376 NtWaitForSingleObject ... ) == 0x0 02830 1028 NtSetEventBoostPriority ... ) == 0x0 02829 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=988,}, 0x0, ) == 0x0 02832 1644 NtContinue (102563120, 1, ... 02833 376 NtSetEventBoostPriority (280, ... 02834 2020 NtSetEventBoostPriority (344, ... 02835 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0d\6\0\0\334\3\0\0" ... ... 02814 2016 NtWaitForSingleObject ... ) == 0x0 02833 376 NtSetEventBoostPriority ... ) == 0x0 02836 1644 NtRegisterThreadTerminatePort (24, ... 02771 1128 NtWaitForSingleObject ... ) == 0x0 02834 2020 NtSetEventBoostPriority ... ) == 0x0 02837 2016 NtSetEventBoostPriority (280, ... 02835 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75598, 0} ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0d\6\0\0\334\3\0\0" ) ) == 0x0 02838 1028 NtWaitForSingleObject (280, 0, 0x0, ... 02839 1128 NtWaitForSingleObject (280, 0, 0x0, ... 02836 1644 NtRegisterThreadTerminatePort ... ) == 0x0 02819 596 NtWaitForSingleObject ... ) == 0x0 02837 2016 NtSetEventBoostPriority ... ) == 0x0 02840 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02841 1736 NtResumeThread (972, ... 02842 596 NtSetEventBoostPriority (280, ... 02843 1644 NtWaitForSingleObject (280, 0, 0x0, ... 02844 376 NtWaitForSingleObject (280, 0, 0x0, ... 02840 2020 NtCreateEvent ... 976, ) == 0x0 02824 1180 NtWaitForSingleObject ... ) == 0x0 02842 596 NtSetEventBoostPriority ... ) == 0x0 02841 1736 NtResumeThread ... 1, ) == 0x0 02845 2016 NtWaitForSingleObject (280, 0, 0x0, ... 02846 1180 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 02847 2020 NtWaitForSingleObject (344, 0, 0x0, ... 
02848 596 NtWaitForSingleObject (280, 0, 0x0, ... 02849 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02846 1180 NtAllocateVirtualMemory ... 1441792, 4096, ) == 0x0 02850 988 NtWaitForSingleObject (280, 0, 0x0, ... 02851 1180 NtSetEventBoostPriority (280, ... 02849 1736 NtAllocateVirtualMemory ... 103612416, 1048576, ) == 0x0 02852 1736 NtAllocateVirtualMemory (-1, 104652800, 0, 8192, 4096, 4, ... 104652800, 8192, ) == 0x0 02853 1736 NtProtectVirtualMemory (-1, (0x63ce000), 4096, 260, ... (0x63ce000), 4096, 4, ) == 0x0 02831 1388 NtWaitForSingleObject ... ) == 0x0 02851 1180 NtSetEventBoostPriority ... ) == 0x0 02854 1388 NtSetEventBoostPriority (280, ... 02855 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02839 1128 NtWaitForSingleObject ... ) == 0x0 02854 1388 NtSetEventBoostPriority ... ) == 0x0 02856 1128 NtSetEventBoostPriority (280, ... 02838 1028 NtWaitForSingleObject ... ) == 0x0 02857 1028 NtSetEventBoostPriority (280, ... 02844 376 NtWaitForSingleObject ... ) == 0x0 02858 376 NtSetEventBoostPriority (280, ... 02845 2016 NtWaitForSingleObject ... ) == 0x0 02859 2016 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0 02860 2016 NtSetEventBoostPriority (280, ... 02858 376 NtSetEventBoostPriority ... ) == 0x0 02857 1028 NtSetEventBoostPriority ... ) == 0x0 02856 1128 NtSetEventBoostPriority ... ) == 0x0 02861 1388 NtWaitForSingleObject (280, 0, 0x0, ... 02862 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02863 376 NtWaitForSingleObject (280, 0, 0x0, ... 02864 1028 NtWaitForSingleObject (280, 0, 0x0, ... 02843 1644 NtWaitForSingleObject ... ) == 0x0 02860 2016 NtSetEventBoostPriority ... ) == 0x0 02865 1128 NtSetEventBoostPriority (344, ... 02862 1736 NtCreateThread ... 980, {1636, 1692}, ) == 0x0 02866 1644 NtSetEventBoostPriority (280, ... 02867 2016 NtWaitForSingleObject (280, 0, 0x0, ... 02778 896 NtWaitForSingleObject ... ) == 0x0 02865 1128 NtSetEventBoostPriority ... 
) == 0x0 02868 1736 NtQueryInformationThread (980, Basic, 28, ... 02850 988 NtWaitForSingleObject ... ) == 0x0 02869 896 NtWaitForSingleObject (280, 0, 0x0, ... 02870 1128 NtWaitForSingleObject (64, 0, {0, 0}, ... 02868 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=1692,}, 0x0, ) == 0x0 02871 988 NtSetEventBoostPriority (280, ... 02870 1128 NtWaitForSingleObject ... ) == 0x102 02872 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0d\6\0\0\234\6\0\0" ... ... 02848 596 NtWaitForSingleObject ... ) == 0x0 02871 988 NtSetEventBoostPriority ... ) == 0x0 02873 1128 NtWaitForSingleObject (280, 0, 0x0, ... 02874 596 NtSetEventBoostPriority (280, ... 02872 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75599, 0} ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0d\6\0\0\234\6\0\0" ) ) == 0x0 02866 1644 NtSetEventBoostPriority ... ) == 0x0 02875 988 NtTestAlert (... 02855 1180 NtWaitForSingleObject ... ) == 0x0 02876 1736 NtResumeThread (980, ... 02877 1644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02875 988 NtTestAlert ... ) == 0x0 02878 1180 NtSetEventBoostPriority (280, ... 02876 1736 NtResumeThread ... 1, ) == 0x0 02877 1644 NtDuplicateObject ... 984, ) == 0x0 02879 988 NtContinue (103611696, 1, ... 02861 1388 NtWaitForSingleObject ... ) == 0x0 02878 1180 NtSetEventBoostPriority ... ) == 0x0 02880 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02874 596 NtSetEventBoostPriority ... ) == 0x0 02881 1692 NtWaitForSingleObject (280, 0, 0x0, ... 02882 1388 NtSetEventBoostPriority (280, ... 02883 988 NtRegisterThreadTerminatePort (24, ... 02884 1644 NtWaitForSingleObject (280, 0, 0x0, ... 02880 1736 NtAllocateVirtualMemory ... 104660992, 1048576, ) == 0x0 02885 596 NtWaitForSingleObject (280, 0, 0x0, ... 02863 376 NtWaitForSingleObject ... 
) == 0x0 02883 988 NtRegisterThreadTerminatePort ... ) == 0x0 02886 1736 NtAllocateVirtualMemory (-1, 105701376, 0, 8192, 4096, 4, ... 02887 376 NtSetEventBoostPriority (280, ... 02888 988 NtWaitForSingleObject (280, 0, 0x0, ... 02882 1388 NtSetEventBoostPriority ... ) == 0x0 02889 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02867 2016 NtWaitForSingleObject ... ) == 0x0 02887 376 NtSetEventBoostPriority ... ) == 0x0 02886 1736 NtAllocateVirtualMemory ... 105701376, 8192, ) == 0x0 02890 1388 NtSetEventBoostPriority (128, ... 02891 2016 NtSetEventBoostPriority (280, ... 02892 376 NtWaitForSingleObject (280, 0, 0x0, ... 02893 1736 NtProtectVirtualMemory (-1, (0x64ce000), 4096, 260, ... 01281 948 NtWaitForSingleObject ... ) == 0x0 02890 1388 NtSetEventBoostPriority ... ) == 0x0 02869 896 NtWaitForSingleObject ... ) == 0x0 02891 2016 NtSetEventBoostPriority ... ) == 0x0 02894 948 NtWaitForSingleObject (280, 0, 0x0, ... 02893 1736 NtProtectVirtualMemory ... (0x64ce000), 4096, 4, ) == 0x0 02895 896 NtSetEventBoostPriority (280, ... 02896 1388 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02864 1028 NtWaitForSingleObject ... ) == 0x0 02895 896 NtSetEventBoostPriority ... ) == 0x0 02897 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02898 1028 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 02896 1388 NtCreateEvent ... 988, ) == 0x0 02899 2016 NtWaitForSingleObject (280, 0, 0x0, ... 02898 1028 NtAllocateVirtualMemory ... 1449984, 4096, ) == 0x0 02897 1736 NtCreateThread ... 992, {1636, 1808}, ) == 0x0 02900 1388 NtWaitForSingleObject (280, 0, 0x0, ... 02901 1028 NtSetEventBoostPriority (280, ... 02902 1736 NtQueryInformationThread (992, Basic, 28, ... 02873 1128 NtWaitForSingleObject ... ) == 0x0 02901 1028 NtSetEventBoostPriority ... ) == 0x0 02903 896 NtSetEventBoostPriority (344, ... 02904 1128 NtSetEventBoostPriority (280, ... 02902 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=1808,}, 0x0, ) == 0x0 02790 868 NtWaitForSingleObject ... ) == 0x0 02903 896 NtSetEventBoostPriority ... ) == 0x0 02881 1692 NtWaitForSingleObject ... ) == 0x0 02905 868 NtWaitForSingleObject (280, 0, 0x0, ... 02906 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0d\6\0\0\20\7\0\0" ... ... 02907 896 NtWaitForSingleObject (432, 0, 0x0, ... 02908 1692 NtSetEventBoostPriority (280, ... 02906 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75600, 0} ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0d\6\0\0\20\7\0\0" ) ) == 0x0 02884 1644 NtWaitForSingleObject ... ) == 0x0 02908 1692 NtSetEventBoostPriority ... ) == 0x0 02909 1644 NtSetEventBoostPriority (280, ... 02910 1736 NtResumeThread (992, ... 02904 1128 NtSetEventBoostPriority ... ) == 0x0 02911 1028 NtWaitForSingleObject (280, 0, 0x0, ... 02885 596 NtWaitForSingleObject ... ) == 0x0 02909 1644 NtSetEventBoostPriority ... ) == 0x0 02910 1736 NtResumeThread ... 1, ) == 0x0 02912 1128 NtWaitForSingleObject (128, 0, 0x0, ... 02913 596 NtSetEventBoostPriority (280, ... 02914 1644 NtWaitForSingleObject (280, 0, 0x0, ... 02915 1692 NtTestAlert (... 02916 1808 NtWaitForSingleObject (280, 0, 0x0, ... 02889 1180 NtWaitForSingleObject ... ) == 0x0 02913 596 NtSetEventBoostPriority ... ) == 0x0 02917 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02915 1692 NtTestAlert ... ) == 0x0 02918 1180 NtSetEventBoostPriority (280, ... 02917 1736 NtAllocateVirtualMemory ... 105709568, 1048576, ) == 0x0 02892 376 NtWaitForSingleObject ... ) == 0x0 02918 1180 NtSetEventBoostPriority ... ) == 0x0 02919 1692 NtContinue (104660272, 1, ... 02920 596 NtWaitForSingleObject (280, 0, 0x0, ... 02921 376 NtSetEventBoostPriority (280, ... 02922 1736 NtAllocateVirtualMemory (-1, 106749952, 0, 8192, 4096, 4, ... 
02923 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02924 1692 NtRegisterThreadTerminatePort (24, ... 02888 988 NtWaitForSingleObject ... ) == 0x0 02921 376 NtSetEventBoostPriority ... ) == 0x0 02922 1736 NtAllocateVirtualMemory ... 106749952, 8192, ) == 0x0 02925 988 NtSetEventBoostPriority (280, ... 02924 1692 NtRegisterThreadTerminatePort ... ) == 0x0 02894 948 NtWaitForSingleObject ... ) == 0x0 02926 1736 NtProtectVirtualMemory (-1, (0x65ce000), 4096, 260, ... 02927 948 NtSetEventBoostPriority (280, ... 02928 1692 NtWaitForSingleObject (280, 0, 0x0, ... 02899 2016 NtWaitForSingleObject ... ) == 0x0 02927 948 NtSetEventBoostPriority ... ) == 0x0 02926 1736 NtProtectVirtualMemory ... (0x65ce000), 4096, 4, ) == 0x0 02925 988 NtSetEventBoostPriority ... ) == 0x0 02929 376 NtWaitForSingleObject (280, 0, 0x0, ... 02930 2016 NtSetEventBoostPriority (280, ... 02931 948 NtWaitForSingleObject (280, 0, 0x0, ... 02932 988 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02900 1388 NtWaitForSingleObject ... ) == 0x0 02930 2016 NtSetEventBoostPriority ... ) == 0x0 02933 1388 NtSetEventBoostPriority (280, ... 02932 988 NtDuplicateObject ... 996, ) == 0x0 02905 868 NtWaitForSingleObject ... ) == 0x0 02933 1388 NtSetEventBoostPriority ... ) == 0x0 02934 2016 NtWaitForSingleObject (280, 0, 0x0, ... 02935 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02936 868 NtSetEventBoostPriority (280, ... 02937 988 NtWaitForSingleObject (280, 0, 0x0, ... 02938 1388 NtWaitForSingleObject (280, 0, 0x0, ... 02911 1028 NtWaitForSingleObject ... ) == 0x0 02936 868 NtSetEventBoostPriority ... ) == 0x0 02935 1736 NtCreateThread ... 1000, {1636, 1348}, ) == 0x0 02939 1028 NtSetEventBoostPriority (280, ... 02916 1808 NtWaitForSingleObject ... ) == 0x0 02940 1808 NtSetEventBoostPriority (280, ... 02914 1644 NtWaitForSingleObject ... ) == 0x0 02941 1644 NtSetEventBoostPriority (280, ... 02920 596 NtWaitForSingleObject ... ) == 0x0 02942 596 NtSetEventBoostPriority (280, ... 
02923 1180 NtWaitForSingleObject ... ) == 0x0 02943 1180 NtSetEventBoostPriority (280, ... 02928 1692 NtWaitForSingleObject ... ) == 0x0 02944 1692 NtSetEventBoostPriority (280, ... 02929 376 NtWaitForSingleObject ... ) == 0x0 02945 376 NtSetEventBoostPriority (280, ... 02931 948 NtWaitForSingleObject ... ) == 0x0 02946 948 NtSetEventBoostPriority (280, ... 02937 988 NtWaitForSingleObject ... ) == 0x0 02947 988 NtSetEventBoostPriority (280, ... 02938 1388 NtWaitForSingleObject ... ) == 0x0 02948 1388 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0 02949 1388 NtSetEventBoostPriority (280, ... 02947 988 NtSetEventBoostPriority ... ) == 0x0 02946 948 NtSetEventBoostPriority ... ) == 0x0 02945 376 NtSetEventBoostPriority ... ) == 0x0 02942 596 NtSetEventBoostPriority ... ) == 0x0 02940 1808 NtSetEventBoostPriority ... ) == 0x0 02939 1028 NtSetEventBoostPriority ... ) == 0x0 02950 1736 NtQueryInformationThread (1000, Basic, 28, ... 02944 1692 NtSetEventBoostPriority ... ) == 0x0 02943 1180 NtSetEventBoostPriority ... ) == 0x0 02941 1644 NtSetEventBoostPriority ... ) == 0x0 02951 868 NtSetEventBoostPriority (344, ... 02952 988 NtWaitForSingleObject (280, 0, 0x0, ... 02953 948 NtSetEventBoostPriority (128, ... 02954 376 NtWaitForSingleObject (280, 0, 0x0, ... 02955 596 NtWaitForSingleObject (280, 0, 0x0, ... 02934 2016 NtWaitForSingleObject ... ) == 0x0 02949 1388 NtSetEventBoostPriority ... ) == 0x0 02956 1028 NtWaitForSingleObject (280, 0, 0x0, ... 02950 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=1348,}, 0x0, ) == 0x0 02957 1692 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02958 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02959 1644 NtWaitForSingleObject (344, 0, 0x0, ... 02795 1356 NtWaitForSingleObject ... ) == 0x0 02951 868 NtSetEventBoostPriority ... ) == 0x0 02960 1808 NtTestAlert (... 01284 1132 NtWaitForSingleObject ... ) == 0x0 02953 948 NtSetEventBoostPriority ... 
) == 0x0 02961 2016 NtSetEventBoostPriority (280, ... 02962 1388 NtWaitForSingleObject (280, 0, 0x0, ... 02963 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0d\6\0\0D\5\0\0" ... ... 02957 1692 NtDuplicateObject ... 1004, ) == 0x0 02964 1356 NtWaitForSingleObject (280, 0, 0x0, ... 02965 868 NtWaitForSingleObject (432, 0, 0x0, ... 02960 1808 NtTestAlert ... ) == 0x0 02966 1132 NtSetEventBoostPriority (128, ... 02967 948 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02952 988 NtWaitForSingleObject ... ) == 0x0 02963 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75601, 0} ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0d\6\0\0D\5\0\0" ) ) == 0x0 02961 2016 NtSetEventBoostPriority ... ) == 0x0 02968 1808 NtContinue (105708848, 1, ... 01311 900 NtWaitForSingleObject ... ) == 0x0 02966 1132 NtSetEventBoostPriority ... ) == 0x0 02967 948 NtCreateEvent ... 1008, ) == 0x0 02969 988 NtSetEventBoostPriority (280, ... 02970 1736 NtResumeThread (1000, ... 02971 2016 NtWaitForSingleObject (280, 0, 0x0, ... 02972 900 NtWaitForSingleObject (280, 0, 0x0, ... 02973 1808 NtRegisterThreadTerminatePort (24, ... 02974 1692 NtWaitForSingleObject (280, 0, 0x0, ... 02975 948 NtWaitForSingleObject (280, 0, 0x0, ... 02954 376 NtWaitForSingleObject ... ) == 0x0 02970 1736 NtResumeThread ... 1, ) == 0x0 02973 1808 NtRegisterThreadTerminatePort ... ) == 0x0 02976 376 NtSetEventBoostPriority (280, ... 02977 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02978 1808 NtWaitForSingleObject (280, 0, 0x0, ... 02955 596 NtWaitForSingleObject ... ) == 0x0 02977 1736 NtAllocateVirtualMemory ... 106758144, 1048576, ) == 0x0 02976 376 NtSetEventBoostPriority ... ) == 0x0 02969 988 NtSetEventBoostPriority ... ) == 0x0 02979 1132 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02980 1348 NtWaitForSingleObject (280, 0, 0x0, ... 
02981 596 NtSetEventBoostPriority (280, ... 02982 1736 NtAllocateVirtualMemory (-1, 107798528, 0, 8192, 4096, 4, ... 02983 376 NtWaitForSingleObject (344, 0, 0x0, ... 02984 988 NtWaitForSingleObject (344, 0, 0x0, ... 02979 1132 NtCreateEvent ... 1012, ) == 0x0 02958 1180 NtWaitForSingleObject ... ) == 0x0 02981 596 NtSetEventBoostPriority ... ) == 0x0 02985 1132 NtWaitForSingleObject (280, 0, 0x0, ... 02986 1180 NtSetEventBoostPriority (280, ... 02987 596 NtWaitForSingleObject (280, 0, 0x0, ... 02962 1388 NtWaitForSingleObject ... ) == 0x0 02986 1180 NtSetEventBoostPriority ... ) == 0x0 02988 1388 NtSetEventBoostPriority (280, ... 02982 1736 NtAllocateVirtualMemory ... 107798528, 8192, ) == 0x0 02956 1028 NtWaitForSingleObject ... ) == 0x0 02988 1388 NtSetEventBoostPriority ... ) == 0x0 02989 1028 NtSetEventBoostPriority (280, ... 02990 1736 NtProtectVirtualMemory (-1, (0x66ce000), 4096, 260, ... 02991 1180 NtWaitForSingleObject (280, 0, 0x0, ... 02964 1356 NtWaitForSingleObject ... ) == 0x0 02990 1736 NtProtectVirtualMemory ... (0x66ce000), 4096, 4, ) == 0x0 02992 1356 NtSetEventBoostPriority (280, ... 02972 900 NtWaitForSingleObject ... ) == 0x0 02993 900 NtSetEventBoostPriority (280, ... 02971 2016 NtWaitForSingleObject ... ) == 0x0 02994 2016 NtSetEventBoostPriority (280, ... 02974 1692 NtWaitForSingleObject ... ) == 0x0 02995 1692 NtSetEventBoostPriority (280, ... 02975 948 NtWaitForSingleObject ... ) == 0x0 02996 948 NtSetEventBoostPriority (280, ... 02980 1348 NtWaitForSingleObject ... ) == 0x0 02997 1348 NtSetEventBoostPriority (280, ... 02978 1808 NtWaitForSingleObject ... ) == 0x0 02998 1808 NtSetEventBoostPriority (280, ... 02985 1132 NtWaitForSingleObject ... ) == 0x0 02999 1132 NtSetEventBoostPriority (280, ... 02987 596 NtWaitForSingleObject ... ) == 0x0 03000 596 NtSetEventBoostPriority (280, ... 02991 1180 NtWaitForSingleObject ... ) == 0x0 03001 1180 NtAllocateVirtualMemory (-1, 19714048, 0, 4096, 4096, 260, ... 
19714048, 4096, ) == 0x0 03002 1180 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03000 596 NtSetEventBoostPriority ... ) == 0x0 02999 1132 NtSetEventBoostPriority ... ) == 0x0 02997 1348 NtSetEventBoostPriority ... ) == 0x0 02996 948 NtSetEventBoostPriority ... ) == 0x0 02995 1692 NtSetEventBoostPriority ... ) == 0x0 02994 2016 NtSetEventBoostPriority ... ) == 0x0 02993 900 NtSetEventBoostPriority ... ) == 0x0 03003 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02998 1808 NtSetEventBoostPriority ... ) == 0x0 02992 1356 NtSetEventBoostPriority ... ) == 0x0 02989 1028 NtSetEventBoostPriority ... ) == 0x0 03004 1388 NtAllocateVirtualMemory (-1, 35442688, 0, 4096, 4096, 260, ... 03002 1180 NtCreateEvent ... 1016, ) == 0x0 03005 596 NtAllocateVirtualMemory (-1, 20762624, 0, 4096, 4096, 260, ... 03006 1132 NtAllocateVirtualMemory (-1, 24956928, 0, 4096, 4096, 260, ... 03007 1348 NtTestAlert (... 03008 1692 NtWaitForSingleObject (344, 0, 0x0, ... 03009 948 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 03010 2016 NtWaitForSingleObject (280, 0, 0x0, ... 03003 1736 NtCreateThread ... 1020, {1636, 1852}, ) == 0x0 03011 1808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03012 900 NtSetEventBoostPriority (128, ... 03013 1028 NtWaitForSingleObject (280, 0, 0x0, ... 03004 1388 NtAllocateVirtualMemory ... 35442688, 4096, ) == 0x0 03014 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03005 596 NtAllocateVirtualMemory ... 20762624, 4096, ) == 0x0 03006 1132 NtAllocateVirtualMemory ... 24956928, 4096, ) == 0x0 03007 1348 NtTestAlert ... ) == 0x0 03015 1356 NtSetEventBoostPriority (344, ... 03009 948 NtAllocateVirtualMemory ... 1458176, 4096, ) == 0x0 03016 1736 NtQueryInformationThread (1020, Basic, 28, ... 03011 1808 NtDuplicateObject ... 1024, ) == 0x0 01316 1732 NtWaitForSingleObject ... ) == 0x0 03012 900 NtSetEventBoostPriority ... ) == 0x0 03017 1388 NtWaitForSingleObject (280, 0, 0x0, ... 03014 1180 NtDuplicateObject ... 
1028, ) == 0x0 03018 596 NtWaitForSingleObject (280, 0, 0x0, ... 03019 1132 NtWaitForSingleObject (280, 0, 0x0, ... 03020 1348 NtContinue (106757424, 1, ... 02823 1804 NtWaitForSingleObject ... ) == 0x0 03015 1356 NtSetEventBoostPriority ... ) == 0x0 03021 948 NtSetEventBoostPriority (280, ... 03016 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=1852,}, 0x0, ) == 0x0 03022 1732 NtWaitForSingleObject (280, 0, 0x0, ... 03023 900 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03024 1180 NtWaitForSingleObject (280, 0, 0x0, ... 03025 1804 NtWaitForSingleObject (280, 0, 0x0, ... 03026 1348 NtRegisterThreadTerminatePort (24, ... 03027 1356 NtWaitForSingleObject (432, 0, 0x0, ... 03010 2016 NtWaitForSingleObject ... ) == 0x0 03021 948 NtSetEventBoostPriority ... ) == 0x0 03028 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0d\6\0\0<\7\0\0" ... ... 03023 900 NtCreateEvent ... 1032, ) == 0x0 03026 1348 NtRegisterThreadTerminatePort ... ) == 0x0 03029 2016 NtSetEventBoostPriority (280, ... 03030 948 NtWaitForSingleObject (280, 0, 0x0, ... 03028 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75602, 0} ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0d\6\0\0<\7\0\0" ) ) == 0x0 03031 900 NtWaitForSingleObject (280, 0, 0x0, ... 03013 1028 NtWaitForSingleObject ... ) == 0x0 03029 2016 NtSetEventBoostPriority ... ) == 0x0 03032 1348 NtWaitForSingleObject (280, 0, 0x0, ... 03033 1736 NtResumeThread (1020, ... 03034 1028 NtSetEventBoostPriority (280, ... 03035 2016 NtWaitForSingleObject (280, 0, 0x0, ... 03036 1808 NtWaitForSingleObject (280, 0, 0x0, ... 03017 1388 NtWaitForSingleObject ... ) == 0x0 03034 1028 NtSetEventBoostPriority ... ) == 0x0 03033 1736 NtResumeThread ... 1, ) == 0x0 03037 1388 NtSetEventBoostPriority (280, ... 03038 1852 NtWaitForSingleObject (280, 0, 0x0, ... 
03039 1028 NtWaitForSingleObject (280, 0, 0x0, ... 03018 596 NtWaitForSingleObject ... ) == 0x0 03037 1388 NtSetEventBoostPriority ... ) == 0x0 03040 596 NtSetEventBoostPriority (280, ... 03041 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03019 1132 NtWaitForSingleObject ... ) == 0x0 03040 596 NtSetEventBoostPriority ... ) == 0x0 03042 1132 NtSetEventBoostPriority (280, ... 03041 1736 NtAllocateVirtualMemory ... 107806720, 1048576, ) == 0x0 03043 1388 NtWaitForSingleObject (280, 0, 0x0, ... 03022 1732 NtWaitForSingleObject ... ) == 0x0 03042 1132 NtSetEventBoostPriority ... ) == 0x0 03044 1736 NtAllocateVirtualMemory (-1, 108847104, 0, 8192, 4096, 4, ... 03045 1732 NtSetEventBoostPriority (280, ... 03046 596 NtWaitForSingleObject (280, 0, 0x0, ... 03025 1804 NtWaitForSingleObject ... ) == 0x0 03045 1732 NtSetEventBoostPriority ... ) == 0x0 03044 1736 NtAllocateVirtualMemory ... 108847104, 8192, ) == 0x0 03047 1804 NtSetEventBoostPriority (280, ... 03048 1132 NtWaitForSingleObject (280, 0, 0x0, ... 03024 1180 NtWaitForSingleObject ... ) == 0x0 03047 1804 NtSetEventBoostPriority ... ) == 0x0 03049 1736 NtProtectVirtualMemory (-1, (0x67ce000), 4096, 260, ... 03050 1180 NtSetEventBoostPriority (280, ... 03051 1732 NtWaitForSingleObject (280, 0, 0x0, ... 03030 948 NtWaitForSingleObject ... ) == 0x0 03050 1180 NtSetEventBoostPriority ... ) == 0x0 03049 1736 NtProtectVirtualMemory ... (0x67ce000), 4096, 4, ) == 0x0 03052 948 NtSetEventBoostPriority (280, ... 03053 1804 NtSetEventBoostPriority (344, ... 03054 1180 NtWaitForSingleObject (280, 0, 0x0, ... 03031 900 NtWaitForSingleObject ... ) == 0x0 03052 948 NtSetEventBoostPriority ... ) == 0x0 02847 2020 NtWaitForSingleObject ... ) == 0x0 03053 1804 NtSetEventBoostPriority ... ) == 0x0 03055 900 NtSetEventBoostPriority (280, ... 03056 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03057 2020 NtSetEventBoostPriority (344, ... 03032 1348 NtWaitForSingleObject ... 
) == 0x0 03055 900 NtSetEventBoostPriority ... ) == 0x0 03058 1804 NtWaitForSingleObject (64, 0, {0, 0}, ... 02959 1644 NtWaitForSingleObject ... ) == 0x0 03059 1348 NtSetEventBoostPriority (280, ... 03057 2020 NtSetEventBoostPriority ... ) == 0x0 03056 1736 NtCreateThread ... 1036, {1636, 1420}, ) == 0x0 03060 948 NtWaitForSingleObject (280, 0, 0x0, ... 03061 1644 NtSetEventBoostPriority (344, ... 03036 1808 NtWaitForSingleObject ... ) == 0x0 03058 1804 NtWaitForSingleObject ... ) == 0x102 03059 1348 NtSetEventBoostPriority ... ) == 0x0 03062 900 NtWaitForSingleObject (280, 0, 0x0, ... 03063 1736 NtQueryInformationThread (1036, Basic, 28, ... 02983 376 NtWaitForSingleObject ... ) == 0x0 03061 1644 NtSetEventBoostPriority ... ) == 0x0 03064 1808 NtSetEventBoostPriority (280, ... 03065 1804 NtWaitForSingleObject (128, 0, 0x0, ... 03066 1348 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03067 376 NtWaitForSingleObject (280, 0, 0x0, ... 03063 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=1420,}, 0x0, ) == 0x0 03068 2020 NtSetEventBoostPriority (432, ... 03035 2016 NtWaitForSingleObject ... ) == 0x0 03064 1808 NtSetEventBoostPriority ... ) == 0x0 03069 1644 NtWaitForSingleObject (64, 0, {0, 0}, ... 03066 1348 NtDuplicateObject ... 1040, ) == 0x0 03070 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0d\6\0\0\214\5\0\0" ... ... 03071 2016 NtSetEventBoostPriority (280, ... 02799 808 NtWaitForSingleObject ... ) == 0x0 03068 2020 NtSetEventBoostPriority ... ) == 0x0 03072 1808 NtWaitForSingleObject (344, 0, 0x0, ... 03069 1644 NtWaitForSingleObject ... ) == 0x102 03038 1852 NtWaitForSingleObject ... ) == 0x0 03073 808 NtSetEventBoostPriority (432, ... 03074 2020 NtWaitForSingleObject (280, 0, 0x0, ... 03071 2016 NtSetEventBoostPriority ... ) == 0x0 03075 1348 NtWaitForSingleObject (280, 0, 0x0, ... 
03070 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75603, 0} ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0d\6\0\0\214\5\0\0" ) ) == 0x0 03076 1644 NtWaitForSingleObject (128, 0, 0x0, ... 02907 896 NtWaitForSingleObject ... ) == 0x0 03073 808 NtSetEventBoostPriority ... ) == 0x0 03077 1852 NtSetEventBoostPriority (280, ... 03078 2016 NtAllocateVirtualMemory (-1, 17616896, 0, 4096, 4096, 260, ... 03079 1736 NtResumeThread (1036, ... 03080 896 NtSetEventBoostPriority (432, ... 03039 1028 NtWaitForSingleObject ... ) == 0x0 03077 1852 NtSetEventBoostPriority ... ) == 0x0 03078 2016 NtAllocateVirtualMemory ... 17616896, 4096, ) == 0x0 02965 868 NtWaitForSingleObject ... ) == 0x0 03081 1028 NtSetEventBoostPriority (280, ... 03080 896 NtSetEventBoostPriority ... ) == 0x0 03079 1736 NtResumeThread ... 1, ) == 0x0 03082 808 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03083 1852 NtTestAlert (... 03084 1420 NtTestAlert (... 03085 868 NtSetEventBoostPriority (432, ... 03043 1388 NtWaitForSingleObject ... ) == 0x0 03081 1028 NtSetEventBoostPriority ... ) == 0x0 03086 2016 NtWaitForSingleObject (280, 0, 0x0, ... 03087 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03082 808 NtCreateEvent ... 1044, ) == 0x0 03083 1852 NtTestAlert ... ) == 0x0 03027 1356 NtWaitForSingleObject ... ) == 0x0 03088 1388 NtSetEventBoostPriority (280, ... 03085 868 NtSetEventBoostPriority ... ) == 0x0 03084 1420 NtTestAlert ... ) == 0x0 03089 1028 NtAllocateVirtualMemory (-1, 18665472, 0, 4096, 4096, 260, ... 03087 1736 NtAllocateVirtualMemory ... 108855296, 1048576, ) == 0x0 03090 808 NtWaitForSingleObject (1044, 0, 0x0, ... 03091 1356 NtWaitForSingleObject (1044, 0, 0x0, ... 03046 596 NtWaitForSingleObject ... ) == 0x0 03088 1388 NtSetEventBoostPriority ... ) == 0x0 03092 1852 NtContinue (107806000, 1, ... 03093 896 NtWaitForSingleObject (1044, 0, 0x0, ... 03094 1420 NtContinue (108854576, 1, ... 
03095 868 NtWaitForSingleObject (1044, 0, 0x0, ... 03096 1736 NtAllocateVirtualMemory (-1, 109895680, 0, 8192, 4096, 4, ... 03097 596 NtSetEventBoostPriority (280, ... 03098 1388 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03099 1852 NtRegisterThreadTerminatePort (24, ... 03100 1420 NtRegisterThreadTerminatePort (24, ... 03089 1028 NtAllocateVirtualMemory ... 18665472, 4096, ) == 0x0 03048 1132 NtWaitForSingleObject ... ) == 0x0 03097 596 NtSetEventBoostPriority ... ) == 0x0 03096 1736 NtAllocateVirtualMemory ... 109895680, 8192, ) == 0x0 03099 1852 NtRegisterThreadTerminatePort ... ) == 0x0 03100 1420 NtRegisterThreadTerminatePort ... ) == 0x0 03101 1132 NtSetEventBoostPriority (280, ... 03102 1028 NtWaitForSingleObject (280, 0, 0x0, ... 03103 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03104 1736 NtProtectVirtualMemory (-1, (0x68ce000), 4096, 260, ... 03105 1852 NtWaitForSingleObject (280, 0, 0x0, ... 03098 1388 NtCreateEvent ... 1048, ) == 0x0 03051 1732 NtWaitForSingleObject ... ) == 0x0 03101 1132 NtSetEventBoostPriority ... ) == 0x0 03106 1420 NtWaitForSingleObject (280, 0, 0x0, ... 03104 1736 NtProtectVirtualMemory ... (0x68ce000), 4096, 4, ) == 0x0 03103 596 NtCreateEvent ... 1052, ) == 0x0 03107 1732 NtSetEventBoostPriority (280, ... 03108 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03109 1132 NtWaitForSingleObject (280, 0, 0x0, ... 03110 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03054 1180 NtWaitForSingleObject ... ) == 0x0 03107 1732 NtSetEventBoostPriority ... ) == 0x0 03111 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03108 1388 NtDuplicateObject ... 1056, ) == 0x0 03112 1180 NtSetEventBoostPriority (280, ... 03110 1736 NtCreateThread ... 1060, {1636, 1252}, ) == 0x0 03113 1732 NtSetEventBoostPriority (128, ... 03111 596 NtDuplicateObject ... 1064, ) == 0x0 03060 948 NtWaitForSingleObject ... ) == 0x0 03112 1180 NtSetEventBoostPriority ... ) == 0x0 03114 1388 NtWaitForSingleObject (280, 0, 0x0, ... 
03115 1736 NtQueryInformationThread (1060, Basic, 28, ... 03116 948 NtSetEventBoostPriority (280, ... 03117 596 NtWaitForSingleObject (280, 0, 0x0, ... 03118 1180 NtWaitForSingleObject (280, 0, 0x0, ... 01321 1884 NtWaitForSingleObject ... ) == 0x0 03113 1732 NtSetEventBoostPriority ... ) == 0x0 03062 900 NtWaitForSingleObject ... ) == 0x0 03116 948 NtSetEventBoostPriority ... ) == 0x0 03115 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0 03119 1884 NtWaitForSingleObject (280, 0, 0x0, ... 03120 900 NtAllocateVirtualMemory (-1, 1462272, 0, 4096, 4096, 4, ... 03121 1732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03122 948 NtWaitForSingleObject (280, 0, 0x0, ... 03123 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0d\6\0\0\344\4\0\0" ... ... 03120 900 NtAllocateVirtualMemory ... 1462272, 4096, ) == 0x0 03121 1732 NtCreateEvent ... 1068, ) == 0x0 03124 900 NtSetEventBoostPriority (280, ... 03123 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75604, 0} ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0d\6\0\0\344\4\0\0" ) ) == 0x0 03125 1732 NtWaitForSingleObject (280, 0, 0x0, ... 03126 1736 NtResumeThread (1060, ... 1, ) == 0x0 03127 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 109903872, 1048576, ) == 0x0 03128 1736 NtAllocateVirtualMemory (-1, 110944256, 0, 8192, 4096, 4, ... 110944256, 8192, ) == 0x0 03129 1736 NtProtectVirtualMemory (-1, (0x69ce000), 4096, 260, ... (0x69ce000), 4096, 4, ) == 0x0 03067 376 NtWaitForSingleObject ... ) == 0x0 03124 900 NtSetEventBoostPriority ... ) == 0x0 03130 1252 NtWaitForSingleObject (280, 0, 0x0, ... 03131 376 NtSetEventBoostPriority (280, ... 03132 900 NtWaitForSingleObject (280, 0, 0x0, ... 03074 2020 NtWaitForSingleObject ... ) == 0x0 03131 376 NtSetEventBoostPriority ... 
) == 0x0 03133 2020 NtSetEventBoostPriority (280, ... 03134 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03075 1348 NtWaitForSingleObject ... ) == 0x0 03133 2020 NtSetEventBoostPriority ... ) == 0x0 03135 1348 NtSetEventBoostPriority (280, ... 03134 1736 NtCreateThread ... 1072, {1636, 384}, ) == 0x0 03136 376 NtSetEventBoostPriority (344, ... 03086 2016 NtWaitForSingleObject ... ) == 0x0 03135 1348 NtSetEventBoostPriority ... ) == 0x0 03137 1736 NtQueryInformationThread (1072, Basic, 28, ... 03138 2016 NtSetEventBoostPriority (280, ... 02984 988 NtWaitForSingleObject ... ) == 0x0 03136 376 NtSetEventBoostPriority ... ) == 0x0 03139 1348 NtWaitForSingleObject (344, 0, 0x0, ... 03102 1028 NtWaitForSingleObject ... ) == 0x0 03140 988 NtWaitForSingleObject (280, 0, 0x0, ... 03138 2016 NtSetEventBoostPriority ... ) == 0x0 03137 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1636,Tid=384,}, 0x0, ) == 0x0 03141 376 NtWaitForSingleObject (1044, 0, 0x0, ... 03142 2020 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15527092, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15527092, 188, ... 03143 1028 NtSetEventBoostPriority (280, ... 03144 2016 NtWaitForSingleObject (280, 0, 0x0, ... 03145 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0d\6\0\0\200\1\0\0" ... ... 03106 1420 NtWaitForSingleObject ... ) == 0x0 03143 1028 NtSetEventBoostPriority ... ) == 0x0 03142 2020 NtConnectPort ... 1076, 0x0, 0x0, 0x0, 188, ) == 0x0 03146 1420 NtSetEventBoostPriority (280, ... 03145 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75606, 0} ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0d\6\0\0\200\1\0\0" ) ) == 0x0 03105 1852 NtWaitForSingleObject ... ) == 0x0 03146 1420 NtSetEventBoostPriority ... 
) == 0x0 03147 2020 NtRequestWaitReplyPort (1076, {200, 224, new_msg, 0, 1379992, 12, 2, 1310721} (1076, {200, 224, new_msg, 0, 1379992, 12, 2, 1310721} "\0\0\0\0\274\0\0\0\204B\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\370\2\24\0\4\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\362\333\226\275\212 YWl\2\375\24\246\225\3[\12\0\0\0\313\300\273\250\0\0\1\0\0\0\0\0\340\347\24\0X&\26\0G\354\372h\330$\26\0`\1\24\0\0\0\0\0\0\0\0\0\330$\26\0P\0\0\0\340$\26\0(\356\354\0\370\2\24\0P\0\0\0\200\300\0\0\0\0\24\04\353\354\0\372\31\221|\310\362\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 03148 1852 NtSetEventBoostPriority (280, ... 03149 1736 NtResumeThread (1072, ... 03150 1420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03109 1132 NtWaitForSingleObject ... ) == 0x0 03149 1736 NtResumeThread ... 1, ) == 0x0 03147 2020 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 2020, 75607, 0} ... {200, 224, reply, 0, 1636, 2020, 75607, 0} "\7\0\0\0\274\0\0\0\204B\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\362\333\226\275\212 YWl\2\375\24\246\225\3[\12\0\0\0\313\300\273\250\0\0\1\0\0\0\0\0\340\347\24\0X&\26\0G\354\372h\330$\26\0`\1\24\0\0\0\0\0\0\0\0\0\330$\26\0P\0\0\0\340$\26\0(\356\354\0\370\2\24\0P\0\0\0\200\300\0\0\0\0\24\04\353\354\0\372\31\221|\310\362\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 03148 1852 NtSetEventBoostPriority ... ) == 0x0 03151 1028 NtWaitForSingleObject (280, 0, 0x0, ... 03152 1132 NtSetEventBoostPriority (280, ... 03153 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03150 1420 NtDuplicateObject ... 1080, ) == 0x0 03154 384 NtWaitForSingleObject (88, 0, 0x0, ... 03155 1852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03114 1388 NtWaitForSingleObject ... ) == 0x0 03153 1736 NtAllocateVirtualMemory ... 
110952448, 1048576, ) == 0x0 03156 1420 NtWaitForSingleObject (280, 0, 0x0, ... 03155 1852 NtDuplicateObject ... 1084, ) == 0x0 03157 1388 NtSetEventBoostPriority (280, ... 03158 1736 NtAllocateVirtualMemory (-1, 111992832, 0, 8192, 4096, 4, ... 03152 1132 NtSetEventBoostPriority ... ) == 0x0 03159 2020 NtSetEventBoostPriority (1044, ... 03117 596 NtWaitForSingleObject ... ) == 0x0 03157 1388 NtSetEventBoostPriority ... ) == 0x0 03160 1852 NtWaitForSingleObject (280, 0, 0x0, ... 03161 1132 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03162 596 NtSetEventBoostPriority (280, ... 03091 1356 NtWaitForSingleObject ... ) == 0x0 03159 2020 NtSetEventBoostPriority ... ) == 0x0 03158 1736 NtAllocateVirtualMemory ... 111992832, 8192, ) == 0x0 03119 1884 NtWaitForSingleObject ... ) == 0x0 03163 1356 NtWaitForSingleObject (280, 0, 0x0, ... 03162 596 NtSetEventBoostPriority ... ) == 0x0 03161 1132 NtCreateEvent ... 1088, ) == 0x0