Summary (number of invocations per system call, ordered by count):

NtGdiCreateBitmap(>) 1 NtQueryDefaultUILanguage(>) 2 NtConnectPort(>) 9 NtFlushInstructionCache(>) 57
NtGdiInit(>) 1 NtQuerySystemTime(>) 2 NtSetInformationThread(>) 9 NtContinue(>) 100
NtGdiQueryFontAssocInfo(>) 1 NtUserGetObjectInformation(>) 2 NtUserFindExistingCursorIcon(>) 9 NtQuerySystemInformation(>) 119
NtGdiSelectBitmap(>) 1 NtFreeVirtualMemory(>) 3 NtOpenThreadToken(>) 10 NtCreateEvent(>) 131
NtOpenKeyedEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryVirtualMemory(>) 10 NtResumeThread(>) 134
NtOpenSymbolicLinkObject(>) 1 NtQueryDebugFilterState(>) 3 NtSetInformationFile(>) 10 NtOpenKey(>) 140
NtQueryInstallUILanguage(>) 1 NtQueryDefaultLocale(>) 3 NtUnmapViewOfSection(>) 11 NtQueryInformationThread(>) 140
NtQueryObject(>) 1 NtQueryVolumeInformationFile(>) 3 NtCreateFile(>) 12 NtCreateThread(>) 154
NtQueryPerformanceCounter(>) 1 NtSecureConnectPort(>) 3 NtQuerySection(>) 14 NtTestAlert(>) 184
NtQuerySymbolicLinkObject(>) 1 NtSetInformationObject(>) 3 NtUserRegisterClassExWOW(>) 14 NtRequestWaitReplyPort(>) 185
NtRaiseException(>) 1 NtCreateIoCompletion(>) 4 NtSetValueKey(>) 17 NtRegisterThreadTerminatePort(>) 188
NtSetInformationProcess(>) 1 NtOpenProcessTokenEx(>) 4 NtReadFile(>) 21 NtDuplicateObject(>) 214
NtUserCallNoParam(>) 1 NtOpenThreadTokenEx(>) 4 NtOpenSection(>) 22 NtClose(>) 243
NtUserGetProcessWindowStation(>) 1 NtCreateMutant(>) 5 NtWriteFile(>) 22 NtProtectVirtualMemory(>) 247
NtUserGetThreadDesktop(>) 1 NtGdiGetStockObject(>) 5 NtCreateKey(>) 23 NtQueryValueKey(>) 262
NtCallbackReturn(>) 2 NtQueryDirectoryFile(>) 6 NtCreateSection(>) 23 NtAllocateVirtualMemory(>) 402
NtGdiCreateSolidBrush(>) 2 NtFsControlFile(>) 7 NtOpenFile(>) 26 NtSetEventBoostPriority(>) 668
NtNotifyChangeKey(>) 2 NtQueryInformationFile(>) 7 NtDeviceIoControlFile(>) 35 NtWaitForSingleObject(>) 946
NtOpenDirectoryObject(>) 2 NtQueryInformationToken(>) 7 NtMapViewOfSection(>) 37
NtOpenProcessToken(>) 2 NtQueryInformationProcess(>) 8

Trace (one entry per system call: sequence number, caller id, call name with arguments, and the returned status after `==`):

00001 760 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 760 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 760 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 760 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 760 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 760 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 760 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 760 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 760 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 760 NtClose (12, ... ) == 0x0 00015 760 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 760 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 760 NtClose (16, ... ) == 0x0 00021 760 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 760 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 760 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 760 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 760 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 760 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 760 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 760 NtClose (16, ... ) == 0x0 00030 760 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 760 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 760 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 760 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1764, 760, 57928, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57928, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1764, 760, 57928, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 760 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 760 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 760 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 760 NtClose (16, ... ) == 0x0 00041 760 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 760 NtClose (16, ... ) == 0x0 00044 760 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 760 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 760 NtClose (16, ... ) == 0x0 00048 760 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 760 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 760 NtClose (16, ... ) == 0x0 00052 760 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 760 NtClose (16, ... ) == 0x0 00055 760 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 760 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 760 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 760 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 760 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1764, 760, 57929, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 1764, 760, 57929, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1764, 760, 57929, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57930, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57930, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57930, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 760 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00062 760 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... 
(0x409000), 69632, 4, ) == 0x0 00063 760 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00064 760 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 760 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00066 760 NtReadFile (16, 0, 0, 0, 4, {64602, 0}, 0, ... {status=0x0, info=4}, (16, 0, 0, 0, 4, {64602, 0}, 0, ... {status=0x0, info=4}, "\343g\21]", ) , ) == 0x0 00067 760 NtClose (16, ... ) == 0x0 00068 760 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00069 760 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00070 760 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00071 760 NtClose (16, ... ) == 0x0 00072 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00073 760 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00074 760 NtClose (16, ... ) == 0x0 00075 760 NtTestAlert (... ) == 0x0 00076 760 NtContinue (1244464, 1, ... 00077 760 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0 00078 760 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 760 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 760 NtClose (16, ... ) == 0x0 00081 760 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00084 760 NtClose (16, ... ) == 0x0 00085 760 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00086 760 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00087 760 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00088 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0 00089 760 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00090 760 NtClose (16, ... ) == 0x0 00091 760 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00092 760 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00093 760 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00094 760 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00095 760 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00096 760 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00097 760 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00098 760 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00099 760 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00100 760 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00101 760 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00102 760 NtFlushInstructionCache (-1, 2010976256, 1700, ... 
) == 0x0 00103 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 760 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00105 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00107 760 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00108 760 NtQueryValueKey (16, (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00109 760 NtClose (16, ... ) == 0x0 00110 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0 00111 760 NtQueryValueKey (16, (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 760 NtClose (16, ... ) == 0x0 00113 760 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0 00114 760 NtSetInformationObject (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... 
) == 0x0 00115 760 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 760 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00119 760 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 28, ) == 0x0 00120 760 NtQueryInformationToken (28, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00121 760 NtClose (28, ... ) == 0x0 00122 760 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 28, ) }, ... 28, ) == 0x0 00123 760 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00124 760 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 32, ) }, ... 32, ) == 0x0 00125 760 NtQueryValueKey (32, (32, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 760 NtClose (32, ... ) == 0x0 00127 760 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00128 760 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00129 760 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234112, (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 
32, {status=0x0, info=1}, ) == 0x0 00130 760 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00131 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1233816, ... ) }, 1233816, ... ) == 0x0 00132 760 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\250C\24\0y\221\0\0\2\0\0\0" ... {20, 48, reply, 0, 1764, 760, 57931, 0} "\0\0\0\0\2\0\1\0\2\0\0\0y\221\0\0\2\0\0\0" ) ... {20, 48, reply, 0, 1764, 760, 57931, 0} (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\250C\24\0y\221\0\0\2\0\0\0" ... {20, 48, reply, 0, 1764, 760, 57931, 0} "\0\0\0\0\2\0\1\0\2\0\0\0y\221\0\0\2\0\0\0" ) ) == 0x0 00133 760 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1233824, (0x80100080, {24, 0, 0x40, 0, 1233824, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ... 00134 760 NtQueryDirectoryFile (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0 00135 760 NtClose (-2147482740, ... ) == 0x0 00136 760 NtQueryDirectoryFile (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00137 760 NtClose (-2147482740, ... ) == 0x0 00138 760 NtQueryDirectoryFile (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00139 760 NtClose (-2147482740, ... ) == 0x0 00133 760 NtCreateFile ... 36, {status=0x0, info=2}, ) == 0x0 00140 760 NtClose (36, ... 
) == 0x0 00141 760 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234112, (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ... 00142 760 NtClose (-2147482740, ... ) == 0x0 00143 760 NtQueryDirectoryFile (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0 00144 760 NtClose (-2147482740, ... ) == 0x0 00145 760 NtQueryDirectoryFile (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00146 760 NtClose (-2147482740, ... ) == 0x0 00147 760 NtQueryDirectoryFile (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00148 760 NtClose (-2147482740, ... ) == 0x0 00141 760 NtCreateFile ... 36, {status=0x0, info=3}, ) == 0x0 00149 760 NtSetInformationFile (32, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00150 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (32, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\356\233P\0\241\301\0\0\247\301\17\0\>\0\0\33\301\0\0\243\301\0\0\343\301\32\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\303\0\0\31\321\0\16\274u\11\315\202y\1Ln\340\220\220\367\251is\203\261ro\304\263am\203\254us\327\341be\203\263un\203\264nd\306\263 W\312\25732\256\313$7\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0\243\301\0\0", ) , ) == 0x0 00151 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under 
Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... , 10240, 0x0, 0, ... 00152 760 NtContinue (-136421932, 0, ... 00151 760 NtWriteFile ... {status=0x0, info=10240}, ) == 0x0 00153 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (32, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\366\3116\34\314\375ME\314\263y,\3\254a\10\223\302\201\7k\11f\331\301\1A\304k\202\310<\241\215r\334K0jD\311\241Q\271\247\332|\377\205\3X}&n\16D\370i\310\270+\220\177\300\305JP\1\363Wkg\302\303@\315\337\376\1\2\35\205-\32 \3\5RV\364Q\21)\303e\203q\252K\335\251C,Kc\322\305\240\370\350\353\375\226\334\200\244F\200\302t\312wC\217\320"\301\262\301\12^\376\275\168\356P\3311\376\332\26\313Q\330\225\30sP\12\17\326\213Q\354\311d\2033\305\10#o\23,\210\223\7{\22\342\317\341\311[\207(IG\367\33\37\247\16\360fs=\2643\245\2\341\15\222C\3704}\255B\266\363\245\360X\235\367\322 g\363GWkE\310\257\357\357qPJ\205\0(\242\35\200\24 \373*\12\323\304\5\34\310j\326\12K\221\322<\205\261\256\10\365\265u\310\346G\25\212~\14\354\10e\301g) \370\370\251X\345\312\232\341\2029R\271\201W\3443\3671\15(\2004\324\12h\315\\352\324\5-o\345\230\365\343\314R\314\363R\200\221\16S\356\334:\20$\370\6\274UucJ]\304h\230\226\357/\2\250\306\17q\264F\363\317\341\224\233\11S\1=i7\225\205\25(\217\20r\305\223U\373'\250\2\301\276m\314\371\203x\373\2540\213\27JJX\216\345\7\220\334\11 ^\272"+\227\267>\377\12\217\271<\231\202\331d\360wPx]\236\357\243\261w\244\347\354\242\32\14p\251\37\363P\304\242\310\266\275\203#\350\332)\135\312w\344&G\231\17\11~\340\2\241\241@\31\211\250\211\341\231;2\207\232\347\324w\222\243\17'\320\262\1O\336\261\22\307\211\310\324\244\5Z\274\306h\347$\250\312\33a%\15\206[\171\335\17", ) \301\262\301\12^\376\275\168\356P\3311\376\332\26\313Q\330\225\30sP\12\17\326\213Q\354\311d\2033\305\10#o\23,\210\223\7{\22\342\317\341\311[\207(IG\367\33\37\247\16\360fs=\2643\245\2\341\15\222C\3704}\255B\266\363\245\360X\235\367\322 g\363GWkE\310\257\357\357qPJ\205\0(\242\35\200\24 \373*\12\323\304\5\34\310j\326\12K\221\322<\205\261\256\10\365\265u\310\346G\25\212~\14\354\10e\301g) 
\370\370\251X\345\312\232\341\2029R\271\201W\3443\3671\15(\2004\324\12h\315\\352\324\5-o\345\230\365\343\314R\314\363R\200\221\16S\356\334:\20$\370\6\274UucJ]\304h\230\226\357/\2\250\306\17q\264F\363\317\341\224\233\11S\1=i7\225\205\25(\217\20r\305\223U\373'\250\2\301\276m\314\371\203x\373\2540\213\27JJX\216\345\7\220\334\11 ^\272 (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\3116\34\314\375ME\314\263y,\3\254a\10\223\302\201\7k\11f\331\301\1A\304k\202\310<\241\215r\334K0jD\311\241Q\271\247\332|\377\205\3X}&n\16D\370i\310\270+\220\177\300\305JP\1\363Wkg\302\303@\315\337\376\1\2\35\205-\32 \3\5RV\364Q\21)\303e\203q\252K\335\251C,Kc\322\305\240\370\350\353\375\226\334\200\244F\200\302t\312wC\217\320"\301\262\301\12^\376\275\168\356P\3311\376\332\26\313Q\330\225\30sP\12\17\326\213Q\354\311d\2033\305\10#o\23,\210\223\7{\22\342\317\341\311[\207(IG\367\33\37\247\16\360fs=\2643\245\2\341\15\222C\3704}\255B\266\363\245\360X\235\367\322 g\363GWkE\310\257\357\357qPJ\205\0(\242\35\200\24 \373*\12\323\304\5\34\310j\326\12K\221\322<\205\261\256\10\365\265u\310\346G\25\212~\14\354\10e\301g) \370\370\251X\345\312\232\341\2029R\271\201W\3443\3671\15(\2004\324\12h\315\\352\324\5-o\345\230\365\343\314R\314\363R\200\221\16S\356\334:\20$\370\6\274UucJ]\304h\230\226\357/\2\250\306\17q\264F\363\317\341\224\233\11S\1=i7\225\205\25(\217\20r\305\223U\373'\250\2\301\276m\314\371\203x\373\2540\213\27JJX\216\345\7\220\334\11 ^\272"+\227\267>\377\12\217\271<\231\202\331d\360wPx]\236\357\243\261w\244\347\354\242\32\14p\251\37\363P\304\242\310\266\275\203#\350\332)\135\312w\344&G\231\17\11~\340\2\241\241@\31\211\250\211\341\231;2\207\232\347\324w\222\243\17'\320\262\1O\336\261\22\307\211\310\324\244\5Z\274\306h\347$\250\312\33a%\15\206[\171\335\17", ) , ) == 0x0 00154 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, 
"U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00155 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (32, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "t\3\13X\33\323\25w\222\313\14Hp\214\303\30\351WL\340\366d\262H\243j\222\345\23D\267}\273\205@\221FQeZ\307\235XY\255\232\232\0\361\212cT\363\2459d\270\243\246\307\241\221\3453\244j!\317\251Q\226\340Wr\14\327\261,\35j\241\313z\337\364x@\211@\230C\263\275\32\301\334D\224\2358\241g\20\15\261\273\363\232jV%\261I\149\210E\20\274\244J\20699\200\214\14+\256@\323\6*\276\213KG\10\231\21t9U\207\2733\11\210\325\256;\35W\4Z\255E]\24\305F4P\207\37\306\25\203\24\270\15-\24\5\257\217\5>\247VJV\223\267\242\310IG=\366\246\312\200K\343\231\303\131FU?\250\261\303k\14\354\353\221\37%\310\257\227\11\1\367\242\357\370\27G\207al\320Fn\31GBST\321\264e\1\215\302\210\4\31441\322)\221\26D\263\3037\304&\277\213w\230\360\311\212\353\202D\10_>B\267\374\301\10\215\326\316\213|\253\3061\300)\317;J_\264\267~\2\232\216\\2513\34\16U\2\337\237\352\264\342o\370j\361\371\264\201$\16\242\370\370~~dg\5\216\5;\200\233\346\17M\247\232\373\302\321%\205\257\314v\277\202\327n\211\321\252\240\13\212\344K*\201S\223\356\356B>\337\177xKXc7K^\12&\232So\317\275\36\13\265\331\217\36\256\370\364\355\256?X\32#&\3379h=\267\0\354\320\30\33\326-\355\355\225\303\261 4*\310?#$\337:\25\1\355\355\271*\342\35)\255\32\221\317\331B\3051>\302\11[&KuSN\243:(\376\263\4#\376\5\266\376b\7\203r\216\1\267\2543\377\255\11vJ\20\331\306\376\261\321\312w\15\254~\311\3\351\35\252\5\237\6\377\321-\33\377BFO9\1", ) , ) == 0x0 00156 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, 
"\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00157 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (32, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "5*\375\265#\26\254f\360H\205\6\265A\212\265\324\7\205\227\334\317w\21\305~\264\22\366\315e\211\252aY\6\20\6a\35\223}\34\210\27\272\237\240)L\225>\251\301\264\274\304\357G\263\322\353\3000\272\230\2334\242\6\2\316'c_\271*V4t\253\233\4\310>E\226\244\210\37\361t\300\232S\364\366\223$\361\366\311R"\344A\3065+ME\13\353C\253\200\15K\14&\212A1\254\236%\353\12\276\312w\266UG\375\13\354KU\373\264\220Ev\226\247\301i\223@\3441d\235v\214\206\271,\2\251\201\202\32'\312\370B\4\327\200{\226w\20\31m_p\353\244\345\324\350\220A\226t \203'!\313\230@{0\303\215\5\267'\303\377\216\354\354N\305`\227\360\305f \364\266G\240\266w\313\364\364s\13\20\240\201\221\260\326\216\30\7C_\214o\0\230\221"\16\242\335A\340\303Vb\364\340K\22\20W\233\246\266\245\310o\21[1\254\0\273!\4U\215\310)*\252\305\247\26\253\221l\253\375\23\4hI'\247\341\307*HKY\3639z\217\265jV\307\360\354M\252R\321p\201\370\234a\3034\0\360\266~\350\334\261k\330\17\321\37\322[\224]8", ) \344A\3065+ME\13\353C\253\200\15K\14&\212A1\254\236%\353\12\276\312w\266UG\375\13\354KU\373\264\220Ev\226\247\301i\223@\3441d\235v\214\206\271,\2\251\201\202\32'\312\370B\4\327\200{\226w\20\31m_p\353\244\345\324\350\220A\226t \203'!\313\230@{0\303\215\5\267'\303\377\216\354\354N\305`\227\360\305f \364\266G\240\266w\313\364\364s\13\20\240\201\221\260\326\216\30\7C_\214o\0\230\221217\340#\207\263\266<8\270\263\310\310\237\371<8\212\340&\205\4&O\210\244\32;w\370\317\224\341\242\315\240\346b\\0\233\253\273\6\243\270\303.,f\6V\272\11\360\26zU\3\20\360\362L\222` \327\24\310G\235\222\246\3rOXS*\34\30\377a\253akr\20\35\220\10T\174K\33\0$-\30\1a\261\331\22\1\317\303^\234\300\362\204\370F+\271\366?\364\15\267\4\322\3367E\376\324\227\330\353\211\320,\332\241\207\374\26}\2743:\237\274\13`7\330J\33\255[hO2\205]\25\253\345 (32, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "5*\375\265#\26\254f\360H\205\6\265A\212\265\324\7\205\227\334\317w\21\305~\264\22\366\315e\211\252aY\6\20\6a\35\223}\34\210\27\272\237\240)L\225>\251\301\264\274\304\357G\263\322\353\3000\272\230\2334\242\6\2\316'c_\271*V4t\253\233\4\310>E\226\244\210\37\361t\300\232S\364\366\223$\361\366\311R"\344A\3065+ME\13\353C\253\200\15K\14&\212A1\254\236%\353\12\276\312w\266UG\375\13\354KU\373\264\220Ev\226\247\301i\223@\3441d\235v\214\206\271,\2\251\201\202\32'\312\370B\4\327\200{\226w\20\31m_p\353\244\345\324\350\220A\226t \203'!\313\230@{0\303\215\5\267'\303\377\216\354\354N\305`\227\360\305f \364\266G\240\266w\313\364\364s\13\20\240\201\221\260\326\216\30\7C_\214o\0\230\221"\16\242\335A\340\303Vb\364\340K\22\20W\233\246\266\245\310o\21[1\254\0\273!\4U\215\310)*\252\305\247\26\253\221l\253\375\23\4hI'\247\341\307*HKY\3639z\217\265jV\307\360\354M\252R\321p\201\370\234a\3034\0\360\266~\350\334\261k\330\17\321\37\322[\224]8", ) , ) == 0x0 00158 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (36, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00159 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=6276}, (32, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=6276}, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", ) , ) == 0x0 00160 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 
\10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00161 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00162 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00163 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00164 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00165 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00166 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00167 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00168 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00169 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00170 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00171 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00172 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00173 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00174 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00175 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00176 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00177 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00178 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00179 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00180 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00181 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00182 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00183 760 NtReadFile (32, 0, 0, 0, 10240, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00184 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00185 760 NtReadFile (32, 0, 0, 0, 2048, 0x0, 0, ... 
) == STATUS_END_OF_FILE 00186 760 NtWriteFile (36, 0, 0, 0, (36, 0, 0, 0, "\274\256\302#\202\321\300\11\33\355\322\345\307\316\251y\305\3\201\307\343\243\33\341\275\343\202|\242\311\202.\373\327\25&\200j\350{\342s\303\270\255\315\270%\342}\321\273*\231&wuLp\30\264y\261\263d\313\211\34j\323}\314\345{\13 \253\227\233\3015i\332\233\316\314\346{/\301\356Yy\253\34\334\177\351\7\361\326\24\255\210\241\305\307]\243\177!\264E)\21x\231\247\37a\23\11`\315W\334\374\252\366S*\262\11\301U\315\335V8\322\226\267%_\327\336W\307\255\312\2C\206\351\2328H\300\357\305\1\342n\5\23\10vYO\254\15P\215\234\354\271\324\215x\353\236p\272\370\263\265\11F\177\331n\303\253g'\25\177\337\10D\334Y\355\242\300\341\265\347c\201\271\14\220\200\325\222\337\300\276v+\340\2070\27\17p\302\272\10Iq\364\222;\370\20\236\24\237\326\210\244;\346Au>\307\254\330C\367\2674J\367\2\210=\243\313\352\4\23\373 m\231\250\273\303\305\10h*\225\330\325\241SN(\30\226q\253\366\221\31d$=\250\15X\224\3'h/\362\333\265\270A\3540\224\10\364\246\272\312\2105\11f6\31\225\357q\265\253\327\20\214I\326\211\342\217\14\335q\313i\260$\347tI\4\243\324\210\367\251\237P\345\233Zl\362\261\261E\344\363y\31F9M\13\254&\241\211\24uA\204\35\311\2054=\245\241#FxL\246H\15~\214\2\345\177\353 \313\243\227\213/\300\1X\33C\245I\257\230\347\362\261!c\2qQ\344i\257\257\340\14Q\304\5\333\242\333\340\262\254F\235\330\251I;t\221?\276j\251X\340\340\361m;\205\36\266\246\21\37\340\260\177\23\10\226\30\257WS|\365cA\357#pHi\260\333\27\217\364\23[\370\312\374\26\311\221\31\222\215\265\15)\343\250\213H\7", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) , 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0 00187 760 NtClose (36, ... ) == 0x0 00188 760 NtClose (32, ... ) == 0x0 00189 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 1242360, ... ) }, 1242360, ... 
) == 0x0 00190 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00191 760 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 32, ... 36, ) == 0x0 00192 760 NtClose (32, ... ) == 0x0 00193 760 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 176128, ) == 0x0 00194 760 NtClose (36, ... ) == 0x0 00195 760 NtUnmapViewOfSection (-1, 0x320000, ... ) == 0x0 00196 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0 00197 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0 00198 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\uas2.tmp"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00199 760 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 32, ) == 0x0 00200 760 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00201 760 NtOpenProcessToken (-1, 0x8, ... 40, ) == 0x0 00202 760 NtQueryInformationToken (40, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00203 760 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00204 760 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 44, ) }, ... 44, ) == 0x0 00205 760 NtQueryValueKey (44, (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... 
TitleIdx=0, Type=4, Data= (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00206 760 NtClose (44, ... ) == 0x0 00207 760 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00208 760 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 44, ) == 0x0 00209 760 NtQueryInformationToken (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00210 760 NtClose (44, ... ) == 0x0 00211 760 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00212 760 NtClose (40, ... ) == 0x0 00213 760 NtClose (36, ... ) == 0x0 00214 760 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x320000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE 00215 760 NtQueryVirtualMemory (-1, 0x7c91c5c0, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00216 760 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00217 760 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00218 760 NtContinue (1241096, 0, ... 00219 760 NtUnmapViewOfSection (-1, 0x320000, ... ) == 0x0 00220 760 NtClose (32, ... ) == 0x0 00221 760 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00222 760 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00223 760 NtContinue (1244400, 0, ... 00224 760 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00225 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00226 760 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00227 760 NtClose (32, ... 
) == 0x0 00228 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00229 760 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00230 760 NtClose (32, ... ) == 0x0 00231 760 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00232 760 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00233 760 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00234 760 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00235 760 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00236 760 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00237 760 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00238 760 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00239 760 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00240 760 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00241 760 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00242 760 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00243 760 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00244 760 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00245 760 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00246 760 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00247 760 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00248 760 NtFlushInstructionCache (-1, 2118193152, 1252, ... 
) == 0x0 00249 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00252 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 1241830, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 1241830, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57938, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57938, 0} (24, {28, 56, new_msg, 0, 2089900645, 1241830, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57938, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00253 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0 00254 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00255 760 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 32, ... 36, ) == 0x0 00256 760 NtClose (32, ... 
) == 0x0 00257 760 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00258 760 NtClose (36, ... ) == 0x0 00259 760 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00260 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00261 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00262 760 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 36, ... 32, ) == 0x0 00263 760 NtClose (36, ... ) == 0x0 00264 760 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00265 760 NtClose (32, ... ) == 0x0 00266 760 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00267 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00268 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00269 760 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 36, ) == 0x0 00270 760 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00271 760 NtClose (32, ... ) == 0x0 00272 760 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00273 760 NtClose (36, ... ) == 0x0 00274 760 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00275 760 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00276 760 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00277 760 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... 
(0x76391000), 4096, 32, ) == 0x0 00278 760 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00279 760 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00280 760 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00281 760 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00282 760 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00283 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00284 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00285 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00286 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00287 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00288 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 36, ) }, ... 36, ) == 0x0 00289 760 NtQueryValueKey (36, (36, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00290 760 NtClose (36, ... ) == 0x0 00291 760 NtMapViewOfSection (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x420000), 0x0, 1060864, ) == 0x0 00292 760 NtClose (-2147482740, ... ) == 0x0 00293 760 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00294 760 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00295 760 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482740, ) == 0x0 00296 760 NtQueryInformationToken (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00297 760 NtQueryInformationToken (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00298 760 NtClose (-2147482740, ... ) == 0x0 00299 760 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0 00300 760 NtFreeVirtualMemory (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0 00301 760 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 44, ) == 0x0 00302 760 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00303 760 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 760 NtClose (-2147482740, ... ) == 0x0 00305 760 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00306 760 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 760 NtClose (-2147482740, ... ) == 0x0 00308 760 NtQueryDefaultLocale (0, -140232372, ... ) == 0x0 00309 760 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00310 760 NtUserCallNoParam (24, ... ) == 0x0 00311 760 NtGdiCreateCompatibleDC (0, ... 00312 760 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0 00311 760 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00313 760 NtGdiGetStockObject (0, ... 
) == 0x1900010 00314 760 NtGdiGetStockObject (4, ... ) == 0x1900011 00315 760 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x76050581 00316 760 NtGdiCreateSolidBrush (0, 0, ... 00317 760 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00316 760 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00318 760 NtGdiGetStockObject (13, ... ) == 0x18a0021 00319 760 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00320 760 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00321 760 NtUserGetThreadDesktop (760, 0, ... ) == 0x28 00322 760 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0 00323 760 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00324 760 NtClose (48, ... ) == 0x0 00325 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00326 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x816ec017 00327 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00328 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x816ec01c 00329 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00330 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x816ec01e 00331 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00332 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x816e8002 00333 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00334 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... 
) == 0x816ec018 00335 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00336 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x816ec01a 00337 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00338 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x816ec01d 00339 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00340 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x816ec026 00341 760 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00342 760 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x816ec019 00343 760 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x816ec020 00344 760 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x816ec022 00345 760 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x816ec023 00346 760 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x816ec024 00347 760 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x816ec025 00348 760 NtCallbackReturn (0, 0, 0, ... 00349 760 NtGdiInit (... ) == 0x1 00350 760 NtGdiGetStockObject (18, ... ) == 0x290001c 00351 760 NtGdiGetStockObject (19, ... ) == 0x1b00019 00352 760 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0 00353 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00354 760 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00355 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00356 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00357 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00358 760 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 52, ) == 0x0 00359 760 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00360 760 NtClose (48, ... ) == 0x0 00361 760 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00362 760 NtClose (52, ... ) == 0x0 00363 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0 00364 760 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00365 760 NtClose (52, ... ) == 0x0 00366 760 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00367 760 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00368 760 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00369 760 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00370 760 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00371 760 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00372 760 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00373 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00374 760 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... 
) == 0x0 00375 760 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00376 760 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 48, ) == 0x0 00377 760 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00378 760 NtClose (52, ... ) == 0x0 00379 760 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00380 760 NtClose (48, ... ) == 0x0 00381 760 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00382 760 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00383 760 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00384 760 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00385 760 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00386 760 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00387 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00388 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00389 760 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00390 760 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00391 760 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 
8785920, 8192, ) == 0x0 00392 760 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00393 760 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 48, ) }, ... 48, ) == 0x0 00394 760 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00395 760 NtClose (48, ... ) == 0x0 00396 760 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00397 760 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00398 760 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00399 760 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00400 760 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00401 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00402 760 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00404 760 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00405 760 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0 00406 760 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00407 760 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00408 760 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00409 760 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00410 760 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00411 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0 00412 760 NtAllocateVirtualMemory (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0 00413 760 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0 00414 760 NtCreateMutant (0x1f0001, {24, 48, 0x80, 0, 0, (0x1f0001, {24, 48, 0x80, 0, 0, "Jobaka3"}, 0, ... 52, ) }, 0, ... 52, ) == 0x0 00415 760 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 56, ) }, ... 56, ) == 0x0 00416 760 NtQueryValueKey (56, (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00417 760 NtQueryValueKey (56, (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00418 760 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0 00419 760 NtOpenKey (0x2000000, {24, 56, 0x40, 0, 0, (0x2000000, {24, 56, 0x40, 0, 0, "Protocol_Catalog9"}, ... 64, ) }, ... 64, ) == 0x0 00420 760 NtQueryValueKey (64, (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00421 760 NtNotifyChangeKey (64, 60, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00422 760 NtQueryValueKey (64, (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00423 760 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00424 760 NtQueryValueKey (64, (64, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00425 760 NtQueryValueKey (64, (64, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00426 760 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Catalog_Entries"}, ... 68, ) }, ... 68, ) == 0x0 00427 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000001"}, ... 72, ) }, ... 72, ) == 0x0 00428 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00429 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00430 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\257\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\257\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\260\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , 
Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\257\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\257\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\260\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\257\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\257\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\260\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00431 760 NtClose (72, ... ) == 0x0 00432 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000002"}, ... 72, ) }, ... 72, ) == 0x0 00433 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00434 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00435 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\264\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\264\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\265\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\264\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\264\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\265\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\264\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\264\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\265\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00436 760 NtClose (72, ... ) == 0x0 00437 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000003"}, ... 72, ) }, ... 72, ) == 0x0 00438 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00439 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00440 760 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00441 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\272\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\272\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\273\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\272\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\272\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\273\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\272\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\272\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\273\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00442 760 NtClose (72, ... ) == 0x0 00443 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000004"}, ... 72, ) }, ... 72, ) == 0x0 00444 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00445 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00446 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\277\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\277\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\300\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\277\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\277\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\300\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\277\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\277\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\300\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00447 760 NtClose (72, ... ) == 0x0 00448 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000005"}, ... 72, ) }, ... 72, ) == 0x0 00449 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00450 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00451 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\304\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\304\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\305\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\304\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\304\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\305\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\304\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\304\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\305\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00452 760 NtClose (72, ... ) == 0x0 00453 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000006"}, ... 72, ) }, ... 72, ) == 0x0 00454 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00455 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00456 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\311\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\312\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\311\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\312\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 
\0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\311\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\312\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00457 760 NtClose (72, ... ) == 0x0 00458 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000007"}, ... 72, ) }, ... 72, ) == 0x0 00459 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00460 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00461 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\316\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\316\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\317\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\316\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\316\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\317\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\316\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\316\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\317\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00462 760 NtClose (72, ... ) == 0x0 00463 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000008"}, ... 72, ) }, ... 
72, ) == 0x0 00464 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00465 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00466 760 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00467 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\324\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\324\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\325\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\324\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\324\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\325\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\324\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\324\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\325\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00468 760 NtClose (72, ... ) == 0x0 00469 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000009"}, ... 72, ) }, ... 
72, ) == 0x0 00470 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00471 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00472 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\331\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\331\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\332\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\331\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\331\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\332\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\331\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\331\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\332\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00473 760 NtClose (72, ... ) == 0x0 00474 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000010"}, ... 72, ) }, ... 
72, ) == 0x0 00475 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00476 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00477 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\336\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\336\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\337\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\336\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\336\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\337\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\336\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\336\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\337\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00478 760 NtClose (72, ... ) == 0x0 00479 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000011"}, ... 72, ) }, ... 
72, ) == 0x0 00480 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00481 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00482 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\343\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\343\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\344\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\343\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\343\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\344\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\343\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\343\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\344\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00483 760 NtClose (72, ... ) == 0x0 00484 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000012"}, ... 72, ) }, ... 
72, ) == 0x0 00485 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00486 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00487 760 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00488 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\351\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\351\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\352\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\351\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\351\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\352\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\351\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\351\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\352\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00489 760 NtClose (72, ... ) == 0x0 00490 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000013"}, ... 72, ) }, ... 
72, ) == 0x0 00491 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00492 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00493 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\356\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\356\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\357\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\356\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\356\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\357\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\356\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\356\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\357\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00494 760 NtClose (72, ... ) == 0x0 00495 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000014"}, ... 72, ) }, ... 
72, ) == 0x0 00496 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00497 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00498 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\363\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\363\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\364\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\363\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\363\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\364\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\363\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\363\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\364\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00499 760 NtClose (72, ... ) == 0x0 00500 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000015"}, ... 72, ) }, ... 
72, ) == 0x0 00501 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00502 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00503 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\370\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\370\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\371\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\370\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\370\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\371\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\370\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\370\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\371\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00504 760 NtClose (72, ... ) == 0x0 00505 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000016"}, ... 72, ) }, ... 
72, ) == 0x0 00506 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00507 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00508 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\375\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\375\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\376\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\375\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\375\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\376\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\375\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\375\1\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\376\1\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\1\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00509 760 NtClose (72, ... ) == 0x0 00510 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000017"}, ... 72, ) }, ... 
72, ) == 0x0 00511 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00512 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00513 760 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00514 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\3\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\3\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\4\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\3\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\3\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\4\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\3\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\3\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\4\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00515 760 NtClose (72, ... ) == 0x0 00516 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000018"}, ... 72, ) }, ... 72, ) == 0x0 00517 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00518 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00519 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\10\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\10\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\11\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\10\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\10\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\11\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\10\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\10\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\11\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00520 760 NtClose (72, ... ) == 0x0 00521 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000019"}, ... 72, ) }, ... 72, ) == 0x0 00522 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00523 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00524 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\15\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\15\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\16\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\15\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\15\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\16\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\15\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\15\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\16\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00525 760 NtClose (72, ... ) == 0x0 00526 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000020"}, ... 72, ) }, ... 
72, ) == 0x0 00527 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00528 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00529 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\22\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\22\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\23\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\22\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\22\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\23\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\22\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\22\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\23\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00530 760 NtClose (72, ... ) == 0x0 00531 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000021"}, ... 72, ) }, ... 
72, ) == 0x0 00532 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00533 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00534 760 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00535 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\30\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\30\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\31\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\30\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\30\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\31\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\30\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\30\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\200O\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\31\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\2\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00536 760 NtClose (72, ... ) == 0x0 00537 760 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "000000000022"}, ... 72, ) }, ... 
72, ) == 0x0 00538 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00539 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00540 760 NtQueryValueKey (72, (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\35\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\35\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\36\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\2\0\0\344\6\0\0\370\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\2\0\0\344\6\0\0\370\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0 \2\0\0\344\6\0\0\370\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0 
\2\0\0\344\6\0\0\370\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0!\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PO\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\35\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\35\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\36\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\2\0\0\344\6\0\0\370\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\2\0\0\344\6\0\0\370\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0 \2\0\0\344\6\0\0\370\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0 
\2\0\0\344\6\0\0\370\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0!\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PO\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\35\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0\35\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\36\2\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\2\0\0\344\6\0\0\370\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\2\0\0\344\6\0\0\370\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0 \2\0\0\344\6\0\0\370\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\0\344\6\0\0\370\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0!\2\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PO\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00541 760 NtClose (72, ... ) == 0x0 00542 760 NtClose (68, ... ) == 0x0 00543 760 NtWaitForSingleObject (60, 0, {0, 0}, ... ) == 0x102 00544 760 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00545 760 NtOpenKey (0x2000000, {24, 56, 0x40, 0, 0, (0x2000000, {24, 56, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 72, ) }, ... 72, ) == 0x0 00546 760 NtQueryValueKey (72, (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00547 760 NtNotifyChangeKey (72, 68, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00548 760 NtQueryValueKey (72, (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00549 760 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 760 NtQueryValueKey (72, (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00551 760 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0 00552 760 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0 00553 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00554 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00555 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00556 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00557 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00558 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00559 760 NtQueryValueKey (80, (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00560 760 NtQueryValueKey (80, (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00561 760 NtQueryValueKey (80, (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00562 760 NtQueryValueKey (80, (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00563 760 NtQueryValueKey (80, (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00564 760 NtQueryValueKey (80, (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00565 760 NtClose (80, ... ) == 0x0 00566 760 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 80, ) == 0x0 00567 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00568 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00569 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00570 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00571 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00572 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00573 760 NtQueryValueKey (80, (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00574 760 NtQueryValueKey (80, (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 760 NtQueryValueKey (80, (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00576 760 NtQueryValueKey (80, (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00577 760 NtQueryValueKey (80, (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00578 760 NtQueryValueKey (80, (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00579 760 NtClose (80, ... ) == 0x0 00580 760 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 80, ) == 0x0 00581 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00582 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00583 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00584 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00585 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00586 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00587 760 NtQueryValueKey (80, (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00588 760 NtQueryValueKey (80, (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 760 NtQueryValueKey (80, (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00590 760 NtQueryValueKey (80, (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00591 760 NtQueryValueKey (80, (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00592 760 NtQueryValueKey (80, (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00593 760 NtClose (80, ... ) == 0x0 00594 760 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "000000000004"}, ... 80, ) }, ... 80, ) == 0x0 00595 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00596 760 NtQueryValueKey (80, (80, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00597 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00598 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00599 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00600 760 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00601 760 NtQueryValueKey (80, (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00602 760 NtQueryValueKey (80, (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00603 760 NtQueryValueKey (80, (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00604 760 NtQueryValueKey (80, (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00605 760 NtQueryValueKey (80, (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00606 760 NtQueryValueKey (80, (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00607 760 NtQueryValueKey (80, (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00608 760 NtClose (80, ... ) == 0x0 00609 760 NtClose (76, ... ) == 0x0 00610 760 NtWaitForSingleObject (68, 0, {0, 0}, ... ) == 0x102 00611 760 NtClose (56, ... ) == 0x0 00612 760 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00613 760 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00614 760 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 56, ) }, ... 56, ) == 0x0 00615 760 NtQueryValueKey (56, (56, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00616 760 NtClose (56, ... ) == 0x0 00617 760 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 56, ) == 0x0 00618 760 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00619 760 NtQueryInformationFile (76, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00620 760 NtQueryInformationFile (76, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00621 760 NtQueryInformationFile (76, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00622 760 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00623 760 NtQueryInformationFile (76, 1356544, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00624 760 NtQueryInformationFile (76, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00625 760 NtQueryInformationFile (76, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00626 760 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00627 760 NtClose (-2147482740, ... ) == 0x0 00626 760 NtCreateFile ... 
80, {status=0x0, info=2}, ) == 0x0 00628 760 NtQueryVolumeInformationFile (80, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00629 760 NtQueryInformationFile (80, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00630 760 NtQueryVolumeInformationFile (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00631 760 NtSetInformationFile (80, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00632 760 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 76, ... 84, ) == 0x0 00633 760 NtMapViewOfSection (84, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 65536, ) == 0x0 00634 760 NtClose (84, ... ) == 0x0 00635 760 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\3\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 64606, 0x0, 0, ... 
{status=0x0, info=64606}, ) \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 64606, 0x0, 0, ... {status=0x0, info=64606}, ) == 0x0 00636 760 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00637 760 NtSetInformationFile (80, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00638 760 NtClose (76, ... ) == 0x0 00639 760 NtClose (80, ... ) == 0x0 00640 760 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 80, ) }, ... 80, ) == 0x0 00641 760 NtSetValueKey (80, (80, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (80, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00642 760 NtSetInformationFile (-2147482448, -140232912, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00643 760 NtSetInformationFile (-2147482448, -140233004, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00644 760 NtSetInformationFile (-2147482448, -140233312, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00641 760 NtSetValueKey ... ) == 0x0 00645 760 NtClose (80, ... ) == 0x0 00646 760 NtCreateMutant (0x1f0001, {24, 48, 0x80, 0, 0, (0x1f0001, {24, 48, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 80, ) }, 0, ... 80, ) == 0x0 00647 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0 00648 760 NtAllocateVirtualMemory (-1, 11001856, 0, 8192, 4096, 4, ... 
11001856, 8192, ) == 0x0 00649 760 NtProtectVirtualMemory (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0 00650 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 76, {1764, 1972}, ) == 0x0 00651 760 NtQueryInformationThread (76, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1764,Tid=1972,}, 0x0, ) == 0x0 00652 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\344\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\344\6\0\0\264\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57941, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\344\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\0\0\0\344\6\0\0\264\7\0\0" ) ) == 0x0 00653 760 NtResumeThread (76, ... 1, ) == 0x0 00654 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0 00655 760 NtAllocateVirtualMemory (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0 00656 1972 NtTestAlert (... ) == 0x0 00657 1972 NtContinue (11009328, 1, ... 00658 1972 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00659 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 84, ) == 0x0 00660 1972 NtWaitForSingleObject (60, 0, {0, 0}, ... ) == 0x102 00661 1972 NtAllocateVirtualMemory (-1, 10997760, 0, 4096, 4096, 260, ... 00662 760 NtProtectVirtualMemory (-1, (0xb7e000), 4096, 260, ... (0xb7e000), 4096, 4, ) == 0x0 00663 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 88, {1764, 928}, ) == 0x0 00664 760 NtQueryInformationThread (88, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1764,Tid=928,}, 0x0, ) == 0x0 00665 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57941, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1764, 760, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\6\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57942, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1764, 760, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\6\0\0\240\3\0\0" ) ) == 0x0 00666 760 NtResumeThread (88, ... 1, ) == 0x0 00667 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00661 1972 NtAllocateVirtualMemory ... 10997760, 4096, ) == 0x0 00668 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00669 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... }, 11006452, ... 00668 928 NtCreateEvent ... 92, ) == 0x0 00669 1972 NtQueryAttributesFile ... ) == 0x0 00670 928 NtWaitForSingleObject (92, 0, 0x0, ... 00671 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00672 1972 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 96, ... 100, ) == 0x0 00673 1972 NtClose (96, ... ) == 0x0 00674 1972 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 00667 760 NtAllocateVirtualMemory ... 12058624, 1048576, ) == 0x0 00675 760 NtAllocateVirtualMemory (-1, 13099008, 0, 8192, 4096, 4, ... 13099008, 8192, ) == 0x0 00676 760 NtProtectVirtualMemory (-1, (0xc7e000), 4096, 260, ... (0xc7e000), 4096, 4, ) == 0x0 00677 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1764, 1740}, ) == 0x0 00678 760 NtQueryInformationThread (96, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1764,Tid=1740,}, 0x0, ) == 0x0 00679 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57942, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\6\0\0\314\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\6\0\0\314\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57943, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\6\0\0\314\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\6\0\0\314\6\0\0" ) ) == 0x0 00674 1972 NtMapViewOfSection ... (0xc80000), 0x0, 245760, ) == 0x0 00680 1972 NtClose (100, ... ) == 0x0 00681 1972 NtUnmapViewOfSection (-1, 0xc80000, ... ) == 0x0 00682 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0 00683 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00684 1972 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 00685 760 NtResumeThread (96, ... 1, ) == 0x0 00686 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13107200, 1048576, ) == 0x0 00687 760 NtAllocateVirtualMemory (-1, 14147584, 0, 8192, 4096, 4, ... 14147584, 8192, ) == 0x0 00688 760 NtProtectVirtualMemory (-1, (0xd7e000), 4096, 260, ... (0xd7e000), 4096, 4, ) == 0x0 00689 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1764, 1656}, ) == 0x0 00690 760 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1764,Tid=1656,}, 0x0, ) == 0x0 00684 1972 NtCreateSection ... 108, ) == 0x0 00691 1740 NtWaitForSingleObject (92, 0, 0x0, ... 00692 1972 NtQuerySection (108, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00693 1972 NtClose (100, ... ) == 0x0 00694 1972 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 00695 1972 NtClose (108, ... ) == 0x0 00696 1972 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00697 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57943, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\6\0\0x\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57944, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\6\0\0x\6\0\0" ) ) == 0x0 00698 760 NtResumeThread (104, ... 1, ) == 0x0 00699 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00700 1972 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00701 1656 NtWaitForSingleObject (92, 0, 0x0, ... 00700 1972 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00702 1972 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00703 1972 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00704 1972 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00705 1972 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00706 1972 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 00699 760 NtAllocateVirtualMemory ... 14155776, 1048576, ) == 0x0 00707 760 NtAllocateVirtualMemory (-1, 15196160, 0, 8192, 4096, 4, ... 15196160, 8192, ) == 0x0 00708 760 NtProtectVirtualMemory (-1, (0xe7e000), 4096, 260, ... (0xe7e000), 4096, 4, ) == 0x0 00709 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 108, {1764, 1248}, ) == 0x0 00710 760 NtQueryInformationThread (108, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1764,Tid=1248,}, 0x0, ) == 0x0 00711 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57944, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\344\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1764, 760, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\344\6\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57945, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\344\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1764, 760, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\344\6\0\0\340\4\0\0" ) ) == 0x0 00706 1972 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 00712 1972 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00713 1972 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00714 760 NtResumeThread (108, ... 1, ) == 0x0 00715 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15204352, 1048576, ) == 0x0 00716 760 NtAllocateVirtualMemory (-1, 16244736, 0, 8192, 4096, 4, ... 16244736, 8192, ) == 0x0 00717 1248 NtWaitForSingleObject (92, 0, 0x0, ... 00718 1972 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00719 1972 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00720 1972 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00721 1972 NtSetEventBoostPriority (92, ... 00670 928 NtWaitForSingleObject ... ) == 0x0 00722 928 NtSetEventBoostPriority (92, ... 
00691 1740 NtWaitForSingleObject ... ) == 0x0 00723 1740 NtSetEventBoostPriority (92, ... 00701 1656 NtWaitForSingleObject ... ) == 0x0 00724 1656 NtSetEventBoostPriority (92, ... 00717 1248 NtWaitForSingleObject ... ) == 0x0 00725 1248 NtTestAlert (... ) == 0x0 00724 1656 NtSetEventBoostPriority ... ) == 0x0 00723 1740 NtSetEventBoostPriority ... ) == 0x0 00722 928 NtSetEventBoostPriority ... ) == 0x0 00721 1972 NtSetEventBoostPriority ... ) == 0x0 00726 760 NtProtectVirtualMemory (-1, (0xf7e000), 4096, 260, ... 00727 1248 NtContinue (15203632, 1, ... 00728 1656 NtTestAlert (... 00729 1740 NtTestAlert (... 00730 1972 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00726 760 NtProtectVirtualMemory ... (0xf7e000), 4096, 4, ) == 0x0 00731 1248 NtRegisterThreadTerminatePort (24, ... 00728 1656 NtTestAlert ... ) == 0x0 00729 1740 NtTestAlert ... ) == 0x0 00730 1972 NtCreateEvent ... 100, ) == 0x0 00732 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00731 1248 NtRegisterThreadTerminatePort ... ) == 0x0 00733 1656 NtContinue (14155056, 1, ... 00734 1740 NtContinue (13106480, 1, ... 00735 1972 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 00732 760 NtCreateThread ... 112, {1764, 1036}, ) == 0x0 00736 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00737 1656 NtRegisterThreadTerminatePort (24, ... 00738 1740 NtRegisterThreadTerminatePort (24, ... 00739 928 NtTestAlert (... 00740 760 NtQueryInformationThread (112, Basic, 28, ... 00736 1248 NtDuplicateObject ... 116, ) == 0x0 00737 1656 NtRegisterThreadTerminatePort ... ) == 0x0 00738 1740 NtRegisterThreadTerminatePort ... ) == 0x0 00739 928 NtTestAlert ... ) == 0x0 00740 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1764,Tid=1036,}, 0x0, ) == 0x0 00741 1248 NtWaitForSingleObject (68, 0, {0, 0}, ... 00742 1656 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00743 1740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
00744 928 NtContinue (12057904, 1, ... 00735 1972 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00745 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57945, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\6\0\0\14\4\0\0" ... ... 00741 1248 NtWaitForSingleObject ... ) == 0x102 00742 1656 NtDuplicateObject ... 120, ) == 0x0 00746 928 NtRegisterThreadTerminatePort (24, ... 00747 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00745 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57946, 0} ... {28, 56, reply, 0, 1764, 760, 57946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\6\0\0\14\4\0\0" ) ) == 0x0 00748 1248 NtAllocateVirtualMemory (-1, 15192064, 0, 4096, 4096, 260, ... 00749 1656 NtWaitForSingleObject (68, 0, {0, 0}, ... 00746 928 NtRegisterThreadTerminatePort ... ) == 0x0 00750 760 NtResumeThread (112, ... 00748 1248 NtAllocateVirtualMemory ... 15192064, 4096, ) == 0x0 00749 1656 NtWaitForSingleObject ... ) == 0x102 00751 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00750 760 NtResumeThread ... 1, ) == 0x0 00752 1248 NtWaitForSingleObject (92, 0, 0x0, ... 00753 1656 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00743 1740 NtDuplicateObject ... 124, ) == 0x0 00754 1036 NtWaitForSingleObject (92, 0, 0x0, ... 00755 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00753 1656 NtCreateEvent ... 128, ) == 0x0 00756 1740 NtWaitForSingleObject (68, 0, {0, 0}, ... 00751 928 NtDuplicateObject ... 132, ) == 0x0 00755 760 NtAllocateVirtualMemory ... 16252928, 1048576, ) == 0x0 00756 1740 NtWaitForSingleObject ... ) == 0x102 00757 928 NtWaitForSingleObject (68, 0, {0, 0}, ... 00758 760 NtAllocateVirtualMemory (-1, 17293312, 0, 8192, 4096, 4, ... 00759 1740 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00757 928 NtWaitForSingleObject ... ) == 0x102 00758 760 NtAllocateVirtualMemory ... 
17293312, 8192, ) == 0x0 00759 1740 NtCreateEvent ... 136, ) == 0x0 00760 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00761 760 NtProtectVirtualMemory (-1, (0x107e000), 4096, 260, ... 00762 1656 NtWaitForSingleObject (128, 0, 0x0, ... 00760 928 NtCreateEvent ... 140, ) == 0x0 00761 760 NtProtectVirtualMemory ... (0x107e000), 4096, 4, ) == 0x0 00763 1740 NtClose (136, ... 00764 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00763 1740 NtClose ... ) == 0x0 00765 928 NtClose (140, ... 00747 1972 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00766 1740 NtWaitForSingleObject (128, 0, 0x0, ... 00765 928 NtClose ... ) == 0x0 00764 760 NtCreateThread ... 140, {1764, 464}, ) == 0x0 00767 928 NtWaitForSingleObject (128, 0, 0x0, ... 00768 760 NtQueryInformationThread (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1764,Tid=464,}, 0x0, ) == 0x0 00769 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57946, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\320\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57947, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\320\1\0\0" ) ) == 0x0 00770 760 NtResumeThread (140, ... 1, ) == 0x0 00771 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17301504, 1048576, ) == 0x0 00772 760 NtAllocateVirtualMemory (-1, 18341888, 0, 8192, 4096, 4, ... 18341888, 8192, ) == 0x0 00773 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00774 464 NtWaitForSingleObject (92, 0, 0x0, ... 00773 1972 NtQueryAttributesFile ... 
) == 0x0 00775 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00776 1972 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 144, ) == 0x0 00777 1972 NtQuerySection (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00778 1972 NtClose (136, ... ) == 0x0 00779 1972 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0 00780 760 NtProtectVirtualMemory (-1, (0x117e000), 4096, 260, ... (0x117e000), 4096, 4, ) == 0x0 00781 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1764, 860}, ) == 0x0 00782 760 NtQueryInformationThread (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1764,Tid=860,}, 0x0, ) == 0x0 00783 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57947, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1764, 760, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\6\0\0\\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57948, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1764, 760, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\6\0\0\\3\0\0" ) ) == 0x0 00784 760 NtResumeThread (136, ... 1, ) == 0x0 00785 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00786 1972 NtClose (144, ... 00787 860 NtWaitForSingleObject (92, 0, 0x0, ... 00786 1972 NtClose ... ) == 0x0 00788 1972 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00789 1972 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00790 1972 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00791 1972 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 
(0x662b1000), 4096, 32, ) == 0x0 00792 1972 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00785 760 NtAllocateVirtualMemory ... 18350080, 1048576, ) == 0x0 00793 760 NtAllocateVirtualMemory (-1, 19390464, 0, 8192, 4096, 4, ... 19390464, 8192, ) == 0x0 00794 760 NtProtectVirtualMemory (-1, (0x127e000), 4096, 260, ... (0x127e000), 4096, 4, ) == 0x0 00795 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1764, 484}, ) == 0x0 00796 760 NtQueryInformationThread (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1764,Tid=484,}, 0x0, ) == 0x0 00797 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57948, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\344\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57949, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\344\1\0\0" ) ) == 0x0 00798 1972 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00799 1972 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00800 1972 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00801 1972 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00802 1972 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00803 1972 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00804 760 NtResumeThread (144, ... 1, ) == 0x0 00805 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19398656, 1048576, ) == 0x0 00806 760 NtAllocateVirtualMemory (-1, 20439040, 0, 8192, 4096, 4, ... 
20439040, 8192, ) == 0x0 00807 760 NtProtectVirtualMemory (-1, (0x137e000), 4096, 260, ... (0x137e000), 4096, 4, ) == 0x0 00808 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1764, 748}, ) == 0x0 00809 760 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1764,Tid=748,}, 0x0, ) == 0x0 00810 1972 NtFlushInstructionCache (-1, 1714098176, 932, ... 00811 484 NtWaitForSingleObject (92, 0, 0x0, ... 00810 1972 NtFlushInstructionCache ... ) == 0x0 00812 1972 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00813 1972 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00814 1972 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00815 1972 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00816 1972 NtSetEventBoostPriority (92, ... 00752 1248 NtWaitForSingleObject ... ) == 0x0 00817 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15199184, ... ) }, 15199184, ... ) == 0x0 00818 1248 NtSetEventBoostPriority (92, ... 00754 1036 NtWaitForSingleObject ... ) == 0x0 00819 1036 NtSetEventBoostPriority (92, ... 00774 464 NtWaitForSingleObject ... ) == 0x0 00820 464 NtSetEventBoostPriority (92, ... 00787 860 NtWaitForSingleObject ... ) == 0x0 00821 860 NtSetEventBoostPriority (92, ... 00811 484 NtWaitForSingleObject ... ) == 0x0 00822 484 NtTestAlert (... ) == 0x0 00821 860 NtSetEventBoostPriority ... ) == 0x0 00820 464 NtSetEventBoostPriority ... ) == 0x0 00819 1036 NtSetEventBoostPriority ... ) == 0x0 00818 1248 NtSetEventBoostPriority ... ) == 0x0 00816 1972 NtSetEventBoostPriority ... 
) == 0x0 00823 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57949, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\6\0\0\354\2\0\0" ... ... 00824 484 NtContinue (19397936, 1, ... 00825 860 NtTestAlert (... 00826 464 NtTestAlert (... 00827 1248 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00828 1036 NtTestAlert (... 00823 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57950, 0} ... {28, 56, reply, 0, 1764, 760, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\6\0\0\354\2\0\0" ) ) == 0x0 00829 484 NtRegisterThreadTerminatePort (24, ... 00825 860 NtTestAlert ... ) == 0x0 00826 464 NtTestAlert ... ) == 0x0 00827 1248 NtCreateEvent ... 152, ) == 0x0 00828 1036 NtTestAlert ... ) == 0x0 00830 760 NtResumeThread (148, ... 00829 484 NtRegisterThreadTerminatePort ... ) == 0x0 00831 860 NtContinue (18349360, 1, ... 00832 464 NtContinue (17300784, 1, ... 00833 1248 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00834 1036 NtContinue (16252208, 1, ... 00830 760 NtResumeThread ... 1, ) == 0x0 00835 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00836 860 NtRegisterThreadTerminatePort (24, ... 00837 464 NtRegisterThreadTerminatePort (24, ... 00833 1248 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00838 1036 NtRegisterThreadTerminatePort (24, ... 00839 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00835 484 NtDuplicateObject ... 156, ) == 0x0 00836 860 NtRegisterThreadTerminatePort ... ) == 0x0 00837 464 NtRegisterThreadTerminatePort ... ) == 0x0 00840 1972 NtWaitForSingleObject (92, 0, 0x0, ... 00841 748 NtWaitForSingleObject (92, 0, 0x0, ... 00838 1036 NtRegisterThreadTerminatePort ... ) == 0x0 00842 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15199288, ... }, 15199288, ... 00843 484 NtWaitForSingleObject (68, 0, {0, 0}, ... 00844 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
00845 464 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00846 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00839 760 NtAllocateVirtualMemory ... 20447232, 1048576, ) == 0x0 00843 484 NtWaitForSingleObject ... ) == 0x102 00844 860 NtDuplicateObject ... 160, ) == 0x0 00845 464 NtDuplicateObject ... 164, ) == 0x0 00847 760 NtAllocateVirtualMemory (-1, 21487616, 0, 8192, 4096, 4, ... 00848 484 NtWaitForSingleObject (128, 0, 0x0, ... 00849 860 NtWaitForSingleObject (68, 0, {0, 0}, ... 00850 464 NtWaitForSingleObject (68, 0, {0, 0}, ... 00847 760 NtAllocateVirtualMemory ... 21487616, 8192, ) == 0x0 00849 860 NtWaitForSingleObject ... ) == 0x102 00850 464 NtWaitForSingleObject ... ) == 0x102 00851 760 NtProtectVirtualMemory (-1, (0x147e000), 4096, 260, ... 00852 860 NtWaitForSingleObject (128, 0, 0x0, ... 00853 464 NtWaitForSingleObject (128, 0, 0x0, ... 00851 760 NtProtectVirtualMemory ... (0x147e000), 4096, 4, ) == 0x0 00854 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 168, {1764, 1580}, ) == 0x0 00855 760 NtQueryInformationThread (168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1764,Tid=1580,}, 0x0, ) == 0x0 00856 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57950, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\6\0\0,\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57951, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\6\0\0,\6\0\0" ) ) == 0x0 00846 1036 NtDuplicateObject ... 172, ) == 0x0 00857 1036 NtWaitForSingleObject (68, 0, {0, 0}, ... ) == 0x102 00858 1036 NtWaitForSingleObject (128, 0, 0x0, ... 00859 760 NtResumeThread (168, ... 1, ) == 0x0 00860 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
21495808, 1048576, ) == 0x0 00861 760 NtAllocateVirtualMemory (-1, 22536192, 0, 8192, 4096, 4, ... 22536192, 8192, ) == 0x0 00862 1580 NtWaitForSingleObject (92, 0, 0x0, ... 00863 760 NtProtectVirtualMemory (-1, (0x157e000), 4096, 260, ... (0x157e000), 4096, 4, ) == 0x0 00864 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 176, {1764, 1756}, ) == 0x0 00865 760 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1764,Tid=1756,}, 0x0, ) == 0x0 00842 1248 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00866 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15199288, ... ) }, 15199288, ... ) == 0x0 00867 1248 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 00868 1248 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 00869 1248 NtQuerySection (184, Image, 48, ... 00870 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57951, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\334\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57952, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\334\6\0\0" ) ) == 0x0 00871 760 NtResumeThread (176, ... 1, ) == 0x0 00872 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22544384, 1048576, ) == 0x0 00873 760 NtAllocateVirtualMemory (-1, 23584768, 0, 8192, 4096, 4, ... 23584768, 8192, ) == 0x0 00874 760 NtProtectVirtualMemory (-1, (0x167e000), 4096, 260, ... 
(0x167e000), 4096, 4, ) == 0x0 00875 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00869 1248 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00876 1756 NtWaitForSingleObject (92, 0, 0x0, ... 00877 1248 NtClose (180, ... ) == 0x0 00878 1248 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0 00879 1248 NtClose (184, ... ) == 0x0 00880 1248 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00881 1248 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00882 1248 NtFlushInstructionCache (-1, 1995575296, 616, ... 00875 760 NtCreateThread ... 184, {1764, 1292}, ) == 0x0 00883 760 NtQueryInformationThread (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1764,Tid=1292,}, 0x0, ) == 0x0 00884 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57952, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1764, 760, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\6\0\0\14\5\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57953, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1764, 760, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\6\0\0\14\5\0\0" ) ) == 0x0 00885 760 NtResumeThread (184, ... 1, ) == 0x0 00886 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23592960, 1048576, ) == 0x0 00887 760 NtAllocateVirtualMemory (-1, 24633344, 0, 8192, 4096, 4, ... 24633344, 8192, ) == 0x0 00882 1248 NtFlushInstructionCache ... ) == 0x0 00888 1292 NtWaitForSingleObject (92, 0, 0x0, ... 00889 1248 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00890 1248 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 
(0x76f21000), 4096, 4, ) == 0x0 00891 1248 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00892 1248 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00893 1248 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00894 1248 NtFlushInstructionCache (-1, 1995575296, 616, ... 00895 760 NtProtectVirtualMemory (-1, (0x177e000), 4096, 260, ... (0x177e000), 4096, 4, ) == 0x0 00896 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1764, 1956}, ) == 0x0 00897 760 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1764,Tid=1956,}, 0x0, ) == 0x0 00898 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57953, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\6\0\0\244\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57954, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\6\0\0\244\7\0\0" ) ) == 0x0 00899 760 NtResumeThread (180, ... 1, ) == 0x0 00900 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00894 1248 NtFlushInstructionCache ... ) == 0x0 00901 1956 NtWaitForSingleObject (92, 0, 0x0, ... 00902 1248 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00903 1248 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00904 1248 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00905 1248 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00906 1248 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00907 1248 NtFlushInstructionCache (-1, 1995575296, 616, ... 
00900 760 NtAllocateVirtualMemory ... 24641536, 1048576, ) == 0x0 00908 760 NtAllocateVirtualMemory (-1, 25681920, 0, 8192, 4096, 4, ... 25681920, 8192, ) == 0x0 00909 760 NtProtectVirtualMemory (-1, (0x187e000), 4096, 260, ... (0x187e000), 4096, 4, ) == 0x0 00910 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {1764, 1980}, ) == 0x0 00911 760 NtQueryInformationThread (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1764,Tid=1980,}, 0x0, ) == 0x0 00912 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57954, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\6\0\0\274\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\6\0\0\274\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57955, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\6\0\0\274\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\6\0\0\274\7\0\0" ) ) == 0x0 00907 1248 NtFlushInstructionCache ... ) == 0x0 00913 1248 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00914 1248 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00915 1248 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00916 1248 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 1248 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 192, 2, ) }, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 192, 2, ) , 0, ... 
192, 2, ) == 0x0 00918 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 00919 760 NtResumeThread (188, ... 1, ) == 0x0 00920 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25690112, 1048576, ) == 0x0 00921 760 NtAllocateVirtualMemory (-1, 26730496, 0, 8192, 4096, 4, ... 26730496, 8192, ) == 0x0 00922 760 NtProtectVirtualMemory (-1, (0x197e000), 4096, 260, ... (0x197e000), 4096, 4, ) == 0x0 00923 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {1764, 1784}, ) == 0x0 00924 760 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1764,Tid=1784,}, 0x0, ) == 0x0 00918 1248 NtOpenKey ... 200, ) == 0x0 00925 1980 NtWaitForSingleObject (92, 0, 0x0, ... 00926 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 1248 NtQueryValueKey (200, (200, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 1248 NtQueryValueKey (192, (192, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 1248 NtQueryValueKey (200, (200, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 1248 NtQueryValueKey (192, (192, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00931 1248 NtQueryValueKey (200, (200, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 
00932 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57955, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\6\0\0\370\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57956, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\6\0\0\370\6\0\0" ) ) == 0x0 00933 760 NtResumeThread (196, ... 1, ) == 0x0 00934 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26738688, 1048576, ) == 0x0 00935 760 NtAllocateVirtualMemory (-1, 27779072, 0, 8192, 4096, 4, ... 27779072, 8192, ) == 0x0 00936 760 NtProtectVirtualMemory (-1, (0x1a7e000), 4096, 260, ... (0x1a7e000), 4096, 4, ) == 0x0 00937 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00931 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 1784 NtWaitForSingleObject (92, 0, 0x0, ... 00939 1248 NtQueryValueKey (192, (192, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 1248 NtQueryValueKey (200, (200, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 1248 NtQueryValueKey (192, (192, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 1248 NtQueryValueKey (200, (200, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 1248 NtQueryValueKey (200, (200, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 1248 NtQueryValueKey (200, (200, "ScreenUnreachableServers", Partial, 144, ... , Partial, 144, ... 00937 760 NtCreateThread ... 204, {1764, 1480}, ) == 0x0 00945 760 NtQueryInformationThread (204, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1764,Tid=1480,}, 0x0, ) == 0x0 00946 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57956, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1764, 760, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\6\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57957, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1764, 760, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\6\0\0\310\5\0\0" ) ) == 0x0 00947 760 NtResumeThread (204, ... 1, ) == 0x0 00948 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27787264, 1048576, ) == 0x0 00949 760 NtAllocateVirtualMemory (-1, 28827648, 0, 8192, 4096, 4, ... 28827648, 8192, ) == 0x0 00944 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 1480 NtWaitForSingleObject (92, 0, 0x0, ... 00951 1248 NtQueryValueKey (200, (200, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 1248 NtQueryValueKey (200, (200, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 1248 NtQueryValueKey (200, (200, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 1248 NtQueryValueKey (200, (200, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 1248 NtQueryValueKey (200, (200, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 1248 NtQueryValueKey (200, (200, "RegistrationEnabled", Partial, 144, ... , Partial, 144, ... 00957 760 NtProtectVirtualMemory (-1, (0x1b7e000), 4096, 260, ... (0x1b7e000), 4096, 4, ) == 0x0 00958 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
208, {1764, 1556}, ) == 0x0 00959 760 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1764,Tid=1556,}, 0x0, ) == 0x0 00960 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57957, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\6\0\0\24\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\6\0\0\24\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57958, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\6\0\0\24\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\6\0\0\24\6\0\0" ) ) == 0x0 00961 760 NtResumeThread (208, ... 1, ) == 0x0 00962 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00956 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 1556 NtWaitForSingleObject (92, 0, 0x0, ... 00964 1248 NtQueryValueKey (192, (192, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 1248 NtQueryValueKey (200, (200, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 1248 NtQueryValueKey (200, (200, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 1248 NtQueryValueKey (192, (192, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 1248 NtQueryValueKey (200, (200, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 1248 NtQueryValueKey (192, (192, "DisableReverseAddressRegistrations", Partial, 144, ... , Partial, 144, ... 00962 760 NtAllocateVirtualMemory ... 28835840, 1048576, ) == 0x0 00970 760 NtAllocateVirtualMemory (-1, 29876224, 0, 8192, 4096, 4, ... 29876224, 8192, ) == 0x0 00971 760 NtProtectVirtualMemory (-1, (0x1c7e000), 4096, 260, ... 
(0x1c7e000), 4096, 4, ) == 0x0 00972 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1764, 460}, ) == 0x0 00973 760 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1764,Tid=460,}, 0x0, ) == 0x0 00974 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57958, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\6\0\0\314\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57959, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\6\0\0\314\1\0\0" ) ) == 0x0 00969 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 1248 NtQueryValueKey (200, (200, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 1248 NtQueryValueKey (192, (192, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 1248 NtQueryValueKey (200, (200, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 1248 NtQueryValueKey (192, (192, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00979 1248 NtQueryValueKey (200, (200, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00980 1248 NtQueryValueKey (192, (192, "DefaultRegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ... 00981 760 NtResumeThread (212, ... 1, ) == 0x0 00982 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29884416, 1048576, ) == 0x0 00983 760 NtAllocateVirtualMemory (-1, 30924800, 0, 8192, 4096, 4, ... 30924800, 8192, ) == 0x0 00984 760 NtProtectVirtualMemory (-1, (0x1d7e000), 4096, 260, ... 
(0x1d7e000), 4096, 4, ) == 0x0 00985 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1764, 1068}, ) == 0x0 00986 760 NtQueryInformationThread (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1764,Tid=1068,}, 0x0, ) == 0x0 00980 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00987 460 NtWaitForSingleObject (92, 0, 0x0, ... 00988 1248 NtQueryValueKey (200, (200, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00989 1248 NtQueryValueKey (192, (192, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00990 1248 NtQueryValueKey (200, (200, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 1248 NtQueryValueKey (192, (192, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00992 1248 NtQueryValueKey (200, (200, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00993 1248 NtQueryValueKey (200, (200, "UpdateTopLevelDomainZones", Partial, 144, ... , Partial, 144, ... 00994 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57959, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1764, 760, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0,\4\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57960, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1764, 760, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0,\4\0\0" ) ) == 0x0 00995 760 NtResumeThread (216, ... 1, ) == 0x0 00996 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30932992, 1048576, ) == 0x0 00997 760 NtAllocateVirtualMemory (-1, 31973376, 0, 8192, 4096, 4, ... 
31973376, 8192, ) == 0x0 00998 760 NtProtectVirtualMemory (-1, (0x1e7e000), 4096, 260, ... (0x1e7e000), 4096, 4, ) == 0x0 00999 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00993 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01000 1068 NtWaitForSingleObject (92, 0, 0x0, ... 01001 1248 NtQueryValueKey (200, (200, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 1248 NtQueryValueKey (200, (200, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01003 1248 NtQueryValueKey (200, (200, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01004 1248 NtQueryValueKey (200, (200, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01005 1248 NtQueryValueKey (200, (200, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01006 1248 NtQueryValueKey (200, (200, "ServerPriorityTimeLimit", Partial, 144, ... , Partial, 144, ... 00999 760 NtCreateThread ... 220, {1764, 1856}, ) == 0x0 01007 760 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1764,Tid=1856,}, 0x0, ) == 0x0 01008 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57960, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0@\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57961, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0@\7\0\0" ) ) == 0x0 01009 760 NtResumeThread (220, ... 1, ) == 0x0 01010 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
31981568, 1048576, ) == 0x0 01011 760 NtAllocateVirtualMemory (-1, 33021952, 0, 8192, 4096, 4, ... 33021952, 8192, ) == 0x0 01006 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01012 1856 NtWaitForSingleObject (92, 0, 0x0, ... 01013 1248 NtQueryValueKey (200, (200, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01014 1248 NtQueryValueKey (200, (200, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01015 1248 NtQueryValueKey (200, (200, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01016 1248 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 224, ) }, ... 224, ) == 0x0 01017 1248 NtQueryValueKey (224, (224, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01018 1248 NtClose (224, ... 01019 760 NtProtectVirtualMemory (-1, (0x1f7e000), 4096, 260, ... (0x1f7e000), 4096, 4, ) == 0x0 01020 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1764, 1596}, ) == 0x0 01021 760 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1764,Tid=1596,}, 0x0, ) == 0x0 01022 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57961, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\6\0\0<\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\6\0\0<\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57962, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\6\0\0<\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\6\0\0<\6\0\0" ) ) == 0x0 01023 760 NtResumeThread (228, ... 
1, ) == 0x0 01024 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01018 1248 NtClose ... ) == 0x0 01025 1596 NtWaitForSingleObject (92, 0, 0x0, ... 01026 1248 NtClose (192, ... ) == 0x0 01027 1248 NtClose (200, ... ) == 0x0 01028 1248 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 200, ) }, ... 200, ) == 0x0 01029 1248 NtQueryValueKey (200, (200, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01030 1248 NtQueryValueKey (200, (200, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01031 1248 NtQueryValueKey (200, (200, "DnsMulticastQueryTimeouts", Partial, 144, ... , Partial, 144, ... 01024 760 NtAllocateVirtualMemory ... 33030144, 1048576, ) == 0x0 01032 760 NtAllocateVirtualMemory (-1, 34070528, 0, 8192, 4096, 4, ... 34070528, 8192, ) == 0x0 01033 760 NtProtectVirtualMemory (-1, (0x207e000), 4096, 260, ... (0x207e000), 4096, 4, ) == 0x0 01034 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {1764, 1128}, ) == 0x0 01035 760 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1764,Tid=1128,}, 0x0, ) == 0x0 01036 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57962, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\6\0\0h\4\0\0" ... {28, 56, reply, 0, 1764, 760, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\6\0\0h\4\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57963, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\6\0\0h\4\0\0" ... {28, 56, reply, 0, 1764, 760, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\6\0\0h\4\0\0" ) ) == 0x0 01031 1248 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01037 1248 NtClose (200, ... ) == 0x0 01038 1248 NtSetEventBoostPriority (92, ... 
00840 1972 NtWaitForSingleObject ... ) == 0x0 01039 1972 NtSetEventBoostPriority (92, ... 00841 748 NtWaitForSingleObject ... ) == 0x0 01040 748 NtSetEventBoostPriority (92, ... 00862 1580 NtWaitForSingleObject ... ) == 0x0 01041 1580 NtSetEventBoostPriority (92, ... 00876 1756 NtWaitForSingleObject ... ) == 0x0 01042 1756 NtSetEventBoostPriority (92, ... 00888 1292 NtWaitForSingleObject ... ) == 0x0 01043 1292 NtSetEventBoostPriority (92, ... 00901 1956 NtWaitForSingleObject ... ) == 0x0 01044 1956 NtSetEventBoostPriority (92, ... 00925 1980 NtWaitForSingleObject ... ) == 0x0 01045 1980 NtSetEventBoostPriority (92, ... 00938 1784 NtWaitForSingleObject ... ) == 0x0 01046 1784 NtSetEventBoostPriority (92, ... 00950 1480 NtWaitForSingleObject ... ) == 0x0 01047 1480 NtSetEventBoostPriority (92, ... 00963 1556 NtWaitForSingleObject ... ) == 0x0 01048 1556 NtSetEventBoostPriority (92, ... 00987 460 NtWaitForSingleObject ... ) == 0x0 01049 460 NtSetEventBoostPriority (92, ... 01000 1068 NtWaitForSingleObject ... ) == 0x0 01050 1068 NtSetEventBoostPriority (92, ... 01012 1856 NtWaitForSingleObject ... ) == 0x0 01051 1856 NtSetEventBoostPriority (92, ... 01025 1596 NtWaitForSingleObject ... ) == 0x0 01052 1596 NtTestAlert (... ) == 0x0 01051 1856 NtSetEventBoostPriority ... ) == 0x0 01050 1068 NtSetEventBoostPriority ... ) == 0x0 01049 460 NtSetEventBoostPriority ... ) == 0x0 01048 1556 NtSetEventBoostPriority ... ) == 0x0 01047 1480 NtSetEventBoostPriority ... ) == 0x0 01046 1784 NtSetEventBoostPriority ... ) == 0x0 01045 1980 NtSetEventBoostPriority ... ) == 0x0 01044 1956 NtSetEventBoostPriority ... ) == 0x0 01043 1292 NtSetEventBoostPriority ... ) == 0x0 01042 1756 NtSetEventBoostPriority ... ) == 0x0 01041 1580 NtSetEventBoostPriority ... ) == 0x0 01040 748 NtSetEventBoostPriority ... ) == 0x0 01039 1972 NtSetEventBoostPriority ... ) == 0x0 01038 1248 NtSetEventBoostPriority ... ) == 0x0 01053 760 NtResumeThread (192, ... 01054 1596 NtContinue (33029424, 1, ... 
01055 1856 NtTestAlert (... 01056 1068 NtTestAlert (... 01057 460 NtTestAlert (... 01058 1556 NtTestAlert (... 01059 1480 NtTestAlert (... 01060 1784 NtTestAlert (... 01061 1980 NtTestAlert (... 01062 1956 NtTestAlert (... 01063 1292 NtTestAlert (... 01064 1756 NtTestAlert (... 01065 1580 NtTestAlert (... 01066 1972 NtQuerySystemInformation (Basic, 44, ... 01067 1248 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01053 760 NtResumeThread ... 1, ) == 0x0 01068 1596 NtRegisterThreadTerminatePort (24, ... 01055 1856 NtTestAlert ... ) == 0x0 01056 1068 NtTestAlert ... ) == 0x0 01057 460 NtTestAlert ... ) == 0x0 01058 1556 NtTestAlert ... ) == 0x0 01059 1480 NtTestAlert ... ) == 0x0 01060 1784 NtTestAlert ... ) == 0x0 01061 1980 NtTestAlert ... ) == 0x0 01062 1956 NtTestAlert ... ) == 0x0 01063 1292 NtTestAlert ... ) == 0x0 01064 1756 NtTestAlert ... ) == 0x0 01065 1580 NtTestAlert ... ) == 0x0 01069 748 NtTestAlert (... 01070 1128 NtTestAlert (... 01066 1972 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01071 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01068 1596 NtRegisterThreadTerminatePort ... ) == 0x0 01072 1856 NtContinue (31980848, 1, ... 01073 1068 NtContinue (30932272, 1, ... 01074 460 NtContinue (29883696, 1, ... 01075 1556 NtContinue (28835120, 1, ... 01076 1480 NtContinue (27786544, 1, ... 01077 1784 NtContinue (26737968, 1, ... 01078 1980 NtContinue (25689392, 1, ... 01079 1956 NtContinue (24640816, 1, ... 01080 1292 NtContinue (23592240, 1, ... 01081 1756 NtContinue (22543664, 1, ... 01082 1580 NtContinue (21495088, 1, ... 01069 748 NtTestAlert ... ) == 0x0 01070 1128 NtTestAlert ... 
) == 0x0 01083 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01071 760 NtAllocateVirtualMemory ... 34078720, 1048576, ) == 0x0 01084 1596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01085 1856 NtRegisterThreadTerminatePort (24, ... 01086 1068 NtRegisterThreadTerminatePort (24, ... 01087 460 NtRegisterThreadTerminatePort (24, ... 01088 1556 NtRegisterThreadTerminatePort (24, ... 01089 1480 NtRegisterThreadTerminatePort (24, ... 01090 1784 NtRegisterThreadTerminatePort (24, ... 01091 1980 NtRegisterThreadTerminatePort (24, ... 01092 1956 NtRegisterThreadTerminatePort (24, ... 01093 1292 NtRegisterThreadTerminatePort (24, ... 01094 1756 NtRegisterThreadTerminatePort (24, ... 01095 1580 NtRegisterThreadTerminatePort (24, ... 01096 748 NtContinue (20446512, 1, ... 01067 1248 NtCreateEvent ... 200, ) == 0x0 01083 1972 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01097 760 NtAllocateVirtualMemory (-1, 35119104, 0, 8192, 4096, 4, ... 01084 1596 NtDuplicateObject ... 224, ) == 0x0 01085 1856 NtRegisterThreadTerminatePort ... ) == 0x0 01086 1068 NtRegisterThreadTerminatePort ... ) == 0x0 01087 460 NtRegisterThreadTerminatePort ... ) == 0x0 01088 1556 NtRegisterThreadTerminatePort ... ) == 0x0 01089 1480 NtRegisterThreadTerminatePort ... ) == 0x0 01090 1784 NtRegisterThreadTerminatePort ... ) == 0x0 01091 1980 NtRegisterThreadTerminatePort ... ) == 0x0 01092 1956 NtRegisterThreadTerminatePort ... ) == 0x0 01093 1292 NtRegisterThreadTerminatePort ... ) == 0x0 01094 1756 NtRegisterThreadTerminatePort ... ) == 0x0 01095 1580 NtRegisterThreadTerminatePort ... ) == 0x0 01098 748 NtRegisterThreadTerminatePort (24, ... 01099 1248 NtWaitForSingleObject (200, 0, 0x0, ... 01100 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01097 760 NtAllocateVirtualMemory ... 
35119104, 8192, ) == 0x0 01101 1596 NtWaitForSingleObject (68, 0, {0, 0}, ... 01102 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01103 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01104 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01105 1556 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01106 1480 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01107 1784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01108 1980 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01109 1956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01110 1292 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01111 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01112 1580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01098 748 NtRegisterThreadTerminatePort ... ) == 0x0 01100 1972 NtOpenKey ... 232, ) == 0x0 01113 1128 NtContinue (34078000, 1, ... 01114 760 NtProtectVirtualMemory (-1, (0x217e000), 4096, 260, ... 01101 1596 NtWaitForSingleObject ... ) == 0x102 01102 1856 NtDuplicateObject ... 236, ) == 0x0 01103 1068 NtDuplicateObject ... 240, ) == 0x0 01104 460 NtDuplicateObject ... 244, ) == 0x0 01105 1556 NtDuplicateObject ... 248, ) == 0x0 01106 1480 NtDuplicateObject ... 252, ) == 0x0 01107 1784 NtDuplicateObject ... 256, ) == 0x0 01108 1980 NtDuplicateObject ... 260, ) == 0x0 01109 1956 NtDuplicateObject ... 264, ) == 0x0 01110 1292 NtDuplicateObject ... 268, ) == 0x0 01111 1756 NtDuplicateObject ... 272, ) == 0x0 01115 748 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01116 1972 NtQueryValueKey (232, (232, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01117 1128 NtRegisterThreadTerminatePort (24, ... 01114 760 NtProtectVirtualMemory ... (0x217e000), 4096, 4, ) == 0x0 01118 1596 NtWaitForSingleObject (128, 0, 0x0, ... 01119 1856 NtWaitForSingleObject (68, 0, {0, 0}, ... 01120 1068 NtWaitForSingleObject (68, 0, {0, 0}, ... 01121 460 NtWaitForSingleObject (68, 0, {0, 0}, ... 01122 1556 NtWaitForSingleObject (68, 0, {0, 0}, ... 01123 1480 NtWaitForSingleObject (68, 0, {0, 0}, ... 
01124 1784 NtWaitForSingleObject (68, 0, {0, 0}, ... 01125 1980 NtWaitForSingleObject (68, 0, {0, 0}, ... 01126 1956 NtWaitForSingleObject (68, 0, {0, 0}, ... 01127 1292 NtWaitForSingleObject (68, 0, {0, 0}, ... 01128 1756 NtWaitForSingleObject (68, 0, {0, 0}, ... 01112 1580 NtDuplicateObject ... 276, ) == 0x0 01115 748 NtDuplicateObject ... 280, ) == 0x0 01117 1128 NtRegisterThreadTerminatePort ... ) == 0x0 01129 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01119 1856 NtWaitForSingleObject ... ) == 0x102 01120 1068 NtWaitForSingleObject ... ) == 0x102 01121 460 NtWaitForSingleObject ... ) == 0x102 01122 1556 NtWaitForSingleObject ... ) == 0x102 01123 1480 NtWaitForSingleObject ... ) == 0x102 01124 1784 NtWaitForSingleObject ... ) == 0x102 01125 1980 NtWaitForSingleObject ... ) == 0x102 01126 1956 NtWaitForSingleObject ... ) == 0x102 01127 1292 NtWaitForSingleObject ... ) == 0x102 01128 1756 NtWaitForSingleObject ... ) == 0x102 01130 1580 NtWaitForSingleObject (68, 0, {0, 0}, ... 01131 748 NtWaitForSingleObject (68, 0, {0, 0}, ... 01132 1128 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01129 760 NtCreateThread ... 284, {1764, 1256}, ) == 0x0 01133 1856 NtWaitForSingleObject (128, 0, 0x0, ... 01134 1068 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01135 460 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01136 1556 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01137 1480 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01138 1784 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01139 1980 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01140 1956 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01141 1292 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01142 1756 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01130 1580 NtWaitForSingleObject ... ) == 0x102 01131 748 NtWaitForSingleObject ... ) == 0x102 01132 1128 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01143 760 NtQueryInformationThread (284, Basic, 28, ... 01134 1068 NtCreateEvent ... 288, ) == 0x0 01135 460 NtCreateEvent ... 
292, ) == 0x0 01136 1556 NtCreateEvent ... 296, ) == 0x0 01137 1480 NtCreateEvent ... 300, ) == 0x0 01138 1784 NtCreateEvent ... 304, ) == 0x0 01139 1980 NtCreateEvent ... 308, ) == 0x0 01140 1956 NtCreateEvent ... 312, ) == 0x0 01141 1292 NtCreateEvent ... 316, ) == 0x0 01142 1756 NtCreateEvent ... 320, ) == 0x0 01144 1580 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01145 748 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01146 1128 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01143 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1764,Tid=1256,}, 0x0, ) == 0x0 01116 1972 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 1068 NtWaitForSingleObject (288, 0, 0x0, ... 01148 460 NtClose (292, ... 01149 1556 NtClose (296, ... 01150 1480 NtClose (300, ... 01151 1784 NtClose (304, ... 01152 1980 NtClose (308, ... 01153 1956 NtClose (312, ... 01154 1292 NtClose (316, ... 01144 1580 NtCreateEvent ... 324, ) == 0x0 01145 748 NtCreateEvent ... 328, ) == 0x0 01155 1756 NtClose (320, ... 01146 1128 NtCreateEvent ... 332, ) == 0x0 01156 1972 NtClose (232, ... 01148 460 NtClose ... ) == 0x0 01149 1556 NtClose ... ) == 0x0 01150 1480 NtClose ... ) == 0x0 01151 1784 NtClose ... ) == 0x0 01152 1980 NtClose ... ) == 0x0 01153 1956 NtClose ... ) == 0x0 01154 1292 NtClose ... ) == 0x0 01157 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57963, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\344\6\0\0\350\4\0\0" ... ... 01158 1580 NtClose (324, ... 01155 1756 NtClose ... ) == 0x0 01159 1128 NtClose (332, ... 01156 1972 NtClose ... ) == 0x0 01160 460 NtWaitForSingleObject (288, 0, 0x0, ... 01161 1556 NtWaitForSingleObject (288, 0, 0x0, ... 01162 1480 NtWaitForSingleObject (288, 0, 0x0, ... 01163 1784 NtWaitForSingleObject (288, 0, 0x0, ... 01164 1980 NtWaitForSingleObject (288, 0, 0x0, ... 01165 1956 NtWaitForSingleObject (288, 0, 0x0, ... 01166 1292 NtWaitForSingleObject (288, 0, 0x0, ... 
01157 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57964, 0} ... {28, 56, reply, 0, 1764, 760, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\344\6\0\0\350\4\0\0" ) ) == 0x0 01158 1580 NtClose ... ) == 0x0 01167 1756 NtWaitForSingleObject (288, 0, 0x0, ... 01159 1128 NtClose ... ) == 0x0 01168 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01169 760 NtResumeThread (284, ... 01170 1580 NtWaitForSingleObject (288, 0, 0x0, ... 01171 1128 NtSetEventBoostPriority (288, ... 01168 1972 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01169 760 NtResumeThread ... 1, ) == 0x0 01147 1068 NtWaitForSingleObject ... ) == 0x0 01171 1128 NtSetEventBoostPriority ... ) == 0x0 01172 1972 NtWaitForSingleObject (288, 0, 0x0, ... 01173 1068 NtSetEventBoostPriority (288, ... 01174 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01175 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01176 748 NtClose (328, ... 01177 1256 NtTestAlert (... 01160 460 NtWaitForSingleObject ... ) == 0x0 01173 1068 NtSetEventBoostPriority ... ) == 0x0 01174 760 NtAllocateVirtualMemory ... 35127296, 1048576, ) == 0x0 01176 748 NtClose ... ) == 0x0 01178 460 NtSetEventBoostPriority (288, ... 01177 1256 NtTestAlert ... ) == 0x0 01179 1068 NtWaitForSingleObject (128, 0, 0x0, ... 01180 760 NtAllocateVirtualMemory (-1, 36167680, 0, 8192, 4096, 4, ... 01161 1556 NtWaitForSingleObject ... ) == 0x0 01178 460 NtSetEventBoostPriority ... ) == 0x0 01181 748 NtWaitForSingleObject (288, 0, 0x0, ... 01182 1256 NtContinue (35126576, 1, ... 01175 1128 NtDuplicateObject ... 328, ) == 0x0 01183 1556 NtSetEventBoostPriority (288, ... 01180 760 NtAllocateVirtualMemory ... 36167680, 8192, ) == 0x0 01184 1256 NtRegisterThreadTerminatePort (24, ... 01162 1480 NtWaitForSingleObject ... ) == 0x0 01183 1556 NtSetEventBoostPriority ... 
) == 0x0 01185 1128 NtWaitForSingleObject (288, 0, 0x0, ... 01186 760 NtProtectVirtualMemory (-1, (0x227e000), 4096, 260, ... 01187 1480 NtSetEventBoostPriority (288, ... 01184 1256 NtRegisterThreadTerminatePort ... ) == 0x0 01188 460 NtWaitForSingleObject (128, 0, 0x0, ... 01163 1784 NtWaitForSingleObject ... ) == 0x0 01187 1480 NtSetEventBoostPriority ... ) == 0x0 01186 760 NtProtectVirtualMemory ... (0x227e000), 4096, 4, ) == 0x0 01189 1556 NtWaitForSingleObject (128, 0, 0x0, ... 01190 1784 NtSetEventBoostPriority (288, ... 01191 1256 NtWaitForSingleObject (288, 0, 0x0, ... 01192 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01164 1980 NtWaitForSingleObject ... ) == 0x0 01190 1784 NtSetEventBoostPriority ... ) == 0x0 01193 1480 NtWaitForSingleObject (128, 0, 0x0, ... 01194 1980 NtSetEventBoostPriority (288, ... 01192 760 NtCreateThread ... 332, {1764, 220}, ) == 0x0 01165 1956 NtWaitForSingleObject ... ) == 0x0 01194 1980 NtSetEventBoostPriority ... ) == 0x0 01195 1956 NtSetEventBoostPriority (288, ... 01196 760 NtQueryInformationThread (332, Basic, 28, ... 01197 1784 NtWaitForSingleObject (128, 0, 0x0, ... 01166 1292 NtWaitForSingleObject ... ) == 0x0 01195 1956 NtSetEventBoostPriority ... ) == 0x0 01196 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1764,Tid=220,}, 0x0, ) == 0x0 01198 1292 NtSetEventBoostPriority (288, ... 01199 1980 NtWaitForSingleObject (128, 0, 0x0, ... 01167 1756 NtWaitForSingleObject ... ) == 0x0 01198 1292 NtSetEventBoostPriority ... ) == 0x0 01200 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57964, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\6\0\0\334\0\0\0" ... ... 01201 1756 NtSetEventBoostPriority (288, ... 01202 1956 NtWaitForSingleObject (128, 0, 0x0, ... 01170 1580 NtWaitForSingleObject ... ) == 0x0 01201 1756 NtSetEventBoostPriority ... ) == 0x0 01200 760 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1764, 760, 57965, 0} ... {28, 56, reply, 0, 1764, 760, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\6\0\0\334\0\0\0" ) ) == 0x0 01203 1580 NtSetEventBoostPriority (288, ... 01204 1292 NtWaitForSingleObject (128, 0, 0x0, ... 01205 1756 NtWaitForSingleObject (128, 0, 0x0, ... 01172 1972 NtWaitForSingleObject ... ) == 0x0 01203 1580 NtSetEventBoostPriority ... ) == 0x0 01206 1972 NtSetEventBoostPriority (288, ... 01207 760 NtResumeThread (332, ... 01181 748 NtWaitForSingleObject ... ) == 0x0 01207 760 NtResumeThread ... 1, ) == 0x0 01208 748 NtSetEventBoostPriority (288, ... 01209 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01185 1128 NtWaitForSingleObject ... ) == 0x0 01208 748 NtSetEventBoostPriority ... ) == 0x0 01210 1128 NtSetEventBoostPriority (288, ... 01209 760 NtAllocateVirtualMemory ... 36175872, 1048576, ) == 0x0 01206 1972 NtSetEventBoostPriority ... ) == 0x0 01211 1580 NtWaitForSingleObject (128, 0, 0x0, ... 01212 220 NtAllocateVirtualMemory (-1, 8802304, 0, 4096, 4096, 4, ... 01191 1256 NtWaitForSingleObject ... ) == 0x0 01210 1128 NtSetEventBoostPriority ... ) == 0x0 01213 760 NtAllocateVirtualMemory (-1, 37216256, 0, 8192, 4096, 4, ... 01214 1972 NtWaitForSingleObject (288, 0, 0x0, ... 01215 1256 NtSetEventBoostPriority (288, ... 01212 220 NtAllocateVirtualMemory ... 8802304, 4096, ) == 0x0 01216 748 NtWaitForSingleObject (128, 0, 0x0, ... 01213 760 NtAllocateVirtualMemory ... 37216256, 8192, ) == 0x0 01215 1256 NtSetEventBoostPriority ... ) == 0x0 01217 220 NtTestAlert (... 01218 1128 NtWaitForSingleObject (288, 0, 0x0, ... 01214 1972 NtWaitForSingleObject ... ) == 0x0 01219 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01217 220 NtTestAlert ... ) == 0x0 01220 1972 NtSetEventBoostPriority (288, ... 01221 760 NtProtectVirtualMemory (-1, (0x237e000), 4096, 260, ... 01222 220 NtContinue (36175152, 1, ... 01218 1128 NtWaitForSingleObject ... ) == 0x0 01220 1972 NtSetEventBoostPriority ... 
) == 0x0 01221 760 NtProtectVirtualMemory ... (0x237e000), 4096, 4, ) == 0x0 01219 1256 NtDuplicateObject ... 324, ) == 0x0 01223 1128 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01224 1972 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01225 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01223 1128 NtCreateEvent ... 232, ) == 0x0 01226 1256 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01224 1972 NtCreateEvent ... 320, ) == 0x0 01227 1128 NtWaitForSingleObject (232, 0, 0x0, ... 01225 760 NtCreateThread ... 316, {1764, 1800}, ) == 0x0 01226 1256 NtCreateEvent ... 312, ) == 0x0 01228 1972 NtClose (320, ... 01229 220 NtRegisterThreadTerminatePort (24, ... 01230 760 NtQueryInformationThread (316, Basic, 28, ... 01231 1256 NtClose (312, ... 01229 220 NtRegisterThreadTerminatePort ... ) == 0x0 01230 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1764,Tid=1800,}, 0x0, ) == 0x0 01231 1256 NtClose ... ) == 0x0 01232 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01228 1972 NtClose ... ) == 0x0 01233 1256 NtWaitForSingleObject (232, 0, 0x0, ... 01232 220 NtDuplicateObject ... 320, ) == 0x0 01234 1972 NtSetEventBoostPriority (232, ... 01235 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57965, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\6\0\0\10\7\0\0" ... ... 01236 220 NtWaitForSingleObject (232, 0, 0x0, ... 01227 1128 NtWaitForSingleObject ... ) == 0x0 01234 1972 NtSetEventBoostPriority ... ) == 0x0 01235 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57966, 0} ... {28, 56, reply, 0, 1764, 760, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\6\0\0\10\7\0\0" ) ) == 0x0 01237 1128 NtSetEventBoostPriority (232, ... 01238 1972 NtWaitForSingleObject (232, 0, 0x0, ... 01236 220 NtWaitForSingleObject ... ) == 0x0 01239 760 NtResumeThread (316, ... 01240 220 NtSetEventBoostPriority (232, ... 01239 760 NtResumeThread ... 
1, ) == 0x0 01238 1972 NtWaitForSingleObject ... ) == 0x0 01240 220 NtSetEventBoostPriority ... ) == 0x0 01241 1972 NtSetEventBoostPriority (232, ... 01242 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01237 1128 NtSetEventBoostPriority ... ) == 0x0 01243 1800 NtTestAlert (... 01233 1256 NtWaitForSingleObject ... ) == 0x0 01241 1972 NtSetEventBoostPriority ... ) == 0x0 01244 220 NtWaitForSingleObject (68, 0, {0, 0}, ... 01245 1128 NtWaitForSingleObject (68, 0, {0, 0}, ... 01246 1256 NtWaitForSingleObject (68, 0, {0, 0}, ... 01243 1800 NtTestAlert ... ) == 0x0 01242 760 NtAllocateVirtualMemory ... 37224448, 1048576, ) == 0x0 01244 220 NtWaitForSingleObject ... ) == 0x102 01246 1256 NtWaitForSingleObject ... ) == 0x102 01247 1800 NtContinue (37223728, 1, ... 01248 760 NtAllocateVirtualMemory (-1, 38264832, 0, 8192, 4096, 4, ... 01249 1256 NtWaitForSingleObject (128, 0, 0x0, ... 01250 220 NtWaitForSingleObject (128, 0, 0x0, ... 01251 1800 NtRegisterThreadTerminatePort (24, ... 01248 760 NtAllocateVirtualMemory ... 38264832, 8192, ) == 0x0 01252 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01245 1128 NtWaitForSingleObject ... ) == 0x102 01251 1800 NtRegisterThreadTerminatePort ... ) == 0x0 01253 760 NtProtectVirtualMemory (-1, (0x247e000), 4096, 260, ... 01252 1972 NtCreateEvent ... 312, ) == 0x0 01254 1128 NtWaitForSingleObject (128, 0, 0x0, ... 01253 760 NtProtectVirtualMemory ... (0x247e000), 4096, 4, ) == 0x0 01255 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01256 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01255 1972 NtCreateEvent ... 308, ) == 0x0 01257 1800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01258 1972 NtQuerySystemTime (... 01257 1800 NtDuplicateObject ... 304, ) == 0x0 01258 1972 NtQuerySystemTime ... {1712190440, 29915235}, ) == 0x0 01259 1800 NtWaitForSingleObject (68, 0, {0, 0}, ... 01256 760 NtCreateThread ... 300, {1764, 1796}, ) == 0x0 01259 1800 NtWaitForSingleObject ... 
) == 0x102 01260 760 NtQueryInformationThread (300, Basic, 28, ... 01261 1800 NtWaitForSingleObject (128, 0, 0x0, ... 01260 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1764,Tid=1796,}, 0x0, ) == 0x0 01262 1972 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01263 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57966, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\344\6\0\0\4\7\0\0" ... ... 01262 1972 NtCreateEvent ... 296, ) == 0x0 01263 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57967, 0} ... {28, 56, reply, 0, 1764, 760, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\344\6\0\0\4\7\0\0" ) ) == 0x0 01264 1972 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01265 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01266 1972 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01267 1972 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01268 1972 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01269 760 NtResumeThread (300, ... 1, ) == 0x0 01270 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38273024, 1048576, ) == 0x0 01271 760 NtAllocateVirtualMemory (-1, 39313408, 0, 8192, 4096, 4, ... 39313408, 8192, ) == 0x0 01272 760 NtProtectVirtualMemory (-1, (0x257e000), 4096, 260, ... (0x257e000), 4096, 4, ) == 0x0 01273 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 292, {1764, 1808}, ) == 0x0 01274 760 NtQueryInformationThread (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1764,Tid=1808,}, 0x0, ) == 0x0 01275 1972 NtSetEventBoostPriority (200, ... 01276 1796 NtTestAlert (... 01099 1248 NtWaitForSingleObject ... 
) == 0x0 01275 1972 NtSetEventBoostPriority ... ) == 0x0 01277 1248 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01276 1796 NtTestAlert ... ) == 0x0 01277 1248 NtCreateEvent ... 336, ) == 0x0 01278 1972 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01279 1796 NtContinue (38272304, 1, ... 01280 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57967, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\6\0\0\20\7\0\0" ... ... 01278 1972 NtCreateEvent ... 340, ) == 0x0 01281 1796 NtRegisterThreadTerminatePort (24, ... 01280 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57968, 0} ... {28, 56, reply, 0, 1764, 760, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\6\0\0\20\7\0\0" ) ) == 0x0 01282 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01281 1796 NtRegisterThreadTerminatePort ... ) == 0x0 01283 760 NtResumeThread (292, ... 01282 1972 NtDuplicateObject ... 344, ) == 0x0 01284 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01283 760 NtResumeThread ... 1, ) == 0x0 01285 1796 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01284 1248 NtDuplicateObject ... 348, ) == 0x0 01286 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01285 1796 NtDuplicateObject ... 352, ) == 0x0 01287 1248 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01288 1972 NtWaitForSingleObject (288, 0, 0x0, ... 01289 1808 NtTestAlert (... 01290 1796 NtWaitForSingleObject (288, 0, 0x0, ... 01287 1248 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01289 1808 NtTestAlert ... ) == 0x0 01291 1248 NtSetEventBoostPriority (288, ... 01292 1808 NtContinue (39320880, 1, ... 01288 1972 NtWaitForSingleObject ... ) == 0x0 01291 1248 NtSetEventBoostPriority ... ) == 0x0 01293 1972 NtSetEventBoostPriority (288, ... 01294 1808 NtRegisterThreadTerminatePort (24, ... 01286 760 NtAllocateVirtualMemory ... 39321600, 1048576, ) == 0x0 01290 1796 NtWaitForSingleObject ... ) == 0x0 01293 1972 NtSetEventBoostPriority ... 
) == 0x0 01294 1808 NtRegisterThreadTerminatePort ... ) == 0x0 01295 1796 NtWaitForSingleObject (68, 0, {0, 0}, ... 01296 760 NtAllocateVirtualMemory (-1, 40361984, 0, 8192, 4096, 4, ... 01297 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01298 1248 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01296 760 NtAllocateVirtualMemory ... 40361984, 8192, ) == 0x0 01299 1808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01295 1796 NtWaitForSingleObject ... ) == 0x102 01298 1248 NtOpenFile ... 356, {status=0x0, info=0}, ) == 0x0 01300 760 NtProtectVirtualMemory (-1, (0x267e000), 4096, 260, ... 01299 1808 NtDuplicateObject ... 360, ) == 0x0 01301 1796 NtWaitForSingleObject (128, 0, 0x0, ... 01302 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11\242\26\276\3160sa\206s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01300 760 NtProtectVirtualMemory ... (0x267e000), 4096, 4, ) == 0x0 01303 1808 NtWaitForSingleObject (68, 0, {0, 0}, ... 01304 1248 NtQuerySystemInformation (TimeOfDay, 48, ... 01305 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01303 1808 NtWaitForSingleObject ... ) == 0x102 01304 1248 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01297 1972 NtOpenKey ... 364, ) == 0x0 01306 1808 NtWaitForSingleObject (128, 0, 0x0, ... 
01307 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... 01308 1972 NtQueryValueKey (364, (364, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01305 760 NtCreateThread ... 368, {1764, 1700}, ) == 0x0 01308 1972 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 760 NtQueryInformationThread (368, Basic, 28, ... 01310 1972 NtClose (364, ... 01309 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1764,Tid=1700,}, 0x0, ) == 0x0 01310 1972 NtClose ... ) == 0x0 01311 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57968, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\6\0\0\244\6\0\0" ... ... 01312 1972 NtOpenThreadToken (-2, 0xc, 1, ... 01311 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57969, 0} ... {28, 56, reply, 0, 1764, 760, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\6\0\0\244\6\0\0" ) ) == 0x0 01307 1248 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01312 1972 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01313 1248 NtQuerySystemInformation (Performance, 312, ... 01314 1972 NtOpenThreadToken (-2, 0x20008, 1, ... 01313 1248 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01314 1972 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01315 1248 NtQuerySystemInformation (Exception, 16, ... 01316 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ... 01315 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01316 1972 NtQueryAttributesFile ... ) == 0x0 01317 1248 NtQuerySystemInformation (Lookaside, 32, ... 01318 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01319 760 NtResumeThread (368, ... 01317 1248 NtQuerySystemInformation ... 
{system info, class 45, size 32}, 32, ) == 0x0 01319 760 NtResumeThread ... 1, ) == 0x0 01320 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01321 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01320 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01321 760 NtAllocateVirtualMemory ... 40370176, 1048576, ) == 0x0 01322 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01323 760 NtAllocateVirtualMemory (-1, 41410560, 0, 8192, 4096, 4, ... 01322 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01323 760 NtAllocateVirtualMemory ... 41410560, 8192, ) == 0x0 01324 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01318 1972 NtOpenKey ... 364, ) == 0x0 01325 1700 NtTestAlert (... 01324 1248 NtCreateKey ... -2147482740, 2, ) == 0x0 01326 1972 NtQueryValueKey (364, (364, "Transports", Partial, 144, ... , Partial, 144, ... 01325 1700 NtTestAlert ... ) == 0x0 01327 1248 NtSetValueKey (-2147482740, (-2147482740, "Seed", 0, 3, "\315\346\315\336V\264\256D{\362:u\367x\37="\273\214\17\301>\203\324\243%\3642tk\305\\273\230(t]\326\211\355L\242Z\372S8\1\226\224%:O\326\14H\310\334\245\221p\365\200\301\227\240\262\203\232G\313\207\212\213\255\203s\267\242\10\300", 80, ... , 0, 3, (-2147482740, "Seed", 0, 3, "\315\346\315\336V\264\256D{\362:u\367x\37="\273\214\17\301>\203\324\243%\3642tk\305\\273\230(t]\326\211\355L\242Z\372S8\1\226\224%:O\326\14H\310\334\245\221p\365\200\301\227\240\262\203\232G\313\207\212\213\255\203s\267\242\10\300", 80, ... \273\214\17\301>\203\324\243%\3642tk\305\\273\230(t]\326\211\355L\242Z\372S8\1\226\224%:O\326\14H\310\334\245\221p\365\200\301\227\240\262\203\232G\313\207\212\213\255\203s\267\242\10\300", 80, ... 01326 1972 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... 
TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01328 1700 NtContinue (40369456, 1, ... 01327 1248 NtSetValueKey ... ) == 0x0 01329 1972 NtQueryValueKey (364, (364, "Transports", Partial, 144, ... , Partial, 144, ... 01330 1700 NtRegisterThreadTerminatePort (24, ... 01331 1248 NtClose (-2147482740, ... 01329 1972 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01330 1700 NtRegisterThreadTerminatePort ... ) == 0x0 01331 1248 NtClose ... ) == 0x0 01332 1972 NtClose (364, ... 01333 760 NtProtectVirtualMemory (-1, (0x277e000), 4096, 260, ... 01334 1700 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01302 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "*\301\354\256\226\214\200k\250_\303\215\302d\357\242GQ\251\331&\273#m_\255f\230AB\262nY\17>\254(\304\33\273\227\324x\327\355\301\3017'\362U\360\\31})l1\366\27\243@,\13\325\200\374\362\202\244v.Y\325BM\356\321\7\227\365\23\341\25\342\373~2x\260|B\352\251\341\323\373\213\245@kUu\216\20\362-\325\321Y|\0\343\3j7\267\14\26\231\226hy!'2\261\336\206\203\36\255m\255\26e\303TB\265\367F\300l\251p\2121\177\375=\311\200\252\372\32}X\22\236f\364C\13qi\300w`\236\275\11\204\355\33\1;\212\255\7\213\235\2768\375\256\3769\350\35n\300\0]~}\7NN.\344\204\265\267:Y\235\336\333\300N\340\336\4\33\252\347\206\265\207\263\341"\220]g\6\325\236\244\13\273dM\236o\224\213\236\325\265\272bf\32e\263{\2\215#\69\240", ) \220]g\6\325\236\244\13\273dM\236o\224\213\236\325\265\272bf\32e\263{\2\215#\69\240", ) == 0x0 01333 760 NtProtectVirtualMemory ... (0x277e000), 4096, 4, ) == 0x0 01334 1700 NtDuplicateObject ... 372, ) == 0x0 01335 1248 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01336 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01337 1700 NtWaitForSingleObject (68, 0, {0, 0}, ... 01335 1248 NtCreateEvent ... 
376, ) == 0x0 01336 760 NtCreateThread ... 380, {1764, 1156}, ) == 0x0 01337 1700 NtWaitForSingleObject ... ) == 0x102 01338 1248 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199748, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199748, 188, ... 01339 760 NtQueryInformationThread (380, Basic, 28, ... 01340 1700 NtWaitForSingleObject (128, 0, 0x0, ... 01339 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1764,Tid=1156,}, 0x0, ) == 0x0 01338 1248 NtConnectPort ... 384, 0x0, 0x0, 0x0, 188, ) == 0x0 01332 1972 NtClose ... ) == 0x0 01341 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57969, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\6\0\0\204\4\0\0" ... ... 01342 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01341 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57971, 0} ... {28, 56, reply, 0, 1764, 760, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\6\0\0\204\4\0\0" ) ) == 0x0 01342 1972 NtOpenKey ... 364, ) == 0x0 01343 760 NtResumeThread (380, ... 01344 1972 NtQueryValueKey (364, (364, "Mapping", Partial, 144, ... , Partial, 144, ... 01343 760 NtResumeThread ... 1, ) == 0x0 01344 1972 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01345 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01346 1972 NtQueryValueKey (364, (364, "Mapping", Partial, 144, ... , Partial, 144, ... 
01347 1248 NtRequestWaitReplyPort (384, {200, 224, new_msg, 0, 1379672, 12, 2, 1} (384, {200, 224, new_msg, 0, 1379672, 12, 2, 1} "\0\4\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0x\4\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\36\216\32\177ryZ`\330\14\25\0h\1\24\0\12\0\0\0\0\0\0\0\1\0\0\0(\0\0\0\340\14\25\0\350\12K#\240\4\24\0\0\15\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\15\25\0P\0\0\0\10\15\25\0\360\6\221|x\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\347\0\372\31\221|\30\364\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01348 1156 NtTestAlert (... 01345 760 NtAllocateVirtualMemory ... 41418752, 1048576, ) == 0x0 01348 1156 NtTestAlert ... ) == 0x0 01349 760 NtAllocateVirtualMemory (-1, 42459136, 0, 8192, 4096, 4, ... 01347 1248 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1764, 1248, 57972, 0} ... {200, 224, reply, 0, 1764, 1248, 57972, 0} "\7\4\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\36\216\32\177ryZ`\330\14\25\0h\1\24\0\12\0\0\0\0\0\0\0\1\0\0\0(\0\0\0\340\14\25\0\350\12K#\240\4\24\0\0\15\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\15\25\0P\0\0\0\10\15\25\0\360\6\221|x\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\347\0\372\31\221|\30\364\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01350 1156 NtContinue (41418032, 1, ... 01349 760 NtAllocateVirtualMemory ... 42459136, 8192, ) == 0x0 01351 1248 NtRequestWaitReplyPort (384, {64, 88, new_msg, 0, 0, 0, 0, 0} (384, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01352 1156 NtRegisterThreadTerminatePort (24, ... 01353 760 NtProtectVirtualMemory (-1, (0x287e000), 4096, 260, ... 01352 1156 NtRegisterThreadTerminatePort ... ) == 0x0 01353 760 NtProtectVirtualMemory ... 
(0x287e000), 4096, 4, ) == 0x0 01346 1972 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01354 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01355 1972 NtQueryValueKey (364, (364, "Mapping", Partial, 152, ... , Partial, 152, ... 01356 1156 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01355 1972 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01356 1156 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01357 1972 NtClose (364, ... 01358 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01357 1972 NtClose ... ) == 0x0 01358 1156 NtDuplicateObject ... 364, ) == 0x0 01359 1972 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01360 1156 NtWaitForSingleObject (68, 0, {0, 0}, ... 01354 760 NtCreateThread ... 388, {1764, 1728}, ) == 0x0 01361 760 NtQueryInformationThread (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1764,Tid=1728,}, 0x0, ) == 0x0 01362 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57971, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\6\0\0\300\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57974, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\6\0\0\300\6\0\0" ) ) == 0x0 01363 760 NtResumeThread (388, ... 
1, ) == 0x0 01364 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 42467328, 1048576, ) == 0x0 01365 760 NtAllocateVirtualMemory (-1, 43507712, 0, 8192, 4096, 4, ... 43507712, 8192, ) == 0x0 01359 1972 NtOpenKey ... 392, ) == 0x0 01366 1728 NtTestAlert (... 01360 1156 NtWaitForSingleObject ... ) == 0x102 01367 1972 NtQueryValueKey (392, (392, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01366 1728 NtTestAlert ... ) == 0x0 01368 1156 NtWaitForSingleObject (128, 0, 0x0, ... 01367 1972 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01369 1728 NtContinue (42466608, 1, ... 01370 1972 NtQueryValueKey (392, (392, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01371 1728 NtRegisterThreadTerminatePort (24, ... 01370 1972 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01371 1728 NtRegisterThreadTerminatePort ... ) == 0x0 01372 1972 NtQueryValueKey (392, (392, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01373 760 NtProtectVirtualMemory (-1, (0x297e000), 4096, 260, ... 01374 1728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01351 1248 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1764, 1248, 57973, 0} ... {52, 76, reply, 0, 1764, 1248, 57973, 0} "\2\356Q\200\1\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01373 760 NtProtectVirtualMemory ... (0x297e000), 4096, 4, ) == 0x0 01374 1728 NtDuplicateObject ... 396, ) == 0x0 01372 1972 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01375 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01376 1728 NtWaitForSingleObject (68, 0, {0, 0}, ... 01377 1972 NtQueryValueKey (392, (392, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01375 760 NtCreateThread ... 
400, {1764, 1536}, ) == 0x0 01376 1728 NtWaitForSingleObject ... ) == 0x102 01377 1972 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01378 760 NtQueryInformationThread (400, Basic, 28, ... 01379 1728 NtWaitForSingleObject (128, 0, 0x0, ... 01380 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ... 01378 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1764,Tid=1536,}, 0x0, ) == 0x0 01381 1248 NtClose (376, ... 01380 1972 NtQueryAttributesFile ... ) == 0x0 01381 1248 NtClose ... ) == 0x0 01382 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01383 1248 NtClose (384, ... 01384 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57974, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\6\0\0\0\6\0\0" ... ... 01383 1248 NtClose ... ) == 0x0 01384 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57976, 0} ... {28, 56, reply, 0, 1764, 760, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\6\0\0\0\6\0\0" ) ) == 0x0 01385 1248 NtWaitForSingleObject (92, 0, 0x0, ... 01386 760 NtResumeThread (400, ... 1, ) == 0x0 01387 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 43515904, 1048576, ) == 0x0 01388 760 NtAllocateVirtualMemory (-1, 44556288, 0, 8192, 4096, 4, ... 44556288, 8192, ) == 0x0 01389 760 NtProtectVirtualMemory (-1, (0x2a7e000), 4096, 260, ... (0x2a7e000), 4096, 4, ) == 0x0 01390 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01382 1972 NtOpenFile ... 384, {status=0x0, info=1}, ) == 0x0 01391 1536 NtWaitForSingleObject (92, 0, 0x0, ... 
01392 1972 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 384, ... 376, ) == 0x0 01393 1972 NtClose (384, ... ) == 0x0 01394 1972 NtMapViewOfSection (376, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0 01395 1972 NtClose (376, ... ) == 0x0 01390 760 NtCreateThread ... 376, {1764, 444}, ) == 0x0 01396 760 NtQueryInformationThread (376, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1764,Tid=444,}, 0x0, ) == 0x0 01397 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57976, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\6\0\0\274\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\6\0\0\274\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57977, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\6\0\0\274\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\6\0\0\274\1\0\0" ) ) == 0x0 01398 1972 NtUnmapViewOfSection (-1, 0x850000, ... 01399 760 NtResumeThread (376, ... 1, ) == 0x0 01400 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 44564480, 1048576, ) == 0x0 01401 760 NtAllocateVirtualMemory (-1, 45604864, 0, 8192, 4096, 4, ... 45604864, 8192, ) == 0x0 01402 760 NtProtectVirtualMemory (-1, (0x2b7e000), 4096, 260, ... (0x2b7e000), 4096, 4, ) == 0x0 01403 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 384, {1764, 1904}, ) == 0x0 01404 760 NtQueryInformationThread (384, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1764,Tid=1904,}, 0x0, ) == 0x0 01398 1972 NtUnmapViewOfSection ... ) == 0x0 01405 444 NtWaitForSingleObject (92, 0, 0x0, ... 01406 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... 
) == 0x0 01407 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0 01408 1972 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 404, ... 408, ) == 0x0 01409 1972 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01410 1972 NtClose (404, ... ) == 0x0 01411 1972 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01412 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57977, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\6\0\0p\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57978, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\6\0\0p\7\0\0" ) ) == 0x0 01413 760 NtResumeThread (384, ... 1, ) == 0x0 01414 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 45613056, 1048576, ) == 0x0 01415 760 NtAllocateVirtualMemory (-1, 46653440, 0, 8192, 4096, 4, ... 46653440, 8192, ) == 0x0 01416 760 NtProtectVirtualMemory (-1, (0x2c7e000), 4096, 260, ... (0x2c7e000), 4096, 4, ) == 0x0 01417 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01411 1972 NtMapViewOfSection ... (0x71a90000), 0x0, 32768, ) == 0x0 01418 1904 NtWaitForSingleObject (92, 0, 0x0, ... 01419 1972 NtClose (408, ... ) == 0x0 01420 1972 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 01421 1972 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 01422 1972 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 01417 760 NtCreateThread ... 
408, {1764, 1936}, ) == 0x0 01423 760 NtQueryInformationThread (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1764,Tid=1936,}, 0x0, ) == 0x0 01424 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57978, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\6\0\0\220\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\6\0\0\220\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57979, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\6\0\0\220\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\6\0\0\220\7\0\0" ) ) == 0x0 01425 1972 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 1972 NtSetEventBoostPriority (92, ... 01385 1248 NtWaitForSingleObject ... ) == 0x0 01427 1248 NtSetEventBoostPriority (92, ... 01391 1536 NtWaitForSingleObject ... ) == 0x0 01428 1536 NtSetEventBoostPriority (92, ... 01405 444 NtWaitForSingleObject ... ) == 0x0 01429 444 NtSetEventBoostPriority (92, ... 01418 1904 NtWaitForSingleObject ... ) == 0x0 01430 1904 NtTestAlert (... ) == 0x0 01429 444 NtSetEventBoostPriority ... ) == 0x0 01428 1536 NtSetEventBoostPriority ... ) == 0x0 01427 1248 NtSetEventBoostPriority ... ) == 0x0 01426 1972 NtSetEventBoostPriority ... ) == 0x0 01431 760 NtResumeThread (408, ... 01432 1904 NtContinue (45612336, 1, ... 01433 444 NtTestAlert (... 01434 1536 NtTestAlert (... 01435 1972 NtClose (392, ... 01431 760 NtResumeThread ... 1, ) == 0x0 01436 1904 NtRegisterThreadTerminatePort (24, ... 01433 444 NtTestAlert ... ) == 0x0 01434 1536 NtTestAlert ... 
) == 0x0 01437 1248 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01438 1936 NtTestAlert (... 01439 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01436 1904 NtRegisterThreadTerminatePort ... ) == 0x0 01440 444 NtContinue (44563760, 1, ... 01441 1536 NtContinue (43515184, 1, ... 01437 1248 NtCreateKey ... 404, 2, ) == 0x0 01438 1936 NtTestAlert ... ) == 0x0 01439 760 NtAllocateVirtualMemory ... 46661632, 1048576, ) == 0x0 01442 1904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01443 444 NtRegisterThreadTerminatePort (24, ... 01444 1536 NtRegisterThreadTerminatePort (24, ... 01445 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01446 1936 NtContinue (46660912, 1, ... 01447 760 NtAllocateVirtualMemory (-1, 47702016, 0, 8192, 4096, 4, ... 01442 1904 NtDuplicateObject ... 412, ) == 0x0 01443 444 NtRegisterThreadTerminatePort ... ) == 0x0 01444 1536 NtRegisterThreadTerminatePort ... ) == 0x0 01445 1248 NtOpenKey ... 416, ) == 0x0 01448 1936 NtRegisterThreadTerminatePort (24, ... 01447 760 NtAllocateVirtualMemory ... 47702016, 8192, ) == 0x0 01449 1904 NtWaitForSingleObject (68, 0, {0, 0}, ... 01450 444 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01451 1536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01452 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01448 1936 NtRegisterThreadTerminatePort ... ) == 0x0 01435 1972 NtClose ... ) == 0x0 01453 760 NtProtectVirtualMemory (-1, (0x2d7e000), 4096, 260, ... 01449 1904 NtWaitForSingleObject ... ) == 0x102 01450 444 NtDuplicateObject ... 392, ) == 0x0 01452 1248 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01451 1536 NtDuplicateObject ... 420, ) == 0x0 01454 1972 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ... 01453 760 NtProtectVirtualMemory ... (0x2d7e000), 4096, 4, ) == 0x0 01455 1904 NtWaitForSingleObject (128, 0, 0x0, ... 01456 444 NtWaitForSingleObject (68, 0, {0, 0}, ... 01457 1936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01458 1536 NtWaitForSingleObject (68, 0, {0, 0}, ... 01454 1972 NtCreateFile ... 424, {status=0x0, info=0}, ) == 0x0 01459 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01456 444 NtWaitForSingleObject ... ) == 0x102 01457 1936 NtDuplicateObject ... 428, ) == 0x0 01458 1536 NtWaitForSingleObject ... ) == 0x102 01460 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x1207b, (424, 100, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01459 760 NtCreateThread ... 432, {1764, 1648}, ) == 0x0 01461 444 NtWaitForSingleObject (128, 0, 0x0, ... 01462 1936 NtWaitForSingleObject (68, 0, {0, 0}, ... 01463 1536 NtWaitForSingleObject (128, 0, 0x0, ... 01460 1972 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0 01464 760 NtQueryInformationThread (432, Basic, 28, ... 01462 1936 NtWaitForSingleObject ... ) == 0x102 01465 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x1207b, (424, 100, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", 16, 16, ... , 16, 16, ... 01464 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1764,Tid=1648,}, 0x0, ) == 0x0 01466 1936 NtWaitForSingleObject (128, 0, 0x0, ... 01467 1248 NtQueryValueKey (404, (404, "Hostname", Partial, 144, ... , Partial, 144, ... 01465 1972 NtDeviceIoControlFile ... {status=0x0, info=16}, ... 
{status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0 01468 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57979, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\6\0\0p\6\0\0" ... ... 01467 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01469 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x12047, (424, 100, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01468 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57980, 0} ... {28, 56, reply, 0, 1764, 760, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\6\0\0p\6\0\0" ) ) == 0x0 01470 1248 NtQueryValueKey (404, (404, "Hostname", Partial, 144, ... , Partial, 144, ... 01469 1972 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01471 760 NtResumeThread (432, ... 01470 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01471 760 NtResumeThread ... 1, ) == 0x0 01472 1248 NtClose (404, ... 01473 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01472 1248 NtClose ... ) == 0x0 01474 1972 NtWaitForSingleObject (60, 0, {0, 0}, ... 01475 1648 NtTestAlert (... 01473 760 NtAllocateVirtualMemory ... 47710208, 1048576, ) == 0x0 01474 1972 NtWaitForSingleObject ... ) == 0x102 01475 1648 NtTestAlert ... 
) == 0x0 01476 760 NtAllocateVirtualMemory (-1, 48750592, 0, 8192, 4096, 4, ... 01477 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x12003, (424, 100, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01478 1648 NtContinue (47709488, 1, ... 01476 760 NtAllocateVirtualMemory ... 48750592, 8192, ) == 0x0 01477 1972 NtDeviceIoControlFile ... {status=0x0, info=404}, ... {status=0x0, info=404}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01479 1648 NtRegisterThreadTerminatePort (24, ... 01480 760 NtProtectVirtualMemory (-1, (0x2e7e000), 4096, 260, ... 01481 1248 NtClose (416, ... 01479 1648 NtRegisterThreadTerminatePort ... ) == 0x0 01480 760 NtProtectVirtualMemory ... (0x2e7e000), 4096, 4, ) == 0x0 01481 1248 NtClose ... ) == 0x0 01482 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x12047, (424, 100, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01483 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01484 1248 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 01482 1972 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01485 1648 NtWaitForSingleObject (288, 0, 0x0, ... 01484 1248 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 01486 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x12037, (424, 100, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 01487 1248 NtSetEventBoostPriority (288, ... 01486 1972 NtDeviceIoControlFile ... 
{status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01485 1648 NtWaitForSingleObject ... ) == 0x0 01487 1248 NtSetEventBoostPriority ... ) == 0x0 01488 1648 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01489 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x1200b, (424, 100, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\260\24\0", 12, 0, ... , 12, 0, ... 01483 760 NtCreateThread ... 416, {1764, 148}, ) == 0x0 01488 1648 NtDuplicateObject ... 436, ) == 0x0 01489 1972 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01490 1648 NtWaitForSingleObject (232, 0, 0x0, ... 01491 760 NtQueryInformationThread (416, Basic, 28, ... 01492 1248 NtSetEventBoostPriority (232, ... 01493 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x12047, (424, 100, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01491 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1764,Tid=148,}, 0x0, ) == 0x0 01492 1248 NtSetEventBoostPriority ... ) == 0x0 01493 1972 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01494 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57980, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\6\0\0\224\0\0\0" ... ... 
01495 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\7\207\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... !N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01496 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 01494 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57981, 0} ... {28, 56, reply, 0, 1764, 760, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\6\0\0\224\0\0\0" ) ) == 0x0 01497 1248 NtQuerySystemInformation (TimeOfDay, 48, ... 01496 1972 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01490 1648 NtWaitForSingleObject ... ) == 0x0 01497 1248 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01498 1972 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01499 1648 NtWaitForSingleObject (68, 0, {0, 0}, ... 01500 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... 01498 1972 NtCreateEvent ... 440, ) == 0x0 01499 1648 NtWaitForSingleObject ... 
) == 0x102 01501 760 NtResumeThread (416, ... 01500 1248 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01502 1648 NtWaitForSingleObject (128, 0, 0x0, ... 01501 760 NtResumeThread ... 1, ) == 0x0 01503 1248 NtQuerySystemInformation (Performance, 312, ... 01504 1972 NtWaitForSingleObject (440, 0, 0x0, ... 01505 148 NtTestAlert (... 01506 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01503 1248 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01505 148 NtTestAlert ... ) == 0x0 01506 760 NtAllocateVirtualMemory ... 48758784, 1048576, ) == 0x0 01507 1248 NtQuerySystemInformation (Exception, 16, ... 01508 148 NtContinue (48758064, 1, ... 01509 760 NtAllocateVirtualMemory (-1, 49799168, 0, 8192, 4096, 4, ... 01507 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01510 148 NtRegisterThreadTerminatePort (24, ... 01509 760 NtAllocateVirtualMemory ... 49799168, 8192, ) == 0x0 01511 1248 NtQuerySystemInformation (Lookaside, 32, ... 01510 148 NtRegisterThreadTerminatePort ... ) == 0x0 01512 760 NtProtectVirtualMemory (-1, (0x2f7e000), 4096, 260, ... 01511 1248 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01512 760 NtProtectVirtualMemory ... (0x2f7e000), 4096, 4, ) == 0x0 01513 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01514 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01513 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01514 760 NtCreateThread ... 444, {1764, 1828}, ) == 0x0 01515 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01516 760 NtQueryInformationThread (444, Basic, 28, ... 01515 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01516 760 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1764,Tid=1828,}, 0x0, ) == 0x0 01517 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01518 148 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01519 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57981, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\6\0\0$\7\0\0" ... ... 01518 148 NtDuplicateObject ... 448, ) == 0x0 01519 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57982, 0} ... {28, 56, reply, 0, 1764, 760, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\6\0\0$\7\0\0" ) ) == 0x0 01520 148 NtWaitForSingleObject (68, 0, {0, 0}, ... 01521 760 NtResumeThread (444, ... 01520 148 NtWaitForSingleObject ... ) == 0x102 01521 760 NtResumeThread ... 1, ) == 0x0 01522 148 NtWaitForSingleObject (128, 0, 0x0, ... 01523 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01517 1248 NtCreateKey ... -2147481344, 2, ) == 0x0 01524 1828 NtTestAlert (... 01525 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\276\335\241r\27\35\4\12\243=\262RD\375\346\341O\311\272\323D\333a\0\363U2\21f\303^\216\347\334KW\324\316\365g\4&\251p\21\244o\337\375\245\233\343\212\236\247x\360@x;S\2\254\36\356;\247"Ae!"1\5*\256]OA", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "\276\335\241r\27\35\4\12\243=\262RD\375\346\341O\311\272\323D\333a\0\363U2\21f\303^\216\347\334KW\324\316\365g\4&\251p\21\244o\337\375\245\233\343\212\236\247x\360@x;S\2\254\36\356;\247"Ae!"1\5*\256]OA", 80, ... Ae! (-2147481344, "Seed", 0, 3, "\276\335\241r\27\35\4\12\243=\262RD\375\346\341O\311\272\323D\333a\0\363U2\21f\303^\216\347\334KW\324\316\365g\4&\251p\21\244o\337\375\245\233\343\212\236\247x\360@x;S\2\254\36\356;\247"Ae!"1\5*\256]OA", 80, ... , 80, ... 01524 1828 NtTestAlert ... ) == 0x0 01525 1248 NtSetValueKey ... 
) == 0x0 01526 1828 NtContinue (49806640, 1, ... 01527 1248 NtClose (-2147481344, ... 01528 1828 NtRegisterThreadTerminatePort (24, ... 01527 1248 NtClose ... ) == 0x0 01528 1828 NtRegisterThreadTerminatePort ... ) == 0x0 01495 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\300R\267\217H\34\336{hh\21\345\226\335KI\13E\256E7\200:\342\33|\23\261E\242\11\240\262\255v,Y\217-\260\213H\267\31\206\314\253\221+\236\364\216C\206\237\212\234\36\350\231\12\377\2\242\232\247m\255\277/\321\24067\234\264\373-\253\317_p\311\253,\334X\324\303:\323\305\11\327\367\277\3375\14\274\172,\254\36\372Pw\10\371\227\320 \302\202\341\276\245\251\365\334\225L\347\244x\214\276\371\310Q\363\367I\24Ae\341\240\216\337\362R\7ii\260\201\210[\370z\22#8`\330\334\6\17n\30FClL_N\205\\335\326\25\261\246\177\333=\23363\324A\340\374\362\333\330GNe\344\224\211\204\370t\373\343&5\346\365\16\2203\334\262w\235\322>\354W`\34\3046\277E\373P\262W\310A\335\227.\270\3\7\246\366\305\343\221\324\322\357\25\205\245\227\307\32^\213\267\200\210/\310\212C", ) , ) == 0x0 01523 760 NtAllocateVirtualMemory ... 49807360, 1048576, ) == 0x0 01529 1828 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01530 760 NtAllocateVirtualMemory (-1, 50847744, 0, 8192, 4096, 4, ... 01529 1828 NtDuplicateObject ... 452, ) == 0x0 01530 760 NtAllocateVirtualMemory ... 50847744, 8192, ) == 0x0 01531 1828 NtWaitForSingleObject (68, 0, {0, 0}, ... 01532 760 NtProtectVirtualMemory (-1, (0x307e000), 4096, 260, ... 01531 1828 NtWaitForSingleObject ... ) == 0x102 01532 760 NtProtectVirtualMemory ... (0x307e000), 4096, 4, ) == 0x0 01533 1828 NtWaitForSingleObject (128, 0, 0x0, ... 01534 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01535 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\323\6g0\212\256v\240\272\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... !N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01536 1248 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01537 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01538 1248 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01539 1248 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01540 1248 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01541 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01534 760 NtCreateThread ... 456, {1764, 1864}, ) == 0x0 01542 760 NtQueryInformationThread (456, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1764,Tid=1864,}, 0x0, ) == 0x0 01543 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57982, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\6\0\0H\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\6\0\0H\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57983, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\6\0\0H\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\6\0\0H\7\0\0" ) ) == 0x0 01544 760 NtResumeThread (456, ... 1, ) == 0x0 01545 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50855936, 1048576, ) == 0x0 01546 760 NtAllocateVirtualMemory (-1, 51896320, 0, 8192, 4096, 4, ... 51896320, 8192, ) == 0x0 01541 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01547 1864 NtTestAlert (... 01548 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01547 1864 NtTestAlert ... ) == 0x0 01548 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01549 1864 NtContinue (50855216, 1, ... 01550 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01551 1864 NtRegisterThreadTerminatePort (24, ... 01550 1248 NtCreateKey ... -2147481344, 2, ) == 0x0 01551 1864 NtRegisterThreadTerminatePort ... ) == 0x0 01552 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\200~\226\217\15h\344}\271*\333a\335`\343\374W\235z\266\21\237797\355jh\242=\303]\300\255\215%\217#\264\315#\315\352g\7\311\265\201d\252\222\273\222\22\230\3715h/\223\300\33\230\257x\356\302\262\233\356H0Ft\213\217R\204\214\275", 80, ... 
, 0, 3, (-2147481344, "Seed", 0, 3, "\200~\226\217\15h\344}\271*\333a\335`\343\374W\235z\266\21\237797\355jh\242=\303]\300\255\215%\217#\264\315#\315\352g\7\311\265\201d\252\222\273\222\22\230\3715h/\223\300\33\230\257x\356\302\262\233\356H0Ft\213\217R\204\214\275", 80, ... , 80, ... 01553 760 NtProtectVirtualMemory (-1, (0x317e000), 4096, 260, ... 01554 1864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01553 760 NtProtectVirtualMemory ... (0x317e000), 4096, 4, ) == 0x0 01554 1864 NtDuplicateObject ... 460, ) == 0x0 01555 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01556 1864 NtWaitForSingleObject (68, 0, {0, 0}, ... 01555 760 NtCreateThread ... 464, {1764, 1896}, ) == 0x0 01556 1864 NtWaitForSingleObject ... ) == 0x102 01557 760 NtQueryInformationThread (464, Basic, 28, ... 01558 1864 NtWaitForSingleObject (128, 0, 0x0, ... 01557 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1764,Tid=1896,}, 0x0, ) == 0x0 01552 1248 NtSetValueKey ... ) == 0x0 01559 1248 NtClose (-2147481344, ... ) == 0x0 01535 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "O\121J(\15/\264\300t\271\274\271\230\310V\316\257\321\314\214C\265\353q7e@\\1Lb6`\226\235\3453\360"\366@\267\265\326?\243\206\32\330\3668\241\216\315G\226\334kb-\225\251\303\350\6n\16\224.O\0\252\222p\361\224So\364a\336>\325M\360'\211\341h\330\13\342\317\373BJ-n\206`\200"\303\211,\341\375RH<\226\246\355"\234]\265\27\241\350\35\34\235<\227\320>\240\250\240\310VT}\367\265\343\245\33F\321\311\22|\334\20\325\265\346\2225\340p\2\260\332\212\216\210\314\271\310\270}\263\242{]\302z\37\377\275\367[\310\7\256\225\265\314\312=*?\320=p\242\212\201>\3348\236}\5\2\266sE\323\1\3736\5\261\234\374\3519p\235\267L\225;\270\366\276\35\210\17G\341\14\264{\342o*\310q\245\10T<\272\337L\2\0\361\27\205\300\333t\14a\250nY\320\344", ) \366@\267\265\326?\243\206\32\330\3668\241\216\315G\226\334kb-\225\251\303\350\6n\16\224.O\0\252\222p\361\224So\364a\336>\325M\360'\211\341h\330\13\342\317\373BJ-n\206`\200 ... {status=0x0, info=256}, "O\121J(\15/\264\300t\271\274\271\230\310V\316\257\321\314\214C\265\353q7e@\\1Lb6`\226\235\3453\360"\366@\267\265\326?\243\206\32\330\3668\241\216\315G\226\334kb-\225\251\303\350\6n\16\224.O\0\252\222p\361\224So\364a\336>\325M\360'\211\341h\330\13\342\317\373BJ-n\206`\200"\303\211,\341\375RH<\226\246\355"\234]\265\27\241\350\35\34\235<\227\320>\240\250\240\310VT}\367\265\343\245\33F\321\311\22|\334\20\325\265\346\2225\340p\2\260\332\212\216\210\314\271\310\270}\263\242{]\302z\37\377\275\367[\310\7\256\225\265\314\312=*?\320=p\242\212\201>\3348\236}\5\2\266sE\323\1\3736\5\261\234\374\3519p\235\267L\225;\270\366\276\35\210\17G\341\14\264{\342o*\310q\245\10T<\272\337L\2\0\361\27\205\300\333t\14a\250nY\320\344", ) 
\234]\265\27\241\350\35\34\235<\227\320>\240\250\240\310VT}\367\265\343\245\33F\321\311\22|\334\20\325\265\346\2225\340p\2\260\332\212\216\210\314\271\310\270}\263\242{]\302z\37\377\275\367[\310\7\256\225\265\314\312=*?\320=p\242\212\201>\3348\236}\5\2\266sE\323\1\3736\5\261\234\374\3519p\235\267L\225;\270\366\276\35\210\17G\341\14\264{\342o*\310q\245\10T<\272\337L\2\0\361\27\205\300\333t\14a\250nY\320\344", ) == 0x0 01560 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\323\6g0\212\256vt;g0\212\256v\240\272\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... !N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01561 1248 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01562 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01563 1248 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01564 1248 NtQuerySystemInformation (Exception, 16, ... 
01565 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57983, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\6\0\0h\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\6\0\0h\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57984, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\6\0\0h\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\6\0\0h\7\0\0" ) ) == 0x0 01566 760 NtResumeThread (464, ... 1, ) == 0x0 01567 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 51904512, 1048576, ) == 0x0 01568 760 NtAllocateVirtualMemory (-1, 52944896, 0, 8192, 4096, 4, ... 52944896, 8192, ) == 0x0 01569 760 NtProtectVirtualMemory (-1, (0x327e000), 4096, 260, ... (0x327e000), 4096, 4, ) == 0x0 01570 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01564 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01571 1896 NtTestAlert (... 01572 1248 NtQuerySystemInformation (Lookaside, 32, ... 01571 1896 NtTestAlert ... ) == 0x0 01572 1248 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01573 1896 NtContinue (51903792, 1, ... 01574 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01575 1896 NtRegisterThreadTerminatePort (24, ... 01574 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01575 1896 NtRegisterThreadTerminatePort ... ) == 0x0 01576 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01570 760 NtCreateThread ... 468, {1764, 1524}, ) == 0x0 01577 1896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01578 760 NtQueryInformationThread (468, Basic, 28, ... 01577 1896 NtDuplicateObject ... 472, ) == 0x0 01578 760 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1764,Tid=1524,}, 0x0, ) == 0x0 01579 1896 NtWaitForSingleObject (68, 0, {0, 0}, ... 01580 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57984, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\6\0\0\364\5\0\0" ... ... 01579 1896 NtWaitForSingleObject ... ) == 0x102 01580 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57985, 0} ... {28, 56, reply, 0, 1764, 760, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\6\0\0\364\5\0\0" ) ) == 0x0 01581 1896 NtWaitForSingleObject (128, 0, 0x0, ... 01576 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01582 760 NtResumeThread (468, ... 01583 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01582 760 NtResumeThread ... 1, ) == 0x0 01583 1248 NtCreateKey ... -2147481344, 2, ) == 0x0 01584 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01585 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "9\345y\356\237\34\355\353\352\317'pv\327u\314\255\376G\122B\365By\360\270\35\364W\331\273i\251\331\316\24&:\311\376\232$\320\0\317afw\36\\377\262\207\203\250\26\26\27a?\354\223\235\214\345\267@\224.\334\377\206\214P\206\354F\334\275", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "9\345y\356\237\34\355\353\352\317'pv\327u\314\255\376G\122B\365By\360\270\35\364W\331\273i\251\331\316\24&:\311\376\232$\320\0\317afw\36\\377\262\207\203\250\26\26\27a?\354\223\235\214\345\267@\224.\334\377\206\214P\206\354F\334\275", 80, ... , 80, ... 01584 760 NtAllocateVirtualMemory ... 52953088, 1048576, ) == 0x0 01585 1248 NtSetValueKey ... ) == 0x0 01586 760 NtAllocateVirtualMemory (-1, 53993472, 0, 8192, 4096, 4, ... 01587 1248 NtClose (-2147481344, ... 01586 760 NtAllocateVirtualMemory ... 53993472, 8192, ) == 0x0 01588 1524 NtTestAlert (... 01587 1248 NtClose ... 
) == 0x0 01588 1524 NtTestAlert ... ) == 0x0 01560 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\27\30N\373\14lV|\30O\33\371\370{\224r\266\213Q\217\27\211\307\22\361\3431\266\26\314\341?\325\212\177:7\341\12\240 \336\327\26\371?\13\3255\22\212\353\232.\11\373t\177\303\15d\243\250 \223r\261Y8\237\223#\277,\216\264\27\235\17S\30N\230e\255U\1`\304:\202aya\274\\202\14\356\332o)X\312\2443\220d'\2449y5#\326\0\31\217\374k\314\243K\254\207Mn\211`\365P\204\2104QW \204\22K\260\341\275\273\321\231\378$\301\26c\234+\4\230\375\323\320\375\342\277uSi\364\212!\374\12U\240\240\370j\223\251\270\344\221\317\217\337\256Jw\267B\321/NC/J\210\267n7w\2673\5\233\216\12i\37k\344\232\306\203V\241B\344t\367\270\365\317\300\15\276\346\224QP\360\237\3551"%\234\253\217\3J\338\3751\177\342\374\315\343\21\15o\303\35A\244=", ) %\234\253\217\3J\338\3751\177\342\374\315\343\21\15o\303\35A\244=", ) == 0x0 01589 1524 NtContinue (52952368, 1, ... 01590 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\323\6g0\212\256vt;g0\212\256vt;g0\212\256v\240\272\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01591 1524 NtRegisterThreadTerminatePort (24, ... 01592 1248 NtQuerySystemInformation (TimeOfDay, 48, ... 01591 1524 NtRegisterThreadTerminatePort ... ) == 0x0 01592 1248 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01593 760 NtProtectVirtualMemory (-1, (0x337e000), 4096, 260, ... 01594 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... 01593 760 NtProtectVirtualMemory ... (0x337e000), 4096, 4, ) == 0x0 01595 1524 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01596 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01595 1524 NtDuplicateObject ... 476, ) == 0x0 01596 760 NtCreateThread ... 480, {1764, 1944}, ) == 0x0 01597 1524 NtWaitForSingleObject (68, 0, {0, 0}, ... 01598 760 NtQueryInformationThread (480, Basic, 28, ... 01597 1524 NtWaitForSingleObject ... ) == 0x102 01598 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1764,Tid=1944,}, 0x0, ) == 0x0 01599 1524 NtWaitForSingleObject (128, 0, 0x0, ... 01594 1248 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01600 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57985, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\6\0\0\230\7\0\0" ... ... 01601 1248 NtQuerySystemInformation (Performance, 312, ... 01600 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57986, 0} ... 
{28, 56, reply, 0, 1764, 760, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\6\0\0\230\7\0\0" ) ) == 0x0 01601 1248 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01602 760 NtResumeThread (480, ... 01603 1248 NtQuerySystemInformation (Exception, 16, ... 01602 760 NtResumeThread ... 1, ) == 0x0 01603 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01604 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01605 1248 NtQuerySystemInformation (Lookaside, 32, ... 01606 1944 NtTestAlert (... 01604 760 NtAllocateVirtualMemory ... 54001664, 1048576, ) == 0x0 01606 1944 NtTestAlert ... ) == 0x0 01607 760 NtAllocateVirtualMemory (-1, 55042048, 0, 8192, 4096, 4, ... 01608 1944 NtContinue (54000944, 1, ... 01607 760 NtAllocateVirtualMemory ... 55042048, 8192, ) == 0x0 01609 1944 NtRegisterThreadTerminatePort (24, ... 01610 760 NtProtectVirtualMemory (-1, (0x347e000), 4096, 260, ... 01609 1944 NtRegisterThreadTerminatePort ... ) == 0x0 01610 760 NtProtectVirtualMemory ... (0x347e000), 4096, 4, ) == 0x0 01605 1248 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01611 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01612 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01613 1944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01612 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01613 1944 NtDuplicateObject ... 484, ) == 0x0 01614 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01615 1944 NtWaitForSingleObject (68, 0, {0, 0}, ... 01614 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01615 1944 NtWaitForSingleObject ... ) == 0x102 01616 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01617 1944 NtWaitForSingleObject (128, 0, 0x0, ... 01611 760 NtCreateThread ... 
488, {1764, 2044}, ) == 0x0 01616 1248 NtCreateKey ... -2147481344, 2, ) == 0x0 01618 760 NtQueryInformationThread (488, Basic, 28, ... 01619 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "L\303\266\15\267y\306\202G~\367\2\363\271-\277\14)\222\227\375\12\272\2364 \20w\324[\306\333!e]\224\16\2326Ni+\362\177\367\263\342p\11\327I-\361\347=\0\211+\1.<\372\7{\350\177?\372\261\312\312V\177\205\320\35\341\266\23", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "L\303\266\15\267y\306\202G~\367\2\363\271-\277\14)\222\227\375\12\272\2364 \20w\324[\306\333!e]\224\16\2326Ni+\362\177\367\263\342p\11\327I-\361\347=\0\211+\1.<\372\7{\350\177?\372\261\312\312V\177\205\320\35\341\266\23", 80, ... , 80, ... 01618 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1764,Tid=2044,}, 0x0, ) == 0x0 01619 1248 NtSetValueKey ... ) == 0x0 01620 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57986, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\6\0\0\374\7\0\0" ... ... 01621 1248 NtClose (-2147481344, ... 01620 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57987, 0} ... {28, 56, reply, 0, 1764, 760, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\6\0\0\374\7\0\0" ) ) == 0x0 01621 1248 NtClose ... ) == 0x0 01590 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "]\337ow\274\302\320'-M\357\341\260N/'\20\202-\3449\16i\11{\33fAvW9\344\317gr\21\1#5{\270\30O\202\221\177R\364\264L\255G9\377!\377g\203US\251\366\257\220a\234\12\33\344[pt`\213\213.\351\220\216\316^\377\267\355\357?n"\360\326\5\341360\326\5\341331\336t3\210\246\216\205f\20M\354\327xK\216\305\362L\343\377$\315\15\326\26\10vPK\211yf\323\376\262\236\225atD1\377,6\350\273\362\310\226\233\207\225\244n\2H)P\224\16\27'\337&w\200\223\12\212\377o\313M\316\330\343\22)?\2503\235\270m\310AmV\315*\262\203\211Z\220\35426\274\3263}\350\345\242\375\271je\10\311\31\321\212\271\144k\306\332\226\346\372\363)\27I\231\253\303X\360\320\3\5Vu\226m\324L\375\375\315\304X\35\221\313\302\244\3614Z\261\241R\2+\325\213", ) == 0x0 01622 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\323\6g0\212\256vt;g0\212\256vt;g0\212\256vt;g0\212\256v\240\272\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... !N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01623 1248 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01624 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 01625 1248 NtQuerySystemInformation (Performance, 312, ... 01626 760 NtResumeThread (488, ... 1, ) == 0x0 01627 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 55050240, 1048576, ) == 0x0 01628 760 NtAllocateVirtualMemory (-1, 56090624, 0, 8192, 4096, 4, ... 56090624, 8192, ) == 0x0 01629 760 NtProtectVirtualMemory (-1, (0x357e000), 4096, 260, ... (0x357e000), 4096, 4, ) == 0x0 01630 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {1764, 240}, ) == 0x0 01631 760 NtQueryInformationThread (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1764,Tid=240,}, 0x0, ) == 0x0 01625 1248 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01632 2044 NtTestAlert (... 01633 1248 NtQuerySystemInformation (Exception, 16, ... 01632 2044 NtTestAlert ... ) == 0x0 01633 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01634 2044 NtContinue (55049520, 1, ... 01635 1248 NtQuerySystemInformation (Lookaside, 32, ... 01636 2044 NtRegisterThreadTerminatePort (24, ... 01635 1248 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01636 2044 NtRegisterThreadTerminatePort ... ) == 0x0 01637 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01638 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57987, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\6\0\0\360\0\0\0" ... ... 01639 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01638 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57988, 0} ... {28, 56, reply, 0, 1764, 760, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\6\0\0\360\0\0\0" ) ) == 0x0 01639 2044 NtDuplicateObject ... 496, ) == 0x0 01640 760 NtResumeThread (492, ... 01641 2044 NtWaitForSingleObject (68, 0, {0, 0}, ... 01640 760 NtResumeThread ... 1, ) == 0x0 01641 2044 NtWaitForSingleObject ... 
) == 0x102 01642 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01643 2044 NtWaitForSingleObject (128, 0, 0x0, ... 01637 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01644 240 NtTestAlert (... 01642 760 NtAllocateVirtualMemory ... 56098816, 1048576, ) == 0x0 01645 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01644 240 NtTestAlert ... ) == 0x0 01646 760 NtAllocateVirtualMemory (-1, 57139200, 0, 8192, 4096, 4, ... 01645 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01647 240 NtContinue (56098096, 1, ... 01646 760 NtAllocateVirtualMemory ... 57139200, 8192, ) == 0x0 01648 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01649 240 NtRegisterThreadTerminatePort (24, ... 01650 760 NtProtectVirtualMemory (-1, (0x367e000), 4096, 260, ... 01648 1248 NtCreateKey ... -2147481344, 2, ) == 0x0 01649 240 NtRegisterThreadTerminatePort ... ) == 0x0 01650 760 NtProtectVirtualMemory ... (0x367e000), 4096, 4, ) == 0x0 01651 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "_\234I\371\2\3\324b\366\265\311\305(\201\254\256#\212\20370\335\251\276)\257\367n\212\361\227\10u\355B\204\235\211\241\216c\256\233\270\37U\262\241#\210\322~\2169\204\265\310\202\322\307\332\351\220\262\331k\324p\363\246\23\302\261:y,)\205a\251", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "_\234I\371\2\3\324b\366\265\311\305(\201\254\256#\212\20370\335\251\276)\257\367n\212\361\227\10u\355B\204\235\211\241\216c\256\233\270\37U\262\241#\210\322~\2169\204\265\310\202\322\307\332\351\220\262\331k\324p\363\246\23\302\261:y,)\205a\251", 80, ... , 80, ... 01652 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01653 240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01651 1248 NtSetValueKey ... ) == 0x0 01653 240 NtDuplicateObject ... 500, ) == 0x0 01654 1248 NtClose (-2147481344, ... 
01655 240 NtWaitForSingleObject (68, 0, {0, 0}, ... 01654 1248 NtClose ... ) == 0x0 01655 240 NtWaitForSingleObject ... ) == 0x102 01622 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\320\375\252\30E<\234\377\4\375\200\25\276-\214~m\267\341\361 \312\236\346\341\6N9\275D\220\300\32o\37\205\321E2\261hX@\321\323-\376Zj[\10E\327\336/s\\33\272\20\330c o9kGH\0\245\265gn\789\231~\261\305\373/\356]\372))\35\374\7\26)\374\324/+\341\22\354\342\220G\256\376\360*e\21\331\354\233\211}QTR\230\367\20D\207\31\223\231\\205\347\36RMU'\33\232\223\335\217Fi\3643\2567N\2333\253\341D\31\23d\332^u\343\2043C$\356D\244r}c\20K\26\246G\254\254\33\312^0\302\250\205\352\24\373\3636\16\374\346\345\306\243\114\14V\236\245\253\307w\312Ou4\355\364\257@\244\36\366\377\236\2009-A\331^r>\216\267\11-\302\257\270&\277:\376i\37\236j~\350\20~\226\246\23q\345\357U\266\317\216\2074\345\211\347n", ) , ) == 0x0 01656 240 NtWaitForSingleObject (128, 0, 0x0, ... 01657 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\323\6g0\212\256vt;g0\212\256vt;g0\212\256vt;g0\212\256vt;g0\212\256v\240\272\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01652 760 NtCreateThread ... 504, {1764, 968}, ) == 0x0 01658 1248 NtQuerySystemInformation (TimeOfDay, 48, ... 01659 760 NtQueryInformationThread (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1764,Tid=968,}, 0x0, ) == 0x0 01660 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57988, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1764, 760, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\6\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57989, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1764, 760, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\6\0\0\310\3\0\0" ) ) == 0x0 01661 760 NtResumeThread (504, ... 1, ) == 0x0 01662 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57147392, 1048576, ) == 0x0 01663 760 NtAllocateVirtualMemory (-1, 58187776, 0, 8192, 4096, 4, ... 58187776, 8192, ) == 0x0 01658 1248 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01664 968 NtTestAlert (... 01665 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... 01664 968 NtTestAlert ... ) == 0x0 01665 1248 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01666 968 NtContinue (57146672, 1, ... 01667 1248 NtQuerySystemInformation (Performance, 312, ... 01668 968 NtRegisterThreadTerminatePort (24, ... 01667 1248 NtQuerySystemInformation ... 
{system info, class 2, size 312}, 312, ) == 0x0 01668 968 NtRegisterThreadTerminatePort ... ) == 0x0 01669 1248 NtQuerySystemInformation (Exception, 16, ... 01670 760 NtProtectVirtualMemory (-1, (0x377e000), 4096, 260, ... 01671 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01670 760 NtProtectVirtualMemory ... (0x377e000), 4096, 4, ) == 0x0 01671 968 NtDuplicateObject ... 508, ) == 0x0 01672 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01673 968 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 01672 760 NtCreateThread ... 512, {1764, 308}, ) == 0x0 01673 968 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01674 760 NtQueryInformationThread (512, Basic, 28, ... 01675 968 NtWaitForSingleObject (68, 0, {0, 0}, ... 01674 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1764,Tid=308,}, 0x0, ) == 0x0 01675 968 NtWaitForSingleObject ... ) == 0x102 01669 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01676 968 NtWaitForSingleObject (128, 0, 0x0, ... 01677 1248 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01678 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01679 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01680 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0 01681 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\326\245\255xg\323U\232\325\206\221\353\210\36\277#!\331b\276\254\334\322\20U\11\300(\27\231BE\16\330\10\246|\220\205\202\336\263R\236g\201\20\240\\332\335\274c:\24o\27177\317K\17f\17<\332c<\351\372\216\320\205\336\301}\230\333\370\317", 80, ... 
) , 0, 3, (-2147481344, "Seed", 0, 3, "\326\245\255xg\323U\232\325\206\221\353\210\36\277#!\331b\276\254\334\322\20U\11\300(\27\231BE\16\330\10\246|\220\205\202\336\263R\236g\201\20\240\\332\335\274c:\24o\27177\317K\17f\17<\332c<\351\372\216\320\205\336\301}\230\333\370\317", 80, ... ) , 80, ... ) == 0x0 01682 1248 NtClose (-2147481344, ... 01683 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57989, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\6\0\04\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\6\0\04\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 57990, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\6\0\04\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\6\0\04\1\0\0" ) ) == 0x0 01684 760 NtResumeThread (512, ... 1, ) == 0x0 01685 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58195968, 1048576, ) == 0x0 01686 760 NtAllocateVirtualMemory (-1, 59236352, 0, 8192, 4096, 4, ... 59236352, 8192, ) == 0x0 01687 760 NtProtectVirtualMemory (-1, (0x387e000), 4096, 260, ... (0x387e000), 4096, 4, ) == 0x0 01688 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01682 1248 NtClose ... ) == 0x0 01689 308 NtTestAlert (... 01657 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "k!\311\270@\275\212\244\207a\177\247\360\234\1z\\275\231\356\224\22w\343PW\35\222\\334\1H\36UM\366\372\360%7~P\301\322\214x\22\347]\322?c1("\224H\15n\22\253\330@\324\36\341M\304\232\207o\246\3103"\24\23\340^\26<\312\300\333\307\357\331\370j\325\316\32%\177^;R\307\177O\312bI\240\311Xr\32\333\257\236\33,\312\276Q\313\203S\244Pr,\274&\27\242;|\321,ah@\314\0\277\340\371`\327\22\263\347"\205\220\326;\22\217\257\211\240]+\3253\325\245Dr\302\261\256\3j\210A\237\\376\3306\35\362\266\203e\315R\366T\20\253\243\345s\375\327\273C\353\202\271\324\10\2\3\256|\244\215\345\13j3\331\340\217R\252\316\4\202\354\210ZN\253s\257\352\210\366\205\210v\4+\321m\377\30\315\31\313e\316P-\353\324T"\373\365\305U\306\245\27_\362\311", ) \224H\15n\22\253\330@\324\36\341M\304\232\207o\246\3103 ... {status=0x0, info=256}, "k!\311\270@\275\212\244\207a\177\247\360\234\1z\\275\231\356\224\22w\343PW\35\222\\334\1H\36UM\366\372\360%7~P\301\322\214x\22\347]\322?c1("\224H\15n\22\253\330@\324\36\341M\304\232\207o\246\3103"\24\23\340^\26<\312\300\333\307\357\331\370j\325\316\32%\177^;R\307\177O\312bI\240\311Xr\32\333\257\236\33,\312\276Q\313\203S\244Pr,\274&\27\242;|\321,ah@\314\0\277\340\371`\327\22\263\347"\205\220\326;\22\217\257\211\240]+\3253\325\245Dr\302\261\256\3j\210A\237\\376\3306\35\362\266\203e\315R\366T\20\253\243\345s\375\327\273C\353\202\271\324\10\2\3\256|\244\215\345\13j3\331\340\217R\252\316\4\202\354\210ZN\253s\257\352\210\366\205\210v\4+\321m\377\30\315\31\313e\316P-\353\324T"\373\365\305U\306\245\27_\362\311", ) \205\220\326;\22\217\257\211\240]+\3253\325\245Dr\302\261\256\3j\210A\237\\376\3306\35\362\266\203e\315R\366T\20\253\243\345s\375\327\273C\353\202\271\324\10\2\3\256|\244\215\345\13j3\331\340\217R\252\316\4\202\354\210ZN\253s\257\352\210\366\205\210v\4+\321m\377\30\315\31\313e\316P-\353\324T ... 
{status=0x0, info=256}, "k!\311\270@\275\212\244\207a\177\247\360\234\1z\\275\231\356\224\22w\343PW\35\222\\334\1H\36UM\366\372\360%7~P\301\322\214x\22\347]\322?c1("\224H\15n\22\253\330@\324\36\341M\304\232\207o\246\3103"\24\23\340^\26<\312\300\333\307\357\331\370j\325\316\32%\177^;R\307\177O\312bI\240\311Xr\32\333\257\236\33,\312\276Q\313\203S\244Pr,\274&\27\242;|\321,ah@\314\0\277\340\371`\327\22\263\347"\205\220\326;\22\217\257\211\240]+\3253\325\245Dr\302\261\256\3j\210A\237\\376\3306\35\362\266\203e\315R\366T\20\253\243\345s\375\327\273C\353\202\271\324\10\2\3\256|\244\215\345\13j3\331\340\217R\252\316\4\202\354\210ZN\253s\257\352\210\366\205\210v\4+\321m\377\30\315\31\313e\316P-\353\324T"\373\365\305U\306\245\27_\362\311", ) , ) == 0x0 01689 308 NtTestAlert ... ) == 0x0 01690 1248 NtDeviceIoControlFile (356, 0, 0x0, 0x0, 0x390008, (356, 0, 0x0, 0x0, 0x390008, "z\336\234\22\33r\11v\2278\354\15\3075\323\6g0\212\256vt;g0\212\256vt;g0\212\256vt;g0\212\256vt;g0\212\256vt;g0\212\256v\240\272\341\22\267\32"!N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... !N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01691 308 NtContinue (58195248, 1, ... 01692 1248 NtQuerySystemInformation (TimeOfDay, 48, ... 01693 308 NtRegisterThreadTerminatePort (24, ... 
01692 1248 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01693 308 NtRegisterThreadTerminatePort ... ) == 0x0 01694 1248 NtQuerySystemInformation (ProcessorTimes, 48, ... 01688 760 NtCreateThread ... 516, {1764, 764}, ) == 0x0 01695 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01696 760 NtQueryInformationThread (516, Basic, 28, ... 01695 308 NtDuplicateObject ... 520, ) == 0x0 01696 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1764,Tid=764,}, 0x0, ) == 0x0 01697 308 NtWaitForSingleObject (68, 0, {0, 0}, ... 01698 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57990, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\6\0\0\374\2\0\0" ... ... 01697 308 NtWaitForSingleObject ... ) == 0x102 01698 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57991, 0} ... {28, 56, reply, 0, 1764, 760, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\6\0\0\374\2\0\0" ) ) == 0x0 01699 308 NtWaitForSingleObject (128, 0, 0x0, ... 01694 1248 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01700 760 NtResumeThread (516, ... 01701 1248 NtQuerySystemInformation (Performance, 312, ... 01700 760 NtResumeThread ... 1, ) == 0x0 01701 1248 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01702 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01703 1248 NtQuerySystemInformation (Exception, 16, ... 01702 760 NtAllocateVirtualMemory ... 59244544, 1048576, ) == 0x0 01703 1248 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01704 760 NtAllocateVirtualMemory (-1, 60284928, 0, 8192, 4096, 4, ... 01705 1248 NtQuerySystemInformation (Lookaside, 32, ... 01704 760 NtAllocateVirtualMemory ... 60284928, 8192, ) == 0x0 01706 764 NtTestAlert (... 01705 1248 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01706 764 NtTestAlert ... 
) == 0x0 01707 1248 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01708 764 NtContinue (59243824, 1, ... 01707 1248 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01709 764 NtRegisterThreadTerminatePort (24, ... 01710 1248 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01709 764 NtRegisterThreadTerminatePort ... ) == 0x0 01710 1248 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01711 760 NtProtectVirtualMemory (-1, (0x397e000), 4096, 260, ... 01712 1248 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01711 760 NtProtectVirtualMemory ... (0x397e000), 4096, 4, ) == 0x0 01713 764 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01714 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01713 764 NtDuplicateObject ... 524, ) == 0x0 01714 760 NtCreateThread ... 528, {1764, 2000}, ) == 0x0 01715 764 NtWaitForSingleObject (68, 0, {0, 0}, ... 01716 760 NtQueryInformationThread (528, Basic, 28, ... 01715 764 NtWaitForSingleObject ... ) == 0x102 01716 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1764,Tid=2000,}, 0x0, ) == 0x0 01717 764 NtWaitForSingleObject (128, 0, 0x0, ... 01712 1248 NtCreateKey ... -2147481344, 2, ) == 0x0 01718 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57991, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\6\0\0\320\7\0\0" ... ... 01719 1248 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "NvJ\312\20^\2639g\3\370\34M$\25\347+\27\17\302/F\0\322\332\33h\313Y`|c+*\371\270g\327\30 @\325\212{?U\0s\261\353\367C\360\301f+\362\247\231\0\327\246\375\212{\260\254\2337\246\20\260j\374RQ;\303\312\353", 80, ... 
, 0, 3, (-2147481344, "Seed", 0, 3, "NvJ\312\20^\2639g\3\370\34M$\25\347+\27\17\302/F\0\322\332\33h\313Y`|c+*\371\270g\327\30 @\325\212{?U\0s\261\353\367C\360\301f+\362\247\231\0\327\246\375\212{\260\254\2337\246\20\260j\374RQ;\303\312\353", 80, ... , 80, ... 01718 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57992, 0} ... {28, 56, reply, 0, 1764, 760, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\6\0\0\320\7\0\0" ) ) == 0x0 01719 1248 NtSetValueKey ... ) == 0x0 01720 760 NtResumeThread (528, ... 01721 1248 NtClose (-2147481344, ... 01720 760 NtResumeThread ... 1, ) == 0x0 01721 1248 NtClose ... ) == 0x0 01722 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01690 1248 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\31\306\342\221\301\276\204\3t\3674\313RY+\212\207\215\352\267\354E\15\36=\2\234\27\225G\335\355K\261\357)\34o\17\315\20\34\250\14\363f\266E\244U\253\6\371\315E\260a\323\16y\3726\15Z\361T\377\254i>FQP\275Lo\374\271\11Q!\277\274\213\37ca\230\30\221\12\344C^\261)Z\373\271F\351\20\235e\10\345\314\23|rN>\334$\344"\230\330\37\323\217>.n=/'4\350\337\264\366\216\25vi1\375O +\25C/\27\12\207&\300_\257\217\37\6\257\33\214\307W9q\31\243\32\20!v\3036#\276\237&\243\341aN\276\34\362w\11\317\303\355UF7\312\33\330\305\261\246{J\39\316\216\1,\22\354,\337\215\261\16\340\357}W*\200\6A\262B\302\355\333-\366\362\261y\222W#\342\226\5\270\237~\246u\276\203\366\272@\336h!\317_\317mt\363\357\253\14J", ) \230\330\37\323\217>.n=/'4\350\337\264\366\216\25vi1\375O +\25C/\27\12\207&\300_\257\217\37\6\257\33\214\307W9q\31\243\32\20!v\3036#\276\237&\243\341aN\276\34\362w\11\317\303\355UF7\312\33\330\305\261\246{J\39\316\216\1,\22\354,\337\215\261\16\340\357}W*\200\6A\262B\302\355\333-\366\362\261y\222W#\342\226\5\270\237~\246u\276\203\366\272@\336h!\317_\317mt\363\357\253\14J", ) == 0x0 01723 2000 NtTestAlert (... 01722 760 NtAllocateVirtualMemory ... 60293120, 1048576, ) == 0x0 01723 2000 NtTestAlert ... 
) == 0x0 01724 760 NtAllocateVirtualMemory (-1, 61333504, 0, 8192, 4096, 4, ... 01725 2000 NtContinue (60292400, 1, ... 01724 760 NtAllocateVirtualMemory ... 61333504, 8192, ) == 0x0 01726 2000 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01727 2000 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 532, ) == 0x0 01728 2000 NtWaitForSingleObject (68, 0, {0, 0}, ... ) == 0x102 01729 2000 NtWaitForSingleObject (128, 0, 0x0, ... 01730 760 NtProtectVirtualMemory (-1, (0x3a7e000), 4096, 260, ... 01731 1248 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01730 760 NtProtectVirtualMemory ... (0x3a7e000), 4096, 4, ) == 0x0 01731 1248 NtCreateEvent ... 536, ) == 0x0 01732 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01733 1248 NtSetEventBoostPriority (440, ... 01732 760 NtCreateThread ... 540, {1764, 1852}, ) == 0x0 01504 1972 NtWaitForSingleObject ... ) == 0x0 01733 1248 NtSetEventBoostPriority ... ) == 0x0 01734 1972 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 01735 760 NtQueryInformationThread (540, Basic, 28, ... 01734 1972 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 01736 1248 NtWaitForSingleObject (288, 0, 0x0, ... 01737 1972 NtSetEventBoostPriority (288, ... 01735 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1764,Tid=1852,}, 0x0, ) == 0x0 01736 1248 NtWaitForSingleObject ... ) == 0x0 01737 1972 NtSetEventBoostPriority ... ) == 0x0 01738 1248 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199596, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199596, 188, ... 01739 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 544, ) == 0x0 01740 1972 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... 548, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... 
548, 0x0, 0x0, 0x0, 188, ) == 0x0 01741 1972 NtRequestWaitReplyPort (548, {200, 224, new_msg, 0, 2883626, 1356488, 12, 2} (548, {200, 224, new_msg, 0, 2883626, 1356488, 12, 2} "\0\1\0\0 \5\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\107\24\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\26\0e\362\371H\310MXL\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\1\0(\0\0\0`L\25\0\351\361\246\322 \5\24\0\200L\25\0h\1\24\0\0\0\0\0\0\0\0\0\200L\25\0P\0\0\0\210L\25\0\360\6\221|\370\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1764, 1972, 57995, 0} "\7\1\0\0 \5\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\26\0e\362\371H\310MXL\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\1\0(\0\0\0`L\25\0\351\361\246\322 \5\24\0\200L\25\0h\1\24\0\0\0\0\0\0\0\0\0\200L\25\0P\0\0\0\210L\25\0\360\6\221|\370\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ... {200, 224, reply, 0, 1764, 1972, 57995, 0} (548, {200, 224, new_msg, 0, 2883626, 1356488, 12, 2} "\0\1\0\0 \5\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\107\24\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\26\0e\362\371H\310MXL\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\1\0(\0\0\0`L\25\0\351\361\246\322 \5\24\0\200L\25\0h\1\24\0\0\0\0\0\0\0\0\0\200L\25\0P\0\0\0\210L\25\0\360\6\221|\370\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... 
{200, 224, reply, 0, 1764, 1972, 57995, 0} "\7\1\0\0 \5\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\26\0e\362\371H\310MXL\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\1\0(\0\0\0`L\25\0\351\361\246\322 \5\24\0\200L\25\0h\1\24\0\0\0\0\0\0\0\0\0\200L\25\0P\0\0\0\210L\25\0\360\6\221|\370\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 01742 1972 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 0, 0, 0, 0} (548, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\350M\25\0\322\0\0\0" ... {40, 64, reply, 0, 1764, 1972, 57996, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ... {40, 64, reply, 0, 1764, 1972, 57996, 0} (548, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\350M\25\0\322\0\0\0" ... {40, 64, reply, 0, 1764, 1972, 57996, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 01743 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57992, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\6\0\0<\7\0\0" ... ... 01738 1248 NtConnectPort ... 552, 0x0, 0x0, 0x0, 188, ) == 0x0 01743 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 57997, 0} ... 
{28, 56, reply, 0, 1764, 760, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\6\0\0<\7\0\0" ) ) == 0x0 01744 1248 NtRequestWaitReplyPort (552, {200, 224, new_msg, 0, 1379672, 12, 2, 1310721} (552, {200, 224, new_msg, 0, 1379672, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0m\354_\3\206 q\25@A\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\2405\25\0V\234\242_x\1\24\08A\25\0h\1\24\0\0\0\0\0\0\0\0\08A\25\0P\0\0\0@A\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\347\0\372\31\221|\200\363\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01745 760 NtResumeThread (540, ... 1, ) == 0x0 01746 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01744 1248 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1764, 1248, 57998, 0} ... {200, 224, reply, 0, 1764, 1248, 57998, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0m\354_\3\206 q\25@A\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\2405\25\0V\234\242_x\1\24\08A\25\0h\1\24\0\0\0\0\0\0\0\0\08A\25\0P\0\0\0@A\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\347\0\372\31\221|\200\363\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01747 1972 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 01748 1852 NtTestAlert (... 01749 1248 NtRequestWaitReplyPort (552, {44, 68, new_msg, 0, 1764, 1248, 57973, 0} (552, {44, 68, new_msg, 0, 1764, 1248, 57973, 0} "\1\356\0\0A\2\4\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 01747 1972 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 01748 1852 NtTestAlert ... 
) == 0x0 01750 1972 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 11006452, 1396192, 0} (548, {64, 88, new_msg, 56, 1310720, 11006452, 1396192, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\340N\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01751 1852 NtContinue (61340976, 1, ... 01752 1852 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01750 1972 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1764, 1972, 58000, 0} ... {64, 88, reply, 56, 1764, 1972, 58000, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\340N\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01746 760 NtAllocateVirtualMemory ... 61341696, 1048576, ) == 0x0 01749 1248 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1764, 1248, 57999, 0} ... {40, 64, reply, 0, 1764, 1248, 57999, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\320\1\0\0X-\12\0" ) ) == 0x0 01753 1972 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 1764, 1972, 57996, 0} (548, {44, 68, new_msg, 56, 1764, 1972, 57996, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\350M\25\0\322\0\0\0" ... ... 01754 760 NtAllocateVirtualMemory (-1, 62382080, 0, 8192, 4096, 4, ... 01755 1248 NtRequestWaitReplyPort (552, {64, 88, new_msg, 56, 1373504, 15200108, 15200208, 0} (552, {64, 88, new_msg, 56, 1373504, 15200108, 15200208, 0} "\10\357\347\0@\0\24\0\346\277\347w\320\357\347\0l\357\347\0\20\0\0\0\250.\362v\264\365\24\0\1\0\0\0\330[\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\362\24\0" ... ... 01756 1852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01754 760 NtAllocateVirtualMemory ... 62382080, 8192, ) == 0x0 01756 1852 NtDuplicateObject ... 556, ) == 0x0 01757 760 NtProtectVirtualMemory (-1, (0x3b7e000), 4096, 260, ... 01755 1248 NtRequestWaitReplyPort ... 
{64, 88, reply, 56, 1764, 1248, 58001, 0} ... {64, 88, reply, 56, 1764, 1248, 58001, 0} "\10\357\347\0@\0\24\0\346\277\347w\320\357\347\0l\357\347\0\20\0\0\0\250.\362v\264\365\24\0\1\0\0\0\330[\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\362\24\0" ) ) == 0x0 01758 1852 NtWaitForSingleObject (68, 0, {0, 0}, ... 01757 760 NtProtectVirtualMemory ... (0x3b7e000), 4096, 4, ) == 0x0 01759 1248 NtClose (536, ... 01758 1852 NtWaitForSingleObject ... ) == 0x102 01760 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01759 1248 NtClose ... ) == 0x0 01761 1852 NtWaitForSingleObject (128, 0, 0x0, ... 01753 1972 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1764, 1972, 58002, 0} ... {40, 64, reply, 0, 1764, 1972, 58002, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" ) ) == 0x0 01760 760 NtCreateThread ... 536, {1764, 1420}, ) == 0x0 01762 1248 NtClose (552, ... 01763 1972 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} (548, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\230D\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01764 760 NtQueryInformationThread (536, Basic, 28, ... 01762 1248 NtClose ... ) == 0x0 01764 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1764,Tid=1420,}, 0x0, ) == 0x0 01765 1248 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01763 1972 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1764, 1972, 58004, 0} ... 
{64, 88, reply, 56, 1764, 1972, 58004, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\230D\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01766 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 57997, 0} (24, {28, 56, new_msg, 0, 1764, 760, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\6\0\0\214\5\0\0" ... ... 01765 1248 NtCreateKey ... 552, 2, ) == 0x0 01767 1972 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 1764, 1972, 58002, 0} (548, {44, 68, new_msg, 56, 1764, 1972, 58002, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\350M\25\0\322\0\0\0" ... ... 01766 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58005, 0} ... {28, 56, reply, 0, 1764, 760, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\6\0\0\214\5\0\0" ) ) == 0x0 01768 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01767 1972 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1764, 1972, 58006, 0} ... {40, 64, reply, 0, 1764, 1972, 58006, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" ) ) == 0x0 01768 1248 NtOpenKey ... 560, ) == 0x0 01769 1972 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} (548, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0PG\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01770 760 NtResumeThread (536, ... 1, ) == 0x0 01771 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62390272, 1048576, ) == 0x0 01772 760 NtAllocateVirtualMemory (-1, 63430656, 0, 8192, 4096, 4, ... 63430656, 8192, ) == 0x0 01769 1972 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1764, 1972, 58007, 0} ... 
{64, 88, reply, 56, 1764, 1972, 58007, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0PG\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01773 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01774 1420 NtTestAlert (... 01775 1972 NtClose (544, ... 01773 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01774 1420 NtTestAlert ... ) == 0x0 01776 760 NtProtectVirtualMemory (-1, (0x3c7e000), 4096, 260, ... 01777 1248 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 01778 1420 NtContinue (62389552, 1, ... 01776 760 NtProtectVirtualMemory ... (0x3c7e000), 4096, 4, ) == 0x0 01777 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01779 1420 NtRegisterThreadTerminatePort (24, ... 01780 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01781 1248 NtQueryValueKey (552, (552, "Domain", Partial, 144, ... , Partial, 144, ... 01779 1420 NtRegisterThreadTerminatePort ... ) == 0x0 01780 760 NtCreateThread ... 564, {1764, 164}, ) == 0x0 01781 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01775 1972 NtClose ... ) == 0x0 01782 760 NtQueryInformationThread (564, Basic, 28, ... 01783 1420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01784 1972 NtClose (548, ... 01782 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1764,Tid=164,}, 0x0, ) == 0x0 01783 1420 NtDuplicateObject ... 544, ) == 0x0 01784 1972 NtClose ... ) == 0x0 01785 1248 NtQueryValueKey (552, (552, "Domain", Partial, 144, ... , Partial, 144, ... 01786 1420 NtWaitForSingleObject (68, 0, {0, 0}, ... 01787 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01785 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01786 1420 NtWaitForSingleObject ... ) == 0x102 01787 1972 NtCreateEvent ... 548, ) == 0x0 01788 1248 NtClose (552, ... 01789 1420 NtWaitForSingleObject (128, 0, 0x0, ... 01790 1972 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 01788 1248 NtClose ... ) == 0x0 01791 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58005, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\6\0\0\244\0\0\0" ... ... 01792 1248 NtClose (560, ... 01791 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58010, 0} ... {28, 56, reply, 0, 1764, 760, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\6\0\0\244\0\0\0" ) ) == 0x0 01792 1248 NtClose ... ) == 0x0 01793 760 NtResumeThread (564, ... 01790 1972 NtOpenKey ... 560, ) == 0x0 01793 760 NtResumeThread ... 1, ) == 0x0 01794 1972 NtOpenKey (0x20019, {24, 560, 0x40, 0, 0, (0x20019, {24, 560, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 01795 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01794 1972 NtOpenKey ... 552, ) == 0x0 01796 1248 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01797 164 NtTestAlert (... 01798 1972 NtQueryValueKey (552, (552, "ComputerName", Full, 108, ... , Full, 108, ... 01796 1248 NtOpenKey ... 568, ) == 0x0 01797 164 NtTestAlert ... ) == 0x0 01798 1972 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01799 1248 NtQueryValueKey (568, (568, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 01800 164 NtContinue (63438128, 1, ... 01801 1972 NtClose (552, ... 01799 1248 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01802 164 NtRegisterThreadTerminatePort (24, ... 01795 760 NtAllocateVirtualMemory ... 63438848, 1048576, ) == 0x0 01803 1248 NtClose (568, ... 01802 164 NtRegisterThreadTerminatePort ... ) == 0x0 01804 760 NtAllocateVirtualMemory (-1, 64479232, 0, 8192, 4096, 4, ... 01803 1248 NtClose ... ) == 0x0 01801 1972 NtClose ... ) == 0x0 01804 760 NtAllocateVirtualMemory ... 64479232, 8192, ) == 0x0 01805 164 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01806 1972 NtClose (560, ... 01807 760 NtProtectVirtualMemory (-1, (0x3d7e000), 4096, 260, ... 01805 164 NtDuplicateObject ... 552, ) == 0x0 01806 1972 NtClose ... ) == 0x0 01807 760 NtProtectVirtualMemory ... (0x3d7e000), 4096, 4, ) == 0x0 01808 164 NtWaitForSingleObject (68, 0, {0, 0}, ... 01809 1972 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 01810 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01808 164 NtWaitForSingleObject ... ) == 0x102 01809 1972 NtCreateIoCompletion ... 560, ) == 0x0 01811 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15199184, ... }, 15199184, ... 01812 164 NtWaitForSingleObject (128, 0, 0x0, ... 01813 1972 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 01811 1248 NtQueryAttributesFile ... ) == 0x0 01810 760 NtCreateThread ... 568, {1764, 1592}, ) == 0x0 01814 1248 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01815 760 NtQueryInformationThread (568, Basic, 28, ... 01814 1248 NtOpenFile ... 572, {status=0x0, info=1}, ) == 0x0 01815 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1764,Tid=1592,}, 0x0, ) == 0x0 01816 1248 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 572, ... 01817 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58010, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\6\0\08\6\0\0" ... ... 
01816 1248 NtCreateSection ... 576, ) == 0x0 01817 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58011, 0} ... {28, 56, reply, 0, 1764, 760, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\6\0\08\6\0\0" ) ) == 0x0 01813 1972 NtCreateIoCompletion ... 580, ) == 0x0 01818 1248 NtClose (572, ... 01819 1972 NtDuplicateObject (-1, 560, -1, 0x0, 0, 2, ... 01818 1248 NtClose ... ) == 0x0 01819 1972 NtDuplicateObject ... 572, ) == 0x0 01820 1248 NtMapViewOfSection (576, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01821 1972 NtOpenThreadToken (-2, 0xc, 1, ... 01820 1248 NtMapViewOfSection ... (0x850000), 0x0, 20480, ) == 0x0 01821 1972 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01822 1248 NtClose (576, ... 01823 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01822 1248 NtClose ... ) == 0x0 01824 760 NtResumeThread (568, ... 01823 1972 NtCreateEvent ... 576, ) == 0x0 01824 760 NtResumeThread ... 1, ) == 0x0 01825 1972 NtOpenThreadToken (-2, 0xc, 1, ... 01826 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01825 1972 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01826 760 NtAllocateVirtualMemory ... 64487424, 1048576, ) == 0x0 01827 1972 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01828 760 NtAllocateVirtualMemory (-1, 65527808, 0, 8192, 4096, 4, ... 01827 1972 NtSetInformationThread ... ) == 0x0 01828 760 NtAllocateVirtualMemory ... 65527808, 8192, ) == 0x0 01829 1972 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 11006144, (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 01830 1592 NtWaitForSingleObject (92, 0, 0x0, ... 01831 760 NtProtectVirtualMemory (-1, (0x3e7e000), 4096, 260, ... 01832 1248 NtUnmapViewOfSection (-1, 0x850000, ... 01831 760 NtProtectVirtualMemory ... (0x3e7e000), 4096, 4, ) == 0x0 01832 1248 NtUnmapViewOfSection ... ) == 0x0 01833 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01834 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15199492, ... }, 15199492, ... 01833 760 NtCreateThread ... 584, {1764, 2032}, ) == 0x0 01834 1248 NtQueryAttributesFile ... ) == 0x0 01835 760 NtQueryInformationThread (584, Basic, 28, ... 01829 1972 NtCreateFile ... 588, {status=0x0, info=1}, ) == 0x0 01835 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1764,Tid=2032,}, 0x0, ) == 0x0 01836 1972 NtSetInformationFile (588, 11006200, 8, Pipe, ... 01837 1248 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01836 1972 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01837 1248 NtOpenFile ... 592, {status=0x0, info=1}, ) == 0x0 01838 1972 NtSetInformationFile (588, 11006188, 8, Completion, ... 01839 1248 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 592, ... 01838 1972 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01839 1248 NtCreateSection ... 596, ) == 0x0 01840 1972 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01841 1248 NtQuerySection (596, Image, 48, ... 01842 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58011, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\6\0\0\360\7\0\0" ... ... 01841 1248 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01842 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58012, 0} ... {28, 56, reply, 0, 1764, 760, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\6\0\0\360\7\0\0" ) ) == 0x0 01840 1972 NtSetInformationThread ... ) == 0x0 01843 760 NtResumeThread (584, ... 01844 1972 NtWriteFile (588, 341, 0, 0, (588, 341, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... 
, 72, {0, 0}, 0, ... 01843 760 NtResumeThread ... 1, ) == 0x0 01844 1972 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 01845 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01846 1972 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 01847 1248 NtClose (592, ... 01848 2032 NtWaitForSingleObject (92, 0, 0x0, ... 01846 1972 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 01847 1248 NtClose ... ) == 0x0 01849 1972 NtReadFile (588, 341, 0, 0, 1024, {0, 0}, 0, ... 01850 1248 NtMapViewOfSection (596, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01845 760 NtAllocateVirtualMemory ... 65536000, 1048576, ) == 0x0 01850 1248 NtMapViewOfSection ... (0x76fb0000), 0x0, 32768, ) == 0x0 01851 760 NtAllocateVirtualMemory (-1, 66576384, 0, 8192, 4096, 4, ... 01852 1248 NtClose (596, ... 01851 760 NtAllocateVirtualMemory ... 66576384, 8192, ) == 0x0 01852 1248 NtClose ... ) == 0x0 01853 760 NtProtectVirtualMemory (-1, (0x3f7e000), 4096, 260, ... 01849 1972 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01853 760 NtProtectVirtualMemory ... (0x3f7e000), 4096, 4, ) == 0x0 01854 1972 NtFsControlFile (588, 341, 0x0, 0x0, 0x11c017, (588, 341, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 01855 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01854 1972 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01856 1248 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 
01857 1972 NtFsControlFile (588, 341, 0x0, 0x0, 0x11c017, (588, 341, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0\330H\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 01856 1248 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01857 1972 NtFsControlFile ... {status=0x103, info=48}, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , ) == 0x103 01858 1248 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01859 1972 NtFsControlFile (588, 341, 0x0, 0x0, 0x11c017, (588, 341, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... , 44, 1024, ... 01858 1248 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01855 760 NtCreateThread ... 596, {1764, 1500}, ) == 0x0 01859 1972 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\360Z\25\0\1\0\0\0\374Z\25\0 \0\0\0\1\0\0\0\30\0\32\0\10[\25\0$[\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0X[\25\0\1\0\0\0\5\0i\0h[\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01860 760 NtQueryInformationThread (596, Basic, 28, ... 01861 1972 NtClose (576, ... 01860 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1764,Tid=1500,}, 0x0, ) == 0x0 01861 1972 NtClose ... ) == 0x0 01862 1248 NtFlushInstructionCache (-1, 1996165120, 232, ... 01863 1972 NtClose (588, ... 01862 1248 NtFlushInstructionCache ... ) == 0x0 01863 1972 NtClose ... ) == 0x0 01864 1248 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 
01865 1972 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1379672, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1379672, 0x0, 11008068, 188, ... 01864 1248 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01866 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58012, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\6\0\0\334\5\0\0" ... ... 01867 1248 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01866 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58013, 0} ... {28, 56, reply, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\6\0\0\334\5\0\0" ) ) == 0x0 01867 1248 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01868 760 NtResumeThread (596, ... 01865 1972 NtSecureConnectPort ... 588, 0x0, 0x0, 0x0, 188, ) == 0x0 01868 760 NtResumeThread ... 1, ) == 0x0 01869 1972 NtOpenThreadToken (-2, 0xc, 1, ... 01870 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01869 1972 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01871 1248 NtFlushInstructionCache (-1, 1996165120, 232, ... 01872 1500 NtWaitForSingleObject (92, 0, 0x0, ... 01873 1972 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01871 1248 NtFlushInstructionCache ... ) == 0x0 01873 1972 NtSetInformationThread ... ) == 0x0 01874 1248 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ... 01870 760 NtAllocateVirtualMemory ... 66584576, 1048576, ) == 0x0 01874 1248 NtOpenSection ... 576, ) == 0x0 01875 760 NtAllocateVirtualMemory (-1, 67624960, 0, 8192, 4096, 4, ... 01876 1248 NtMapViewOfSection (576, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01875 760 NtAllocateVirtualMemory ... 67624960, 8192, ) == 0x0 01876 1248 NtMapViewOfSection ... (0x76f60000), 0x0, 180224, ) == 0x0 01877 760 NtProtectVirtualMemory (-1, (0x407e000), 4096, 260, ... 
01878 1972 NtRequestWaitReplyPort (588, {200, 224, new_msg, 0, 1356488, 12, 2, 1310977} (588, {200, 224, new_msg, 0, 1356488, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\234\6S\254\243{M\226\302\375\352x\344\23yA\12\0\0\0\361\317\200\267xx\206\35\0\0\0\0\360\37\25\0\335\3131\17\324\242\205\231(\0\0\0\257\22\0\5\0\0\24\0\240\366\247\0\373'\303O\0\0\0\0\3008\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01877 760 NtProtectVirtualMemory ... (0x407e000), 4096, 4, ) == 0x0 01879 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01878 1972 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1764, 1972, 58015, 0} ... {200, 224, reply, 0, 1764, 1972, 58015, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\234\6S\254\243{M\226\302\375\352x\344\23yA\12\0\0\0\361\317\200\267xx\206\35\0\0\0\0\360\37\25\0\335\3131\17\324\242\205\231(\0\0\0\257\22\0\5\0\0\24\0\240\366\247\0\373'\303O\0\0\0\0\3008\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01880 1248 NtClose (576, ... 01881 1972 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01880 1248 NtClose ... ) == 0x0 01881 1972 NtSetInformationThread ... ) == 0x0 01882 1248 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... 01883 1972 NtRequestWaitReplyPort (588, {56, 80, new_msg, 0, 44, 3, 20, 0} (588, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\215\373FC\227[\347p\214Nse\1\0\0\0\0\0\0\0&\0(\0\250\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 01882 1248 NtProtectVirtualMemory ... 
(0x76f61000), 4096, 32, ) == 0x0 01879 760 NtCreateThread ... 576, {1764, 932}, ) == 0x0 01884 1248 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 01885 760 NtQueryInformationThread (576, Basic, 28, ... 01884 1248 NtProtectVirtualMemory ... (0x76f61000), 4096, 4, ) == 0x0 01885 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1764,Tid=932,}, 0x0, ) == 0x0 01886 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58013, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\6\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58017, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\6\0\0\244\3\0\0" ) ) == 0x0 01887 760 NtResumeThread (576, ... 1, ) == 0x0 01888 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 67633152, 1048576, ) == 0x0 01889 760 NtAllocateVirtualMemory (-1, 68673536, 0, 8192, 4096, 4, ... 68673536, 8192, ) == 0x0 01890 1248 NtFlushInstructionCache (-1, 1995837440, 228, ... 01891 932 NtWaitForSingleObject (92, 0, 0x0, ... 01890 1248 NtFlushInstructionCache ... ) == 0x0 01892 1248 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 01893 1248 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 01894 1248 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 01895 1248 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0 01896 1248 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 01897 760 NtProtectVirtualMemory (-1, (0x417e000), 4096, 260, ... (0x417e000), 4096, 4, ) == 0x0 01898 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
592, {1764, 1528}, ) == 0x0 01899 760 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1764,Tid=1528,}, 0x0, ) == 0x0 01900 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58017, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\370\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\370\5\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58018, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\370\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\370\5\0\0" ) ) == 0x0 01901 760 NtResumeThread (592, ... 1, ) == 0x0 01902 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01903 1248 NtFlushInstructionCache (-1, 1996165120, 232, ... 01883 1972 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1764, 1972, 58016, 0} ... {44, 68, reply, 0, 1764, 1972, 58016, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01904 1528 NtWaitForSingleObject (92, 0, 0x0, ... 01903 1248 NtFlushInstructionCache ... ) == 0x0 01905 1972 NtRaiseException (11008528, 11007788, 1, ... 01906 1248 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ... 01907 1972 NtQueryVirtualMemory (-1, 0x77ea0470, BasicVlm, 16, ... 01906 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01907 1972 NtQueryVirtualMemory ... {memory info, class 3, size 16}, 0x0, ) == 0x0 01908 1248 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01909 1972 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 01908 1248 NtCreateEvent ... 600, ) == 0x0 01902 760 NtAllocateVirtualMemory ... 68681728, 1048576, ) == 0x0 01909 1972 NtQueryVirtualMemory ... 
{BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 01910 760 NtAllocateVirtualMemory (-1, 69722112, 0, 8192, 4096, 4, ... 01911 1972 NtContinue (11006756, 0, ... 01910 760 NtAllocateVirtualMemory ... 69722112, 8192, ) == 0x0 01912 760 NtProtectVirtualMemory (-1, (0x427e000), 4096, 260, ... (0x427e000), 4096, 4, ) == 0x0 01913 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01914 1972 NtDeviceIoControlFile (424, 100, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103 01915 1972 NtWaitForSingleObject (100, 1, {-5000000, -1}, ... 01913 760 NtCreateThread ... 604, {1764, 1780}, ) == 0x0 01916 760 NtQueryInformationThread (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1764,Tid=1780,}, 0x0, ) == 0x0 01917 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58018, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\6\0\0\364\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\6\0\0\364\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58019, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\6\0\0\364\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\6\0\0\364\6\0\0" ) ) == 0x0 01918 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 608, ) }, ... 608, ) == 0x0 01919 1248 NtQueryValueKey (608, (608, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (608, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01920 1248 NtClose (608, ... 
) == 0x0 01921 1248 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01922 760 NtResumeThread (604, ... 1, ) == 0x0 01923 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 69730304, 1048576, ) == 0x0 01924 760 NtAllocateVirtualMemory (-1, 70770688, 0, 8192, 4096, 4, ... 70770688, 8192, ) == 0x0 01925 1248 NtAllocateVirtualMemory (-1, 8806400, 0, 4096, 4096, 4, ... 01926 1780 NtWaitForSingleObject (92, 0, 0x0, ... 01925 1248 NtAllocateVirtualMemory ... 8806400, 4096, ) == 0x0 01927 1248 NtQueryPerformanceCounter (... {925311986, 10}, {3579545, 0}, ) == 0x0 01928 1248 NtSetEventBoostPriority (92, ... 01830 1592 NtWaitForSingleObject ... ) == 0x0 01929 1592 NtSetEventBoostPriority (92, ... 01848 2032 NtWaitForSingleObject ... ) == 0x0 01930 2032 NtSetEventBoostPriority (92, ... 01872 1500 NtWaitForSingleObject ... ) == 0x0 01931 1500 NtSetEventBoostPriority (92, ... 01891 932 NtWaitForSingleObject ... ) == 0x0 01932 932 NtSetEventBoostPriority (92, ... 01904 1528 NtWaitForSingleObject ... ) == 0x0 01933 1528 NtSetEventBoostPriority (92, ... 01926 1780 NtWaitForSingleObject ... ) == 0x0 01934 1780 NtTestAlert (... ) == 0x0 01933 1528 NtSetEventBoostPriority ... ) == 0x0 01932 932 NtSetEventBoostPriority ... ) == 0x0 01931 1500 NtSetEventBoostPriority ... ) == 0x0 01930 2032 NtSetEventBoostPriority ... ) == 0x0 01929 1592 NtSetEventBoostPriority ... ) == 0x0 01928 1248 NtSetEventBoostPriority ... ) == 0x0 01935 760 NtProtectVirtualMemory (-1, (0x437e000), 4096, 260, ... 01936 1780 NtContinue (69729584, 1, ... 01937 1528 NtTestAlert (... 01938 932 NtTestAlert (... 01939 1500 NtTestAlert (... 01940 2032 NtTestAlert (... 01941 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15199184, ... }, 15199184, ... 
01935 760 NtProtectVirtualMemory ... (0x437e000), 4096, 4, ) == 0x0 01942 1780 NtRegisterThreadTerminatePort (24, ... 01937 1528 NtTestAlert ... ) == 0x0 01938 932 NtTestAlert ... ) == 0x0 01939 1500 NtTestAlert ... ) == 0x0 01940 2032 NtTestAlert ... ) == 0x0 01941 1248 NtQueryAttributesFile ... ) == 0x0 01943 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01942 1780 NtRegisterThreadTerminatePort ... ) == 0x0 01944 1528 NtContinue (68681008, 1, ... 01945 932 NtContinue (67632432, 1, ... 01946 1500 NtContinue (66583856, 1, ... 01947 2032 NtContinue (65535280, 1, ... 01948 1248 NtQuerySystemInformation (Basic, 44, ... 01943 760 NtCreateThread ... 608, {1764, 1804}, ) == 0x0 01949 1780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01950 1528 NtRegisterThreadTerminatePort (24, ... 01951 932 NtRegisterThreadTerminatePort (24, ... 01952 1500 NtRegisterThreadTerminatePort (24, ... 01953 2032 NtRegisterThreadTerminatePort (24, ... 01948 1248 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01954 760 NtQueryInformationThread (608, Basic, 28, ... 01949 1780 NtDuplicateObject ... 612, ) == 0x0 01950 1528 NtRegisterThreadTerminatePort ... ) == 0x0 01951 932 NtRegisterThreadTerminatePort ... ) == 0x0 01952 1500 NtRegisterThreadTerminatePort ... ) == 0x0 01953 2032 NtRegisterThreadTerminatePort ... ) == 0x0 01955 1248 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 01954 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1764,Tid=1804,}, 0x0, ) == 0x0 01956 1780 NtWaitForSingleObject (68, 0, {0, 0}, ... 01957 1528 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01958 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01959 1500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01960 2032 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01961 1592 NtTestAlert (... 01955 1248 NtAllocateVirtualMemory ... 8716288, 65536, ) == 0x0 01962 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58019, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\6\0\0\14\7\0\0" ... ... 01956 1780 NtWaitForSingleObject ... ) == 0x102 01957 1528 NtDuplicateObject ... 616, ) == 0x0 01958 932 NtDuplicateObject ... 620, ) == 0x0 01959 1500 NtDuplicateObject ... 624, ) == 0x0 01961 1592 NtTestAlert ... ) == 0x0 01963 1248 NtAllocateVirtualMemory (-1, 8716288, 0, 4096, 4096, 4, ... 01962 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58020, 0} ... {28, 56, reply, 0, 1764, 760, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\6\0\0\14\7\0\0" ) ) == 0x0 01964 1780 NtWaitForSingleObject (128, 0, 0x0, ... 01965 1528 NtWaitForSingleObject (68, 0, {0, 0}, ... 01966 932 NtWaitForSingleObject (68, 0, {0, 0}, ... 01967 1500 NtWaitForSingleObject (68, 0, {0, 0}, ... 01968 1592 NtContinue (64486704, 1, ... 01963 1248 NtAllocateVirtualMemory ... 8716288, 4096, ) == 0x0 01969 760 NtResumeThread (608, ... 01965 1528 NtWaitForSingleObject ... ) == 0x102 01966 932 NtWaitForSingleObject ... ) == 0x102 01967 1500 NtWaitForSingleObject ... ) == 0x102 01970 1592 NtRegisterThreadTerminatePort (24, ... 01971 1248 NtAllocateVirtualMemory (-1, 8720384, 0, 8192, 4096, 4, ... 01969 760 NtResumeThread ... 1, ) == 0x0 01972 1528 NtWaitForSingleObject (128, 0, 0x0, ... 01973 932 NtWaitForSingleObject (128, 0, 0x0, ... 01974 1500 NtWaitForSingleObject (128, 0, 0x0, ... 01970 1592 NtRegisterThreadTerminatePort ... ) == 0x0 01971 1248 NtAllocateVirtualMemory ... 8720384, 8192, ) == 0x0 01975 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01976 1592 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01977 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15199184, ... 
}, 15199184, ... 01960 2032 NtDuplicateObject ... 628, ) == 0x0 01978 1804 NtWaitForSingleObject (92, 0, 0x0, ... 01975 760 NtAllocateVirtualMemory ... 70778880, 1048576, ) == 0x0 01976 1592 NtDuplicateObject ... 632, ) == 0x0 01979 2032 NtWaitForSingleObject (68, 0, {0, 0}, ... 01980 760 NtAllocateVirtualMemory (-1, 71819264, 0, 8192, 4096, 4, ... 01981 1592 NtWaitForSingleObject (68, 0, {0, 0}, ... 01979 2032 NtWaitForSingleObject ... ) == 0x102 01980 760 NtAllocateVirtualMemory ... 71819264, 8192, ) == 0x0 01981 1592 NtWaitForSingleObject ... ) == 0x102 01982 2032 NtWaitForSingleObject (128, 0, 0x0, ... 01983 760 NtProtectVirtualMemory (-1, (0x447e000), 4096, 260, ... 01984 1592 NtWaitForSingleObject (128, 0, 0x0, ... 01983 760 NtProtectVirtualMemory ... (0x447e000), 4096, 4, ) == 0x0 01985 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1764, 1644}, ) == 0x0 01986 760 NtQueryInformationThread (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1764,Tid=1644,}, 0x0, ) == 0x0 01987 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58020, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0l\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0l\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58021, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0l\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0l\6\0\0" ) ) == 0x0 01977 1248 NtQueryAttributesFile ... ) == 0x0 01988 1248 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 640, {status=0x0, info=1}, ) }, 5, 96, ... 640, {status=0x0, info=1}, ) == 0x0 01989 1248 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 640, ... 644, ) == 0x0 01990 1248 NtClose (640, ... 
) == 0x0 01991 1248 NtMapViewOfSection (644, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4480000), 0x0, 110592, ) == 0x0 01992 1248 NtClose (644, ... ) == 0x0 01993 760 NtResumeThread (636, ... 1, ) == 0x0 01994 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71958528, 1048576, ) == 0x0 01995 760 NtAllocateVirtualMemory (-1, 72998912, 0, 8192, 4096, 4, ... 72998912, 8192, ) == 0x0 01996 1644 NtWaitForSingleObject (92, 0, 0x0, ... 01997 760 NtProtectVirtualMemory (-1, (0x459e000), 4096, 260, ... (0x459e000), 4096, 4, ) == 0x0 01998 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1764, 336}, ) == 0x0 01999 760 NtQueryInformationThread (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1764,Tid=336,}, 0x0, ) == 0x0 02000 1248 NtUnmapViewOfSection (-1, 0x4480000, ... ) == 0x0 02001 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15199492, ... ) }, 15199492, ... ) == 0x0 02002 1248 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 640, {status=0x0, info=1}, ) }, 5, 96, ... 640, {status=0x0, info=1}, ) == 0x0 02003 1248 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 640, ... 648, ) == 0x0 02004 1248 NtQuerySection (648, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02005 1248 NtClose (640, ... 02006 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58021, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\6\0\0P\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58022, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\6\0\0P\1\0\0" ) ) == 0x0 02007 760 NtResumeThread (644, ... 
1, ) == 0x0 02008 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 73007104, 1048576, ) == 0x0 02009 760 NtAllocateVirtualMemory (-1, 74047488, 0, 8192, 4096, 4, ... 74047488, 8192, ) == 0x0 02010 760 NtProtectVirtualMemory (-1, (0x469e000), 4096, 260, ... (0x469e000), 4096, 4, ) == 0x0 02011 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02005 1248 NtClose ... ) == 0x0 02012 336 NtWaitForSingleObject (92, 0, 0x0, ... 02013 1248 NtMapViewOfSection (648, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0 02014 1248 NtClose (648, ... ) == 0x0 02015 1248 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02016 1248 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02017 1248 NtFlushInstructionCache (-1, 1964838912, 224, ... 02011 760 NtCreateThread ... 648, {1764, 800}, ) == 0x0 02018 760 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1764,Tid=800,}, 0x0, ) == 0x0 02019 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58022, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0 \3\0\0" ... {28, 56, reply, 0, 1764, 760, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0 \3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58023, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0 \3\0\0" ... {28, 56, reply, 0, 1764, 760, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0 \3\0\0" ) ) == 0x0 02020 760 NtResumeThread (648, ... 1, ) == 0x0 02021 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 74055680, 1048576, ) == 0x0 02022 760 NtAllocateVirtualMemory (-1, 75096064, 0, 8192, 4096, 4, ... 75096064, 8192, ) == 0x0 02017 1248 NtFlushInstructionCache ... ) == 0x0 02023 800 NtWaitForSingleObject (92, 0, 0x0, ... 02024 1248 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... 
(0x751d1000), 4096, 32, ) == 0x0 02025 1248 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02026 1248 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02027 1248 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02028 1248 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 02029 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15198668, ... }, 15198668, ... 02030 760 NtProtectVirtualMemory (-1, (0x479e000), 4096, 260, ... (0x479e000), 4096, 4, ) == 0x0 02031 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1764, 504}, ) == 0x0 02032 760 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1764,Tid=504,}, 0x0, ) == 0x0 02033 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58023, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0\370\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0\370\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58024, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0\370\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0\370\1\0\0" ) ) == 0x0 02034 760 NtResumeThread (640, ... 1, ) == 0x0 02035 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02036 504 NtWaitForSingleObject (92, 0, 0x0, ... 02035 760 NtAllocateVirtualMemory ... 75104256, 1048576, ) == 0x0 02037 760 NtAllocateVirtualMemory (-1, 76144640, 0, 8192, 4096, 4, ... 76144640, 8192, ) == 0x0 02038 760 NtProtectVirtualMemory (-1, (0x489e000), 4096, 260, ... (0x489e000), 4096, 4, ) == 0x0 02039 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
652, {1764, 888}, ) == 0x0 02040 760 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1764,Tid=888,}, 0x0, ) == 0x0 02041 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58024, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\6\0\0x\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\6\0\0x\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58025, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\6\0\0x\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\6\0\0x\3\0\0" ) ) == 0x0 02042 760 NtResumeThread (652, ... 1, ) == 0x0 02043 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 76152832, 1048576, ) == 0x0 02044 760 NtAllocateVirtualMemory (-1, 77193216, 0, 8192, 4096, 4, ... 77193216, 8192, ) == 0x0 02045 888 NtWaitForSingleObject (92, 0, 0x0, ... 02046 760 NtProtectVirtualMemory (-1, (0x499e000), 4096, 260, ... (0x499e000), 4096, 4, ) == 0x0 02047 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1764, 1392}, ) == 0x0 02048 760 NtQueryInformationThread (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1764,Tid=1392,}, 0x0, ) == 0x0 02049 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58025, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\6\0\0p\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\6\0\0p\5\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58026, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\6\0\0p\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\6\0\0p\5\0\0" ) ) == 0x0 02050 760 NtResumeThread (656, ... 1, ) == 0x0 02051 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02052 1392 NtWaitForSingleObject (92, 0, 0x0, ... 02051 760 NtAllocateVirtualMemory ... 77201408, 1048576, ) == 0x0 02053 760 NtAllocateVirtualMemory (-1, 78241792, 0, 8192, 4096, 4, ... 78241792, 8192, ) == 0x0 02054 760 NtProtectVirtualMemory (-1, (0x4a9e000), 4096, 260, ... (0x4a9e000), 4096, 4, ) == 0x0 02055 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1764, 2020}, ) == 0x0 02056 760 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1764,Tid=2020,}, 0x0, ) == 0x0 02057 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58026, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\6\0\0\344\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58027, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\6\0\0\344\7\0\0" ) ) == 0x0 02058 760 NtResumeThread (660, ... 1, ) == 0x0 02059 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78249984, 1048576, ) == 0x0 02060 760 NtAllocateVirtualMemory (-1, 79290368, 0, 8192, 4096, 4, ... 79290368, 8192, ) == 0x0 02061 2020 NtWaitForSingleObject (92, 0, 0x0, ... 02062 760 NtProtectVirtualMemory (-1, (0x4b9e000), 4096, 260, ... (0x4b9e000), 4096, 4, ) == 0x0 02063 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1764, 740}, ) == 0x0 02064 760 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1764,Tid=740,}, 0x0, ) == 0x0 02065 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58027, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\6\0\0\344\2\0\0" ... 
{28, 56, reply, 0, 1764, 760, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\6\0\0\344\2\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58028, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\6\0\0\344\2\0\0" ) ) == 0x0 02066 760 NtResumeThread (664, ... 1, ) == 0x0 02067 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02068 740 NtWaitForSingleObject (92, 0, 0x0, ... 02067 760 NtAllocateVirtualMemory ... 79298560, 1048576, ) == 0x0 02069 760 NtAllocateVirtualMemory (-1, 80338944, 0, 8192, 4096, 4, ... 80338944, 8192, ) == 0x0 02070 760 NtProtectVirtualMemory (-1, (0x4c9e000), 4096, 260, ... (0x4c9e000), 4096, 4, ) == 0x0 02071 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02029 1248 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02072 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15198668, ... ) }, 15198668, ... ) == 0x0 02073 1248 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 668, {status=0x0, info=1}, ) }, 5, 96, ... 668, {status=0x0, info=1}, ) == 0x0 02074 1248 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 668, ... 672, ) == 0x0 02075 1248 NtQuerySection (672, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02071 760 NtCreateThread ... 676, {1764, 1676}, ) == 0x0 02076 760 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1764,Tid=1676,}, 0x0, ) == 0x0 02077 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58028, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0\214\6\0\0" ) ... 
{28, 56, reply, 0, 1764, 760, 58029, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0\214\6\0\0" ) ) == 0x0 02078 760 NtResumeThread (676, ... 1, ) == 0x0 02079 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80347136, 1048576, ) == 0x0 02080 760 NtAllocateVirtualMemory (-1, 81387520, 0, 8192, 4096, 4, ... 81387520, 8192, ) == 0x0 02081 1248 NtClose (668, ... 02082 1676 NtWaitForSingleObject (92, 0, 0x0, ... 02081 1248 NtClose ... ) == 0x0 02083 1248 NtMapViewOfSection (672, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0 02084 1248 NtClose (672, ... ) == 0x0 02085 1248 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02086 1248 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02087 1248 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02088 760 NtProtectVirtualMemory (-1, (0x4d9e000), 4096, 260, ... (0x4d9e000), 4096, 4, ) == 0x0 02089 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1764, 496}, ) == 0x0 02090 760 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1764,Tid=496,}, 0x0, ) == 0x0 02091 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58029, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\6\0\0\360\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\6\0\0\360\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58030, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\6\0\0\360\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\6\0\0\360\1\0\0" ) ) == 0x0 02092 760 NtResumeThread (672, ... 
1, ) == 0x0 02093 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02094 1248 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... 02095 496 NtWaitForSingleObject (92, 0, 0x0, ... 02094 1248 NtProtectVirtualMemory ... (0x77921000), 4096, 32, ) == 0x0 02096 1248 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02097 1248 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02098 1248 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02099 1248 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02100 1248 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02093 760 NtAllocateVirtualMemory ... 81395712, 1048576, ) == 0x0 02101 760 NtAllocateVirtualMemory (-1, 82436096, 0, 8192, 4096, 4, ... 82436096, 8192, ) == 0x0 02102 760 NtProtectVirtualMemory (-1, (0x4e9e000), 4096, 260, ... (0x4e9e000), 4096, 4, ) == 0x0 02103 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1764, 1020}, ) == 0x0 02104 760 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1764,Tid=1020,}, 0x0, ) == 0x0 02105 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58030, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\6\0\0\374\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\6\0\0\374\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58031, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\6\0\0\374\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\6\0\0\374\3\0\0" ) ) == 0x0 02106 1248 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02107 1248 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 
(0x77921000), 4096, 4, ) == 0x0 02108 1248 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02109 1248 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02110 1248 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02111 1248 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02112 760 NtResumeThread (668, ... 1, ) == 0x0 02113 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 82444288, 1048576, ) == 0x0 02114 760 NtAllocateVirtualMemory (-1, 83484672, 0, 8192, 4096, 4, ... 83484672, 8192, ) == 0x0 02115 760 NtProtectVirtualMemory (-1, (0x4f9e000), 4096, 260, ... (0x4f9e000), 4096, 4, ) == 0x0 02116 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1764, 432}, ) == 0x0 02117 760 NtQueryInformationThread (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1764,Tid=432,}, 0x0, ) == 0x0 02118 1248 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... 02119 1020 NtWaitForSingleObject (92, 0, 0x0, ... 02118 1248 NtProtectVirtualMemory ... (0x751d1000), 4096, 32, ) == 0x0 02120 1248 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02121 1248 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02122 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58031, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\260\1\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58032, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\260\1\0\0" ) ) == 0x0 02123 760 NtResumeThread (680, ... 1, ) == 0x0 02124 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02125 1248 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... }, ... 02126 432 NtWaitForSingleObject (92, 0, 0x0, ... 02125 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02127 1248 NtQueryDefaultUILanguage (2090319928, ... 02128 1248 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02129 1248 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481344, ) == 0x0 02130 1248 NtQueryInformationToken (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02131 1248 NtClose (-2147481344, ... 02124 760 NtAllocateVirtualMemory ... 83492864, 1048576, ) == 0x0 02132 760 NtAllocateVirtualMemory (-1, 84533248, 0, 8192, 4096, 4, ... 84533248, 8192, ) == 0x0 02133 760 NtProtectVirtualMemory (-1, (0x509e000), 4096, 260, ... (0x509e000), 4096, 4, ) == 0x0 02134 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1764, 1332}, ) == 0x0 02135 760 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1764,Tid=1332,}, 0x0, ) == 0x0 02136 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58032, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\6\0\04\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\6\0\04\5\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58033, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\6\0\04\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\6\0\04\5\0\0" ) ) == 0x0 02131 1248 NtClose ... ) == 0x0 02137 1248 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... 
-2147481344, ) == 0x0 02138 1248 NtOpenKey (0x80000000, {24, -2147481344, 0x240, 0, 0, (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02139 1248 NtOpenKey (0x80000000, {24, -2147481344, 0x640, 0, 0, (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0 02140 1248 NtQueryValueKey (-2147482132, (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02141 760 NtResumeThread (684, ... 1, ) == 0x0 02142 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 84541440, 1048576, ) == 0x0 02143 760 NtAllocateVirtualMemory (-1, 85581824, 0, 8192, 4096, 4, ... 85581824, 8192, ) == 0x0 02144 760 NtProtectVirtualMemory (-1, (0x519e000), 4096, 260, ... (0x519e000), 4096, 4, ) == 0x0 02145 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1764, 1328}, ) == 0x0 02146 760 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1764,Tid=1328,}, 0x0, ) == 0x0 02147 1248 NtClose (-2147482132, ... 02148 1332 NtWaitForSingleObject (92, 0, 0x0, ... 02147 1248 NtClose ... ) == 0x0 02149 1248 NtClose (-2147481344, ... ) == 0x0 02127 1248 NtQueryDefaultUILanguage ... ) == 0x0 02150 1248 NtAllocateVirtualMemory (-1, 15187968, 0, 4096, 4096, 260, ... 15187968, 4096, ) == 0x0 02151 1248 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 02152 1248 NtQueryDefaultLocale (1, 15199388, ... ) == 0x0 02153 1248 NtQueryInformationProcess (-1, Wow64, 4, ... 02154 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58033, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\6\0\00\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\6\0\00\5\0\0" ) ... 
{28, 56, reply, 0, 1764, 760, 58034, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\6\0\00\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\6\0\00\5\0\0" ) ) == 0x0 02155 760 NtResumeThread (688, ... 1, ) == 0x0 02156 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 85590016, 1048576, ) == 0x0 02157 760 NtAllocateVirtualMemory (-1, 86630400, 0, 8192, 4096, 4, ... 86630400, 8192, ) == 0x0 02158 760 NtProtectVirtualMemory (-1, (0x529e000), 4096, 260, ... (0x529e000), 4096, 4, ) == 0x0 02159 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02153 1248 NtQueryInformationProcess ... {process info, class 26, size 4}, 0x0, ) == 0x0 02160 1328 NtWaitForSingleObject (92, 0, 0x0, ... 02161 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 692, ) }, ... 692, ) == 0x0 02162 1248 NtQueryValueKey (692, (692, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (692, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02163 1248 NtClose (692, ... ) == 0x0 02164 1248 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 692, ) == 0x0 02165 1248 NtCallbackReturn (0, 0, 0, ... 02166 1248 NtUserGetProcessWindowStation (... ) == 0x20 02159 760 NtCreateThread ... 696, {1764, 752}, ) == 0x0 02167 760 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1764,Tid=752,}, 0x0, ) == 0x0 02168 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58034, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\6\0\0\360\2\0\0" ) ... 
{28, 56, reply, 0, 1764, 760, 58035, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\6\0\0\360\2\0\0" ) ) == 0x0 02169 760 NtResumeThread (696, ... 1, ) == 0x0 02170 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 86638592, 1048576, ) == 0x0 02171 760 NtAllocateVirtualMemory (-1, 87678976, 0, 8192, 4096, 4, ... 87678976, 8192, ) == 0x0 02172 1248 NtUserGetObjectInformation (32, 1, 15198984, 12, 15198996, ... 02173 752 NtWaitForSingleObject (92, 0, 0x0, ... 02172 1248 NtUserGetObjectInformation ... ) == 0x1 02174 1248 NtOpenKey (0xf003f, {24, 16, 0x40, 0, 0, (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02175 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 700, ) }, ... 700, ) == 0x0 02176 1248 NtQueryValueKey (700, (700, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (700, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 02177 1248 NtClose (700, ... ) == 0x0 02178 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 700, ) }, ... 700, ) == 0x0 02179 760 NtProtectVirtualMemory (-1, (0x539e000), 4096, 260, ... (0x539e000), 4096, 4, ) == 0x0 02180 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1764, 120}, ) == 0x0 02181 760 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1764,Tid=120,}, 0x0, ) == 0x0 02182 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58035, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\6\0\0x\0\0\0" ... 
{28, 56, reply, 0, 1764, 760, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\6\0\0x\0\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58036, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\6\0\0x\0\0\0" ) ) == 0x0 02183 760 NtResumeThread (704, ... 1, ) == 0x0 02184 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02185 1248 NtQueryValueKey (700, (700, "OsLoaderPath", Partial, 144, ... , Partial, 144, ... 02186 120 NtWaitForSingleObject (92, 0, 0x0, ... 02185 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02187 1248 NtQueryValueKey (700, (700, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02188 1248 NtClose (700, ... ) == 0x0 02189 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 700, ) }, ... 700, ) == 0x0 02190 1248 NtQueryValueKey (700, (700, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02191 1248 NtQueryValueKey (700, (700, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "SystemPartition", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02184 760 NtAllocateVirtualMemory ... 87687168, 1048576, ) == 0x0 02192 760 NtAllocateVirtualMemory (-1, 88727552, 0, 8192, 4096, 4, ... 88727552, 8192, ) == 0x0 02193 760 NtProtectVirtualMemory (-1, (0x549e000), 4096, 260, ... (0x549e000), 4096, 4, ) == 0x0 02194 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1764, 1732}, ) == 0x0 02195 760 NtQueryInformationThread (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1764,Tid=1732,}, 0x0, ) == 0x0 02196 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58036, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\6\0\0\304\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58037, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\6\0\0\304\6\0\0" ) ) == 0x0 02197 1248 NtClose (700, ... ) == 0x0 02198 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 700, ) }, ... 700, ) == 0x0 02199 1248 NtQueryValueKey (700, (700, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02200 1248 NtQueryValueKey (700, (700, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02201 1248 NtClose (700, ... 
) == 0x0 02202 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 700, ) }, ... 700, ) == 0x0 02203 760 NtResumeThread (708, ... 1, ) == 0x0 02204 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 88735744, 1048576, ) == 0x0 02205 760 NtAllocateVirtualMemory (-1, 89776128, 0, 8192, 4096, 4, ... 89776128, 8192, ) == 0x0 02206 760 NtProtectVirtualMemory (-1, (0x559e000), 4096, 260, ... (0x559e000), 4096, 4, ) == 0x0 02207 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1764, 188}, ) == 0x0 02208 760 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1764,Tid=188,}, 0x0, ) == 0x0 02209 1248 NtQueryValueKey (700, (700, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ... 02210 1732 NtWaitForSingleObject (92, 0, 0x0, ... 02209 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02211 1248 NtQueryValueKey (700, (700, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02212 1248 NtClose (700, ... ) == 0x0 02213 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 700, ) }, ... 700, ) == 0x0 02214 1248 NtQueryValueKey (700, (700, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "ServicePackCachePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02215 1248 NtQueryValueKey (700, (700, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (700, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02216 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58037, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\6\0\0\274\0\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58038, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\6\0\0\274\0\0\0" ) ) == 0x0 02217 760 NtResumeThread (712, ... 1, ) == 0x0 02218 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 89784320, 1048576, ) == 0x0 02219 760 NtAllocateVirtualMemory (-1, 90824704, 0, 8192, 4096, 4, ... 90824704, 8192, ) == 0x0 02220 760 NtProtectVirtualMemory (-1, (0x569e000), 4096, 260, ... (0x569e000), 4096, 4, ) == 0x0 02221 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02222 1248 NtClose (700, ... 02223 188 NtWaitForSingleObject (92, 0, 0x0, ... 02222 1248 NtClose ... ) == 0x0 02224 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 700, ) }, ... 
700, ) == 0x0 02225 1248 NtQueryValueKey (700, (700, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (700, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02226 1248 NtQueryValueKey (700, (700, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (700, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02227 1248 NtClose (700, ... ) == 0x0 02228 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 700, ) }, ... 700, ) == 0x0 02221 760 NtCreateThread ... 716, {1764, 1636}, ) == 0x0 02229 760 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1764,Tid=1636,}, 0x0, ) == 0x0 02230 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58038, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\6\0\0d\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\6\0\0d\6\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58039, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\6\0\0d\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\6\0\0d\6\0\0" ) ) == 0x0 02231 760 NtResumeThread (716, ... 1, ) == 0x0 02232 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 90832896, 1048576, ) == 0x0 02233 760 NtAllocateVirtualMemory (-1, 91873280, 0, 8192, 4096, 4, ... 
91873280, 8192, ) == 0x0 02234 1248 NtQueryValueKey (700, (700, "DevicePath", Partial, 144, ... , Partial, 144, ... 02235 1636 NtWaitForSingleObject (92, 0, 0x0, ... 02234 1248 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02236 1248 NtQueryValueKey (700, (700, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (700, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 02237 1248 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 02238 1248 NtClose (700, ... ) == 0x0 02239 1248 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 700, ) == 0x0 02240 1248 NtCreateMutant (0x1f0001, 0x0, 0, ... 720, ) == 0x0 02241 760 NtProtectVirtualMemory (-1, (0x579e000), 4096, 260, ... (0x579e000), 4096, 4, ) == 0x0 02242 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1764, 624}, ) == 0x0 02243 760 NtQueryInformationThread (724, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1764,Tid=624,}, 0x0, ) == 0x0 02244 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58039, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\6\0\0p\2\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58040, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\6\0\0p\2\0\0" ) ) == 0x0 02245 760 NtResumeThread (724, ... 1, ) == 0x0 02246 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02247 1248 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02248 624 NtWaitForSingleObject (92, 0, 0x0, ... 02247 1248 NtCreateEvent ... 728, ) == 0x0 02249 1248 NtCreateMutant (0x1f0001, 0x0, 0, ... 732, ) == 0x0 02250 1248 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 736, ) == 0x0 02251 1248 NtCreateMutant (0x1f0001, 0x0, 0, ... 740, ) == 0x0 02252 1248 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 744, ) }, ... 744, ) == 0x0 02253 1248 NtQueryValueKey (744, (744, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (744, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02246 760 NtAllocateVirtualMemory ... 91881472, 1048576, ) == 0x0 02254 760 NtAllocateVirtualMemory (-1, 92921856, 0, 8192, 4096, 4, ... 92921856, 8192, ) == 0x0 02255 760 NtProtectVirtualMemory (-1, (0x589e000), 4096, 260, ... (0x589e000), 4096, 4, ) == 0x0 02256 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1764, 1948}, ) == 0x0 02257 760 NtQueryInformationThread (748, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1764,Tid=1948,}, 0x0, ) == 0x0 02258 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58040, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\6\0\0\234\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\6\0\0\234\7\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58041, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\6\0\0\234\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\6\0\0\234\7\0\0" ) ) == 0x0 02259 1248 NtQueryValueKey (744, (744, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (744, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02260 1248 NtQueryValueKey (744, (744, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02261 1248 NtOpenKey (0x1, {24, 744, 0x40, 0, 0, (0x1, {24, 744, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02262 1248 NtClose (744, ... ) == 0x0 02263 1248 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15198900, ... ) }, 15198900, ... ) == 0x0 02264 1248 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 744, ) }, ... 744, ) == 0x0 02265 760 NtResumeThread (748, ... 1, ) == 0x0 02266 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 92930048, 1048576, ) == 0x0 02267 760 NtAllocateVirtualMemory (-1, 93970432, 0, 8192, 4096, 4, ... 93970432, 8192, ) == 0x0 02268 760 NtProtectVirtualMemory (-1, (0x599e000), 4096, 260, ... (0x599e000), 4096, 4, ) == 0x0 02269 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
752, {1764, 988}, ) == 0x0 02270 760 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1764,Tid=988,}, 0x0, ) == 0x0 02271 1248 NtQueryValueKey (744, (744, "ComputerName", Full, 128, ... , Full, 128, ... 02272 1948 NtWaitForSingleObject (92, 0, 0x0, ... 02271 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02273 1248 NtClose (744, ... ) == 0x0 02274 1248 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 744, ) }, ... 744, ) == 0x0 02275 1248 NtQueryValueKey (744, (744, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (744, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (744, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 02276 1248 NtClose (744, ... ) == 0x0 02277 1248 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02278 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58041, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\6\0\0\334\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\6\0\0\334\3\0\0" ) ... {28, 56, reply, 0, 1764, 760, 58042, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\6\0\0\334\3\0\0" ... 
{28, 56, reply, 0, 1764, 760, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\6\0\0\334\3\0\0" ) ) == 0x0 02279 760 NtResumeThread (752, ... 1, ) == 0x0 02280 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 93978624, 1048576, ) == 0x0 02281 760 NtAllocateVirtualMemory (-1, 95019008, 0, 8192, 4096, 4, ... 95019008, 8192, ) == 0x0 02282 760 NtProtectVirtualMemory (-1, (0x5a9e000), 4096, 260, ... (0x5a9e000), 4096, 4, ) == 0x0 02283 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02284 1248 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02285 988 NtWaitForSingleObject (92, 0, 0x0, ... 02284 1248 NtOpenKey ... 744, ) == 0x0 02286 1248 NtQueryValueKey (744, (744, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (744, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (744, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02287 1248 NtClose (744, ... ) == 0x0 02288 1248 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02289 1248 NtSetEventBoostPriority (92, ... 01978 1804 NtWaitForSingleObject ... ) == 0x0 02290 1804 NtSetEventBoostPriority (92, ... 01996 1644 NtWaitForSingleObject ... ) == 0x0 02291 1644 NtSetEventBoostPriority (92, ... 02012 336 NtWaitForSingleObject ... ) == 0x0 02292 336 NtSetEventBoostPriority (92, ... 02023 800 NtWaitForSingleObject ... ) == 0x0 02293 800 NtSetEventBoostPriority (92, ... 02036 504 NtWaitForSingleObject ... ) == 0x0 02294 504 NtSetEventBoostPriority (92, ... 02045 888 NtWaitForSingleObject ... ) == 0x0 02295 888 NtSetEventBoostPriority (92, ... 
02052 1392 NtWaitForSingleObject ... ) == 0x0 02296 1392 NtSetEventBoostPriority (92, ... 02061 2020 NtWaitForSingleObject ... ) == 0x0 02297 2020 NtSetEventBoostPriority (92, ... 02068 740 NtWaitForSingleObject ... ) == 0x0 02298 740 NtSetEventBoostPriority (92, ... 02082 1676 NtWaitForSingleObject ... ) == 0x0 02299 1676 NtSetEventBoostPriority (92, ... 02095 496 NtWaitForSingleObject ... ) == 0x0 02300 496 NtSetEventBoostPriority (92, ... 02119 1020 NtWaitForSingleObject ... ) == 0x0 02301 1020 NtSetEventBoostPriority (92, ... 02126 432 NtWaitForSingleObject ... ) == 0x0 02302 432 NtSetEventBoostPriority (92, ... 02148 1332 NtWaitForSingleObject ... ) == 0x0 02303 1332 NtSetEventBoostPriority (92, ... 02160 1328 NtWaitForSingleObject ... ) == 0x0 02304 1328 NtSetEventBoostPriority (92, ... 02173 752 NtWaitForSingleObject ... ) == 0x0 02305 752 NtSetEventBoostPriority (92, ... 02186 120 NtWaitForSingleObject ... ) == 0x0 02306 120 NtSetEventBoostPriority (92, ... 02210 1732 NtWaitForSingleObject ... ) == 0x0 02307 1732 NtSetEventBoostPriority (92, ... 02223 188 NtWaitForSingleObject ... ) == 0x0 02308 188 NtSetEventBoostPriority (92, ... 02235 1636 NtWaitForSingleObject ... ) == 0x0 02309 1636 NtSetEventBoostPriority (92, ... 02248 624 NtWaitForSingleObject ... ) == 0x0 02310 624 NtSetEventBoostPriority (92, ... 02272 1948 NtWaitForSingleObject ... ) == 0x0 02311 1948 NtAllocateVirtualMemory (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0 02310 624 NtSetEventBoostPriority ... ) == 0x0 02309 1636 NtSetEventBoostPriority ... ) == 0x0 02308 188 NtSetEventBoostPriority ... ) == 0x0 02307 1732 NtSetEventBoostPriority ... ) == 0x0 02306 120 NtSetEventBoostPriority ... ) == 0x0 02305 752 NtSetEventBoostPriority ... ) == 0x0 02304 1328 NtSetEventBoostPriority ... ) == 0x0 02303 1332 NtSetEventBoostPriority ... ) == 0x0 02302 432 NtSetEventBoostPriority ... ) == 0x0 02301 1020 NtSetEventBoostPriority ... ) == 0x0 02300 496 NtSetEventBoostPriority ... 
) == 0x0 02299 1676 NtSetEventBoostPriority ... ) == 0x0 02298 740 NtSetEventBoostPriority ... ) == 0x0 02297 2020 NtSetEventBoostPriority ... ) == 0x0 02296 1392 NtSetEventBoostPriority ... ) == 0x0 02295 888 NtSetEventBoostPriority ... ) == 0x0 02294 504 NtSetEventBoostPriority ... ) == 0x0 02293 800 NtSetEventBoostPriority ... ) == 0x0 02292 336 NtSetEventBoostPriority ... ) == 0x0 02291 1644 NtSetEventBoostPriority ... ) == 0x0 02290 1804 NtSetEventBoostPriority ... ) == 0x0 02289 1248 NtSetEventBoostPriority ... ) == 0x0 02283 760 NtCreateThread ... 744, {1764, 468}, ) == 0x0 02312 1948 NtSetEventBoostPriority (92, ... 02313 624 NtTestAlert (... 02314 1636 NtTestAlert (... 02315 188 NtTestAlert (... 02316 1732 NtTestAlert (... 02317 120 NtTestAlert (... 02318 752 NtTestAlert (... 02319 1328 NtTestAlert (... 02320 1332 NtTestAlert (... 02321 432 NtTestAlert (... 02322 1020 NtTestAlert (... 02323 496 NtTestAlert (... 02324 1676 NtTestAlert (... 02325 740 NtTestAlert (... 02326 2020 NtTestAlert (... 02327 1392 NtTestAlert (... 02328 888 NtTestAlert (... 02329 504 NtTestAlert (... 02330 800 NtTestAlert (... 02331 336 NtTestAlert (... 02332 1644 NtTestAlert (... 02333 1248 NtWaitForSingleObject (92, 0, 0x0, ... 02334 760 NtQueryInformationThread (744, Basic, 28, ... 02285 988 NtWaitForSingleObject ... ) == 0x0 02312 1948 NtSetEventBoostPriority ... ) == 0x0 02313 624 NtTestAlert ... ) == 0x0 02314 1636 NtTestAlert ... ) == 0x0 02315 188 NtTestAlert ... ) == 0x0 02316 1732 NtTestAlert ... ) == 0x0 02317 120 NtTestAlert ... ) == 0x0 02318 752 NtTestAlert ... ) == 0x0 02319 1328 NtTestAlert ... ) == 0x0 02320 1332 NtTestAlert ... ) == 0x0 02321 432 NtTestAlert ... ) == 0x0 02322 1020 NtTestAlert ... ) == 0x0 02323 496 NtTestAlert ... ) == 0x0 02324 1676 NtTestAlert ... ) == 0x0 02325 740 NtTestAlert ... ) == 0x0 02326 2020 NtTestAlert ... ) == 0x0 02327 1392 NtTestAlert ... ) == 0x0 02328 888 NtTestAlert ... ) == 0x0 02329 504 NtTestAlert ... 
) == 0x0 02330 800 NtTestAlert ... ) == 0x0 02331 336 NtTestAlert ... ) == 0x0 02332 1644 NtTestAlert ... ) == 0x0 02335 988 NtSetEventBoostPriority (92, ... 02334 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1764,Tid=468,}, 0x0, ) == 0x0 02336 1948 NtTestAlert (... 02337 624 NtContinue (91880752, 1, ... 02338 1636 NtContinue (90832176, 1, ... 02339 188 NtContinue (89783600, 1, ... 02340 1732 NtContinue (88735024, 1, ... 02341 120 NtContinue (87686448, 1, ... 02342 752 NtContinue (86637872, 1, ... 02343 1328 NtContinue (85589296, 1, ... 02344 1332 NtContinue (84540720, 1, ... 02345 432 NtContinue (83492144, 1, ... 02346 1020 NtContinue (82443568, 1, ... 02347 496 NtContinue (81394992, 1, ... 02348 1676 NtContinue (80346416, 1, ... 02349 740 NtContinue (79297840, 1, ... 02350 2020 NtContinue (78249264, 1, ... 02351 1392 NtContinue (77200688, 1, ... 02352 888 NtContinue (76152112, 1, ... 02353 504 NtContinue (75103536, 1, ... 02354 800 NtContinue (74054960, 1, ... 02355 336 NtContinue (73006384, 1, ... 02333 1248 NtWaitForSingleObject ... ) == 0x0 02335 988 NtSetEventBoostPriority ... ) == 0x0 02356 1644 NtContinue (71826736, 1, ... 02357 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58042, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\6\0\0\324\1\0\0" ... ... 02336 1948 NtTestAlert ... ) == 0x0 02358 624 NtRegisterThreadTerminatePort (24, ... 02359 1636 NtRegisterThreadTerminatePort (24, ... 02360 188 NtRegisterThreadTerminatePort (24, ... 02361 1732 NtRegisterThreadTerminatePort (24, ... 02362 120 NtRegisterThreadTerminatePort (24, ... 02363 752 NtRegisterThreadTerminatePort (24, ... 02364 1328 NtRegisterThreadTerminatePort (24, ... 02365 1332 NtRegisterThreadTerminatePort (24, ... 02366 432 NtRegisterThreadTerminatePort (24, ... 02367 1020 NtRegisterThreadTerminatePort (24, ... 02368 496 NtRegisterThreadTerminatePort (24, ... 
02369 1676 NtRegisterThreadTerminatePort (24, ... 02370 740 NtRegisterThreadTerminatePort (24, ... 02371 2020 NtRegisterThreadTerminatePort (24, ... 02372 1392 NtRegisterThreadTerminatePort (24, ... 02373 888 NtRegisterThreadTerminatePort (24, ... 02374 504 NtRegisterThreadTerminatePort (24, ... 02375 800 NtRegisterThreadTerminatePort (24, ... 02376 1248 NtSetEventBoostPriority (128, ... 02377 336 NtRegisterThreadTerminatePort (24, ... 02378 1804 NtTestAlert (... 02379 1644 NtRegisterThreadTerminatePort (24, ... 02357 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58043, 0} ... {28, 56, reply, 0, 1764, 760, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\6\0\0\324\1\0\0" ) ) == 0x0 02380 1948 NtContinue (92929328, 1, ... 02358 624 NtRegisterThreadTerminatePort ... ) == 0x0 02359 1636 NtRegisterThreadTerminatePort ... ) == 0x0 02360 188 NtRegisterThreadTerminatePort ... ) == 0x0 02361 1732 NtRegisterThreadTerminatePort ... ) == 0x0 02362 120 NtRegisterThreadTerminatePort ... ) == 0x0 02363 752 NtRegisterThreadTerminatePort ... ) == 0x0 02364 1328 NtRegisterThreadTerminatePort ... ) == 0x0 02365 1332 NtRegisterThreadTerminatePort ... ) == 0x0 02366 432 NtRegisterThreadTerminatePort ... ) == 0x0 02367 1020 NtRegisterThreadTerminatePort ... ) == 0x0 02368 496 NtRegisterThreadTerminatePort ... ) == 0x0 02369 1676 NtRegisterThreadTerminatePort ... ) == 0x0 02370 740 NtRegisterThreadTerminatePort ... ) == 0x0 02371 2020 NtRegisterThreadTerminatePort ... ) == 0x0 02372 1392 NtRegisterThreadTerminatePort ... ) == 0x0 02373 888 NtRegisterThreadTerminatePort ... ) == 0x0 02374 504 NtRegisterThreadTerminatePort ... ) == 0x0 02375 800 NtRegisterThreadTerminatePort ... ) == 0x0 02377 336 NtRegisterThreadTerminatePort ... ) == 0x0 02378 1804 NtTestAlert ... ) == 0x0 02379 1644 NtRegisterThreadTerminatePort ... ) == 0x0 02381 988 NtTestAlert (... 00762 1656 NtWaitForSingleObject ... ) == 0x0 02376 1248 NtSetEventBoostPriority ... 
) == 0x0 02382 1948 NtRegisterThreadTerminatePort (24, ... 02383 624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02384 1636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02385 188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02386 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02387 120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02388 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02389 1328 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02390 1332 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02391 432 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02392 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02393 496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02394 1676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02395 740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02396 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02397 1392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02398 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02399 504 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02400 800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02401 336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02402 1804 NtContinue (70778160, 1, ... 02403 1644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02381 988 NtTestAlert ... ) == 0x0 02404 1656 NtSetEventBoostPriority (128, ... 02405 1248 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02406 760 NtResumeThread (744, ... 02382 1948 NtRegisterThreadTerminatePort ... ) == 0x0 02383 624 NtDuplicateObject ... 756, ) == 0x0 02384 1636 NtDuplicateObject ... 760, ) == 0x0 02385 188 NtDuplicateObject ... 764, ) == 0x0 02386 1732 NtDuplicateObject ... 768, ) == 0x0 02387 120 NtDuplicateObject ... 772, ) == 0x0 02388 752 NtDuplicateObject ... 776, ) == 0x0 02389 1328 NtDuplicateObject ... 780, ) == 0x0 02390 1332 NtDuplicateObject ... 784, ) == 0x0 02391 432 NtDuplicateObject ... 788, ) == 0x0 02392 1020 NtDuplicateObject ... 792, ) == 0x0 02393 496 NtDuplicateObject ... 796, ) == 0x0 02394 1676 NtDuplicateObject ... 
800, ) == 0x0 02395 740 NtDuplicateObject ... 804, ) == 0x0 02396 2020 NtDuplicateObject ... 808, ) == 0x0 02397 1392 NtDuplicateObject ... 812, ) == 0x0 02398 888 NtDuplicateObject ... 816, ) == 0x0 02399 504 NtDuplicateObject ... 820, ) == 0x0 02400 800 NtDuplicateObject ... 824, ) == 0x0 02407 1804 NtRegisterThreadTerminatePort (24, ... 02401 336 NtDuplicateObject ... 828, ) == 0x0 02408 988 NtContinue (93977904, 1, ... 00766 1740 NtWaitForSingleObject ... ) == 0x0 02404 1656 NtSetEventBoostPriority ... ) == 0x0 02405 1248 NtCreateEvent ... 832, ) == 0x0 02406 760 NtResumeThread ... 1, ) == 0x0 02409 1948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02410 624 NtWaitForSingleObject (68, 0, {0, 0}, ... 02411 1636 NtWaitForSingleObject (68, 0, {0, 0}, ... 02412 188 NtWaitForSingleObject (68, 0, {0, 0}, ... 02413 1732 NtWaitForSingleObject (68, 0, {0, 0}, ... 02414 120 NtWaitForSingleObject (68, 0, {0, 0}, ... 02415 752 NtWaitForSingleObject (68, 0, {0, 0}, ... 02416 1328 NtWaitForSingleObject (68, 0, {0, 0}, ... 02417 1332 NtWaitForSingleObject (68, 0, {0, 0}, ... 02418 432 NtWaitForSingleObject (68, 0, {0, 0}, ... 02419 1020 NtWaitForSingleObject (68, 0, {0, 0}, ... 02420 496 NtWaitForSingleObject (68, 0, {0, 0}, ... 02421 1676 NtWaitForSingleObject (68, 0, {0, 0}, ... 02422 740 NtWaitForSingleObject (68, 0, {0, 0}, ... 02423 2020 NtWaitForSingleObject (68, 0, {0, 0}, ... 02424 1392 NtWaitForSingleObject (68, 0, {0, 0}, ... 02425 888 NtWaitForSingleObject (68, 0, {0, 0}, ... 02426 504 NtWaitForSingleObject (68, 0, {0, 0}, ... 02427 800 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02407 1804 NtRegisterThreadTerminatePort ... ) == 0x0 02428 336 NtWaitForSingleObject (288, 0, 0x0, ... 02429 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02430 988 NtRegisterThreadTerminatePort (24, ... 02431 1656 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02432 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02433 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02409 1948 NtDuplicateObject ... 836, ) == 0x0 02410 624 NtWaitForSingleObject ... ) == 0x102 02411 1636 NtWaitForSingleObject ... ) == 0x102 02412 188 NtWaitForSingleObject ... ) == 0x102 02413 1732 NtWaitForSingleObject ... ) == 0x102 02414 120 NtWaitForSingleObject ... ) == 0x102 02415 752 NtWaitForSingleObject ... ) == 0x102 02416 1328 NtWaitForSingleObject ... ) == 0x102 02417 1332 NtWaitForSingleObject ... ) == 0x102 02418 432 NtWaitForSingleObject ... ) == 0x102 02419 1020 NtWaitForSingleObject ... ) == 0x102 02420 496 NtWaitForSingleObject ... ) == 0x102 02421 1676 NtWaitForSingleObject ... ) == 0x102 02422 740 NtWaitForSingleObject ... ) == 0x102 02423 2020 NtWaitForSingleObject ... ) == 0x102 02424 1392 NtWaitForSingleObject ... ) == 0x102 02425 888 NtWaitForSingleObject ... ) == 0x102 02426 504 NtWaitForSingleObject ... ) == 0x102 02427 800 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02434 1804 NtWaitForSingleObject (288, 0, 0x0, ... 02430 988 NtRegisterThreadTerminatePort ... ) == 0x0 02403 1644 NtDuplicateObject ... 840, ) == 0x0 02435 468 NtWaitForSingleObject (288, 0, 0x0, ... 02433 760 NtAllocateVirtualMemory ... 95027200, 1048576, ) == 0x0 02436 1948 NtWaitForSingleObject (288, 0, 0x0, ... 02437 624 NtWaitForSingleObject (288, 0, 0x0, ... 02438 1636 NtWaitForSingleObject (288, 0, 0x0, ... 02439 188 NtWaitForSingleObject (288, 0, 0x0, ... 02440 1732 NtWaitForSingleObject (288, 0, 0x0, ... 02441 120 NtWaitForSingleObject (288, 0, 0x0, ... 02442 752 NtWaitForSingleObject (288, 0, 0x0, ... 02443 1328 NtWaitForSingleObject (288, 0, 0x0, ... 02444 1332 NtWaitForSingleObject (288, 0, 0x0, ... 02445 432 NtWaitForSingleObject (288, 0, 0x0, ... 02446 1020 NtWaitForSingleObject (288, 0, 0x0, ... 02447 496 NtWaitForSingleObject (288, 0, 0x0, ... 02448 1676 NtWaitForSingleObject (288, 0, 0x0, ... 02449 740 NtWaitForSingleObject (288, 0, 0x0, ... 02450 2020 NtWaitForSingleObject (288, 0, 0x0, ... 02451 1392 NtWaitForSingleObject (288, 0, 0x0, ... 
02452 888 NtWaitForSingleObject (288, 0, 0x0, ... 02453 504 NtWaitForSingleObject (288, 0, 0x0, ... 02454 800 NtSetEventBoostPriority (288, ... 02431 1656 NtCreateEvent ... 844, ) == 0x0 02455 988 NtWaitForSingleObject (288, 0, 0x0, ... 02456 1644 NtWaitForSingleObject (288, 0, 0x0, ... 02457 760 NtAllocateVirtualMemory (-1, 96067584, 0, 8192, 4096, 4, ... 02429 1740 NtWaitForSingleObject ... ) == 0x0 02454 800 NtSetEventBoostPriority ... ) == 0x0 02458 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02459 1740 NtSetEventBoostPriority (288, ... 02457 760 NtAllocateVirtualMemory ... 96067584, 8192, ) == 0x0 02460 800 NtWaitForSingleObject (288, 0, 0x0, ... 02428 336 NtWaitForSingleObject ... ) == 0x0 02459 1740 NtSetEventBoostPriority ... ) == 0x0 02461 760 NtProtectVirtualMemory (-1, (0x5b9e000), 4096, 260, ... 02462 336 NtSetEventBoostPriority (288, ... 02432 1248 NtWaitForSingleObject ... ) == 0x0 02463 1248 NtSetEventBoostPriority (288, ... 02435 468 NtWaitForSingleObject ... ) == 0x0 02464 468 NtSetEventBoostPriority (288, ... 02436 1948 NtWaitForSingleObject ... ) == 0x0 02465 1948 NtSetEventBoostPriority (288, ... 02437 624 NtWaitForSingleObject ... ) == 0x0 02466 624 NtSetEventBoostPriority (288, ... 02438 1636 NtWaitForSingleObject ... ) == 0x0 02467 1636 NtSetEventBoostPriority (288, ... 02439 188 NtWaitForSingleObject ... ) == 0x0 02468 188 NtSetEventBoostPriority (288, ... 02440 1732 NtWaitForSingleObject ... ) == 0x0 02469 1732 NtSetEventBoostPriority (288, ... 02441 120 NtWaitForSingleObject ... ) == 0x0 02470 120 NtSetEventBoostPriority (288, ... 02442 752 NtWaitForSingleObject ... ) == 0x0 02471 752 NtSetEventBoostPriority (288, ... 02443 1328 NtWaitForSingleObject ... ) == 0x0 02472 1328 NtSetEventBoostPriority (288, ... 02444 1332 NtWaitForSingleObject ... ) == 0x0 02473 1332 NtSetEventBoostPriority (288, ... 02445 432 NtWaitForSingleObject ... ) == 0x0 02474 432 NtSetEventBoostPriority (288, ... 02446 1020 NtWaitForSingleObject ... 
) == 0x0 02475 1020 NtSetEventBoostPriority (288, ... 02447 496 NtWaitForSingleObject ... ) == 0x0 02476 496 NtSetEventBoostPriority (288, ... 02448 1676 NtWaitForSingleObject ... ) == 0x0 02477 1676 NtSetEventBoostPriority (288, ... 02449 740 NtWaitForSingleObject ... ) == 0x0 02478 740 NtSetEventBoostPriority (288, ... 02450 2020 NtWaitForSingleObject ... ) == 0x0 02479 2020 NtSetEventBoostPriority (288, ... 02451 1392 NtWaitForSingleObject ... ) == 0x0 02480 1392 NtSetEventBoostPriority (288, ... 02452 888 NtWaitForSingleObject ... ) == 0x0 02481 888 NtSetEventBoostPriority (288, ... 02453 504 NtWaitForSingleObject ... ) == 0x0 02482 504 NtSetEventBoostPriority (288, ... 02434 1804 NtWaitForSingleObject ... ) == 0x0 02483 1804 NtSetEventBoostPriority (288, ... 02456 1644 NtWaitForSingleObject ... ) == 0x0 02484 1644 NtSetEventBoostPriority (288, ... 02458 1656 NtWaitForSingleObject ... ) == 0x0 02485 1656 NtSetEventBoostPriority (288, ... 02455 988 NtWaitForSingleObject ... ) == 0x0 02486 988 NtSetEventBoostPriority (288, ... 02460 800 NtWaitForSingleObject ... ) == 0x0 02487 800 NtWaitForSingleObject (232, 0, 0x0, ... 02485 1656 NtSetEventBoostPriority ... ) == 0x0 02484 1644 NtSetEventBoostPriority ... ) == 0x0 02482 504 NtSetEventBoostPriority ... ) == 0x0 02481 888 NtSetEventBoostPriority ... ) == 0x0 02480 1392 NtSetEventBoostPriority ... ) == 0x0 02479 2020 NtSetEventBoostPriority ... ) == 0x0 02478 740 NtSetEventBoostPriority ... ) == 0x0 02477 1676 NtSetEventBoostPriority ... ) == 0x0 02476 496 NtSetEventBoostPriority ... ) == 0x0 02475 1020 NtSetEventBoostPriority ... ) == 0x0 02474 432 NtSetEventBoostPriority ... ) == 0x0 02473 1332 NtSetEventBoostPriority ... ) == 0x0 02472 1328 NtSetEventBoostPriority ... ) == 0x0 02471 752 NtSetEventBoostPriority ... ) == 0x0 02470 120 NtSetEventBoostPriority ... ) == 0x0 02469 1732 NtSetEventBoostPriority ... ) == 0x0 02468 188 NtSetEventBoostPriority ... ) == 0x0 02467 1636 NtSetEventBoostPriority ... 
) == 0x0 02466 624 NtSetEventBoostPriority ... ) == 0x0 02465 1948 NtSetEventBoostPriority ... ) == 0x0 02464 468 NtSetEventBoostPriority ... ) == 0x0 02463 1248 NtSetEventBoostPriority ... ) == 0x0 02462 336 NtSetEventBoostPriority ... ) == 0x0 02461 760 NtProtectVirtualMemory ... (0x5b9e000), 4096, 4, ) == 0x0 02486 988 NtSetEventBoostPriority ... ) == 0x0 02483 1804 NtSetEventBoostPriority ... ) == 0x0 02488 1740 NtSetEventBoostPriority (128, ... 02489 1656 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02490 1644 NtWaitForSingleObject (288, 0, 0x0, ... 02491 504 NtWaitForSingleObject (128, 0, 0x0, ... 02492 888 NtWaitForSingleObject (128, 0, 0x0, ... 02493 1392 NtWaitForSingleObject (128, 0, 0x0, ... 02494 2020 NtWaitForSingleObject (128, 0, 0x0, ... 02495 740 NtWaitForSingleObject (128, 0, 0x0, ... 02496 1676 NtWaitForSingleObject (128, 0, 0x0, ... 02497 496 NtWaitForSingleObject (128, 0, 0x0, ... 02498 1020 NtWaitForSingleObject (128, 0, 0x0, ... 02499 432 NtWaitForSingleObject (128, 0, 0x0, ... 02500 1332 NtWaitForSingleObject (128, 0, 0x0, ... 02501 1328 NtWaitForSingleObject (128, 0, 0x0, ... 02502 752 NtWaitForSingleObject (128, 0, 0x0, ... 02503 120 NtWaitForSingleObject (128, 0, 0x0, ... 02504 1732 NtWaitForSingleObject (128, 0, 0x0, ... 02505 188 NtWaitForSingleObject (128, 0, 0x0, ... 02506 1636 NtWaitForSingleObject (128, 0, 0x0, ... 02507 624 NtWaitForSingleObject (128, 0, 0x0, ... 02508 1948 NtWaitForSingleObject (288, 0, 0x0, ... 02509 468 NtTestAlert (... 02510 1248 NtSetEventBoostPriority (232, ... 02511 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02512 988 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02513 1804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00767 928 NtWaitForSingleObject ... ) == 0x0 02488 1740 NtSetEventBoostPriority ... ) == 0x0 02489 1656 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02509 468 NtTestAlert ... ) == 0x0 02487 800 NtWaitForSingleObject ... 
) == 0x0 02510 1248 NtSetEventBoostPriority ... ) == 0x0 02511 760 NtCreateThread ... 848, {1764, 380}, ) == 0x0 02512 988 NtDuplicateObject ... 852, ) == 0x0 02514 928 NtWaitForSingleObject (288, 0, 0x0, ... 02513 1804 NtDuplicateObject ... 856, ) == 0x0 02515 1740 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02516 1656 NtSetEventBoostPriority (288, ... 02517 800 NtWaitForSingleObject (288, 0, 0x0, ... 02518 468 NtContinue (95026480, 1, ... 02519 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02520 760 NtQueryInformationThread (848, Basic, 28, ... 02521 336 NtWaitForSingleObject (288, 0, 0x0, ... 02522 988 NtWaitForSingleObject (288, 0, 0x0, ... 02515 1740 NtCreateEvent ... 860, ) == 0x0 02490 1644 NtWaitForSingleObject ... ) == 0x0 02516 1656 NtSetEventBoostPriority ... ) == 0x0 02523 468 NtRegisterThreadTerminatePort (24, ... 02520 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1764,Tid=380,}, 0x0, ) == 0x0 02524 1644 NtSetEventBoostPriority (288, ... 02525 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02526 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02523 468 NtRegisterThreadTerminatePort ... ) == 0x0 02527 1804 NtWaitForSingleObject (288, 0, 0x0, ... 02508 1948 NtWaitForSingleObject ... ) == 0x0 02524 1644 NtSetEventBoostPriority ... ) == 0x0 02528 468 NtWaitForSingleObject (288, 0, 0x0, ... 02529 1948 NtSetEventBoostPriority (288, ... 02530 1644 NtWaitForSingleObject (232, 0, 0x0, ... 02531 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58043, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\6\0\0|\1\0\0" ... ... 02514 928 NtWaitForSingleObject ... ) == 0x0 02529 1948 NtSetEventBoostPriority ... ) == 0x0 02532 928 NtSetEventBoostPriority (288, ... 02531 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58044, 0} ... {28, 56, reply, 0, 1764, 760, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\6\0\0|\1\0\0" ) ) == 0x0 02517 800 NtWaitForSingleObject ... 
) == 0x0 02532 928 NtSetEventBoostPriority ... ) == 0x0 02533 1948 NtWaitForSingleObject (232, 0, 0x0, ... 02534 800 NtSetEventBoostPriority (288, ... 02535 760 NtResumeThread (848, ... 02536 928 NtWaitForSingleObject (288, 0, 0x0, ... 02519 1248 NtWaitForSingleObject ... ) == 0x0 02535 760 NtResumeThread ... 1, ) == 0x0 02537 1248 NtSetEventBoostPriority (288, ... 02538 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02521 336 NtWaitForSingleObject ... ) == 0x0 02537 1248 NtSetEventBoostPriority ... ) == 0x0 02534 800 NtSetEventBoostPriority ... ) == 0x0 02539 380 NtWaitForSingleObject (288, 0, 0x0, ... 02540 336 NtSetEventBoostPriority (288, ... 02538 760 NtAllocateVirtualMemory ... 96075776, 1048576, ) == 0x0 02541 1248 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199412, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199412, 188, ... 02522 988 NtWaitForSingleObject ... ) == 0x0 02540 336 NtSetEventBoostPriority ... ) == 0x0 02542 760 NtAllocateVirtualMemory (-1, 97116160, 0, 8192, 4096, 4, ... 02543 988 NtSetEventBoostPriority (288, ... 02544 336 NtWaitForSingleObject (232, 0, 0x0, ... 02525 1740 NtWaitForSingleObject ... ) == 0x0 02543 988 NtSetEventBoostPriority ... ) == 0x0 02542 760 NtAllocateVirtualMemory ... 97116160, 8192, ) == 0x0 02541 1248 NtConnectPort ... 864, 0x0, 0x0, 0x0, 188, ) == 0x0 02545 800 NtSetEventBoostPriority (232, ... 02546 1740 NtSetEventBoostPriority (288, ... 02547 988 NtWaitForSingleObject (288, 0, 0x0, ... 02548 760 NtProtectVirtualMemory (-1, (0x5c9e000), 4096, 260, ... 
02549 1248 NtRequestWaitReplyPort (864, {200, 224, new_msg, 0, 1380824, 12, 2, 1310721} (864, {200, 224, new_msg, 0, 1380824, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\273\24\254\335\@Z\334\240\243\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\230\220\25\0\27\303M\320x\1\24\0\230\243\25\0h\1\24\0\0\0\0\0\0\0\0\0\230\243\25\0P\0\0\0\240\243\25\0(\356\347\0x\1\24\0P\0\0\0\200\300\0\0\0\0\24\04\353\347\0\372\31\221|\310\362\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02526 1656 NtWaitForSingleObject ... ) == 0x0 02546 1740 NtSetEventBoostPriority ... ) == 0x0 02530 1644 NtWaitForSingleObject ... ) == 0x0 02545 800 NtSetEventBoostPriority ... ) == 0x0 02548 760 NtProtectVirtualMemory ... (0x5c9e000), 4096, 4, ) == 0x0 02550 1656 NtSetEventBoostPriority (288, ... 02549 1248 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1764, 1248, 58046, 0} ... {200, 224, reply, 0, 1764, 1248, 58046, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\273\24\254\335\@Z\334\240\243\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\230\220\25\0\27\303M\320x\1\24\0\230\243\25\0h\1\24\0\0\0\0\0\0\0\0\0\230\243\25\0P\0\0\0\240\243\25\0(\356\347\0x\1\24\0P\0\0\0\200\300\0\0\0\0\24\04\353\347\0\372\31\221|\310\362\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02551 1644 NtWaitForSingleObject (288, 0, 0x0, ... 02552 800 NtWaitForSingleObject (68, 0, {0, 0}, ... 02527 1804 NtWaitForSingleObject ... ) == 0x0 02550 1656 NtSetEventBoostPriority ... ) == 0x0 02553 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02554 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02555 1804 NtSetEventBoostPriority (288, ... 02552 800 NtWaitForSingleObject ... 
) == 0x102 02556 1248 NtRequestWaitReplyPort (864, {64, 88, new_msg, 0, 1764, 1248, 57999, 0} (864, {64, 88, new_msg, 0, 1764, 1248, 57999, 0} "\1\356\0\0A\2\10\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02557 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02528 468 NtWaitForSingleObject ... ) == 0x0 02555 1804 NtSetEventBoostPriority ... ) == 0x0 02558 800 NtWaitForSingleObject (128, 0, 0x0, ... 02559 468 NtSetEventBoostPriority (288, ... 02560 1804 NtWaitForSingleObject (288, 0, 0x0, ... 02556 1248 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1764, 1248, 58047, 0} ... {52, 76, reply, 0, 1764, 1248, 58047, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200H\36\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 02553 760 NtCreateThread ... 868, {1764, 1692}, ) == 0x0 02536 928 NtWaitForSingleObject ... ) == 0x0 02559 468 NtSetEventBoostPriority ... ) == 0x0 02561 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02562 760 NtQueryInformationThread (868, Basic, 28, ... 02563 928 NtSetEventBoostPriority (288, ... 02564 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02562 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1764,Tid=1692,}, 0x0, ) == 0x0 02539 380 NtWaitForSingleObject ... ) == 0x0 02563 928 NtSetEventBoostPriority ... ) == 0x0 02564 468 NtDuplicateObject ... 872, ) == 0x0 02565 380 NtSetEventBoostPriority (288, ... 02566 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58044, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\344\6\0\0\234\6\0\0" ... ... 02567 928 NtWaitForSingleObject (288, 0, 0x0, ... 02547 988 NtWaitForSingleObject ... ) == 0x0 02565 380 NtSetEventBoostPriority ... ) == 0x0 02566 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58048, 0} ... 
{28, 56, reply, 0, 1764, 760, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\344\6\0\0\234\6\0\0" ) ) == 0x0 02568 468 NtWaitForSingleObject (288, 0, 0x0, ... 02569 988 NtSetEventBoostPriority (288, ... 02570 380 NtTestAlert (... 02551 1644 NtWaitForSingleObject ... ) == 0x0 02571 1644 NtSetEventBoostPriority (288, ... 02554 1740 NtWaitForSingleObject ... ) == 0x0 02572 1740 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0 02573 1740 NtSetEventBoostPriority (288, ... 02570 380 NtTestAlert ... ) == 0x0 02571 1644 NtSetEventBoostPriority ... ) == 0x0 02569 988 NtSetEventBoostPriority ... ) == 0x0 02574 760 NtResumeThread (868, ... 02575 380 NtContinue (96075056, 1, ... 02557 1656 NtWaitForSingleObject ... ) == 0x0 02573 1740 NtSetEventBoostPriority ... ) == 0x0 02576 988 NtWaitForSingleObject (232, 0, 0x0, ... 02574 760 NtResumeThread ... 1, ) == 0x0 02577 380 NtRegisterThreadTerminatePort (24, ... 02578 1656 NtSetEventBoostPriority (288, ... 02579 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02580 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02577 380 NtRegisterThreadTerminatePort ... ) == 0x0 02561 1248 NtWaitForSingleObject ... ) == 0x0 02578 1656 NtSetEventBoostPriority ... ) == 0x0 02580 760 NtAllocateVirtualMemory ... 97124352, 1048576, ) == 0x0 02581 1248 NtSetEventBoostPriority (288, ... 02582 380 NtWaitForSingleObject (288, 0, 0x0, ... 02583 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02560 1804 NtWaitForSingleObject ... ) == 0x0 02581 1248 NtSetEventBoostPriority ... ) == 0x0 02584 760 NtAllocateVirtualMemory (-1, 98164736, 0, 8192, 4096, 4, ... 02585 1644 NtSetEventBoostPriority (232, ... 02586 1692 NtWaitForSingleObject (288, 0, 0x0, ... 02587 1804 NtSetEventBoostPriority (288, ... 02584 760 NtAllocateVirtualMemory ... 98164736, 8192, ) == 0x0 02533 1948 NtWaitForSingleObject ... ) == 0x0 02585 1644 NtSetEventBoostPriority ... ) == 0x0 02567 928 NtWaitForSingleObject ... 
) == 0x0 02587 1804 NtSetEventBoostPriority ... ) == 0x0 02588 1248 NtWaitForSingleObject (232, 0, 0x0, ... 02589 1948 NtSetEventBoostPriority (232, ... 02590 1644 NtWaitForSingleObject (68, 0, {0, 0}, ... 02591 928 NtSetEventBoostPriority (288, ... 02592 1804 NtWaitForSingleObject (232, 0, 0x0, ... 02544 336 NtWaitForSingleObject ... ) == 0x0 02590 1644 NtWaitForSingleObject ... ) == 0x102 02568 468 NtWaitForSingleObject ... ) == 0x0 02593 336 NtWaitForSingleObject (288, 0, 0x0, ... 02594 1644 NtWaitForSingleObject (128, 0, 0x0, ... 02595 468 NtSetEventBoostPriority (288, ... 02591 928 NtSetEventBoostPriority ... ) == 0x0 02589 1948 NtSetEventBoostPriority ... ) == 0x0 02596 760 NtProtectVirtualMemory (-1, (0x5d9e000), 4096, 260, ... 02579 1740 NtWaitForSingleObject ... ) == 0x0 02595 468 NtSetEventBoostPriority ... ) == 0x0 02597 928 NtSetEventBoostPriority (128, ... 02598 1948 NtWaitForSingleObject (68, 0, {0, 0}, ... 02599 1740 NtSetEventBoostPriority (288, ... 02596 760 NtProtectVirtualMemory ... (0x5d9e000), 4096, 4, ) == 0x0 02600 468 NtWaitForSingleObject (288, 0, 0x0, ... 00848 484 NtWaitForSingleObject ... ) == 0x0 02597 928 NtSetEventBoostPriority ... ) == 0x0 02582 380 NtWaitForSingleObject ... ) == 0x0 02599 1740 NtSetEventBoostPriority ... ) == 0x0 02601 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02598 1948 NtWaitForSingleObject ... ) == 0x102 02602 484 NtWaitForSingleObject (288, 0, 0x0, ... 02603 380 NtSetEventBoostPriority (288, ... 02604 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02601 760 NtCreateThread ... 876, {1764, 1792}, ) == 0x0 02583 1656 NtWaitForSingleObject ... ) == 0x0 02605 1948 NtWaitForSingleObject (128, 0, 0x0, ... 02604 928 NtCreateEvent ... 880, ) == 0x0 02606 760 NtQueryInformationThread (876, Basic, 28, ... 02607 1656 NtSetEventBoostPriority (288, ... 02608 928 NtWaitForSingleObject (288, 0, 0x0, ... 02606 760 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1764,Tid=1792,}, 0x0, ) == 0x0 02586 1692 NtWaitForSingleObject ... ) == 0x0 02607 1656 NtSetEventBoostPriority ... ) == 0x0 02603 380 NtSetEventBoostPriority ... ) == 0x0 02609 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02610 1692 NtSetEventBoostPriority (288, ... 02611 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02612 380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02593 336 NtWaitForSingleObject ... ) == 0x0 02610 1692 NtSetEventBoostPriority ... ) == 0x0 02613 336 NtSetEventBoostPriority (288, ... 02612 380 NtDuplicateObject ... 884, ) == 0x0 02614 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58048, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\6\0\0\0\7\0\0" ... ... 02600 468 NtWaitForSingleObject ... ) == 0x0 02613 336 NtSetEventBoostPriority ... ) == 0x0 02615 1692 NtTestAlert (... 02614 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58049, 0} ... {28, 56, reply, 0, 1764, 760, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\6\0\0\0\7\0\0" ) ) == 0x0 02616 468 NtSetEventBoostPriority (288, ... 02617 380 NtWaitForSingleObject (288, 0, 0x0, ... 02615 1692 NtTestAlert ... ) == 0x0 02618 760 NtResumeThread (876, ... 02602 484 NtWaitForSingleObject ... ) == 0x0 02619 1692 NtContinue (97123632, 1, ... 02620 484 NtSetEventBoostPriority (288, ... 02618 760 NtResumeThread ... 1, ) == 0x0 02608 928 NtWaitForSingleObject ... ) == 0x0 02620 484 NtSetEventBoostPriority ... ) == 0x0 02621 1692 NtRegisterThreadTerminatePort (24, ... 02622 928 NtSetEventBoostPriority (288, ... 02623 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02616 468 NtSetEventBoostPriority ... ) == 0x0 02624 336 NtSetEventBoostPriority (232, ... 02625 1792 NtWaitForSingleObject (288, 0, 0x0, ... 02609 1740 NtWaitForSingleObject ... ) == 0x0 02622 928 NtSetEventBoostPriority ... ) == 0x0 02621 1692 NtRegisterThreadTerminatePort ... 
) == 0x0 02626 484 NtSetEventBoostPriority (128, ... 02627 468 NtWaitForSingleObject (232, 0, 0x0, ... 02576 988 NtWaitForSingleObject ... ) == 0x0 02624 336 NtSetEventBoostPriority ... ) == 0x0 02628 1740 NtSetEventBoostPriority (288, ... 02623 760 NtAllocateVirtualMemory ... 98172928, 1048576, ) == 0x0 02629 1692 NtWaitForSingleObject (288, 0, 0x0, ... 00852 860 NtWaitForSingleObject ... ) == 0x0 02626 484 NtSetEventBoostPriority ... ) == 0x0 02630 988 NtWaitForSingleObject (288, 0, 0x0, ... 02611 1656 NtWaitForSingleObject ... ) == 0x0 02628 1740 NtSetEventBoostPriority ... ) == 0x0 02631 336 NtWaitForSingleObject (68, 0, {0, 0}, ... 02632 760 NtAllocateVirtualMemory (-1, 99213312, 0, 8192, 4096, 4, ... 02633 928 NtWaitForSingleObject (288, 0, 0x0, ... 02634 860 NtWaitForSingleObject (288, 0, 0x0, ... 02635 1656 NtSetEventBoostPriority (288, ... 02636 484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02637 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02631 336 NtWaitForSingleObject ... ) == 0x102 02632 760 NtAllocateVirtualMemory ... 99213312, 8192, ) == 0x0 02617 380 NtWaitForSingleObject ... ) == 0x0 02635 1656 NtSetEventBoostPriority ... ) == 0x0 02636 484 NtCreateEvent ... 888, ) == 0x0 02638 336 NtWaitForSingleObject (288, 0, 0x0, ... 02639 380 NtSetEventBoostPriority (288, ... 02640 760 NtProtectVirtualMemory (-1, (0x5e9e000), 4096, 260, ... 02641 484 NtWaitForSingleObject (288, 0, 0x0, ... 02642 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02625 1792 NtWaitForSingleObject ... ) == 0x0 02639 380 NtSetEventBoostPriority ... ) == 0x0 02640 760 NtProtectVirtualMemory ... (0x5e9e000), 4096, 4, ) == 0x0 02643 1792 NtSetEventBoostPriority (288, ... 02644 380 NtWaitForSingleObject (288, 0, 0x0, ... 02630 988 NtWaitForSingleObject ... ) == 0x0 02643 1792 NtSetEventBoostPriority ... ) == 0x0 02645 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02646 988 NtSetEventBoostPriority (288, ... 02647 1792 NtTestAlert (... 02634 860 NtWaitForSingleObject ... 
) == 0x0 02646 988 NtSetEventBoostPriority ... ) == 0x0 02648 860 NtSetEventBoostPriority (288, ... 02647 1792 NtTestAlert ... ) == 0x0 02645 760 NtCreateThread ... 892, {1764, 784}, ) == 0x0 02633 928 NtWaitForSingleObject ... ) == 0x0 02648 860 NtSetEventBoostPriority ... ) == 0x0 02649 1792 NtContinue (98172208, 1, ... 02650 928 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 02651 760 NtQueryInformationThread (892, Basic, 28, ... 02652 988 NtSetEventBoostPriority (232, ... 02650 928 NtAllocateVirtualMemory ... 1425408, 4096, ) == 0x0 02653 1792 NtRegisterThreadTerminatePort (24, ... 02651 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1764,Tid=784,}, 0x0, ) == 0x0 02654 928 NtSetEventBoostPriority (288, ... 02588 1248 NtWaitForSingleObject ... ) == 0x0 02652 988 NtSetEventBoostPriority ... ) == 0x0 02653 1792 NtRegisterThreadTerminatePort ... ) == 0x0 02655 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58049, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\344\6\0\0\20\3\0\0" ... ... 02656 860 NtWaitForSingleObject (288, 0, 0x0, ... 02657 1248 NtSetEventBoostPriority (232, ... 02658 988 NtWaitForSingleObject (68, 0, {0, 0}, ... 02659 1792 NtWaitForSingleObject (288, 0, 0x0, ... 02655 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58050, 0} ... {28, 56, reply, 0, 1764, 760, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\344\6\0\0\20\3\0\0" ) ) == 0x0 02592 1804 NtWaitForSingleObject ... ) == 0x0 02657 1248 NtSetEventBoostPriority ... ) == 0x0 02658 988 NtWaitForSingleObject ... ) == 0x102 02629 1692 NtWaitForSingleObject ... ) == 0x0 02654 928 NtSetEventBoostPriority ... ) == 0x0 02660 1804 NtSetEventBoostPriority (232, ... 02661 1248 NtClose (832, ... 02662 988 NtWaitForSingleObject (288, 0, 0x0, ... 02663 1692 NtSetEventBoostPriority (288, ... 02627 468 NtWaitForSingleObject ... ) == 0x0 02660 1804 NtSetEventBoostPriority ... 
) == 0x0 02664 928 NtWaitForSingleObject (288, 0, 0x0, ... 02665 760 NtResumeThread (892, ... 02661 1248 NtClose ... ) == 0x0 02666 468 NtWaitForSingleObject (288, 0, 0x0, ... 02637 1740 NtWaitForSingleObject ... ) == 0x0 02663 1692 NtSetEventBoostPriority ... ) == 0x0 02665 760 NtResumeThread ... 1, ) == 0x0 02667 1248 NtClose (864, ... 02668 1740 NtSetEventBoostPriority (288, ... 02669 1692 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02670 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02667 1248 NtClose ... ) == 0x0 02641 484 NtWaitForSingleObject ... ) == 0x0 02669 1692 NtDuplicateObject ... 864, ) == 0x0 02670 760 NtAllocateVirtualMemory ... 99221504, 1048576, ) == 0x0 02671 1248 NtWaitForSingleObject (232, 0, 0x0, ... 02672 484 NtSetEventBoostPriority (288, ... 02668 1740 NtSetEventBoostPriority ... ) == 0x0 02673 1804 NtWaitForSingleObject (68, 0, {0, 0}, ... 02674 784 NtWaitForSingleObject (288, 0, 0x0, ... 02675 760 NtAllocateVirtualMemory (-1, 100261888, 0, 8192, 4096, 4, ... 02642 1656 NtWaitForSingleObject ... ) == 0x0 02672 484 NtSetEventBoostPriority ... ) == 0x0 02676 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02673 1804 NtWaitForSingleObject ... ) == 0x102 02677 1656 NtSetEventBoostPriority (288, ... 02675 760 NtAllocateVirtualMemory ... 100261888, 8192, ) == 0x0 02678 1692 NtWaitForSingleObject (288, 0, 0x0, ... 02638 336 NtWaitForSingleObject ... ) == 0x0 02677 1656 NtSetEventBoostPriority ... ) == 0x0 02679 1804 NtWaitForSingleObject (288, 0, 0x0, ... 02680 484 NtWaitForSingleObject (288, 0, 0x0, ... 02681 336 NtSetEventBoostPriority (288, ... 02682 1656 NtAllocateVirtualMemory (-1, 14143488, 0, 4096, 4096, 260, ... 02644 380 NtWaitForSingleObject ... ) == 0x0 02681 336 NtSetEventBoostPriority ... ) == 0x0 02683 760 NtProtectVirtualMemory (-1, (0x5f9e000), 4096, 260, ... 02684 380 NtSetEventBoostPriority (288, ... 02685 336 NtWaitForSingleObject (128, 0, 0x0, ... 02683 760 NtProtectVirtualMemory ... 
(0x5f9e000), 4096, 4, ) == 0x0 02656 860 NtWaitForSingleObject ... ) == 0x0 02686 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02687 860 NtSetEventBoostPriority (288, ... 02686 760 NtCreateThread ... 832, {1764, 1520}, ) == 0x0 02659 1792 NtWaitForSingleObject ... ) == 0x0 02687 860 NtSetEventBoostPriority ... ) == 0x0 02688 1792 NtSetEventBoostPriority (288, ... 02689 760 NtQueryInformationThread (832, Basic, 28, ... 02662 988 NtWaitForSingleObject ... ) == 0x0 02690 860 NtSetEventBoostPriority (128, ... 02689 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1764,Tid=1520,}, 0x0, ) == 0x0 02691 988 NtSetEventBoostPriority (288, ... 02688 1792 NtSetEventBoostPriority ... ) == 0x0 02684 380 NtSetEventBoostPriority ... ) == 0x0 02682 1656 NtAllocateVirtualMemory ... 14143488, 4096, ) == 0x0 00853 464 NtWaitForSingleObject ... ) == 0x0 02690 860 NtSetEventBoostPriority ... ) == 0x0 02664 928 NtWaitForSingleObject ... ) == 0x0 02692 1792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02693 380 NtWaitForSingleObject (288, 0, 0x0, ... 02694 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02695 464 NtWaitForSingleObject (288, 0, 0x0, ... 02696 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02697 928 NtSetEventBoostPriority (288, ... 02692 1792 NtDuplicateObject ... 896, ) == 0x0 02696 860 NtCreateEvent ... 900, ) == 0x0 02666 468 NtWaitForSingleObject ... ) == 0x0 02697 928 NtSetEventBoostPriority ... ) == 0x0 02691 988 NtSetEventBoostPriority ... ) == 0x0 02698 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58050, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\6\0\0\360\5\0\0" ... ... 02699 468 NtSetEventBoostPriority (288, ... 02700 860 NtWaitForSingleObject (288, 0, 0x0, ... 02701 1792 NtWaitForSingleObject (288, 0, 0x0, ... 02702 988 NtWaitForSingleObject (128, 0, 0x0, ... 02674 784 NtWaitForSingleObject ... ) == 0x0 02699 468 NtSetEventBoostPriority ... 
) == 0x0 02698 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58052, 0} ... {28, 56, reply, 0, 1764, 760, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\6\0\0\360\5\0\0" ) ) == 0x0 02703 784 NtSetEventBoostPriority (288, ... 02704 928 NtWaitForSingleObject (288, 0, 0x0, ... 02676 1740 NtWaitForSingleObject ... ) == 0x0 02703 784 NtSetEventBoostPriority ... ) == 0x0 02705 760 NtResumeThread (832, ... 02706 1740 NtSetEventBoostPriority (288, ... 02707 468 NtSetEventBoostPriority (232, ... 02678 1692 NtWaitForSingleObject ... ) == 0x0 02706 1740 NtSetEventBoostPriority ... ) == 0x0 02705 760 NtResumeThread ... 1, ) == 0x0 02708 1692 NtSetEventBoostPriority (288, ... 02671 1248 NtWaitForSingleObject ... ) == 0x0 02707 468 NtSetEventBoostPriority ... ) == 0x0 02709 784 NtTestAlert (... 02710 1520 NtWaitForSingleObject (288, 0, 0x0, ... 02679 1804 NtWaitForSingleObject ... ) == 0x0 02711 1248 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02708 1692 NtSetEventBoostPriority ... ) == 0x0 02712 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02713 468 NtWaitForSingleObject (68, 0, {0, 0}, ... 02709 784 NtTestAlert ... ) == 0x0 02714 1804 NtSetEventBoostPriority (288, ... 02711 1248 NtCreateKey ... 904, 2, ) == 0x0 02715 1692 NtWaitForSingleObject (288, 0, 0x0, ... 02716 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02713 468 NtWaitForSingleObject ... ) == 0x102 02680 484 NtWaitForSingleObject ... ) == 0x0 02714 1804 NtSetEventBoostPriority ... ) == 0x0 02717 784 NtContinue (99220784, 1, ... 02712 760 NtAllocateVirtualMemory ... 100270080, 1048576, ) == 0x0 02718 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 
02719 484 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 02720 468 NtWaitForSingleObject (128, 0, 0x0, ... 02721 784 NtRegisterThreadTerminatePort (24, ... 02722 760 NtAllocateVirtualMemory (-1, 101310464, 0, 8192, 4096, 4, ... 02719 484 NtAllocateVirtualMemory ... 1429504, 4096, ) == 0x0 02718 1248 NtOpenKey ... 908, ) == 0x0 02723 1804 NtWaitForSingleObject (128, 0, 0x0, ... 02721 784 NtRegisterThreadTerminatePort ... ) == 0x0 02724 484 NtSetEventBoostPriority (288, ... 02722 760 NtAllocateVirtualMemory ... 101310464, 8192, ) == 0x0 02725 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02726 784 NtWaitForSingleObject (288, 0, 0x0, ... 02727 760 NtProtectVirtualMemory (-1, (0x609e000), 4096, 260, ... 02725 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02693 380 NtWaitForSingleObject ... ) == 0x0 02724 484 NtSetEventBoostPriority ... ) == 0x0 02727 760 NtProtectVirtualMemory ... (0x609e000), 4096, 4, ) == 0x0 02728 1248 NtQueryValueKey (904, (904, "Hostname", Partial, 144, ... , Partial, 144, ... 02729 380 NtSetEventBoostPriority (288, ... 02730 484 NtWaitForSingleObject (288, 0, 0x0, ... 02731 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02728 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02694 1656 NtWaitForSingleObject ... ) == 0x0 02729 380 NtSetEventBoostPriority ... ) == 0x0 02731 760 NtCreateThread ... 912, {1764, 1696}, ) == 0x0 02732 1656 NtSetEventBoostPriority (288, ... 02733 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02695 464 NtWaitForSingleObject ... ) == 0x0 02732 1656 NtSetEventBoostPriority ... ) == 0x0 02734 760 NtQueryInformationThread (912, Basic, 28, ... 02735 464 NtSetEventBoostPriority (288, ... 02736 380 NtWaitForSingleObject (68, 0, {0, 0}, ... 02700 860 NtWaitForSingleObject ... 
) == 0x0 02735 464 NtSetEventBoostPriority ... ) == 0x0 02734 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1764,Tid=1696,}, 0x0, ) == 0x0 02737 860 NtSetEventBoostPriority (288, ... 02736 380 NtWaitForSingleObject ... ) == 0x102 02738 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02701 1792 NtWaitForSingleObject ... ) == 0x0 02737 860 NtSetEventBoostPriority ... ) == 0x0 02739 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58052, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\6\0\0\240\6\0\0" ... ... 02740 380 NtWaitForSingleObject (288, 0, 0x0, ... 02741 1792 NtSetEventBoostPriority (288, ... 02742 464 NtWaitForSingleObject (288, 0, 0x0, ... 02739 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58053, 0} ... {28, 56, reply, 0, 1764, 760, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\6\0\0\240\6\0\0" ) ) == 0x0 02704 928 NtWaitForSingleObject ... ) == 0x0 02741 1792 NtSetEventBoostPriority ... ) == 0x0 02743 860 NtWaitForSingleObject (288, 0, 0x0, ... 02744 928 NtSetEventBoostPriority (288, ... 02745 1792 NtWaitForSingleObject (288, 0, 0x0, ... 02710 1520 NtWaitForSingleObject ... ) == 0x0 02744 928 NtSetEventBoostPriority ... ) == 0x0 02746 760 NtResumeThread (912, ... 02747 1520 NtSetEventBoostPriority (288, ... 02748 928 NtWaitForSingleObject (288, 0, 0x0, ... 02716 1740 NtWaitForSingleObject ... ) == 0x0 02747 1520 NtSetEventBoostPriority ... ) == 0x0 02746 760 NtResumeThread ... 1, ) == 0x0 02749 1740 NtSetEventBoostPriority (288, ... 02750 1696 NtWaitForSingleObject (92, 0, 0x0, ... 02715 1692 NtWaitForSingleObject ... ) == 0x0 02749 1740 NtSetEventBoostPriority ... ) == 0x0 02751 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02752 1692 NtSetEventBoostPriority (288, ... 02753 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02730 484 NtWaitForSingleObject ... ) == 0x0 02751 760 NtAllocateVirtualMemory ... 
101318656, 1048576, ) == 0x0 02752 1692 NtSetEventBoostPriority ... ) == 0x0 02754 1520 NtSetEventBoostPriority (92, ... 02755 484 NtSetEventBoostPriority (288, ... 02756 760 NtAllocateVirtualMemory (-1, 102359040, 0, 8192, 4096, 4, ... 02757 1692 NtWaitForSingleObject (68, 0, {0, 0}, ... 02750 1696 NtWaitForSingleObject ... ) == 0x0 02754 1520 NtSetEventBoostPriority ... ) == 0x0 02726 784 NtWaitForSingleObject ... ) == 0x0 02755 484 NtSetEventBoostPriority ... ) == 0x0 02756 760 NtAllocateVirtualMemory ... 102359040, 8192, ) == 0x0 02758 1696 NtTestAlert (... 02759 784 NtSetEventBoostPriority (288, ... 02760 1520 NtTestAlert (... 02757 1692 NtWaitForSingleObject ... ) == 0x102 02761 484 NtWaitForSingleObject (288, 0, 0x0, ... 02758 1696 NtTestAlert ... ) == 0x0 02733 1248 NtWaitForSingleObject ... ) == 0x0 02760 1520 NtTestAlert ... ) == 0x0 02762 1692 NtWaitForSingleObject (128, 0, 0x0, ... 02759 784 NtSetEventBoostPriority ... ) == 0x0 02763 760 NtProtectVirtualMemory (-1, (0x619e000), 4096, 260, ... 02764 1248 NtSetEventBoostPriority (288, ... 02765 1520 NtContinue (100269360, 1, ... 02766 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02763 760 NtProtectVirtualMemory ... (0x619e000), 4096, 4, ) == 0x0 02738 1656 NtWaitForSingleObject ... ) == 0x0 02764 1248 NtSetEventBoostPriority ... ) == 0x0 02767 1520 NtRegisterThreadTerminatePort (24, ... 02766 784 NtDuplicateObject ... 916, ) == 0x0 02768 1656 NtSetEventBoostPriority (288, ... 02769 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02770 1248 NtQueryValueKey (904, (904, "Hostname", Partial, 144, ... , Partial, 144, ... 02771 1696 NtContinue (101317936, 1, ... 02767 1520 NtRegisterThreadTerminatePort ... ) == 0x0 02740 380 NtWaitForSingleObject ... ) == 0x0 02768 1656 NtSetEventBoostPriority ... ) == 0x0 02769 760 NtCreateThread ... 920, {1764, 1744}, ) == 0x0 02772 784 NtWaitForSingleObject (288, 0, 0x0, ... 02773 1696 NtRegisterThreadTerminatePort (24, ... 
02774 380 NtSetEventBoostPriority (288, ... 02775 1520 NtWaitForSingleObject (288, 0, 0x0, ... 02776 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02777 760 NtQueryInformationThread (920, Basic, 28, ... 02742 464 NtWaitForSingleObject ... ) == 0x0 02774 380 NtSetEventBoostPriority ... ) == 0x0 02773 1696 NtRegisterThreadTerminatePort ... ) == 0x0 02770 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02778 464 NtSetEventBoostPriority (288, ... 02777 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1764,Tid=1744,}, 0x0, ) == 0x0 02779 1696 NtWaitForSingleObject (288, 0, 0x0, ... 02743 860 NtWaitForSingleObject ... ) == 0x0 02778 464 NtSetEventBoostPriority ... ) == 0x0 02780 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02781 380 NtWaitForSingleObject (128, 0, 0x0, ... 02782 860 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 02783 464 NtWaitForSingleObject (288, 0, 0x0, ... 02782 860 NtAllocateVirtualMemory ... 1433600, 4096, ) == 0x0 02784 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58053, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\6\0\0\320\6\0\0" ... ... 02785 860 NtSetEventBoostPriority (288, ... 02784 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58054, 0} ... {28, 56, reply, 0, 1764, 760, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\6\0\0\320\6\0\0" ) ) == 0x0 02786 760 NtResumeThread (920, ... 1, ) == 0x0 02787 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 102367232, 1048576, ) == 0x0 02788 760 NtAllocateVirtualMemory (-1, 103407616, 0, 8192, 4096, 4, ... 103407616, 8192, ) == 0x0 02789 760 NtProtectVirtualMemory (-1, (0x629e000), 4096, 260, ... (0x629e000), 4096, 4, ) == 0x0 02790 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02745 1792 NtWaitForSingleObject ... ) == 0x0 02785 860 NtSetEventBoostPriority ... 
) == 0x0 02791 1744 NtWaitForSingleObject (288, 0, 0x0, ... 02792 1792 NtSetEventBoostPriority (288, ... 02793 860 NtWaitForSingleObject (288, 0, 0x0, ... 02748 928 NtWaitForSingleObject ... ) == 0x0 02794 928 NtSetEventBoostPriority (288, ... 02753 1740 NtWaitForSingleObject ... ) == 0x0 02795 1740 NtSetEventBoostPriority (288, ... 02761 484 NtWaitForSingleObject ... ) == 0x0 02796 484 NtSetEventBoostPriority (288, ... 02772 784 NtWaitForSingleObject ... ) == 0x0 02797 784 NtSetEventBoostPriority (288, ... 02775 1520 NtWaitForSingleObject ... ) == 0x0 02798 1520 NtSetEventBoostPriority (288, ... 02776 1656 NtWaitForSingleObject ... ) == 0x0 02799 1656 NtSetEventBoostPriority (288, ... 02779 1696 NtWaitForSingleObject ... ) == 0x0 02800 1696 NtSetEventBoostPriority (288, ... 02780 1248 NtWaitForSingleObject ... ) == 0x0 02801 1248 NtSetEventBoostPriority (288, ... 02783 464 NtWaitForSingleObject ... ) == 0x0 02802 464 NtSetEventBoostPriority (288, ... 02791 1744 NtWaitForSingleObject ... ) == 0x0 02803 1744 NtSetEventBoostPriority (288, ... 02793 860 NtWaitForSingleObject ... ) == 0x0 02804 860 NtAllocateVirtualMemory (-1, 18337792, 0, 4096, 4096, 260, ... 18337792, 4096, ) == 0x0 02803 1744 NtSetEventBoostPriority ... ) == 0x0 02801 1248 NtSetEventBoostPriority ... ) == 0x0 02800 1696 NtSetEventBoostPriority ... ) == 0x0 02798 1520 NtSetEventBoostPriority ... ) == 0x0 02797 784 NtSetEventBoostPriority ... ) == 0x0 02796 484 NtSetEventBoostPriority ... ) == 0x0 02802 464 NtSetEventBoostPriority ... ) == 0x0 02799 1656 NtSetEventBoostPriority ... ) == 0x0 02795 1740 NtSetEventBoostPriority ... ) == 0x0 02794 928 NtSetEventBoostPriority ... ) == 0x0 02792 1792 NtSetEventBoostPriority ... ) == 0x0 02790 760 NtCreateThread ... 924, {1764, 1124}, ) == 0x0 02805 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02806 1744 NtTestAlert (... 02807 1248 NtClose (904, ... 02808 1696 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02809 784 NtWaitForSingleObject (68, 0, {0, 0}, ... 
02810 484 NtAllocateVirtualMemory (-1, 19386368, 0, 4096, 4096, 260, ... 02811 464 NtSetEventBoostPriority (128, ... 02812 1656 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02813 1740 NtAllocateVirtualMemory (-1, 13094912, 0, 4096, 4096, 260, ... 02814 928 NtAllocateVirtualMemory (-1, 12046336, 0, 4096, 4096, 260, ... 02815 1792 NtWaitForSingleObject (68, 0, {0, 0}, ... 02816 760 NtQueryInformationThread (924, Basic, 28, ... 02805 860 NtCreateEvent ... 928, ) == 0x0 02806 1744 NtTestAlert ... ) == 0x0 02807 1248 NtClose ... ) == 0x0 02808 1696 NtDuplicateObject ... 904, ) == 0x0 02817 1520 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02809 784 NtWaitForSingleObject ... ) == 0x102 00858 1036 NtWaitForSingleObject ... ) == 0x0 02811 464 NtSetEventBoostPriority ... ) == 0x0 02812 1656 NtCreateEvent ... 932, ) == 0x0 02813 1740 NtAllocateVirtualMemory ... 13094912, 4096, ) == 0x0 02814 928 NtAllocateVirtualMemory ... 12046336, 4096, ) == 0x0 02816 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1764,Tid=1124,}, 0x0, ) == 0x0 02818 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02819 1744 NtContinue (102366512, 1, ... 02820 1248 NtClose (908, ... 02821 1696 NtWaitForSingleObject (68, 0, {0, 0}, ... 02817 1520 NtDuplicateObject ... 936, ) == 0x0 02822 1036 NtSetEventBoostPriority (128, ... 02823 784 NtWaitForSingleObject (128, 0, 0x0, ... 02810 484 NtAllocateVirtualMemory ... 19386368, 4096, ) == 0x0 02815 1792 NtWaitForSingleObject ... ) == 0x102 02824 464 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02825 1656 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02826 1740 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02827 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58054, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\344\6\0\0d\4\0\0" ... ... 02818 860 NtDuplicateObject ... 940, ) == 0x0 02828 1744 NtRegisterThreadTerminatePort (24, ... 02820 1248 NtClose ... 
) == 0x0 02821 1696 NtWaitForSingleObject ... ) == 0x102 01118 1596 NtWaitForSingleObject ... ) == 0x0 02822 1036 NtSetEventBoostPriority ... ) == 0x0 02829 1520 NtWaitForSingleObject (68, 0, {0, 0}, ... 02830 484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02831 1792 NtWaitForSingleObject (128, 0, 0x0, ... 02824 464 NtCreateEvent ... 908, ) == 0x0 02825 1656 NtDuplicateObject ... 944, ) == 0x0 02826 1740 NtCreateEvent ... 948, ) == 0x0 02827 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58055, 0} ... {28, 56, reply, 0, 1764, 760, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\344\6\0\0d\4\0\0" ) ) == 0x0 02832 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02828 1744 NtRegisterThreadTerminatePort ... ) == 0x0 02833 1248 NtWaitForSingleObject (440, 0, 0x0, ... 02834 1596 NtSetEventBoostPriority (128, ... 02835 1696 NtWaitForSingleObject (128, 0, 0x0, ... 02836 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02829 1520 NtWaitForSingleObject ... ) == 0x102 02830 484 NtCreateEvent ... 952, ) == 0x0 02837 464 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 02838 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02839 1740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02840 1036 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02832 860 NtCreateEvent ... 956, ) == 0x0 02841 1744 NtWaitForSingleObject (288, 0, 0x0, ... 01133 1856 NtWaitForSingleObject ... ) == 0x0 02834 1596 NtSetEventBoostPriority ... ) == 0x0 02842 760 NtResumeThread (924, ... 02836 928 NtCreateEvent ... 960, ) == 0x0 02843 1520 NtWaitForSingleObject (288, 0, 0x0, ... 02844 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02837 464 NtAllocateVirtualMemory ... 1437696, 4096, ) == 0x0 02839 1740 NtDuplicateObject ... 964, ) == 0x0 02840 1036 NtCreateEvent ... 968, ) == 0x0 02845 860 NtWaitForSingleObject (288, 0, 0x0, ... 02846 1856 NtWaitForSingleObject (288, 0, 0x0, ... 02842 760 NtResumeThread ... 1, ) == 0x0 02847 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02848 1596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02849 1124 NtWaitForSingleObject (288, 0, 0x0, ... 02844 484 NtDuplicateObject ... 972, ) == 0x0 02850 464 NtSetEventBoostPriority (288, ... 02851 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02852 1036 NtWaitForSingleObject (288, 0, 0x0, ... 02853 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02847 928 NtDuplicateObject ... 976, ) == 0x0 02848 1596 NtCreateEvent ... 980, ) == 0x0 02854 484 NtWaitForSingleObject (288, 0, 0x0, ... 02838 1656 NtWaitForSingleObject ... ) == 0x0 02850 464 NtSetEventBoostPriority ... ) == 0x0 02853 760 NtAllocateVirtualMemory ... 103415808, 1048576, ) == 0x0 02855 928 NtWaitForSingleObject (288, 0, 0x0, ... 02856 1596 NtWaitForSingleObject (288, 0, 0x0, ... 02857 1656 NtSetEventBoostPriority (288, ... 02858 760 NtAllocateVirtualMemory (-1, 104456192, 0, 8192, 4096, 4, ... 02841 1744 NtWaitForSingleObject ... ) == 0x0 02857 1656 NtSetEventBoostPriority ... ) == 0x0 02859 1744 NtSetEventBoostPriority (288, ... 02858 760 NtAllocateVirtualMemory ... 104456192, 8192, ) == 0x0 02860 464 NtWaitForSingleObject (288, 0, 0x0, ... 02846 1856 NtWaitForSingleObject ... ) == 0x0 02859 1744 NtSetEventBoostPriority ... ) == 0x0 02861 1656 NtWaitForSingleObject (232, 0, 0x0, ... 02862 1856 NtSetEventBoostPriority (288, ... 02863 1744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02845 860 NtWaitForSingleObject ... ) == 0x0 02862 1856 NtSetEventBoostPriority ... ) == 0x0 02864 860 NtSetEventBoostPriority (288, ... 02863 1744 NtDuplicateObject ... 984, ) == 0x0 02865 760 NtProtectVirtualMemory (-1, (0x639e000), 4096, 260, ... 02849 1124 NtWaitForSingleObject ... ) == 0x0 02864 860 NtSetEventBoostPriority ... ) == 0x0 02866 1856 NtWaitForSingleObject (288, 0, 0x0, ... 02867 1124 NtSetEventBoostPriority (288, ... 02865 760 NtProtectVirtualMemory ... (0x639e000), 4096, 4, ) == 0x0 02868 860 NtSetEventBoostPriority (232, ... 02851 1740 NtWaitForSingleObject ... 
) == 0x0 02867 1124 NtSetEventBoostPriority ... ) == 0x0 02869 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02870 1744 NtWaitForSingleObject (288, 0, 0x0, ... 02871 1740 NtSetEventBoostPriority (288, ... 02861 1656 NtWaitForSingleObject ... ) == 0x0 02868 860 NtSetEventBoostPriority ... ) == 0x0 02869 760 NtCreateThread ... 988, {1764, 1496}, ) == 0x0 02852 1036 NtWaitForSingleObject ... ) == 0x0 02871 1740 NtSetEventBoostPriority ... ) == 0x0 02872 1656 NtWaitForSingleObject (288, 0, 0x0, ... 02873 860 NtSetEventBoostPriority (440, ... 02874 1036 NtSetEventBoostPriority (288, ... 02875 760 NtQueryInformationThread (988, Basic, 28, ... 02876 1124 NtTestAlert (... 02843 1520 NtWaitForSingleObject ... ) == 0x0 02874 1036 NtSetEventBoostPriority ... ) == 0x0 02833 1248 NtWaitForSingleObject ... ) == 0x0 02873 860 NtSetEventBoostPriority ... ) == 0x0 02875 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1764,Tid=1496,}, 0x0, ) == 0x0 02877 1520 NtSetEventBoostPriority (288, ... 02876 1124 NtTestAlert ... ) == 0x0 02878 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02879 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02880 860 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02881 1036 NtWaitForSingleObject (288, 0, 0x0, ... 02854 484 NtWaitForSingleObject ... ) == 0x0 02882 1124 NtContinue (103415088, 1, ... 02880 860 NtCreateEvent ... 992, ) == 0x0 02883 484 NtSetEventBoostPriority (288, ... 02884 1124 NtRegisterThreadTerminatePort (24, ... 02885 860 NtWaitForSingleObject (992, 0, 0x0, ... 02855 928 NtWaitForSingleObject ... ) == 0x0 02884 1124 NtRegisterThreadTerminatePort ... ) == 0x0 02883 484 NtSetEventBoostPriority ... ) == 0x0 02877 1520 NtSetEventBoostPriority ... ) == 0x0 02886 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58055, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\344\6\0\0\330\5\0\0" ... ... 02887 928 NtSetEventBoostPriority (288, ... 
02888 1124 NtWaitForSingleObject (288, 0, 0x0, ... 02889 484 NtWaitForSingleObject (288, 0, 0x0, ... 02890 1520 NtWaitForSingleObject (128, 0, 0x0, ... 02886 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58056, 0} ... {28, 56, reply, 0, 1764, 760, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\344\6\0\0\330\5\0\0" ) ) == 0x0 02856 1596 NtWaitForSingleObject ... ) == 0x0 02887 928 NtSetEventBoostPriority ... ) == 0x0 02891 1596 NtSetEventBoostPriority (288, ... 02892 760 NtResumeThread (988, ... 02860 464 NtWaitForSingleObject ... ) == 0x0 02891 1596 NtSetEventBoostPriority ... ) == 0x0 02893 464 NtSetEventBoostPriority (288, ... 02892 760 NtResumeThread ... 1, ) == 0x0 02894 928 NtWaitForSingleObject (288, 0, 0x0, ... 02866 1856 NtWaitForSingleObject ... ) == 0x0 02893 464 NtSetEventBoostPriority ... ) == 0x0 02895 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02896 1856 NtSetEventBoostPriority (288, ... 02897 464 NtWaitForSingleObject (288, 0, 0x0, ... 02898 1596 NtWaitForSingleObject (288, 0, 0x0, ... 02899 1496 NtTestAlert (... 02870 1744 NtWaitForSingleObject ... ) == 0x0 02896 1856 NtSetEventBoostPriority ... ) == 0x0 02895 760 NtAllocateVirtualMemory ... 104464384, 1048576, ) == 0x0 02900 1744 NtSetEventBoostPriority (288, ... 02899 1496 NtTestAlert ... ) == 0x0 02901 1856 NtWaitForSingleObject (288, 0, 0x0, ... 02872 1656 NtWaitForSingleObject ... ) == 0x0 02900 1744 NtSetEventBoostPriority ... ) == 0x0 02902 760 NtAllocateVirtualMemory (-1, 105504768, 0, 8192, 4096, 4, ... 02903 1496 NtContinue (104463664, 1, ... 02904 1656 NtSetEventBoostPriority (288, ... 02905 1744 NtWaitForSingleObject (288, 0, 0x0, ... 02902 760 NtAllocateVirtualMemory ... 105504768, 8192, ) == 0x0 02879 1248 NtWaitForSingleObject ... ) == 0x0 02904 1656 NtSetEventBoostPriority ... ) == 0x0 02906 1496 NtRegisterThreadTerminatePort (24, ... 02907 1248 NtSetEventBoostPriority (288, ... 02908 760 NtProtectVirtualMemory (-1, (0x649e000), 4096, 260, ... 
02878 1740 NtWaitForSingleObject ... ) == 0x0 02907 1248 NtSetEventBoostPriority ... ) == 0x0 02906 1496 NtRegisterThreadTerminatePort ... ) == 0x0 02909 1740 NtSetEventBoostPriority (288, ... 02908 760 NtProtectVirtualMemory ... (0x649e000), 4096, 4, ) == 0x0 02910 1656 NtWaitForSingleObject (992, 0, 0x0, ... 02911 1248 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15199260, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15199260, 188, ... 02881 1036 NtWaitForSingleObject ... ) == 0x0 02909 1740 NtSetEventBoostPriority ... ) == 0x0 02912 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02913 1036 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 02914 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02911 1248 NtConnectPort ... 996, 0x0, 0x0, 0x0, 188, ) == 0x0 02915 1496 NtWaitForSingleObject (288, 0, 0x0, ... 02913 1036 NtAllocateVirtualMemory ... 1441792, 4096, ) == 0x0 02912 760 NtCreateThread ... 1000, {1764, 168}, ) == 0x0 02916 1248 NtRequestWaitReplyPort (996, {200, 224, new_msg, 0, 1380824, 12, 2, 1} (996, {200, 224, new_msg, 0, 1380824, 12, 2, 1} "\0\25\221|\274\0\0\0\340\266\25\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\24\0\4\0\0\0x\1\24\0\0\0\0\0\0\0\0\0\310\327\25\0\0\0\0\0\0\0\25\0\0\245\25\0x\1\24\0(\0\0\0\220\371\25\0d\354\347\0\12\0\0\0\310\5\221|\0\0\0\00\355\347\0x\354\347\0\0\0\0\0\310\5\221|\210\371\25\0h\1\24\0\0\0\0\0\0\0\0\0\210\371\25\0P\0\0\0\220\371\25\0\0\0\0\0x\1\24\0P\0\0\0\360\353\0\0\0\0\24\0\234\352\347\0\30\356\220|0\362\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02917 1036 NtSetEventBoostPriority (288, ... 02918 760 NtQueryInformationThread (1000, Basic, 28, ... 02916 1248 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1764, 1248, 58058, 0} ... 
{200, 224, reply, 0, 1764, 1248, 58058, 0} "\7\25\221|\274\0\0\0\340\266\25\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\0\0\0\0\310\327\25\0\0\0\0\0\0\0\25\0\0\245\25\0x\1\24\0(\0\0\0\220\371\25\0d\354\347\0\12\0\0\0\310\5\221|\0\0\0\00\355\347\0x\354\347\0\0\0\0\0\310\5\221|\210\371\25\0h\1\24\0\0\0\0\0\0\0\0\0\210\371\25\0P\0\0\0\220\371\25\0\0\0\0\0x\1\24\0P\0\0\0\360\353\0\0\0\0\24\0\234\352\347\0\30\356\220|0\362\347\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02918 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1764,Tid=168,}, 0x0, ) == 0x0 02889 484 NtWaitForSingleObject ... ) == 0x0 02917 1036 NtSetEventBoostPriority ... ) == 0x0 02919 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58056, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\6\0\0\250\0\0\0" ... ... 02920 484 NtSetEventBoostPriority (288, ... 02921 1036 NtWaitForSingleObject (288, 0, 0x0, ... 02919 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58059, 0} ... {28, 56, reply, 0, 1764, 760, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\6\0\0\250\0\0\0" ) ) == 0x0 02888 1124 NtWaitForSingleObject ... ) == 0x0 02920 484 NtSetEventBoostPriority ... ) == 0x0 02922 1248 NtSetEventBoostPriority (992, ... 02923 1124 NtSetEventBoostPriority (288, ... 02924 760 NtResumeThread (1000, ... 02894 928 NtWaitForSingleObject ... ) == 0x0 02885 860 NtWaitForSingleObject ... ) == 0x0 02922 1248 NtSetEventBoostPriority ... ) == 0x0 02924 760 NtResumeThread ... 1, ) == 0x0 02925 860 NtWaitForSingleObject (288, 0, 0x0, ... 02926 928 NtSetEventBoostPriority (288, ... 02927 1248 NtRequestWaitReplyPort (996, {44, 68, new_msg, 0, 1764, 1248, 58047, 0} (996, {44, 68, new_msg, 0, 1764, 1248, 58047, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 
02928 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02898 1596 NtWaitForSingleObject ... ) == 0x0 02926 928 NtSetEventBoostPriority ... ) == 0x0 02929 1596 NtSetEventBoostPriority (288, ... 02928 760 NtAllocateVirtualMemory ... 105512960, 1048576, ) == 0x0 02897 464 NtWaitForSingleObject ... ) == 0x0 02929 1596 NtSetEventBoostPriority ... ) == 0x0 02930 928 NtWaitForSingleObject (288, 0, 0x0, ... 02931 464 NtSetEventBoostPriority (288, ... 02932 760 NtAllocateVirtualMemory (-1, 106553344, 0, 8192, 4096, 4, ... 02933 1596 NtWaitForSingleObject (288, 0, 0x0, ... 02923 1124 NtSetEventBoostPriority ... ) == 0x0 02934 484 NtWaitForSingleObject (992, 0, 0x0, ... 02935 168 NtTestAlert (... 02927 1248 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1764, 1248, 58060, 0} ... {40, 64, reply, 0, 1764, 1248, 58060, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" ) ) == 0x0 02901 1856 NtWaitForSingleObject ... ) == 0x0 02932 760 NtAllocateVirtualMemory ... 106553344, 8192, ) == 0x0 02931 464 NtSetEventBoostPriority ... ) == 0x0 02936 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02935 168 NtTestAlert ... ) == 0x0 02937 1248 NtRequestWaitReplyPort (996, {64, 88, new_msg, 56, 1396968, 15199772, 15199872, 0} (996, {64, 88, new_msg, 56, 1396968, 15199772, 15199872, 0} "\10\356\347\0@\0\25\0\346\277\347w\200\356\347\0\34\356\347\0\20\0\0\0\250.\362v\Q\25\0\1\0\0\0\330[\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\0\272\25\0" ... ... 02938 1856 NtSetEventBoostPriority (288, ... 02939 464 NtWaitForSingleObject (288, 0, 0x0, ... 02936 1124 NtDuplicateObject ... 1004, ) == 0x0 02940 168 NtContinue (105512240, 1, ... 02941 760 NtProtectVirtualMemory (-1, (0x659e000), 4096, 260, ... 02905 1744 NtWaitForSingleObject ... ) == 0x0 02938 1856 NtSetEventBoostPriority ... ) == 0x0 02937 1248 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1764, 1248, 58061, 0} ... 
{64, 88, reply, 56, 1764, 1248, 58061, 0} "\10\356\347\0@\0\25\0\346\277\347w\200\356\347\0\34\356\347\0\20\0\0\0\250.\362v\Q\25\0\1\0\0\0\330[\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\0\272\25\0" ) ) == 0x0 02942 168 NtRegisterThreadTerminatePort (24, ... 02941 760 NtProtectVirtualMemory ... (0x659e000), 4096, 4, ) == 0x0 02943 1744 NtSetEventBoostPriority (288, ... 02944 1856 NtSetEventBoostPriority (128, ... 02945 1248 NtWaitForSingleObject (288, 0, 0x0, ... 02942 168 NtRegisterThreadTerminatePort ... ) == 0x0 02946 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02915 1496 NtWaitForSingleObject ... ) == 0x0 01179 1068 NtWaitForSingleObject ... ) == 0x0 02944 1856 NtSetEventBoostPriority ... ) == 0x0 02943 1744 NtSetEventBoostPriority ... ) == 0x0 02947 1124 NtWaitForSingleObject (288, 0, 0x0, ... 02946 760 NtCreateThread ... 1008, {1764, 1284}, ) == 0x0 02948 1068 NtWaitForSingleObject (288, 0, 0x0, ... 02949 1496 NtSetEventBoostPriority (288, ... 02950 168 NtWaitForSingleObject (288, 0, 0x0, ... 02951 1744 NtWaitForSingleObject (288, 0, 0x0, ... 02952 760 NtQueryInformationThread (1008, Basic, 28, ... 02914 1740 NtWaitForSingleObject ... ) == 0x0 02949 1496 NtSetEventBoostPriority ... ) == 0x0 02953 1740 NtSetEventBoostPriority (288, ... 02952 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1764,Tid=1284,}, 0x0, ) == 0x0 02921 1036 NtWaitForSingleObject ... ) == 0x0 02954 1496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02953 1740 NtSetEventBoostPriority ... ) == 0x0 02955 1856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02956 1036 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 02957 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58059, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\6\0\0\4\5\0\0" ... ... 02958 1740 NtWaitForSingleObject (288, 0, 0x0, ... 02955 1856 NtCreateEvent ... 
1012, ) == 0x0 02956 1036 NtAllocateVirtualMemory ... 1445888, 4096, ) == 0x0 02957 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58062, 0} ... {28, 56, reply, 0, 1764, 760, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\6\0\0\4\5\0\0" ) ) == 0x0 02959 1856 NtWaitForSingleObject (288, 0, 0x0, ... 02954 1496 NtDuplicateObject ... 1016, ) == 0x0 02960 760 NtResumeThread (1008, ... 02961 1496 NtWaitForSingleObject (288, 0, 0x0, ... 02960 760 NtResumeThread ... 1, ) == 0x0 02962 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 106561536, 1048576, ) == 0x0 02963 760 NtAllocateVirtualMemory (-1, 107601920, 0, 8192, 4096, 4, ... 107601920, 8192, ) == 0x0 02964 760 NtProtectVirtualMemory (-1, (0x669e000), 4096, 260, ... (0x669e000), 4096, 4, ) == 0x0 02965 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02966 1036 NtSetEventBoostPriority (288, ... 02967 1284 NtWaitForSingleObject (288, 0, 0x0, ... 02925 860 NtWaitForSingleObject ... ) == 0x0 02966 1036 NtSetEventBoostPriority ... ) == 0x0 02968 860 NtSetEventBoostPriority (288, ... 02930 928 NtWaitForSingleObject ... ) == 0x0 02969 928 NtSetEventBoostPriority (288, ... 02933 1596 NtWaitForSingleObject ... ) == 0x0 02970 1596 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0 02971 1596 NtSetEventBoostPriority (288, ... 02939 464 NtWaitForSingleObject ... ) == 0x0 02972 464 NtSetEventBoostPriority (288, ... 02945 1248 NtWaitForSingleObject ... ) == 0x0 02973 1248 NtSetEventBoostPriority (288, ... 02947 1124 NtWaitForSingleObject ... ) == 0x0 02974 1124 NtSetEventBoostPriority (288, ... 02948 1068 NtWaitForSingleObject ... ) == 0x0 02975 1068 NtSetEventBoostPriority (288, ... 02950 168 NtWaitForSingleObject ... ) == 0x0 02976 168 NtSetEventBoostPriority (288, ... 02951 1744 NtWaitForSingleObject ... ) == 0x0 02977 1744 NtSetEventBoostPriority (288, ... 02958 1740 NtWaitForSingleObject ... ) == 0x0 02978 1740 NtSetEventBoostPriority (288, ... 
02959 1856 NtWaitForSingleObject ... ) == 0x0 02979 1856 NtSetEventBoostPriority (288, ... 02961 1496 NtWaitForSingleObject ... ) == 0x0 02980 1496 NtSetEventBoostPriority (288, ... 02967 1284 NtWaitForSingleObject ... ) == 0x0 02981 1284 NtTestAlert (... ) == 0x0 02980 1496 NtSetEventBoostPriority ... ) == 0x0 02979 1856 NtSetEventBoostPriority ... ) == 0x0 02978 1740 NtSetEventBoostPriority ... ) == 0x0 02977 1744 NtSetEventBoostPriority ... ) == 0x0 02976 168 NtSetEventBoostPriority ... ) == 0x0 02974 1124 NtSetEventBoostPriority ... ) == 0x0 02973 1248 NtSetEventBoostPriority ... ) == 0x0 02972 464 NtSetEventBoostPriority ... ) == 0x0 02982 1036 NtAllocateVirtualMemory (-1, 16240640, 0, 4096, 4096, 260, ... 02975 1068 NtSetEventBoostPriority ... ) == 0x0 02971 1596 NtSetEventBoostPriority ... ) == 0x0 02969 928 NtSetEventBoostPriority ... ) == 0x0 02968 860 NtSetEventBoostPriority ... ) == 0x0 02965 760 NtCreateThread ... 1020, {1764, 1268}, ) == 0x0 02983 1284 NtContinue (106560816, 1, ... 02984 1496 NtWaitForSingleObject (232, 0, 0x0, ... 02985 1856 NtAllocateVirtualMemory (-1, 31969280, 0, 4096, 4096, 260, ... 02986 1740 NtSetEventBoostPriority (232, ... 02987 168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02988 1124 NtWaitForSingleObject (232, 0, 0x0, ... 02989 1744 NtWaitForSingleObject (232, 0, 0x0, ... 02990 1248 NtWaitForSingleObject (232, 0, 0x0, ... 02982 1036 NtAllocateVirtualMemory ... 16240640, 4096, ) == 0x0 02991 464 NtAllocateVirtualMemory (-1, 17289216, 0, 4096, 4096, 260, ... 02992 1068 NtSetEventBoostPriority (128, ... 02993 928 NtWaitForSingleObject (232, 0, 0x0, ... 02994 1596 NtAllocateVirtualMemory (-1, 33017856, 0, 4096, 4096, 260, ... 02995 760 NtQueryInformationThread (1020, Basic, 28, ... 02996 1284 NtRegisterThreadTerminatePort (24, ... 02985 1856 NtAllocateVirtualMemory ... 31969280, 4096, ) == 0x0 02984 1496 NtWaitForSingleObject ... ) == 0x0 02986 1740 NtSetEventBoostPriority ... 
) == 0x0 02997 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02987 168 NtDuplicateObject ... 1024, ) == 0x0 02998 1036 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02991 464 NtAllocateVirtualMemory ... 17289216, 4096, ) == 0x0 01188 460 NtWaitForSingleObject ... ) == 0x0 02992 1068 NtSetEventBoostPriority ... ) == 0x0 02994 1596 NtAllocateVirtualMemory ... 33017856, 4096, ) == 0x0 02995 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1764,Tid=1268,}, 0x0, ) == 0x0 02996 1284 NtRegisterThreadTerminatePort ... ) == 0x0 02999 1496 NtSetEventBoostPriority (232, ... 03000 1856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03001 1740 NtWaitForSingleObject (992, 0, 0x0, ... 02997 860 NtCreateEvent ... 1028, ) == 0x0 03002 168 NtWaitForSingleObject (232, 0, 0x0, ... 02998 1036 NtCreateEvent ... 1032, ) == 0x0 03003 460 NtSetEventBoostPriority (128, ... 03004 464 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03005 1068 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03006 1596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03007 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58062, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\344\6\0\0\364\4\0\0" ... ... 02989 1744 NtWaitForSingleObject ... ) == 0x0 02999 1496 NtSetEventBoostPriority ... ) == 0x0 03008 1284 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03000 1856 NtCreateEvent ... 1036, ) == 0x0 03009 860 NtWaitForSingleObject (232, 0, 0x0, ... 01189 1556 NtWaitForSingleObject ... ) == 0x0 03003 460 NtSetEventBoostPriority ... ) == 0x0 03004 464 NtCreateEvent ... 1040, ) == 0x0 03005 1068 NtCreateEvent ... 1044, ) == 0x0 03006 1596 NtCreateEvent ... 1048, ) == 0x0 03010 1744 NtSetEventBoostPriority (232, ... 03007 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58063, 0} ... {28, 56, reply, 0, 1764, 760, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\344\6\0\0\364\4\0\0" ) ) == 0x0 03011 1496 NtWaitForSingleObject (68, 0, {0, 0}, ... 
03008 1284 NtDuplicateObject ... 1052, ) == 0x0 03012 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03013 1556 NtSetEventBoostPriority (128, ... 03014 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03015 464 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03016 1068 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 02990 1248 NtWaitForSingleObject ... ) == 0x0 03010 1744 NtSetEventBoostPriority ... ) == 0x0 03017 1596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03018 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03019 760 NtResumeThread (1020, ... 03020 1284 NtWaitForSingleObject (288, 0, 0x0, ... 01193 1480 NtWaitForSingleObject ... ) == 0x0 03013 1556 NtSetEventBoostPriority ... ) == 0x0 03012 1856 NtDuplicateObject ... 1056, ) == 0x0 03011 1496 NtWaitForSingleObject ... ) == 0x102 03015 464 NtDuplicateObject ... 1060, ) == 0x0 03021 1248 NtSetEventBoostPriority (232, ... 03016 1068 NtAllocateVirtualMemory ... 1454080, 4096, ) == 0x0 03022 1744 NtWaitForSingleObject (68, 0, {0, 0}, ... 03017 1596 NtDuplicateObject ... 1064, ) == 0x0 03018 1036 NtDuplicateObject ... 1068, ) == 0x0 03019 760 NtResumeThread ... 1, ) == 0x0 03014 460 NtCreateEvent ... 1072, ) == 0x0 03023 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03024 1556 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03025 1268 NtTestAlert (... 03026 1496 NtWaitForSingleObject (128, 0, 0x0, ... 03027 1856 NtWaitForSingleObject (288, 0, 0x0, ... 02993 928 NtWaitForSingleObject ... ) == 0x0 03021 1248 NtSetEventBoostPriority ... ) == 0x0 03028 464 NtWaitForSingleObject (288, 0, 0x0, ... 03029 1068 NtSetEventBoostPriority (288, ... 03022 1744 NtWaitForSingleObject ... ) == 0x102 03030 1036 NtWaitForSingleObject (288, 0, 0x0, ... 03031 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03032 460 NtWaitForSingleObject (288, 0, 0x0, ... 03033 1596 NtWaitForSingleObject (288, 0, 0x0, ... 03025 1268 NtTestAlert ... ) == 0x0 03034 928 NtWaitForSingleObject (288, 0, 0x0, ... 
03035 1248 NtWaitForSingleObject (288, 0, 0x0, ... 03020 1284 NtWaitForSingleObject ... ) == 0x0 03029 1068 NtSetEventBoostPriority ... ) == 0x0 03036 1744 NtWaitForSingleObject (128, 0, 0x0, ... 03031 760 NtAllocateVirtualMemory ... 107610112, 1048576, ) == 0x0 03037 1268 NtContinue (107609392, 1, ... 03024 1556 NtCreateEvent ... 1076, ) == 0x0 03038 1284 NtSetEventBoostPriority (288, ... 03039 1068 NtWaitForSingleObject (288, 0, 0x0, ... 03040 760 NtAllocateVirtualMemory (-1, 108650496, 0, 8192, 4096, 4, ... 03041 1268 NtRegisterThreadTerminatePort (24, ... 03023 1480 NtWaitForSingleObject ... ) == 0x0 03042 1556 NtWaitForSingleObject (288, 0, 0x0, ... 03040 760 NtAllocateVirtualMemory ... 108650496, 8192, ) == 0x0 03043 1480 NtSetEventBoostPriority (288, ... 03041 1268 NtRegisterThreadTerminatePort ... ) == 0x0 03038 1284 NtSetEventBoostPriority ... ) == 0x0 03027 1856 NtWaitForSingleObject ... ) == 0x0 03043 1480 NtSetEventBoostPriority ... ) == 0x0 03044 760 NtProtectVirtualMemory (-1, (0x679e000), 4096, 260, ... 03045 1856 NtSetEventBoostPriority (288, ... 03046 1284 NtWaitForSingleObject (232, 0, 0x0, ... 03047 1268 NtWaitForSingleObject (288, 0, 0x0, ... 03028 464 NtWaitForSingleObject ... ) == 0x0 03045 1856 NtSetEventBoostPriority ... ) == 0x0 03044 760 NtProtectVirtualMemory ... (0x679e000), 4096, 4, ) == 0x0 03048 464 NtSetEventBoostPriority (288, ... 03049 1856 NtWaitForSingleObject (232, 0, 0x0, ... 03030 1036 NtWaitForSingleObject ... ) == 0x0 03048 464 NtSetEventBoostPriority ... ) == 0x0 03050 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03051 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03052 1036 NtSetEventBoostPriority (288, ... 03053 464 NtWaitForSingleObject (288, 0, 0x0, ... 03050 760 NtCreateThread ... 1080, {1764, 840}, ) == 0x0 03032 460 NtWaitForSingleObject ... ) == 0x0 03052 1036 NtSetEventBoostPriority ... ) == 0x0 03054 460 NtSetEventBoostPriority (288, ... 03055 760 NtQueryInformationThread (1080, Basic, 28, ... 
03033 1596 NtWaitForSingleObject ... ) == 0x0 03054 460 NtSetEventBoostPriority ... ) == 0x0 03056 1596 NtSetEventBoostPriority (288, ... 03055 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1764,Tid=840,}, 0x0, ) == 0x0 03057 1036 NtWaitForSingleObject (288, 0, 0x0, ... 03034 928 NtWaitForSingleObject ... ) == 0x0 03056 1596 NtSetEventBoostPriority ... ) == 0x0 03058 460 NtWaitForSingleObject (288, 0, 0x0, ... 03059 928 NtSetEventBoostPriority (288, ... 03060 1596 NtWaitForSingleObject (288, 0, 0x0, ... 03039 1068 NtWaitForSingleObject ... ) == 0x0 03059 928 NtSetEventBoostPriority ... ) == 0x0 03061 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58063, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\344\6\0\0H\3\0\0" ... ... 03062 1068 NtSetEventBoostPriority (288, ... 03042 1556 NtWaitForSingleObject ... ) == 0x0 03063 1556 NtSetEventBoostPriority (288, ... 03035 1248 NtWaitForSingleObject ... ) == 0x0 03064 1248 NtSetEventBoostPriority (288, ... 03047 1268 NtWaitForSingleObject ... ) == 0x0 03065 1268 NtSetEventBoostPriority (288, ... 03051 1480 NtWaitForSingleObject ... ) == 0x0 03066 1480 NtSetEventBoostPriority (288, ... 03053 464 NtWaitForSingleObject ... ) == 0x0 03067 464 NtSetEventBoostPriority (288, ... 03057 1036 NtWaitForSingleObject ... ) == 0x0 03068 1036 NtSetEventBoostPriority (288, ... 03058 460 NtWaitForSingleObject ... ) == 0x0 03069 460 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 1458176, 4096, ) == 0x0 03070 460 NtSetEventBoostPriority (288, ... 03068 1036 NtSetEventBoostPriority ... ) == 0x0 03066 1480 NtSetEventBoostPriority ... ) == 0x0 03065 1268 NtSetEventBoostPriority ... ) == 0x0 03063 1556 NtSetEventBoostPriority ... ) == 0x0 03062 1068 NtSetEventBoostPriority ... ) == 0x0 03061 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58064, 0} ... 
{28, 56, reply, 0, 1764, 760, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\344\6\0\0H\3\0\0" ) ) == 0x0 03067 464 NtSetEventBoostPriority ... ) == 0x0 03064 1248 NtSetEventBoostPriority ... ) == 0x0 03071 928 NtSetEventBoostPriority (232, ... 03072 1036 NtWaitForSingleObject (288, 0, 0x0, ... 03073 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03074 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03060 1596 NtWaitForSingleObject ... ) == 0x0 03070 460 NtSetEventBoostPriority ... ) == 0x0 03075 1556 NtWaitForSingleObject (288, 0, 0x0, ... 03076 760 NtResumeThread (1080, ... 03077 464 NtWaitForSingleObject (288, 0, 0x0, ... 03078 1248 NtWaitForSingleObject (288, 0, 0x0, ... 03002 168 NtWaitForSingleObject ... ) == 0x0 03071 928 NtSetEventBoostPriority ... ) == 0x0 03079 1068 NtWaitForSingleObject (288, 0, 0x0, ... 03080 1596 NtSetEventBoostPriority (288, ... 03081 460 NtWaitForSingleObject (288, 0, 0x0, ... 03076 760 NtResumeThread ... 1, ) == 0x0 03082 168 NtWaitForSingleObject (288, 0, 0x0, ... 03083 928 NtWaitForSingleObject (992, 0, 0x0, ... 03072 1036 NtWaitForSingleObject ... ) == 0x0 03084 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03085 1036 NtSetEventBoostPriority (288, ... 03080 1596 NtSetEventBoostPriority ... ) == 0x0 03074 1268 NtDuplicateObject ... 1084, ) == 0x0 03086 840 NtTestAlert (... 03073 1480 NtWaitForSingleObject ... ) == 0x0 03087 1596 NtWaitForSingleObject (288, 0, 0x0, ... 03088 1268 NtWaitForSingleObject (288, 0, 0x0, ... 03086 840 NtTestAlert ... ) == 0x0 03089 1480 NtSetEventBoostPriority (288, ... 03090 840 NtContinue (108657968, 1, ... 03075 1556 NtWaitForSingleObject ... ) == 0x0 03091 840 NtRegisterThreadTerminatePort (24, ... 03092 1556 NtSetEventBoostPriority (288, ... 03091 840 NtRegisterThreadTerminatePort ... ) == 0x0 03077 464 NtWaitForSingleObject ... ) == 0x0 03092 1556 NtSetEventBoostPriority ... ) == 0x0 03089 1480 NtSetEventBoostPriority ... ) == 0x0 03085 1036 NtSetEventBoostPriority ... 
) == 0x0 03084 760 NtAllocateVirtualMemory ... 108658688, 1048576, ) == 0x0 03093 464 NtSetEventBoostPriority (288, ... 03094 1556 NtWaitForSingleObject (288, 0, 0x0, ... 03095 1480 NtSetEventBoostPriority (128, ... 03096 1036 NtWaitForSingleObject (288, 0, 0x0, ... 03078 1248 NtWaitForSingleObject ... ) == 0x0 03093 464 NtSetEventBoostPriority ... ) == 0x0 03097 760 NtAllocateVirtualMemory (-1, 109699072, 0, 8192, 4096, 4, ... 03098 840 NtWaitForSingleObject (288, 0, 0x0, ... 01197 1784 NtWaitForSingleObject ... ) == 0x0 03095 1480 NtSetEventBoostPriority ... ) == 0x0 03099 1248 NtSetEventBoostPriority (288, ... 03097 760 NtAllocateVirtualMemory ... 109699072, 8192, ) == 0x0 03100 1784 NtWaitForSingleObject (288, 0, 0x0, ... 03101 464 NtWaitForSingleObject (288, 0, 0x0, ... 03079 1068 NtWaitForSingleObject ... ) == 0x0 03099 1248 NtSetEventBoostPriority ... ) == 0x0 03102 760 NtProtectVirtualMemory (-1, (0x689e000), 4096, 260, ... 03103 1068 NtSetEventBoostPriority (288, ... 03104 1480 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03081 460 NtWaitForSingleObject ... ) == 0x0 03103 1068 NtSetEventBoostPriority ... ) == 0x0 03102 760 NtProtectVirtualMemory ... (0x689e000), 4096, 4, ) == 0x0 03105 460 NtAllocateVirtualMemory (-1, 1462272, 0, 4096, 4096, 4, ... 03104 1480 NtCreateEvent ... 1088, ) == 0x0 03106 1068 NtWaitForSingleObject (288, 0, 0x0, ... 03105 460 NtAllocateVirtualMemory ... 1462272, 4096, ) == 0x0 03107 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03108 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03109 1248 NtWaitForSingleObject (288, 0, 0x0, ... 03110 460 NtSetEventBoostPriority (288, ... 03082 168 NtWaitForSingleObject ... ) == 0x0 03111 168 NtSetEventBoostPriority (288, ... 03087 1596 NtWaitForSingleObject ... ) == 0x0 03112 1596 NtSetEventBoostPriority (288, ... 03088 1268 NtWaitForSingleObject ... ) == 0x0 03113 1268 NtSetEventBoostPriority (288, ... 03096 1036 NtWaitForSingleObject ... 
) == 0x0 03114 1036 NtSetEventBoostPriority (288, ... 03094 1556 NtWaitForSingleObject ... ) == 0x0 03115 1556 NtSetEventBoostPriority (288, ... 03098 840 NtWaitForSingleObject ... ) == 0x0 03116 840 NtSetEventBoostPriority (288, ... 03100 1784 NtWaitForSingleObject ... ) == 0x0 03117 1784 NtSetEventBoostPriority (288, ... 03101 464 NtWaitForSingleObject ... ) == 0x0 03118 464 NtSetEventBoostPriority (288, ... 03106 1068 NtWaitForSingleObject ... ) == 0x0 03119 1068 NtSetEventBoostPriority (288, ... 03108 1480 NtWaitForSingleObject ... ) == 0x0 03120 1480 NtSetEventBoostPriority (288, ... 03109 1248 NtWaitForSingleObject ... ) == 0x0 03121 1248 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 1092, 2, ) }, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 1092, 2, ) , 0, ... 1092, 2, ) == 0x0 03122 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03120 1480 NtSetEventBoostPriority ... ) == 0x0 03118 464 NtSetEventBoostPriority ... ) == 0x0 03117 1784 NtSetEventBoostPriority ... ) == 0x0 03116 840 NtSetEventBoostPriority ... ) == 0x0 03114 1036 NtSetEventBoostPriority ... ) == 0x0 03113 1268 NtSetEventBoostPriority ... ) == 0x0 03112 1596 NtSetEventBoostPriority ... ) == 0x0 03111 168 NtSetEventBoostPriority ... ) == 0x0 03110 460 NtSetEventBoostPriority ... ) == 0x0 03119 1068 NtSetEventBoostPriority ... ) == 0x0 03115 1556 NtSetEventBoostPriority ... ) == 0x0 03107 760 NtCreateThread ... 1096, {1764, 1336}, ) == 0x0 03122 1248 NtOpenKey ... 1100, ) == 0x0 03123 464 NtWaitForSingleObject (232, 0, 0x0, ... 03124 1480 NtAllocateVirtualMemory (-1, 1466368, 0, 4096, 4096, 4, ... 03125 840 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03126 1784 NtWaitForSingleObject (288, 0, 0x0, ... 
03127 1036 NtWaitForSingleObject (232, 0, 0x0, ... 03128 1268 NtWaitForSingleObject (288, 0, 0x0, ... 03129 1596 NtWaitForSingleObject (232, 0, 0x0, ... 03130 460 NtWaitForSingleObject (288, 0, 0x0, ... 03131 1068 NtWaitForSingleObject (288, 0, 0x0, ... 03132 1556 NtWaitForSingleObject (288, 0, 0x0, ... 03133 760 NtQueryInformationThread (1096, Basic, 28, ... 03134 1248 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03135 168 NtSetEventBoostPriority (232, ... 03124 1480 NtAllocateVirtualMemory ... 1466368, 4096, ) == 0x0 03133 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1764,Tid=1336,}, 0x0, ) == 0x0 03134 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02988 1124 NtWaitForSingleObject ... ) == 0x0 03135 168 NtSetEventBoostPriority ... ) == 0x0 03136 1480 NtSetEventBoostPriority (288, ... 03125 840 NtDuplicateObject ... 1104, ) == 0x0 03137 1124 NtSetEventBoostPriority (232, ... 03138 1248 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 03139 168 NtWaitForSingleObject (68, 0, {0, 0}, ... 03126 1784 NtWaitForSingleObject ... ) == 0x0 03136 1480 NtSetEventBoostPriority ... ) == 0x0 03009 860 NtWaitForSingleObject ... ) == 0x0 03140 840 NtWaitForSingleObject (288, 0, 0x0, ... 03138 1248 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03141 1784 NtSetEventBoostPriority (288, ... 03139 168 NtWaitForSingleObject ... ) == 0x102 03142 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03143 860 NtWaitForSingleObject (288, 0, 0x0, ... 03128 1268 NtWaitForSingleObject ... ) == 0x0 03141 1784 NtSetEventBoostPriority ... ) == 0x0 03144 1248 NtQueryValueKey (1092, (1092, "Domain", Partial, 144, ... , Partial, 144, ... 03145 168 NtWaitForSingleObject (288, 0, 0x0, ... 03146 1268 NtSetEventBoostPriority (288, ... 03147 1784 NtSetEventBoostPriority (128, ... 
03137 1124 NtSetEventBoostPriority ... ) == 0x0 03148 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58064, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\6\0\08\5\0\0" ... ... 03144 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03130 460 NtWaitForSingleObject ... ) == 0x0 03146 1268 NtSetEventBoostPriority ... ) == 0x0 03149 1124 NtWaitForSingleObject (68, 0, {0, 0}, ... 03148 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58065, 0} ... {28, 56, reply, 0, 1764, 760, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\6\0\08\5\0\0" ) ) == 0x0 03150 460 NtSetEventBoostPriority (288, ... 03151 1248 NtQueryValueKey (1092, (1092, "Domain", Partial, 144, ... , Partial, 144, ... 03152 1268 NtWaitForSingleObject (232, 0, 0x0, ... 03131 1068 NtWaitForSingleObject ... ) == 0x0 03150 460 NtSetEventBoostPriority ... ) == 0x0 03153 760 NtResumeThread (1096, ... 03151 1248 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01199 1980 NtWaitForSingleObject ... ) == 0x0 03147 1784 NtSetEventBoostPriority ... ) == 0x0 03149 1124 NtWaitForSingleObject ... ) == 0x102 03154 1068 NtSetEventBoostPriority (288, ... 03153 760 NtResumeThread ... 1, ) == 0x0 03155 1248 NtClose (1092, ... 03156 1980 NtWaitForSingleObject (288, 0, 0x0, ... 03157 1784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03132 1556 NtWaitForSingleObject ... ) == 0x0 03154 1068 NtSetEventBoostPriority ... ) == 0x0 03158 1124 NtWaitForSingleObject (128, 0, 0x0, ... 03159 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03155 1248 NtClose ... ) == 0x0 03160 1556 NtSetEventBoostPriority (288, ... 03157 1784 NtCreateEvent ... 1092, ) == 0x0 03161 460 NtWaitForSingleObject (288, 0, 0x0, ... 03162 1336 NtWaitForSingleObject (288, 0, 0x0, ... 03163 1068 NtWaitForSingleObject (288, 0, 0x0, ... 03140 840 NtWaitForSingleObject ... 
) == 0x0 03160 1556 NtSetEventBoostPriority ... ) == 0x0 03164 1248 NtClose (1100, ... 03165 1784 NtWaitForSingleObject (288, 0, 0x0, ... 03166 840 NtSetEventBoostPriority (288, ... 03159 760 NtAllocateVirtualMemory ... 109707264, 1048576, ) == 0x0 03167 1556 NtWaitForSingleObject (288, 0, 0x0, ... 03142 1480 NtWaitForSingleObject ... ) == 0x0 03166 840 NtSetEventBoostPriority ... ) == 0x0 03168 760 NtAllocateVirtualMemory (-1, 110747648, 0, 8192, 4096, 4, ... 03169 1480 NtSetEventBoostPriority (288, ... 03164 1248 NtClose ... ) == 0x0 03143 860 NtWaitForSingleObject ... ) == 0x0 03169 1480 NtSetEventBoostPriority ... ) == 0x0 03168 760 NtAllocateVirtualMemory ... 110747648, 8192, ) == 0x0 03170 860 NtSetEventBoostPriority (288, ... 03171 1248 NtWaitForSingleObject (288, 0, 0x0, ... 03172 840 NtWaitForSingleObject (288, 0, 0x0, ... 03145 168 NtWaitForSingleObject ... ) == 0x0 03170 860 NtSetEventBoostPriority ... ) == 0x0 03173 760 NtProtectVirtualMemory (-1, (0x699e000), 4096, 260, ... 03174 168 NtSetEventBoostPriority (288, ... 03175 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03156 1980 NtWaitForSingleObject ... ) == 0x0 03173 760 NtProtectVirtualMemory ... (0x699e000), 4096, 4, ) == 0x0 03176 1980 NtSetEventBoostPriority (288, ... 03177 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03161 460 NtWaitForSingleObject ... ) == 0x0 03176 1980 NtSetEventBoostPriority ... ) == 0x0 03174 168 NtSetEventBoostPriority ... ) == 0x0 03178 860 NtSetEventBoostPriority (232, ... 03179 460 NtSetEventBoostPriority (288, ... 03177 760 NtCreateThread ... 1100, {1764, 1200}, ) == 0x0 03180 168 NtWaitForSingleObject (128, 0, 0x0, ... 03162 1336 NtWaitForSingleObject ... ) == 0x0 03179 460 NtSetEventBoostPriority ... ) == 0x0 03046 1284 NtWaitForSingleObject ... ) == 0x0 03178 860 NtSetEventBoostPriority ... ) == 0x0 03181 760 NtQueryInformationThread (1100, Basic, 28, ... 03182 1336 NtSetEventBoostPriority (288, ... 03183 1284 NtSetEventBoostPriority (232, ... 
03184 460 NtAllocateVirtualMemory (-1, 29872128, 0, 4096, 4096, 260, ... 03185 860 NtSetEventBoostPriority (992, ... 03163 1068 NtWaitForSingleObject ... ) == 0x0 03049 1856 NtWaitForSingleObject ... ) == 0x0 03183 1284 NtSetEventBoostPriority ... ) == 0x0 03182 1336 NtSetEventBoostPriority ... ) == 0x0 03181 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1764,Tid=1200,}, 0x0, ) == 0x0 03186 1980 NtSetEventBoostPriority (128, ... 03187 1068 NtSetEventBoostPriority (288, ... 03188 1856 NtWaitForSingleObject (288, 0, 0x0, ... 02910 1656 NtWaitForSingleObject ... ) == 0x0 03185 860 NtSetEventBoostPriority ... ) == 0x0 03184 460 NtAllocateVirtualMemory ... 29872128, 4096, ) == 0x0 03189 1284 NtWaitForSingleObject (68, 0, {0, 0}, ... 03190 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58065, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\6\0\0\260\4\0\0" ... ... 03165 1784 NtWaitForSingleObject ... ) == 0x0 03191 1656 NtSetEventBoostPriority (992, ... 03187 1068 NtSetEventBoostPriority ... ) == 0x0 01202 1956 NtWaitForSingleObject ... ) == 0x0 03186 1980 NtSetEventBoostPriority ... ) == 0x0 03192 860 NtWaitForSingleObject (288, 0, 0x0, ... 03193 460 NtWaitForSingleObject (288, 0, 0x0, ... 03189 1284 NtWaitForSingleObject ... ) == 0x102 03194 1784 NtSetEventBoostPriority (288, ... 02934 484 NtWaitForSingleObject ... ) == 0x0 03191 1656 NtSetEventBoostPriority ... ) == 0x0 03190 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58066, 0} ... {28, 56, reply, 0, 1764, 760, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\6\0\0\260\4\0\0" ) ) == 0x0 03195 1956 NtWaitForSingleObject (288, 0, 0x0, ... 03196 1068 NtAllocateVirtualMemory (-1, 30920704, 0, 4096, 4096, 260, ... 03197 1980 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03167 1556 NtWaitForSingleObject ... ) == 0x0 03198 484 NtWaitForSingleObject (288, 0, 0x0, ... 03194 1784 NtSetEventBoostPriority ... 
) == 0x0 03199 1284 NtWaitForSingleObject (128, 0, 0x0, ... 03200 1656 NtRequestWaitReplyPort (996, {64, 88, new_msg, 0, 1764, 1248, 58060, 0} (996, {64, 88, new_msg, 0, 1764, 1248, 58060, 0} "\1\356\0\0A\2\10\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03201 1336 NtTestAlert (... 03202 760 NtResumeThread (1100, ... 03203 1556 NtSetEventBoostPriority (288, ... 03197 1980 NtCreateEvent ... 1108, ) == 0x0 03196 1068 NtAllocateVirtualMemory ... 30920704, 4096, ) == 0x0 03204 1784 NtWaitForSingleObject (288, 0, 0x0, ... 03201 1336 NtTestAlert ... ) == 0x0 03171 1248 NtWaitForSingleObject ... ) == 0x0 03203 1556 NtSetEventBoostPriority ... ) == 0x0 03202 760 NtResumeThread ... 1, ) == 0x0 03205 1980 NtWaitForSingleObject (288, 0, 0x0, ... 03206 1068 NtWaitForSingleObject (288, 0, 0x0, ... 03207 1248 NtSetEventBoostPriority (288, ... 03208 1336 NtContinue (109706544, 1, ... 03209 1556 NtWaitForSingleObject (288, 0, 0x0, ... 03210 760 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03172 840 NtWaitForSingleObject ... ) == 0x0 03207 1248 NtSetEventBoostPriority ... ) == 0x0 03211 1336 NtRegisterThreadTerminatePort (24, ... 03200 1656 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1764, 1656, 58067, 0} ... {52, 76, reply, 0, 1764, 1656, 58067, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\230\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 03212 1200 NtWaitForSingleObject (288, 0, 0x0, ... 03213 840 NtSetEventBoostPriority (288, ... 03210 760 NtAllocateVirtualMemory ... 110755840, 1048576, ) == 0x0 03211 1336 NtRegisterThreadTerminatePort ... ) == 0x0 03214 1656 NtWaitForSingleObject (288, 0, 0x0, ... 03175 1480 NtWaitForSingleObject ... ) == 0x0 03213 840 NtSetEventBoostPriority ... ) == 0x0 03215 760 NtAllocateVirtualMemory (-1, 111796224, 0, 8192, 4096, 4, ... 
03216 1336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03217 1480 NtSetEventBoostPriority (288, ... 03218 840 NtWaitForSingleObject (232, 0, 0x0, ... 03215 760 NtAllocateVirtualMemory ... 111796224, 8192, ) == 0x0 03219 1248 NtWaitForSingleObject (232, 0, 0x0, ... 03188 1856 NtWaitForSingleObject ... ) == 0x0 03217 1480 NtSetEventBoostPriority ... ) == 0x0 03216 1336 NtDuplicateObject ... 1112, ) == 0x0 03220 1856 NtSetEventBoostPriority (288, ... 03221 1480 NtWaitForSingleObject (288, 0, 0x0, ... 03192 860 NtWaitForSingleObject ... ) == 0x0 03222 1336 NtWaitForSingleObject (288, 0, 0x0, ... 03220 1856 NtSetEventBoostPriority ... ) == 0x0 03223 760 NtProtectVirtualMemory (-1, (0x6a9e000), 4096, 260, ... 03224 860 NtSetEventBoostPriority (288, ... 03223 760 NtProtectVirtualMemory ... (0x6a9e000), 4096, 4, ) == 0x0 03193 460 NtWaitForSingleObject ... ) == 0x0 03224 860 NtSetEventBoostPriority ... ) == 0x0 03225 460 NtSetEventBoostPriority (288, ... 03226 760 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03227 1856 NtSetEventBoostPriority (232, ... 03195 1956 NtWaitForSingleObject ... ) == 0x0 03225 460 NtSetEventBoostPriority ... ) == 0x0 03226 760 NtCreateThread ... 1116, {1764, 1920}, ) == 0x0 03228 1956 NtSetEventBoostPriority (288, ... 03123 464 NtWaitForSingleObject ... ) == 0x0 03227 1856 NtSetEventBoostPriority ... ) == 0x0 03229 860 NtRequestWaitReplyPort (996, {64, 88, new_msg, 0, 0, 0, 0, 0} (996, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03198 484 NtWaitForSingleObject ... ) == 0x0 03230 464 NtWaitForSingleObject (288, 0, 0x0, ... 03228 1956 NtSetEventBoostPriority ... ) == 0x0 03231 760 NtQueryInformationThread (1116, Basic, 28, ... 03232 1856 NtWaitForSingleObject (288, 0, 0x0, ... 03233 484 NtSetEventBoostPriority (288, ... 03229 860 NtRequestWaitReplyPort ... 
{52, 76, reply, 0, 1764, 860, 58068, 0} ... {52, 76, reply, 0, 1764, 860, 58068, 0} "\2\356Q\200\1\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200H\36\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 03234 460 NtWaitForSingleObject (288, 0, 0x0, ... 03231 760 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1764,Tid=1920,}, 0x0, ) == 0x0 03204 1784 NtWaitForSingleObject ... ) == 0x0 03233 484 NtSetEventBoostPriority ... ) == 0x0 03235 860 NtWaitForSingleObject (288, 0, 0x0, ... 03236 1956 NtSetEventBoostPriority (128, ... 03237 1784 NtSetEventBoostPriority (288, ... 03238 760 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1764, 760, 58066, 0} (24, {28, 56, new_msg, 0, 1764, 760, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\344\6\0\0\200\7\0\0" ... ... 03205 1980 NtWaitForSingleObject ... ) == 0x0 03237 1784 NtSetEventBoostPriority ... ) == 0x0 01204 1292 NtWaitForSingleObject ... ) == 0x0 03236 1956 NtSetEventBoostPriority ... ) == 0x0 03239 1980 NtAllocateVirtualMemory (-1, 1470464, 0, 4096, 4096, 4, ... 03238 760 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1764, 760, 58069, 0} ... {28, 56, reply, 0, 1764, 760, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\344\6\0\0\200\7\0\0" ) ) == 0x0 03240 1292 NtWaitForSingleObject (288, 0, 0x0, ... 03241 1784 NtWaitForSingleObject (288, 0, 0x0, ...