Summary:


NtAdjustPrivilegesToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryInformationToken(>)  7 
NtFlushInstructionCache(>)  53 

NtDelayExecution(>)  1 
NtNotifyChangeKey(>)  2 
NtCreateFile(>)  8 
NtContinue(>)  86 

NtGdiCreateBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryInformationProcess(>)  8 
NtCreateEvent(>)  90 

NtGdiInit(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtQueryVirtualMemory(>)  9 
NtMapViewOfSection(>)  102 

NtGdiQueryFontAssocInfo(>)  1 
NtSetInformationObject(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtWriteVirtualMemory(>)  116 

NtGdiSelectBitmap(>)  1 
NtUserGetObjectInformation(>)  2 
NtFsControlFile(>)  10 
NtQuerySystemInformation(>)  119 

NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetInformationThread(>)  11 
NtOpenKey(>)  127 

NtOpenSymbolicLinkObject(>)  1 
NtOpenProcessToken(>)  3 
NtOpenThreadToken(>)  12 
NtCreateThread(>)  128 

NtQueryInstallUILanguage(>)  1 
NtOpenProcessTokenEx(>)  3 
NtSetInformationFile(>)  12 
NtQueryInformationThread(>)  130 

NtQueryObject(>)  1 
NtOpenThreadTokenEx(>)  3 
NtQuerySection(>)  13 
NtResumeThread(>)  135 

NtQueryPerformanceCounter(>)  1 
NtQueryDefaultLocale(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtTestAlert(>)  160 

NtQuerySymbolicLinkObject(>)  1 
NtQueryVolumeInformationFile(>)  3 
NtSetValueKey(>)  17 
NtRegisterThreadTerminatePort(>)  165 

NtQuerySystemTime(>)  1 
NtReadFile(>)  3 
NtCreateKey(>)  23 
NtRequestWaitReplyPort(>)  177 

NtRaiseException(>)  1 
NtSecureConnectPort(>)  3 
NtCreateSection(>)  24 
NtDuplicateObject(>)  184 

NtSetInformationProcess(>)  1 
NtFreeVirtualMemory(>)  4 
NtOpenFile(>)  25 
NtQueryValueKey(>)  255 

NtUserCallNoParam(>)  1 
NtWriteFile(>)  4 
NtOpenProcess(>)  29 
NtClose(>)  269 

NtUserGetProcessWindowStation(>)  1 
NtGdiGetStockObject(>)  5 
NtDeviceIoControlFile(>)  36 
NtAllocateVirtualMemory(>)  338 

NtUserGetThreadDesktop(>)  1 
NtCreateMutant(>)  6 
NtQueryAttributesFile(>)  41 
NtProtectVirtualMemory(>)  362 

NtCallbackReturn(>)  2 
NtConnectPort(>)  7 
NtUnmapViewOfSection(>)  45 
NtSetEventBoostPriority(>)  652 

NtCreateIoCompletion(>)  2 
NtQueryInformationFile(>)  7 
NtOpenSection(>)  50 
NtWaitForSingleObject(>)  858 


Trace:
 00001   760   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   760   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   760   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   760   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   760   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   760   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   760   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   760   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   760   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   760   NtClose  (12, ... ) == 0x0
 00015   760   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   760   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   760   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   760   NtClose  (16, ... ) == 0x0
 00021   760   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   760   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   760   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   760   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   760   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   760   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   760   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   760   NtClose  (16, ... ) == 0x0
 00030   760   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   760   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   760   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   760   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1764, 760, 57936, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1764, 760, 57936, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1764, 760, 57936, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   760   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   760   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   760   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   760   NtClose  (16, ... ) == 0x0
 00041   760   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   760   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   760   NtClose  (16, ... ) == 0x0
 00044   760   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   760   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   760   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   760   NtClose  (16, ... ) == 0x0
 00048   760   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   760   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   760   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   760   NtClose  (16, ... ) == 0x0
 00052   760   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   760   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   760   NtClose  (16, ... ) == 0x0
 00055   760   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   760   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   760   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   760   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   760   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1764, 760, 57937, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1764, 760, 57937, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1764, 760, 57937, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57938, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1764, 760, 57938, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1764, 760, 57938, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   760   NtProtectVirtualMemory  (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0
 00062   760   NtProtectVirtualMemory  (-1, (0x409000), 98304, 128, ... (0x409000), 98304, 4, ) == 0x0
 00063   760   NtFlushInstructionCache  (-1, 4231168, 94224, ... ) == 0x0
 00064   760   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065   760   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066   760   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067   760   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068   760   NtClose  (16, ... ) == 0x0
 00069   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070   760   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071   760   NtClose  (16, ... ) == 0x0
 00072   760   NtTestAlert  (... ) == 0x0
 00073   760   NtContinue  (1244464, 1, ...
 00074   760   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00075   760   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00076   760   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00077   760   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00078   760   NtMapViewOfSection  (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0
 00079   760   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 36, ) }, ... 36, ) == 0x0
 00080   760   NtQueryValueKey  (36,  (36, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081   760   NtClose  (36, ... ) == 0x0
 00082   760   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00083   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00084   760   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00085   760   NtClose  (36, ... ) == 0x0
 00086   760   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00087   760   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00088   760   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00089   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00090   760   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00091   760   NtClose  (36, ... ) == 0x0
 00092   760   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00093   760   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00094   760   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00095   760   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00096   760   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00097   760   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00098   760   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00099   760   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00100   760   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00101   760   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00102   760   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00103   760   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00104   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   760   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00106   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00108   760   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00109   760   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00110   760   NtClose  (36, ... ) == 0x0
 00111   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00112   760   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00113   760   NtClose  (36, ... ) == 0x0
 00114   760   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00115   760   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00116   760   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00117   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00118   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00119   760   NtOpenProcessToken  (-1, 0x20, ... 40, ) == 0x0
 00120   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00121   760   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00122   760   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00123   760   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00124   760   NtClose  (44, ... ) == 0x0
 00125   760   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126   760   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00127   760   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00128   760   NtQuerySystemTime  (... {-840390012, 29915146}, ) == 0x0
 00129   760   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00130   760   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00131   760   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00132   760   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00133   760   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00134   760   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00135   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00136   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00137   760   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00138   760   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00139   760   NtClose  (68, ... ) == 0x0
 00140   760   NtClose  (64, ... ) == 0x0
 00141   760   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00142   760   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00143   760   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00144   760   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00145   760   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00146   760   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00147   760   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00148   760   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00149   760   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00150   760   NtSetInformationFile  (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00151   760   NtSetInformationFile  (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00152   760   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00153   760   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00154   760   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00155   760   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00156   760   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) == 0x103
 00157   760   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00158   760   NtClose  (76, ... ) == 0x0
 00159   760   NtClose  (80, ... ) == 0x0
 00160   760   NtAdjustPrivilegesToken  (40, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00161   760   NtClose  (40, ... ) == 0x0
 00162   760   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00163   760   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00164   760   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0
 00165   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00166   760   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00167   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00168   760   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00169   760   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00170   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00171   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00172   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00173   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00174   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00175   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00176   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00177   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00178   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00179   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00180   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00181   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0
 00182   760   NtMapViewOfSection  (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00183   760   NtClose  (76, ... ) == 0x0
 00184   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00185   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00186   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00187   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00188   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00189   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00190   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00191   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00192   760   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00193   760   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00194   760   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00195   760   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 1928}, ) == 0x0
 00196   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\210\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\210\7\0\0" )  ... {28, 56, reply, 0, 1764, 760, 57939, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\210\7\0\0" ... {28, 56, reply, 0, 1764, 760, 57939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\210\7\0\0" )  ) == 0x0
 00197   760   NtResumeThread  (76, ... 1, ) == 0x0
 00198   760   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00199   760   NtClose  (80, ... ) == 0x0
 00200   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00201   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00202   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00203   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00204   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00205   760   NtClose  (84, ... ) == 0x0
 00206   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00207   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00208   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00209   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00210   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00211   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00212   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00213   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00214   760   NtClose  (80, ... ) == 0x0
 00215   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00216   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00217   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00218   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00219   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00220   760   NtClose  (84, ... ) == 0x0
 00221   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00222   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00223   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00224   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00225   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00226   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00227   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00228   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00229   760   NtClose  (80, ... ) == 0x0
 00230   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00231   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00232   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00233   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00234   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00235   760   NtClose  (84, ... ) == 0x0
 00236   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00237   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00238   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00239   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00240   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00241   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00242   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00243   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00244   760   NtClose  (80, ... ) == 0x0
 00245   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00246   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00247   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00248   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00249   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00250   760   NtClose  (84, ... ) == 0x0
 00251   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00252   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00253   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00254   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00255   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00256   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00257   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00258   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00259   760   NtClose  (80, ... ) == 0x0
 00260   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00261   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00262   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00263   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00264   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00265   760   NtClose  (84, ... ) == 0x0
 00266   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00267   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00268   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00269   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00270   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00271   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00272   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00273   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00274   760   NtClose  (80, ... ) == 0x0
 00275   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00276   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00277   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00278   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00279   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00280   760   NtClose  (84, ... ) == 0x0
 00281   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00282   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00283   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00284   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00285   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00286   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00287   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00288   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00289   760   NtClose  (80, ... ) == 0x0
 00290   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00291   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00292   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00293   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00294   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00295   760   NtClose  (84, ... ) == 0x0
 00296   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00297   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00298   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00299   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00300   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00301   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00302   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00303   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00304   760   NtClose  (80, ... ) == 0x0
 00305   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00306   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00307   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00308   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00309   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00310   760   NtClose  (84, ... ) == 0x0
 00311   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00312   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00313   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00314   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00315   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00316   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00317   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00318   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00319   760   NtClose  (80, ... ) == 0x0
 00320   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00321   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00322   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00323   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00324   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00325   760   NtClose  (84, ... ) == 0x0
 00326   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00327   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00328   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00329   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00330   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00331   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00332   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00333   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00334   760   NtClose  (80, ... ) == 0x0
 00335   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00336   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00337   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00338   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00339   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00340   760   NtClose  (84, ... ) == 0x0
 00341   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00342   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00343   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00344   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00345   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00346   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00347   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00348   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00349   760   NtClose  (80, ... ) == 0x0
 00350   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00351   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00352   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00353   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00354   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00355   760   NtClose  (84, ... ) == 0x0
 00356   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00357   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00358   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00359   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00360   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00361   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00362   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00363   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00364   760   NtClose  (80, ... ) == 0x0
 00365   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00366   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00367   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 80, ) == 0x0
 00368   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00369   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00370   760   NtClose  (84, ... ) == 0x0
 00371   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00372   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00373   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00374   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00375   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00376   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00377   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00378   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00379   760   NtClose  (80, ... ) == 0x0
 00380   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00381   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00382   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00383   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00384   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00385   760   NtClose  (84, ... ) == 0x0
 00386   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00387   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00388   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00389   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00390   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00391   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00392   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00393   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00394   760   NtClose  (80, ... ) == 0x0
 00395   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00396   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00397   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00398   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00399   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00400   760   NtClose  (84, ... ) == 0x0
 00401   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00402   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00403   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00404   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00405   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00406   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00407   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00408   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00409   760   NtClose  (80, ... ) == 0x0
 00410   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00411   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00412   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00413   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00414   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00415   760   NtClose  (84, ... ) == 0x0
 00416   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00417   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00418   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00419   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00420   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00421   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00422   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00423   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00424   760   NtClose  (80, ... ) == 0x0
 00425   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00426   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00427   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00428   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00429   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00430   760   NtClose  (84, ... ) == 0x0
 00431   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00432   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00433   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00434   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00435   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00436   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00437   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00438   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00439   760   NtClose  (80, ... ) == 0x0
 00440   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00441   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00442   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00443   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00444   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00445   760   NtClose  (84, ... ) == 0x0
 00446   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00447   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00448   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00449   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00450   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00451   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00452   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00453   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00454   760   NtClose  (80, ... ) == 0x0
 00455   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00456   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00457   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00458   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00459   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00460   760   NtClose  (84, ... ) == 0x0
 00461   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00462   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00463   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00464   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00465   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00466   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00467   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00468   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00469   760   NtClose  (80, ... ) == 0x0
 00470   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00471   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00472   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00473   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00474   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00475   760   NtClose  (84, ... ) == 0x0
 00476   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00477   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00478   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00479   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00480   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00481   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00482   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00483   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00484   760   NtClose  (80, ... ) == 0x0
 00485   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00486   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00487   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00488   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00489   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00490   760   NtClose  (84, ... ) == 0x0
 00491   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00492   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00493   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00494   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00495   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00496   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00497   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00498   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00499   760   NtClose  (80, ... ) == 0x0
 00500   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00501   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00502   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00503   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00504   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00505   760   NtClose  (84, ... ) == 0x0
 00506   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00507   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00508   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00509   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00510   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00511   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00512   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00513   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00514   760   NtClose  (80, ... ) == 0x0
 00515   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00516   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00517   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1708, 0}, ... 80, ) == 0x0
 00518   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00519   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00520   760   NtClose  (84, ... ) == 0x0
 00521   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00522   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00523   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00524   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00525   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00526   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00527   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00528   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00529   760   NtClose  (80, ... ) == 0x0
 00530   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00531   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00532   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1180, 0}, ... 80, ) == 0x0
 00533   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00534   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00535   760   NtClose  (84, ... ) == 0x0
 00536   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00537   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00538   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00539   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00540   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00541   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00542   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00543   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00544   760   NtClose  (80, ... ) == 0x0
 00545   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00546   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00547   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 80, ) == 0x0
 00548   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00549   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00550   760   NtClose  (84, ... ) == 0x0
 00551   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00552   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00553   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00554   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00555   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00556   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00557   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00558   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00559   760   NtClose  (80, ... ) == 0x0
 00560   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00561   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00562   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1028, 0}, ... 80, ) == 0x0
 00563   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00564   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00565   760   NtClose  (84, ... ) == 0x0
 00566   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00567   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00568   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00569   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00570   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00571   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00572   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00573   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00574   760   NtClose  (80, ... ) == 0x0
 00575   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00576   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00577   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {212, 0}, ... 80, ) == 0x0
 00578   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00579   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00580   760   NtClose  (84, ... ) == 0x0
 00581   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00582   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00583   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00584   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00585   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00586   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00587   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00588   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00589   760   NtClose  (80, ... ) == 0x0
 00590   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00591   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00592   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1228, 0}, ... 80, ) == 0x0
 00593   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00594   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00595   760   NtClose  (84, ... ) == 0x0
 00596   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00597   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00598   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00599   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00600   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00601   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00602   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00603   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00604   760   NtClose  (80, ... ) == 0x0
 00605   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00606   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00607   760   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1764, 0}, ... 80, ) == 0x0
 00608   760   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00609   760   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00610   760   NtClose  (84, ... ) == 0x0
 00611   760   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00612   760   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00613   760   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00614   760   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00615   760   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00616   760   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00617   760   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00618   760   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00619   760   NtClose  (80, ... ) == 0x0
 00620   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00621   760   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00622   760   NtClose  (40, ... ) == 0x0
 00623   760   NtClose  (28, ... ) == 0x0
 00624   760   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00625   760   NtContinue  (1244400, 0, ...
 00626   760   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3342336, 4096, ) == 0x0
 00627   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00628   760   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00629   760   NtClose  (28, ... ) == 0x0
 00630   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00631   760   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00632   760   NtClose  (28, ... ) == 0x0
 00633   760   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00634   760   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00635   760   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00636   760   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00637   760   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00638   760   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00639   760   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00640   760   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00641   760   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00642   760   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00643   760   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00644   760   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00645   760   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00646   760   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00647   760   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00648   760   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00649   760   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00650   760   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00651   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00652   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00653   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00654   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57999, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1764, 760, 57999, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1764, 760, 57999, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00655   760   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00656   760   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00657   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00658   760   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00659   760   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0
 00660   760   NtClose  (28, ... ) == 0x0
 00661   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00662   760   NtClose  (40, ... ) == 0x0
 00663   760   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00664   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00665   760   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00666   760   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0
 00667   760   NtClose  (40, ... ) == 0x0
 00668   760   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00669   760   NtClose  (28, ... ) == 0x0
 00670   760   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00671   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00672   760   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00673   760   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00674   760   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00675   760   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00676   760   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00677   760   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   760   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00679   760   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00680   760   NtClose  (84, ... ) == 0x0
 00681   760   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00682   760   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00683   760   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00684   760   NtClose  (84, ... ) == 0x0
 00685   760   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686   760   NtClose  (80, ... ) == 0x0
 00687   760   NtClose  (28, ... ) == 0x0
 00688   760   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00689   760   NtClose  (40, ... ) == 0x0
 00690   760   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00691   760   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00692   760   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00693   760   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00694   760   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00695   760   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00696   760   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00697   760   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00698   760   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00699   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00700   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00701   760   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00702   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00703   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00704   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0
 00706   760   NtQueryValueKey  (40,  (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707   760   NtClose  (40, ... ) == 0x0
 00708   760   NtMapViewOfSection  (-2147482584, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00709   760   NtClose  (-2147482584, ... ) == 0x0
 00710   760   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00711   760   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00712   760   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482584, ) == 0x0
 00713   760   NtQueryInformationToken  (-2147482584, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00714   760   NtQueryInformationToken  (-2147482584, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00715   760   NtClose  (-2147482584, ... ) == 0x0
 00716   760   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00717   760   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00718   760   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00719   760   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00720   760   NtQueryValueKey  (-2147482584,  (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00721   760   NtClose  (-2147482584, ... ) == 0x0
 00722   760   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00723   760   NtQueryValueKey  (-2147482584,  (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00724   760   NtClose  (-2147482584, ... ) == 0x0
 00725   760   NtQueryDefaultLocale  (0, -140494516, ... ) == 0x0
 00726   760   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00727   760   NtUserCallNoParam  (24, ... ) == 0x0
 00728   760   NtGdiCreateCompatibleDC  (0, ...
 00729   760   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00728   760   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00730   760   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00731   760   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00732   760   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00733   760   NtGdiCreateSolidBrush  (0, 0, ...
 00734   760   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00733   760   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00735   760   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00736   760   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00737   760   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00738   760   NtUserGetThreadDesktop  (760, 0, ... ) == 0x50
 00739   760   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00740   760   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00741   760   NtClose  (88, ... ) == 0x0
 00742   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00743   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8174c017
 00744   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00745   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8174c01c
 00746   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00747   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8174c01e
 00748   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00749   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81748002
 00750   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00751   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8174c018
 00752   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00753   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8174c01a
 00754   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00755   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8174c01d
 00756   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00757   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8174c026
 00758   760   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00759   760   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8174c019
 00760   760   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8174c020
 00761   760   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8174c022
 00762   760   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8174c023
 00763   760   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8174c024
 00764   760   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8174c025
 00765   760   NtCallbackReturn  (0, 0, 0, ...
 00766   760   NtGdiInit  (... ) == 0x1
 00767   760   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00768   760   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00769   760   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 3538944, 28672, ) == 0x0
 00770   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00772   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00773   760   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00774   760   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00775   760   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00776   760   NtClose  (88, ... ) == 0x0
 00777   760   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00778   760   NtClose  (92, ... ) == 0x0
 00779   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00780   760   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00781   760   NtClose  (92, ... ) == 0x0
 00782   760   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00783   760   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00784   760   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00785   760   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00786   760   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00787   760   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00788   760   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00790   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00791   760   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00792   760   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00793   760   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00794   760   NtClose  (92, ... ) == 0x0
 00795   760   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00796   760   NtClose  (88, ... ) == 0x0
 00797   760   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00798   760   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00799   760   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00800   760   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00801   760   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00802   760   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00803   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00805   760   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00806   760   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00807   760   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00808   760   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00809   760   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0
 00810   760   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 00811   760   NtClose  (88, ... ) == 0x0
 00812   760   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00813   760   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00814   760   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00815   760   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00816   760   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00817   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   760   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00820   760   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00821   760   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 00822   760   NtFreeVirtualMemory  (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0
 00823   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00824   760   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 00825   760   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 00826   760   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 00827   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0
 00828   760   NtAllocateVirtualMemory  (-1, 9502720, 0, 32768, 4096, 4, ... 9502720, 32768, ) == 0x0
 00829   760   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "Jobaka3"}, 0, ... 88, ) }, 0, ... 88, ) == 0x0
 00830   760   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00831   760   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00832   760   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00833   760   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00834   760   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "Protocol_Catalog9"}, ... 100, ) }, ... 100, ) == 0x0
 00835   760   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00836   760   NtNotifyChangeKey  (100, 96, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00837   760   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00838   760   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00839   760   NtQueryValueKey  (100,  (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00840   760   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00841   760   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 00842   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 00843   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00844   760   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00845   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00846   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0O\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0P\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0O\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0P\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0O\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0P\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00847   760   NtClose  (108, ... ) == 0x0
 00848   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 00849   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00850   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00851   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0T\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0U\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0T\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0U\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0T\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0U\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00852   760   NtClose  (108, ... ) == 0x0
 00853   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0
 00854   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00855   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00856   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00857   760   NtClose  (108, ... ) == 0x0
 00858   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0
 00859   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00860   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00861   760   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00862   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0_\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0`\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0_\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0`\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0_\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0`\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00863   760   NtClose  (108, ... ) == 0x0
 00864   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000005"}, ... 108, ) }, ... 108, ) == 0x0
 00865   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00866   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00867   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0d\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0e\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0d\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0e\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0d\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0e\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00868   760   NtClose  (108, ... ) == 0x0
 00869   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000006"}, ... 108, ) }, ... 108, ) == 0x0
 00870   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00871   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00872   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0j\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0j\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0i\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0j\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00873   760   NtClose  (108, ... ) == 0x0
 00874   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000007"}, ... 108, ) }, ... 108, ) == 0x0
 00875   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00876   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00877   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0n\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0n\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0o\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0n\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0n\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0o\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0n\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0n\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0o\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00878   760   NtClose  (108, ... ) == 0x0
 00879   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000008"}, ... 108, ) }, ... 108, ) == 0x0
 00880   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00881   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00882   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0s\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0s\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0s\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00883   760   NtClose  (108, ... ) == 0x0
 00884   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000009"}, ... 108, ) }, ... 108, ) == 0x0
 00885   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00886   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00887   760   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00888   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0z\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00889   760   NtClose  (108, ... ) == 0x0
 00890   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000010"}, ... 108, ) }, ... 108, ) == 0x0
 00891   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00892   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00893   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\177\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\177\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\177\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00894   760   NtClose  (108, ... ) == 0x0
 00895   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000011"}, ... 108, ) }, ... 108, ) == 0x0
 00896   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00897   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00898   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\203\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\204\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\203\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\204\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\203\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\203\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\204\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00899   760   NtClose  (108, ... ) == 0x0
 00900   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000012"}, ... 108, ) }, ... 108, ) == 0x0
 00901   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00902   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00903   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\210\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\210\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\210\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00904   760   NtClose  (108, ... ) == 0x0
 00905   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000013"}, ... 108, ) }, ... 108, ) == 0x0
 00906   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00907   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00908   760   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00909   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\216\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\217\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\216\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\217\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\216\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\216\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\217\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00910   760   NtClose  (108, ... ) == 0x0
 00911   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000014"}, ... 108, ) }, ... 108, ) == 0x0
 00912   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00913   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00914   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\224\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\224\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\223\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\224\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00915   760   NtClose  (108, ... ) == 0x0
 00916   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000015"}, ... 108, ) }, ... 108, ) == 0x0
 00917   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00918   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00919   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\230\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\231\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\230\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\231\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\230\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\230\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\231\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00920   760   NtClose  (108, ... ) == 0x0
 00921   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000016"}, ... 108, ) }, ... 108, ) == 0x0
 00922   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00923   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00924   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\235\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\235\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\235\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00925   760   NtClose  (108, ... ) == 0x0
 00926   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000017"}, ... 108, ) }, ... 108, ) == 0x0
 00927   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00928   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00929   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\242\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\242\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\242\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00930   760   NtClose  (108, ... ) == 0x0
 00931   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000018"}, ... 108, ) }, ... 108, ) == 0x0
 00932   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00933   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00934   760   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00935   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\251\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\251\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\250\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\251\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00936   760   NtClose  (108, ... ) == 0x0
 00937   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000019"}, ... 108, ) }, ... 108, ) == 0x0
 00938   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00939   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00940   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\255\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\256\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\255\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\256\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\255\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\255\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\256\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00941   760   NtClose  (108, ... ) == 0x0
 00942   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000020"}, ... 108, ) }, ... 108, ) == 0x0
 00943   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00944   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00945   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\263\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\263\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\262\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\263\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00946   760   NtClose  (108, ... ) == 0x0
 00947   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000021"}, ... 108, ) }, ... 108, ) == 0x0
 00948   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00949   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00950   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\267\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\267\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\267\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240j\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\6\0\0\370\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00951   760   NtClose  (108, ... ) == 0x0
 00952   760   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000022"}, ... 108, ) }, ... 108, ) == 0x0
 00953   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00954   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00955   760   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00956   760   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\275\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\3\0\0\344\6\0\0\370\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\277\3\0\0\344\6\0\0\370\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\300\3\0\0\344\6\0\0\370\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\300\3\0\0\344\6\0\0\370\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\301\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\275\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\3\0\0\344\6\0\0\370\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\277\3\0\0\344\6\0\0\370\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\300\3\0\0\344\6\0\0\370\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\300\3\0\0\344\6\0\0\370\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\301\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\275\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\275\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\3\0\0\344\6\0\0\370\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\3\0\0\344\6\0\0\370\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\277\3\0\0\344\6\0\0\370\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\300\3\0\0\344\6\0\0\370\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\300\3\0\0\344\6\0\0\370\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\301\3\0\0\344\6\0\0\370\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00957   760   NtClose  (108, ... ) == 0x0
 00958   760   NtClose  (104, ... ) == 0x0
 00959   760   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 00960   760   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 00961   760   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0
 00962   760   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00963   760   NtNotifyChangeKey  (108, 104, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00964   760   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00965   760   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   760   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00967   760   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00968   760   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00969   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00970   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00971   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00972   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00973   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00974   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00975   760   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00976   760   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00977   760   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00978   760   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00979   760   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00980   760   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00981   760   NtClose  (116, ... ) == 0x0
 00982   760   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 00983   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00984   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00985   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00986   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00987   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00988   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00989   760   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00990   760   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   760   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00992   760   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00993   760   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00994   760   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00995   760   NtClose  (116, ... ) == 0x0
 00996   760   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 00997   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00998   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00999   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01000   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01001   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01002   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01003   760   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01004   760   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005   760   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01006   760   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01007   760   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01008   760   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01009   760   NtClose  (116, ... ) == 0x0
 01010   760   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0
 01011   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01012   760   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01013   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01014   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01015   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01016   760   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01017   760   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01018   760   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01019   760   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01020   760   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01021   760   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01022   760   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01023   760   NtClose  (116, ... ) == 0x0
 01024   760   NtClose  (112, ... ) == 0x0
 01025   760   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 01026   760   NtClose  (92, ... ) == 0x0
 01027   760   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01028   760   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01029   760   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 01030   760   NtQueryValueKey  (92,  (92, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031   760   NtClose  (92, ... ) == 0x0
 01032   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0
 01033   760   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01034   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241400, ... ) }, 1241400, ... ) == 0x0
 01035   760   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 112, {status=0x0, info=1}, ) }, 7, 2113568, ... 112, {status=0x0, info=1}, ) == 0x0
 01036   760   NtSetInformationFile  (112, 1241376, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01037   760   NtClose  (112, ... ) == 0x0
 01038   760   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01039   760   NtQueryInformationFile  (112, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01040   760   NtQueryInformationFile  (112, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01041   760   NtQueryInformationFile  (112, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01042   760   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01043   760   NtQueryInformationFile  (112, 1364040, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01044   760   NtQueryInformationFile  (112, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01045   760   NtQueryInformationFile  (112, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01046   760   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\AVSERVE2.EXE"}, 1239736, ... ) }, 1239736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   760   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01048   760   NtClose  (-2147482584, ... ) == 0x0
 01047   760   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 01049   760   NtQueryVolumeInformationFile  (116, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01050   760   NtQueryInformationFile  (116, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01051   760   NtQueryVolumeInformationFile  (112, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01052   760   NtSetInformationFile  (116, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01053   760   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0
 01054   760   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 28672, ) == 0x0
 01055   760   NtClose  (120, ... ) == 0x0
 01056   760   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\231\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 01057   760   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 01058   760   NtSetInformationFile  (116, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01059   760   NtClose  (112, ... ) == 0x0
 01060   760   NtClose  (116, ... ) == 0x0
 01061   760   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 116, ) }, ... 116, ) == 0x0
 01062   760   NtSetValueKey  (116,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 01063   760   NtSetInformationFile  (-2147482448, -140495056, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01064   760   NtSetInformationFile  (-2147482448, -140495148, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01065   760   NtSetInformationFile  (-2147482448, -140495456, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01062   760   NtSetValueKey  ... ) == 0x0
 01066   760   NtClose  (116, ... ) == 0x0
 01067   760   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 116, ) }, 0, ... 116, ) == 0x0
 01068   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0
 01069   760   NtAllocateVirtualMemory  (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0
 01070   760   NtProtectVirtualMemory  (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0
 01071   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 112, {1764, 1292}, ) == 0x0
 01072   760   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1764,Tid=1292,}, 0x0, ) == 0x0
 01073   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\6\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58001, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\6\0\0\14\5\0\0" )  ) == 0x0
 01074   760   NtResumeThread  (112, ... 1, ) == 0x0
 01075   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0
 01076  1292   NtTestAlert  (... ) == 0x0
 01077  1292   NtContinue  (11599152, 1, ...
 01078  1292   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01079  1292   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 01080  1292   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01081  1292   NtAllocateVirtualMemory  (-1, 11587584, 0, 4096, 4096, 260, ...
 01082   760   NtAllocateVirtualMemory  (-1, 12640256, 0, 8192, 4096, 4, ... 12640256, 8192, ) == 0x0
 01083   760   NtProtectVirtualMemory  (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0
 01084   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 124, {1764, 1956}, ) == 0x0
 01085   760   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1764,Tid=1956,}, 0x0, ) == 0x0
 01086   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58001, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\6\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58002, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\6\0\0\244\7\0\0" )  ) == 0x0
 01087   760   NtResumeThread  (124, ...
 01081  1292   NtAllocateVirtualMemory  ... 11587584, 4096, ) == 0x0
 01088  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596276, ... ) }, 11596276, ... ) == 0x0
 01089  1292   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01090  1292   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01091  1292   NtClose  (128, ... ) == 0x0
 01092  1292   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 245760, ) == 0x0
 01093  1292   NtClose  (132, ...
 01087   760   NtResumeThread  ... 1, ) == 0x0
 01094   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12648448, 1048576, ) == 0x0
 01095   760   NtAllocateVirtualMemory  (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0
 01096   760   NtProtectVirtualMemory  (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0
 01097   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 128, {1764, 1980}, ) == 0x0
 01098   760   NtQueryInformationThread  (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1764,Tid=1980,}, 0x0, ) == 0x0
 01099   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58002, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\0\0\0\344\6\0\0\274\7\0\0" ...  ...
 01093  1292   NtClose  ... ) == 0x0
 01100  1956   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01101  1292   NtUnmapViewOfSection  (-1, 0x390000, ...
 01100  1956   NtCreateEvent  ... 132, ) == 0x0
 01101  1292   NtUnmapViewOfSection  ... ) == 0x0
 01102  1956   NtWaitForSingleObject  (132, 0, 0x0, ...
 01103  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596584, ... ) }, 11596584, ... ) == 0x0
 01104  1292   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01105  1292   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 140, ) == 0x0
 01106  1292   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01107  1292   NtClose  (136, ...
 01099   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58003, 0}  ... {28, 56, reply, 0, 1764, 760, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\0\0\0\344\6\0\0\274\7\0\0" )  ) == 0x0
 01108   760   NtResumeThread  (128, ... 1, ) == 0x0
 01109   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0
 01110   760   NtAllocateVirtualMemory  (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0
 01111   760   NtProtectVirtualMemory  (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0
 01112   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1764, 1784}, ) == 0x0
 01107  1292   NtClose  ... ) == 0x0
 01113  1980   NtWaitForSingleObject  (132, 0, 0x0, ...
 01114  1292   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01115  1292   NtClose  (140, ... ) == 0x0
 01116  1292   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01117  1292   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01118  1292   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01119  1292   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01120   760   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1764,Tid=1784,}, 0x0, ) == 0x0
 01121   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58003, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\370\6\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58004, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\6\0\0\370\6\0\0" )  ) == 0x0
 01122   760   NtResumeThread  (144, ... 1, ) == 0x0
 01123   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0
 01124   760   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 01125   760   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ...
 01119  1292   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01126  1784   NtWaitForSingleObject  (132, 0, 0x0, ...
 01127  1292   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01128  1292   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01129  1292   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01130  1292   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01131  1292   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01132  1292   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ...
 01125   760   NtProtectVirtualMemory  ... (0xf0e000), 4096, 4, ) == 0x0
 01133   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1764, 1480}, ) == 0x0
 01134   760   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1764,Tid=1480,}, 0x0, ) == 0x0
 01135   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58004, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58005, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\6\0\0\310\5\0\0" )  ) == 0x0
 01136   760   NtResumeThread  (140, ... 1, ) == 0x0
 01137   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 01132  1292   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138  1480   NtWaitForSingleObject  (132, 0, 0x0, ...
 01139  1292   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01140  1292   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01141  1292   NtSetEventBoostPriority  (132, ...
 01102  1956   NtWaitForSingleObject  ... ) == 0x0
 01142  1956   NtSetEventBoostPriority  (132, ...
 01113  1980   NtWaitForSingleObject  ... ) == 0x0
 01143  1980   NtSetEventBoostPriority  (132, ...
 01126  1784   NtWaitForSingleObject  ... ) == 0x0
 01144  1784   NtSetEventBoostPriority  (132, ...
 01138  1480   NtWaitForSingleObject  ... ) == 0x0
 01145  1480   NtTestAlert  (... ) == 0x0
 01144  1784   NtSetEventBoostPriority  ... ) == 0x0
 01143  1980   NtSetEventBoostPriority  ... ) == 0x0
 01142  1956   NtSetEventBoostPriority  ... ) == 0x0
 01141  1292   NtSetEventBoostPriority  ... ) == 0x0
 01146   760   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ...
 01147  1480   NtContinue  (15793456, 1, ...
 01148  1784   NtTestAlert  (...
 01149  1980   NtTestAlert  (...
 01150  1292   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01146   760   NtAllocateVirtualMemory  ... 16834560, 8192, ) == 0x0
 01151  1480   NtRegisterThreadTerminatePort  (24, ...
 01148  1784   NtTestAlert  ... ) == 0x0
 01149  1980   NtTestAlert  ... ) == 0x0
 01150  1292   NtCreateEvent  ... 136, ) == 0x0
 01152   760   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ...
 01151  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 01153  1784   NtContinue  (14744880, 1, ...
 01154  1980   NtContinue  (13696304, 1, ...
 01155  1292   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01152   760   NtProtectVirtualMemory  ... (0x100e000), 4096, 4, ) == 0x0
 01156  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01157  1784   NtRegisterThreadTerminatePort  (24, ...
 01158  1980   NtRegisterThreadTerminatePort  (24, ...
 01155  1292   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01156  1480   NtDuplicateObject  ... 148, ) == 0x0
 01157  1784   NtRegisterThreadTerminatePort  ... ) == 0x0
 01158  1980   NtRegisterThreadTerminatePort  ... ) == 0x0
 01160  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01159   760   NtCreateThread  ... 152, {1764, 1556}, ) == 0x0
 01161  1480   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01162  1784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01163  1980   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01164  1956   NtTestAlert  (...
 01165   760   NtQueryInformationThread  (152, Basic, 28, ...
 01161  1480   NtWaitForSingleObject  ... ) == 0x102
 01162  1784   NtDuplicateObject  ... 156, ) == 0x0
 01164  1956   NtTestAlert  ... ) == 0x0
 01165   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1764,Tid=1556,}, 0x0, ) == 0x0
 01166  1480   NtAllocateVirtualMemory  (-1, 15781888, 0, 4096, 4096, 260, ...
 01167  1784   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01168  1956   NtContinue  (12647728, 1, ...
 01169   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58005, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\6\0\0\24\6\0\0" ...  ...
 01166  1480   NtAllocateVirtualMemory  ... 15781888, 4096, ) == 0x0
 01167  1784   NtWaitForSingleObject  ... ) == 0x102
 01170  1956   NtRegisterThreadTerminatePort  (24, ...
 01169   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58006, 0}  ... {28, 56, reply, 0, 1764, 760, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\6\0\0\24\6\0\0" )  ) == 0x0
 01171  1480   NtWaitForSingleObject  (132, 0, 0x0, ...
 01172  1784   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01170  1956   NtRegisterThreadTerminatePort  ... ) == 0x0
 01173   760   NtResumeThread  (152, ...
 01172  1784   NtCreateEvent  ... 160, ) == 0x0
 01174  1956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01163  1980   NtDuplicateObject  ... 164, ) == 0x0
 01173   760   NtResumeThread  ... 1, ) == 0x0
 01175  1784   NtWaitForSingleObject  (160, 0, 0x0, ...
 01176  1556   NtWaitForSingleObject  (132, 0, 0x0, ...
 01160  1292   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177  1980   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01178   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01179  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01177  1980   NtWaitForSingleObject  ... ) == 0x102
 01178   760   NtAllocateVirtualMemory  ... 16842752, 1048576, ) == 0x0
 01179  1292   NtQueryAttributesFile  ... ) == 0x0
 01180  1980   NtWaitForSingleObject  (160, 0, 0x0, ...
 01181   760   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ...
 01174  1956   NtDuplicateObject  ... 168, ) == 0x0
 01181   760   NtAllocateVirtualMemory  ... 17883136, 8192, ) == 0x0
 01182  1956   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01183   760   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ...
 01182  1956   NtWaitForSingleObject  ... ) == 0x102
 01184  1292   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 01185  1956   NtWaitForSingleObject  (160, 0, 0x0, ...
 01184  1292   NtOpenFile  ... 172, {status=0x0, info=1}, ) == 0x0
 01186  1292   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0
 01187  1292   NtQuerySection  (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01188  1292   NtClose  (172, ... ) == 0x0
 01189  1292   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 01190  1292   NtClose  (176, ... ) == 0x0
 01183   760   NtProtectVirtualMemory  ... (0x110e000), 4096, 4, ) == 0x0
 01191   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 176, {1764, 460}, ) == 0x0
 01192   760   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1764,Tid=460,}, 0x0, ) == 0x0
 01193   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58006, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58007, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\6\0\0\314\1\0\0" )  ) == 0x0
 01194   760   NtResumeThread  (176, ... 1, ) == 0x0
 01195   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0
 01196  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01197   460   NtWaitForSingleObject  (132, 0, 0x0, ...
 01196  1292   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01198  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01199  1292   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01200  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01201  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01202  1292   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01203   760   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ... 18931712, 8192, ) == 0x0
 01204   760   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 01205   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 172, {1764, 1068}, ) == 0x0
 01206   760   NtQueryInformationThread  (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1764,Tid=1068,}, 0x0, ) == 0x0
 01207   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58007, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\6\0\0,\4\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58008, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\6\0\0,\4\0\0" )  ) == 0x0
 01208   760   NtResumeThread  (172, ...
 01209  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01210  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01211  1292   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01212  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01213  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01214  1292   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01208   760   NtResumeThread  ... 1, ) == 0x0
 01215   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0
 01216   760   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0
 01217   760   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0
 01218   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1764, 1856}, ) == 0x0
 01219   760   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1764,Tid=1856,}, 0x0, ) == 0x0
 01220   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58008, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\6\0\0@\7\0\0" ...  ...
 01221  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01222  1068   NtWaitForSingleObject  (132, 0, 0x0, ...
 01221  1292   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01223  1292   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01224  1292   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01225  1292   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226  1292   NtSetEventBoostPriority  (132, ...
 01171  1480   NtWaitForSingleObject  ... ) == 0x0
 01227  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15789008, ... ) }, 15789008, ... ) == 0x0
 01228  1480   NtSetEventBoostPriority  (132, ...
 01176  1556   NtWaitForSingleObject  ... ) == 0x0
 01229  1556   NtSetEventBoostPriority  (132, ...
 01197   460   NtWaitForSingleObject  ... ) == 0x0
 01230   460   NtSetEventBoostPriority  (132, ...
 01222  1068   NtWaitForSingleObject  ... ) == 0x0
 01231  1068   NtTestAlert  (... ) == 0x0
 01230   460   NtSetEventBoostPriority  ... ) == 0x0
 01229  1556   NtSetEventBoostPriority  ... ) == 0x0
 01228  1480   NtSetEventBoostPriority  ... ) == 0x0
 01226  1292   NtSetEventBoostPriority  ... ) == 0x0
 01220   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58009, 0}  ... {28, 56, reply, 0, 1764, 760, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\6\0\0@\7\0\0" )  ) == 0x0
 01232  1068   NtContinue  (18939184, 1, ...
 01233   460   NtTestAlert  (...
 01234  1480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01235  1292   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01236   760   NtResumeThread  (180, ...
 01237  1068   NtRegisterThreadTerminatePort  (24, ...
 01233   460   NtTestAlert  ... ) == 0x0
 01234  1480   NtCreateEvent  ... 184, ) == 0x0
 01235  1292   NtCreateEvent  ... 188, ) == 0x0
 01236   760   NtResumeThread  ... 1, ) == 0x0
 01237  1068   NtRegisterThreadTerminatePort  ... ) == 0x0
 01238   460   NtContinue  (17890608, 1, ...
 01239  1480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01240  1556   NtTestAlert  (...
 01241  1856   NtWaitForSingleObject  (132, 0, 0x0, ...
 01242   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01243  1068   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01244   460   NtRegisterThreadTerminatePort  (24, ...
 01239  1480   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240  1556   NtTestAlert  ... ) == 0x0
 01242   760   NtAllocateVirtualMemory  ... 19988480, 1048576, ) == 0x0
 01243  1068   NtDuplicateObject  ... 192, ) == 0x0
 01244   460   NtRegisterThreadTerminatePort  ... ) == 0x0
 01245  1292   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01246  1556   NtContinue  (16842032, 1, ...
 01247  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15789112, ... }, 15789112, ...
 01248  1068   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01249   460   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01245  1292   NtDuplicateObject  ... 196, ) == 0x0
 01250  1556   NtRegisterThreadTerminatePort  (24, ...
 01251   760   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ...
 01248  1068   NtWaitForSingleObject  ... ) == 0x102
 01252  1292   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01250  1556   NtRegisterThreadTerminatePort  ... ) == 0x0
 01251   760   NtAllocateVirtualMemory  ... 21028864, 8192, ) == 0x0
 01253  1068   NtWaitForSingleObject  (160, 0, 0x0, ...
 01252  1292   NtOpenKey  ... 200, ) == 0x0
 01254  1556   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01255   760   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ...
 01256  1292   NtQueryValueKey  (200,  (200, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01249   460   NtDuplicateObject  ... 204, ) == 0x0
 01255   760   NtProtectVirtualMemory  ... (0x140e000), 4096, 4, ) == 0x0
 01256  1292   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   460   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01258   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01254  1556   NtDuplicateObject  ... 208, ) == 0x0
 01257   460   NtWaitForSingleObject  ... ) == 0x102
 01258   760   NtCreateThread  ... 212, {1764, 1596}, ) == 0x0
 01259  1556   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01260   460   NtWaitForSingleObject  (160, 0, 0x0, ...
 01261  1292   NtClose  (200, ...
 01247  1480   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259  1556   NtWaitForSingleObject  ... ) == 0x102
 01261  1292   NtClose  ... ) == 0x0
 01262  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15789112, ... }, 15789112, ...
 01263  1556   NtWaitForSingleObject  (160, 0, 0x0, ...
 01264  1292   NtOpenThreadToken  (-2, 0xc, 1, ...
 01265   760   NtQueryInformationThread  (212, Basic, 28, ...
 01264  1292   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01265   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1764,Tid=1596,}, 0x0, ) == 0x0
 01266  1292   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01267   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58009, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\6\0\0<\6\0\0" ...  ...
 01266  1292   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01267   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58010, 0}  ... {28, 56, reply, 0, 1764, 760, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\6\0\0<\6\0\0" )  ) == 0x0
 01262  1480   NtQueryAttributesFile  ... ) == 0x0
 01268   760   NtResumeThread  (212, ...
 01269  1480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01270  1292   NtWaitForSingleObject  (132, 0, 0x0, ...
 01269  1480   NtOpenFile  ... 200, {status=0x0, info=1}, ) == 0x0
 01271  1480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 200, ... 216, ) == 0x0
 01272  1480   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01273  1480   NtClose  (200, ... ) == 0x0
 01274  1480   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01275  1480   NtClose  (216, ...
 01268   760   NtResumeThread  ... 1, ) == 0x0
 01276   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21037056, 1048576, ) == 0x0
 01277   760   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0
 01278   760   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0
 01279   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1764, 1128}, ) == 0x0
 01280   760   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1764,Tid=1128,}, 0x0, ) == 0x0
 01281   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58010, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\6\0\0h\4\0\0" ...  ...
 01275  1480   NtClose  ... ) == 0x0
 01282  1596   NtWaitForSingleObject  (132, 0, 0x0, ...
 01283  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01284  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01285  1480   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01286  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01287  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01288  1480   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01281   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58011, 0}  ... {28, 56, reply, 0, 1764, 760, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\6\0\0h\4\0\0" )  ) == 0x0
 01289   760   NtResumeThread  (200, ... 1, ) == 0x0
 01290   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22085632, 1048576, ) == 0x0
 01291   760   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ... 23126016, 8192, ) == 0x0
 01292   760   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ... (0x160e000), 4096, 4, ) == 0x0
 01293   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1764, 1256}, ) == 0x0
 01288  1480   NtFlushInstructionCache  ... ) == 0x0
 01294  1128   NtWaitForSingleObject  (132, 0, 0x0, ...
 01295  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01296  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01297  1480   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01298  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01299  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01300  1480   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01301   760   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1764,Tid=1256,}, 0x0, ) == 0x0
 01302   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58011, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0\350\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0\350\4\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58012, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0\350\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\6\0\0\350\4\0\0" )  ) == 0x0
 01303   760   NtResumeThread  (216, ... 1, ) == 0x0
 01304   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0
 01305   760   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0
 01306   760   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ...
 01300  1480   NtFlushInstructionCache  ... ) == 0x0
 01307  1256   NtWaitForSingleObject  (132, 0, 0x0, ...
 01308  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01309  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01310  1480   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01311  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01312  1480   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01313  1480   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01306   760   NtProtectVirtualMemory  ... (0x170e000), 4096, 4, ) == 0x0
 01314   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1764, 220}, ) == 0x0
 01315   760   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1764,Tid=220,}, 0x0, ) == 0x0
 01316   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58012, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58013, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\6\0\0\334\0\0\0" )  ) == 0x0
 01317   760   NtResumeThread  (220, ... 1, ) == 0x0
 01318   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24182784, 1048576, ) == 0x0
 01313  1480   NtFlushInstructionCache  ... ) == 0x0
 01319   220   NtWaitForSingleObject  (132, 0, 0x0, ...
 01320  1480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321  1480   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 224, 2, ) }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 224, 2, ) , 0, ... 224, 2, ) == 0x0
 01322  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 228, ) }, ... 228, ) == 0x0
 01323  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01324  1480   NtQueryValueKey  (228,  (228, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325  1480   NtQueryValueKey  (224,  (224, "DisableAdapterDomainName", Partial, 144, ... , Partial, 144, ...
 01326   760   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ... 25223168, 8192, ) == 0x0
 01327   760   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ... (0x180e000), 4096, 4, ) == 0x0
 01328   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1764, 1800}, ) == 0x0
 01329   760   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1764,Tid=1800,}, 0x0, ) == 0x0
 01330   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58013, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\6\0\0\10\7\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58014, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\6\0\0\10\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\6\0\0\10\7\0\0" )  ) == 0x0
 01331   760   NtResumeThread  (232, ...
 01325  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332  1480   NtQueryValueKey  (228,  (228, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01333  1480   NtQueryValueKey  (224,  (224, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01334  1480   NtQueryValueKey  (228,  (228, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01335  1480   NtQueryValueKey  (224,  (224, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01336  1480   NtQueryValueKey  (228,  (228, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01337  1480   NtQueryValueKey  (224,  (224, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ...
 01331   760   NtResumeThread  ... 1, ) == 0x0
 01338   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0
 01339   760   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0
 01340   760   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0
 01341   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1764, 1796}, ) == 0x0
 01342   760   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1764,Tid=1796,}, 0x0, ) == 0x0
 01343   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58014, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\6\0\0\4\7\0\0" ...  ...
 01337  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344  1800   NtWaitForSingleObject  (132, 0, 0x0, ...
 01345  1480   NtQueryValueKey  (228,  (228, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346  1480   NtQueryValueKey  (228,  (228, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01347  1480   NtQueryValueKey  (228,  (228, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01348  1480   NtQueryValueKey  (228,  (228, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349  1480   NtQueryValueKey  (228,  (228, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350  1480   NtQueryValueKey  (228,  (228, "UseEdns", Partial, 144, ... , Partial, 144, ...
 01343   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58015, 0}  ... {28, 56, reply, 0, 1764, 760, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\6\0\0\4\7\0\0" )  ) == 0x0
 01351   760   NtResumeThread  (236, ... 1, ) == 0x0
 01352   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26279936, 1048576, ) == 0x0
 01353   760   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ... 27320320, 8192, ) == 0x0
 01354   760   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0
 01355   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1764, 1808}, ) == 0x0
 01350  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01356  1796   NtWaitForSingleObject  (132, 0, 0x0, ...
 01357  1480   NtQueryValueKey  (228,  (228, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01358  1480   NtQueryValueKey  (228,  (228, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01359  1480   NtQueryValueKey  (228,  (228, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01360  1480   NtQueryValueKey  (224,  (224, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01361  1480   NtQueryValueKey  (228,  (228, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01362  1480   NtQueryValueKey  (228,  (228, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ...
 01363   760   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1764,Tid=1808,}, 0x0, ) == 0x0
 01364   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58015, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\6\0\0\20\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\6\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58016, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\6\0\0\20\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\6\0\0\20\7\0\0" )  ) == 0x0
 01365   760   NtResumeThread  (240, ... 1, ) == 0x0
 01366   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0
 01367   760   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0
 01368   760   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ...
 01362  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01369  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 01370  1480   NtQueryValueKey  (224,  (224, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01371  1480   NtQueryValueKey  (228,  (228, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372  1480   NtQueryValueKey  (224,  (224, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01373  1480   NtQueryValueKey  (228,  (228, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374  1480   NtQueryValueKey  (224,  (224, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01375  1480   NtQueryValueKey  (228,  (228, "RegistrationTtl", Partial, 144, ... , Partial, 144, ...
 01368   760   NtProtectVirtualMemory  ... (0x1b0e000), 4096, 4, ) == 0x0
 01376   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1764, 1700}, ) == 0x0
 01377   760   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1764,Tid=1700,}, 0x0, ) == 0x0
 01378   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58016, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\6\0\0\244\6\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58017, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\6\0\0\244\6\0\0" )  ) == 0x0
 01379   760   NtResumeThread  (244, ... 1, ) == 0x0
 01380   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0
 01375  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01381  1700   NtWaitForSingleObject  (132, 0, 0x0, ...
 01382  1480   NtQueryValueKey  (224,  (224, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383  1480   NtQueryValueKey  (228,  (228, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01384  1480   NtQueryValueKey  (224,  (224, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01385  1480   NtQueryValueKey  (228,  (228, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386  1480   NtQueryValueKey  (224,  (224, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01387  1480   NtQueryValueKey  (228,  (228, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ...
 01388   760   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0
 01389   760   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0
 01390   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1764, 1156}, ) == 0x0
 01391   760   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1764,Tid=1156,}, 0x0, ) == 0x0
 01392   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58017, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\6\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58018, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\6\0\0\204\4\0\0" )  ) == 0x0
 01393   760   NtResumeThread  (248, ...
 01387  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01394  1480   NtQueryValueKey  (224,  (224, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01395  1480   NtQueryValueKey  (228,  (228, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396  1480   NtQueryValueKey  (228,  (228, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01397  1480   NtQueryValueKey  (228,  (228, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398  1480   NtQueryValueKey  (228,  (228, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01399  1480   NtQueryValueKey  (228,  (228, "MaxCacheTtl", Partial, 144, ... , Partial, 144, ...
 01393   760   NtResumeThread  ... 1, ) == 0x0
 01400   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0
 01401   760   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ... 30466048, 8192, ) == 0x0
 01402   760   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0
 01403   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1764, 712}, ) == 0x0
 01404   760   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1764,Tid=712,}, 0x0, ) == 0x0
 01405   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58018, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\6\0\0\310\2\0\0" ...  ...
 01399  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01406  1156   NtWaitForSingleObject  (132, 0, 0x0, ...
 01407  1480   NtQueryValueKey  (228,  (228, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01408  1480   NtQueryValueKey  (228,  (228, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409  1480   NtQueryValueKey  (228,  (228, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01410  1480   NtQueryValueKey  (228,  (228, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01411  1480   NtQueryValueKey  (228,  (228, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01412  1480   NtQueryValueKey  (228,  (228, "MulticastSendLevel", Partial, 144, ... , Partial, 144, ...
 01405   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58019, 0}  ... {28, 56, reply, 0, 1764, 760, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\6\0\0\310\2\0\0" )  ) == 0x0
 01413   760   NtResumeThread  (252, ... 1, ) == 0x0
 01414   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0
 01415   760   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ... 31514624, 8192, ) == 0x0
 01416   760   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0
 01417   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1764, 1728}, ) == 0x0
 01412  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   712   NtWaitForSingleObject  (132, 0, 0x0, ...
 01419  1480   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 260, ) }, ... 260, ) == 0x0
 01420  1480   NtQueryValueKey  (260,  (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01421  1480   NtClose  (260, ... ) == 0x0
 01422  1480   NtClose  (224, ... ) == 0x0
 01423  1480   NtClose  (228, ... ) == 0x0
 01424  1480   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 01425   760   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1764,Tid=1728,}, 0x0, ) == 0x0
 01426   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58019, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\6\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58020, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\6\0\0\300\6\0\0" )  ) == 0x0
 01427   760   NtResumeThread  (256, ... 1, ) == 0x0
 01428   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0
 01429   760   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0
 01430   760   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ...
 01424  1480   NtOpenKey  ... 228, ) == 0x0
 01431  1728   NtWaitForSingleObject  (132, 0, 0x0, ...
 01432  1480   NtQueryValueKey  (228,  (228, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433  1480   NtQueryValueKey  (228,  (228, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434  1480   NtQueryValueKey  (228,  (228, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435  1480   NtClose  (228, ... ) == 0x0
 01436  1480   NtSetEventBoostPriority  (132, ...
 01241  1856   NtWaitForSingleObject  ... ) == 0x0
 01437  1856   NtSetEventBoostPriority  (132, ...
 01270  1292   NtWaitForSingleObject  ... ) == 0x0
 01438  1292   NtSetEventBoostPriority  (132, ...
 01282  1596   NtWaitForSingleObject  ... ) == 0x0
 01439  1596   NtSetEventBoostPriority  (132, ...
 01294  1128   NtWaitForSingleObject  ... ) == 0x0
 01440  1128   NtSetEventBoostPriority  (132, ...
 01307  1256   NtWaitForSingleObject  ... ) == 0x0
 01441  1256   NtSetEventBoostPriority  (132, ...
 01319   220   NtWaitForSingleObject  ... ) == 0x0
 01442   220   NtSetEventBoostPriority  (132, ...
 01344  1800   NtWaitForSingleObject  ... ) == 0x0
 01443  1800   NtSetEventBoostPriority  (132, ...
 01356  1796   NtWaitForSingleObject  ... ) == 0x0
 01444  1796   NtSetEventBoostPriority  (132, ...
 01369  1808   NtWaitForSingleObject  ... ) == 0x0
 01445  1808   NtSetEventBoostPriority  (132, ...
 01381  1700   NtWaitForSingleObject  ... ) == 0x0
 01446  1700   NtSetEventBoostPriority  (132, ...
 01406  1156   NtWaitForSingleObject  ... ) == 0x0
 01447  1156   NtSetEventBoostPriority  (132, ...
 01418   712   NtWaitForSingleObject  ... ) == 0x0
 01448   712   NtSetEventBoostPriority  (132, ...
 01431  1728   NtWaitForSingleObject  ... ) == 0x0
 01449  1728   NtTestAlert  (... ) == 0x0
 01448   712   NtSetEventBoostPriority  ... ) == 0x0
 01447  1156   NtSetEventBoostPriority  ... ) == 0x0
 01446  1700   NtSetEventBoostPriority  ... ) == 0x0
 01445  1808   NtSetEventBoostPriority  ... ) == 0x0
 01444  1796   NtSetEventBoostPriority  ... ) == 0x0
 01443  1800   NtSetEventBoostPriority  ... ) == 0x0
 01442   220   NtSetEventBoostPriority  ... ) == 0x0
 01441  1256   NtSetEventBoostPriority  ... ) == 0x0
 01440  1128   NtSetEventBoostPriority  ... ) == 0x0
 01439  1596   NtSetEventBoostPriority  ... ) == 0x0
 01438  1292   NtSetEventBoostPriority  ... ) == 0x0
 01437  1856   NtSetEventBoostPriority  ... ) == 0x0
 01436  1480   NtSetEventBoostPriority  ... ) == 0x0
 01430   760   NtProtectVirtualMemory  ... (0x1f0e000), 4096, 4, ) == 0x0
 01450  1728   NtContinue  (31522096, 1, ...
 01451   712   NtTestAlert  (...
 01452  1156   NtTestAlert  (...
 01453  1700   NtTestAlert  (...
 01454  1808   NtTestAlert  (...
 01455  1796   NtTestAlert  (...
 01456  1800   NtTestAlert  (...
 01457   220   NtTestAlert  (...
 01458  1256   NtTestAlert  (...
 01459  1128   NtTestAlert  (...
 01460  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11595888, ... }, 11595888, ...
 01461  1596   NtTestAlert  (...
 01462  1480   NtWaitForSingleObject  (132, 0, 0x0, ...
 01463   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01464  1728   NtRegisterThreadTerminatePort  (24, ...
 01451   712   NtTestAlert  ... ) == 0x0
 01452  1156   NtTestAlert  ... ) == 0x0
 01453  1700   NtTestAlert  ... ) == 0x0
 01454  1808   NtTestAlert  ... ) == 0x0
 01455  1796   NtTestAlert  ... ) == 0x0
 01456  1800   NtTestAlert  ... ) == 0x0
 01457   220   NtTestAlert  ... ) == 0x0
 01458  1256   NtTestAlert  ... ) == 0x0
 01459  1128   NtTestAlert  ... ) == 0x0
 01465  1856   NtTestAlert  (...
 01461  1596   NtTestAlert  ... ) == 0x0
 01460  1292   NtQueryAttributesFile  ... ) == 0x0
 01463   760   NtCreateThread  ... 228, {1764, 1356}, ) == 0x0
 01464  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 01466   712   NtContinue  (30473520, 1, ...
 01467  1156   NtContinue  (29424944, 1, ...
 01468  1700   NtContinue  (28376368, 1, ...
 01469  1808   NtContinue  (27327792, 1, ...
 01470  1796   NtContinue  (26279216, 1, ...
 01471  1800   NtContinue  (25230640, 1, ...
 01472   220   NtContinue  (24182064, 1, ...
 01473  1256   NtContinue  (23133488, 1, ...
 01474  1128   NtContinue  (22084912, 1, ...
 01465  1856   NtTestAlert  ... ) == 0x0
 01475  1596   NtContinue  (21036336, 1, ...
 01476  1292   NtSetEventBoostPriority  (132, ...
 01477   760   NtQueryInformationThread  (228, Basic, 28, ...
 01478  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01479   712   NtRegisterThreadTerminatePort  (24, ...
 01480  1156   NtRegisterThreadTerminatePort  (24, ...
 01481  1700   NtRegisterThreadTerminatePort  (24, ...
 01482  1808   NtRegisterThreadTerminatePort  (24, ...
 01483  1796   NtRegisterThreadTerminatePort  (24, ...
 01484  1800   NtRegisterThreadTerminatePort  (24, ...
 01485   220   NtRegisterThreadTerminatePort  (24, ...
 01486  1256   NtRegisterThreadTerminatePort  (24, ...
 01487  1128   NtRegisterThreadTerminatePort  (24, ...
 01488  1856   NtContinue  (19987760, 1, ...
 01489  1596   NtRegisterThreadTerminatePort  (24, ...
 01476  1292   NtSetEventBoostPriority  ... ) == 0x0
 01477   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1764,Tid=1356,}, 0x0, ) == 0x0
 01478  1728   NtDuplicateObject  ... 224, ) == 0x0
 01479   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 01480  1156   NtRegisterThreadTerminatePort  ... ) == 0x0
 01481  1700   NtRegisterThreadTerminatePort  ... ) == 0x0
 01482  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 01483  1796   NtRegisterThreadTerminatePort  ... ) == 0x0
 01484  1800   NtRegisterThreadTerminatePort  ... ) == 0x0
 01485   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 01486  1256   NtRegisterThreadTerminatePort  ... ) == 0x0
 01487  1128   NtRegisterThreadTerminatePort  ... ) == 0x0
 01490  1856   NtRegisterThreadTerminatePort  (24, ...
 01489  1596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01491  1292   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01492   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58020, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\6\0\0L\5\0\0" ...  ...
 01493  1728   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01494   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01495  1156   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01496  1700   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01497  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01498  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01499  1800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01500   220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01501  1256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01502  1128   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01490  1856   NtRegisterThreadTerminatePort  ... ) == 0x0
 01503  1596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01491  1292   NtOpenKey  ... 260, ) == 0x0
 01462  1480   NtWaitForSingleObject  ... ) == 0x0
 01492   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58021, 0}  ... {28, 56, reply, 0, 1764, 760, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\6\0\0L\5\0\0" )  ) == 0x0
 01493  1728   NtWaitForSingleObject  ... ) == 0x102
 01494   712   NtDuplicateObject  ... 264, ) == 0x0
 01495  1156   NtDuplicateObject  ... 268, ) == 0x0
 01496  1700   NtDuplicateObject  ... 272, ) == 0x0
 01497  1808   NtDuplicateObject  ... 276, ) == 0x0
 01498  1796   NtDuplicateObject  ... 280, ) == 0x0
 01499  1800   NtDuplicateObject  ... 284, ) == 0x0
 01500   220   NtDuplicateObject  ... 288, ) == 0x0
 01501  1256   NtDuplicateObject  ... 292, ) == 0x0
 01504  1856   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01502  1128   NtDuplicateObject  ... 296, ) == 0x0
 01505  1292   NtQueryValueKey  (260,  (260, "Transports", Partial, 144, ... , Partial, 144, ...
 01506  1480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01507   760   NtResumeThread  (228, ...
 01508  1728   NtWaitForSingleObject  (160, 0, 0x0, ...
 01509   712   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01510  1156   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01511  1700   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01512  1808   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01513  1796   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01514  1800   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01515   220   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01516  1256   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01503  1596   NtDuplicateObject  ... 300, ) == 0x0
 01517  1128   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01504  1856   NtDuplicateObject  ... 304, ) == 0x0
 01506  1480   NtCreateEvent  ... 308, ) == 0x0
 01507   760   NtResumeThread  ... 1, ) == 0x0
 01509   712   NtWaitForSingleObject  ... ) == 0x102
 01510  1156   NtWaitForSingleObject  ... ) == 0x102
 01511  1700   NtWaitForSingleObject  ... ) == 0x102
 01512  1808   NtWaitForSingleObject  ... ) == 0x102
 01513  1796   NtWaitForSingleObject  ... ) == 0x102
 01514  1800   NtWaitForSingleObject  ... ) == 0x102
 01515   220   NtWaitForSingleObject  ... ) == 0x102
 01516  1256   NtWaitForSingleObject  ... ) == 0x102
 01518  1596   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01517  1128   NtWaitForSingleObject  ... ) == 0x102
 01519  1856   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01520  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01521   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01522   712   NtWaitForSingleObject  (160, 0, 0x0, ...
 01523  1156   NtWaitForSingleObject  (160, 0, 0x0, ...
 01524  1700   NtWaitForSingleObject  (160, 0, 0x0, ...
 01525  1808   NtWaitForSingleObject  (160, 0, 0x0, ...
 01526  1796   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01527  1800   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01528   220   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01529  1256   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01518  1596   NtWaitForSingleObject  ... ) == 0x102
 01530  1128   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01519  1856   NtWaitForSingleObject  ... ) == 0x102
 01520  1480   NtDuplicateObject  ... 312, ) == 0x0
 01521   760   NtAllocateVirtualMemory  ... 32571392, 1048576, ) == 0x0
 01526  1796   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01527  1800   NtCreateEvent  ... 316, ) == 0x0
 01528   220   NtCreateEvent  ... 320, ) == 0x0
 01529  1256   NtCreateEvent  ... 324, ) == 0x0
 01531  1596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01530  1128   NtCreateEvent  ... 328, ) == 0x0
 01532  1856   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01505  1292   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01533  1356   NtTestAlert  (...
 01534  1480   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01535   760   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ...
 01536  1796   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01537  1800   NtWaitForSingleObject  (316, 0, 0x0, ...
 01538   220   NtClose  (320, ...
 01531  1596   NtCreateEvent  ... 332, ) == 0x0
 01539  1256   NtClose  (324, ...
 01532  1856   NtCreateEvent  ... 336, ) == 0x0
 01540  1292   NtQueryValueKey  (260,  (260, "Transports", Partial, 144, ... , Partial, 144, ...
 01533  1356   NtTestAlert  ... ) == 0x0
 01534  1480   NtCreateEvent  ... 340, ) == 0x0
 01535   760   NtAllocateVirtualMemory  ... 33611776, 8192, ) == 0x0
 01536  1796   NtCreateEvent  ... 344, ) == 0x0
 01538   220   NtClose  ... ) == 0x0
 01541  1128   NtClose  (328, ...
 01539  1256   NtClose  ... ) == 0x0
 01542  1596   NtClose  (332, ...
 01540  1292   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01543  1356   NtContinue  (32570672, 1, ...
 01544  1480   NtClose  (340, ...
 01545   760   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ...
 01546  1796   NtClose  (344, ...
 01547   220   NtWaitForSingleObject  (316, 0, 0x0, ...
 01541  1128   NtClose  ... ) == 0x0
 01548  1256   NtWaitForSingleObject  (316, 0, 0x0, ...
 01542  1596   NtClose  ... ) == 0x0
 01549  1292   NtClose  (260, ...
 01550  1356   NtRegisterThreadTerminatePort  (24, ...
 01544  1480   NtClose  ... ) == 0x0
 01545   760   NtProtectVirtualMemory  ... (0x200e000), 4096, 4, ) == 0x0
 01546  1796   NtClose  ... ) == 0x0
 01551  1128   NtWaitForSingleObject  (316, 0, 0x0, ...
 01552  1596   NtWaitForSingleObject  (316, 0, 0x0, ...
 01549  1292   NtClose  ... ) == 0x0
 01550  1356   NtRegisterThreadTerminatePort  ... ) == 0x0
 01553  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 01554   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01555  1796   NtSetEventBoostPriority  (316, ...
 01556  1292   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01557  1856   NtClose  (336, ...
 01554   760   NtCreateThread  ... 260, {1764, 1536}, ) == 0x0
 01537  1800   NtWaitForSingleObject  ... ) == 0x0
 01555  1796   NtSetEventBoostPriority  ... ) == 0x0
 01558  1356   NtWaitForSingleObject  (316, 0, 0x0, ...
 01557  1856   NtClose  ... ) == 0x0
 01556  1292   NtOpenKey  ... 336, ) == 0x0
 01559  1800   NtSetEventBoostPriority  (316, ...
 01560   760   NtQueryInformationThread  (260, Basic, 28, ...
 01561  1856   NtWaitForSingleObject  (316, 0, 0x0, ...
 01547   220   NtWaitForSingleObject  ... ) == 0x0
 01559  1800   NtSetEventBoostPriority  ... ) == 0x0
 01562  1292   NtQueryValueKey  (336,  (336, "Mapping", Partial, 144, ... , Partial, 144, ...
 01560   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1764,Tid=1536,}, 0x0, ) == 0x0
 01563   220   NtSetEventBoostPriority  (316, ...
 01564  1800   NtWaitForSingleObject  (160, 0, 0x0, ...
 01562  1292   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01548  1256   NtWaitForSingleObject  ... ) == 0x0
 01563   220   NtSetEventBoostPriority  ... ) == 0x0
 01565   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58021, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\6\0\0\0\6\0\0" ...  ...
 01566  1796   NtWaitForSingleObject  (160, 0, 0x0, ...
 01567  1256   NtSetEventBoostPriority  (316, ...
 01568  1292   NtWaitForSingleObject  (316, 0, 0x0, ...
 01565   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58022, 0}  ... {28, 56, reply, 0, 1764, 760, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\6\0\0\0\6\0\0" )  ) == 0x0
 01551  1128   NtWaitForSingleObject  ... ) == 0x0
 01567  1256   NtSetEventBoostPriority  ... ) == 0x0
 01569  1128   NtSetEventBoostPriority  (316, ...
 01570   760   NtResumeThread  (260, ...
 01571   220   NtWaitForSingleObject  (160, 0, 0x0, ...
 01552  1596   NtWaitForSingleObject  ... ) == 0x0
 01569  1128   NtSetEventBoostPriority  ... ) == 0x0
 01572  1256   NtWaitForSingleObject  (160, 0, 0x0, ...
 01573  1596   NtSetEventBoostPriority  (316, ...
 01570   760   NtResumeThread  ... 1, ) == 0x0
 01553  1480   NtWaitForSingleObject  ... ) == 0x0
 01573  1596   NtSetEventBoostPriority  ... ) == 0x0
 01574  1480   NtSetEventBoostPriority  (316, ...
 01575   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01576  1128   NtWaitForSingleObject  (160, 0, 0x0, ...
 01577  1536   NtTestAlert  (...
 01558  1356   NtWaitForSingleObject  ... ) == 0x0
 01574  1480   NtSetEventBoostPriority  ... ) == 0x0
 01575   760   NtAllocateVirtualMemory  ... 33619968, 1048576, ) == 0x0
 01578  1356   NtSetEventBoostPriority  (316, ...
 01577  1536   NtTestAlert  ... ) == 0x0
 01579  1596   NtWaitForSingleObject  (160, 0, 0x0, ...
 01561  1856   NtWaitForSingleObject  ... ) == 0x0
 01578  1356   NtSetEventBoostPriority  ... ) == 0x0
 01580   760   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ...
 01581  1536   NtContinue  (33619248, 1, ...
 01582  1856   NtSetEventBoostPriority  (316, ...
 01583  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01580   760   NtAllocateVirtualMemory  ... 34660352, 8192, ) == 0x0
 01568  1292   NtWaitForSingleObject  ... ) == 0x0
 01582  1856   NtSetEventBoostPriority  ... ) == 0x0
 01584  1536   NtRegisterThreadTerminatePort  (24, ...
 01585  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 01586  1292   NtSetEventBoostPriority  (316, ...
 01587   760   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ...
 01583  1356   NtDuplicateObject  ... 344, ) == 0x0
 01584  1536   NtRegisterThreadTerminatePort  ... ) == 0x0
 01586  1292   NtSetEventBoostPriority  ... ) == 0x0
 01585  1480   NtWaitForSingleObject  ... ) == 0x0
 01588  1856   NtWaitForSingleObject  (160, 0, 0x0, ...
 01589  1356   NtWaitForSingleObject  (316, 0, 0x0, ...
 01587   760   NtProtectVirtualMemory  ... (0x210e000), 4096, 4, ) == 0x0
 01590  1536   NtWaitForSingleObject  (316, 0, 0x0, ...
 01591  1480   NtSetEventBoostPriority  (316, ...
 01592   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01589  1356   NtWaitForSingleObject  ... ) == 0x0
 01591  1480   NtSetEventBoostPriority  ... ) == 0x0
 01593  1356   NtSetEventBoostPriority  (316, ...
 01592   760   NtCreateThread  ... 340, {1764, 444}, ) == 0x0
 01590  1536   NtWaitForSingleObject  ... ) == 0x0
 01593  1356   NtSetEventBoostPriority  ... ) == 0x0
 01594  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 01595  1536   NtSetEventBoostPriority  (316, ...
 01596   760   NtQueryInformationThread  (340, Basic, 28, ...
 01597  1292   NtQueryValueKey  (336,  (336, "Mapping", Partial, 144, ... , Partial, 144, ...
 01598  1356   NtWaitForSingleObject  (316, 0, 0x0, ...
 01595  1536   NtSetEventBoostPriority  ... ) == 0x0
 01596   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1764,Tid=444,}, 0x0, ) == 0x0
 01597  1292   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01599  1536   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01598  1356   NtWaitForSingleObject  ... ) == 0x0
 01600   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58022, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\6\0\0\274\1\0\0" ...  ...
 01601  1292   NtWaitForSingleObject  (316, 0, 0x0, ...
 01602  1356   NtSetEventBoostPriority  (316, ...
 01599  1536   NtDuplicateObject  ... 332, ) == 0x0
 01594  1480   NtWaitForSingleObject  ... ) == 0x0
 01602  1356   NtSetEventBoostPriority  ... ) == 0x0
 01603  1480   NtSetEventBoostPriority  (316, ...
 01604  1536   NtWaitForSingleObject  (316, 0, 0x0, ...
 01601  1292   NtWaitForSingleObject  ... ) == 0x0
 01605  1356   NtWaitForSingleObject  (316, 0, 0x0, ...
 01606  1292   NtSetEventBoostPriority  (316, ...
 01603  1480   NtSetEventBoostPriority  ... ) == 0x0
 01600   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58023, 0}  ... {28, 56, reply, 0, 1764, 760, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\6\0\0\274\1\0\0" )  ) == 0x0
 01604  1536   NtWaitForSingleObject  ... ) == 0x0
 01606  1292   NtSetEventBoostPriority  ... ) == 0x0
 01607  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 01608  1536   NtSetEventBoostPriority  (316, ...
 01609   760   NtResumeThread  (340, ...
 01605  1356   NtWaitForSingleObject  ... ) == 0x0
 01608  1536   NtSetEventBoostPriority  ... ) == 0x0
 01610  1356   NtSetEventBoostPriority  (316, ...
 01609   760   NtResumeThread  ... 1, ) == 0x0
 01611  1292   NtQueryValueKey  (336,  (336, "Mapping", Partial, 152, ... , Partial, 152, ...
 01607  1480   NtWaitForSingleObject  ... ) == 0x0
 01612   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01611  1292   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01613  1480   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01612   760   NtAllocateVirtualMemory  ... 34668544, 1048576, ) == 0x0
 01614  1292   NtClose  (336, ...
 01613  1480   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01610  1356   NtSetEventBoostPriority  ... ) == 0x0
 01615  1536   NtWaitForSingleObject  (316, 0, 0x0, ...
 01616   444   NtTestAlert  (...
 01614  1292   NtClose  ... ) == 0x0
 01617   760   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ...
 01618  1356   NtWaitForSingleObject  (316, 0, 0x0, ...
 01616   444   NtTestAlert  ... ) == 0x0
 01619  1292   NtWaitForSingleObject  (316, 0, 0x0, ...
 01617   760   NtAllocateVirtualMemory  ... 35708928, 8192, ) == 0x0
 01620   444   NtContinue  (34667824, 1, ...
 01621   760   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ...
 01622   444   NtRegisterThreadTerminatePort  (24, ...
 01621   760   NtProtectVirtualMemory  ... (0x220e000), 4096, 4, ) == 0x0
 01622   444   NtRegisterThreadTerminatePort  ... ) == 0x0
 01623   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01624  1480   NtSetEventBoostPriority  (316, ...
 01623   760   NtCreateThread  ... 336, {1764, 1904}, ) == 0x0
 01615  1536   NtWaitForSingleObject  ... ) == 0x0
 01624  1480   NtSetEventBoostPriority  ... ) == 0x0
 01625   444   NtWaitForSingleObject  (316, 0, 0x0, ...
 01626  1536   NtSetEventBoostPriority  (316, ...
 01627  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 01618  1356   NtWaitForSingleObject  ... ) == 0x0
 01626  1536   NtSetEventBoostPriority  ... ) == 0x0
 01628  1356   NtSetEventBoostPriority  (316, ...
 01619  1292   NtWaitForSingleObject  ... ) == 0x0
 01629  1292   NtSetEventBoostPriority  (316, ...
 01625   444   NtWaitForSingleObject  ... ) == 0x0
 01630   444   NtSetEventBoostPriority  (316, ...
 01627  1480   NtWaitForSingleObject  ... ) == 0x0
 01631  1480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 328, {status=0x0, info=0}, ) }, 7, 16, ... 328, {status=0x0, info=0}, ) == 0x0
 01630   444   NtSetEventBoostPriority  ... ) == 0x0
 01629  1292   NtSetEventBoostPriority  ... ) == 0x0
 01628  1356   NtSetEventBoostPriority  ... ) == 0x0
 01632  1536   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01633   760   NtQueryInformationThread  (336, Basic, 28, ...
 01634   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01635  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31J+/\36\223\30\330'\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01636  1292   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01637  1356   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01633   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1764,Tid=1904,}, 0x0, ) == 0x0
 01632  1536   NtWaitForSingleObject  ... ) == 0x102
 01638  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01636  1292   NtOpenKey  ... 324, ) == 0x0
 01637  1356   NtWaitForSingleObject  ... ) == 0x102
 01639   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58023, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\6\0\0p\7\0\0" ...  ...
 01640  1536   NtWaitForSingleObject  (160, 0, 0x0, ...
 01638  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01641  1292   NtQueryValueKey  (324,  (324, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01642  1356   NtWaitForSingleObject  (160, 0, 0x0, ...
 01639   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58024, 0}  ... {28, 56, reply, 0, 1764, 760, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\6\0\0p\7\0\0" )  ) == 0x0
 01643  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01641  1292   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01644   760   NtResumeThread  (336, ...
 01643  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01645  1292   NtQueryValueKey  (324,  (324, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01634   444   NtDuplicateObject  ... 320, ) == 0x0
 01646  1480   NtQuerySystemInformation  (Performance, 312, ...
 01645  1292   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01647   444   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01644   760   NtResumeThread  ... 1, ) == 0x0
 01646  1480   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01648  1904   NtTestAlert  (...
 01647   444   NtWaitForSingleObject  ... ) == 0x102
 01649   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01650  1480   NtQuerySystemInformation  (Exception, 16, ...
 01648  1904   NtTestAlert  ... ) == 0x0
 01651   444   NtWaitForSingleObject  (160, 0, 0x0, ...
 01649   760   NtAllocateVirtualMemory  ... 35717120, 1048576, ) == 0x0
 01650  1480   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01652  1904   NtContinue  (35716400, 1, ...
 01653   760   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ...
 01654  1480   NtQuerySystemInformation  (Lookaside, 32, ...
 01655  1904   NtRegisterThreadTerminatePort  (24, ...
 01653   760   NtAllocateVirtualMemory  ... 36757504, 8192, ) == 0x0
 01654  1480   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01655  1904   NtRegisterThreadTerminatePort  ... ) == 0x0
 01656   760   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ...
 01657  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01658  1292   NtQueryValueKey  (324,  (324, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01659  1904   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01656   760   NtProtectVirtualMemory  ... (0x230e000), 4096, 4, ) == 0x0
 01658  1292   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01659  1904   NtDuplicateObject  ... 348, ) == 0x0
 01660   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01661  1292   NtQueryValueKey  (324,  (324, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01662  1904   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01660   760   NtCreateThread  ... 352, {1764, 1936}, ) == 0x0
 01661  1292   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01662  1904   NtWaitForSingleObject  ... ) == 0x102
 01663   760   NtQueryInformationThread  (352, Basic, 28, ...
 01664  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11596844, ... }, 11596844, ...
 01665  1904   NtWaitForSingleObject  (160, 0, 0x0, ...
 01663   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1764,Tid=1936,}, 0x0, ) == 0x0
 01664  1292   NtQueryAttributesFile  ... ) == 0x0
 01657  1480   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01666   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58024, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\6\0\0\220\7\0\0" ...  ...
 01667  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01668  1292   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01667  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01668  1292   NtOpenFile  ... 356, {status=0x0, info=1}, ) == 0x0
 01666   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58025, 0}  ... {28, 56, reply, 0, 1764, 760, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\6\0\0\220\7\0\0" )  ) == 0x0
 01669  1292   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 356, ...
 01670   760   NtResumeThread  (352, ...
 01669  1292   NtCreateSection  ... 360, ) == 0x0
 01670   760   NtResumeThread  ... 1, ) == 0x0
 01671  1292   NtClose  (356, ...
 01672   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01671  1292   NtClose  ... ) == 0x0
 01672   760   NtAllocateVirtualMemory  ... 36765696, 1048576, ) == 0x0
 01673  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01674  1936   NtWaitForSingleObject  (132, 0, 0x0, ...
 01675  1292   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01673  1480   NtCreateKey  ... -2147482584, 2, ) == 0x0
 01675  1292   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 01676  1480   NtSetValueKey  (-2147482584,  (-2147482584, "Seed", 0, 3, "\264h\20k\305-z\2172oJ\213{\17\23\3379\22\240\353\203\225\342KN\251'\344\6\17\325\237\32;\376?1)\10\346\303$\17_\310\272B\254Mm\351\375\232\344n\272\347\21\227\234\27\310\217\336\246\304\325Zl\271\203\226\24n=GJ\307\250", 80, ... , 0, 3,  (-2147482584, "Seed", 0, 3, "\264h\20k\305-z\2172oJ\213{\17\23\3379\22\240\353\203\225\342KN\251'\344\6\17\325\237\32;\376?1)\10\346\303$\17_\310\272B\254Mm\351\375\232\344n\272\347\21\227\234\27\310\217\336\246\304\325Zl\271\203\226\24n=GJ\307\250", 80, ... , 80, ...
 01677  1292   NtClose  (360, ...
 01676  1480   NtSetValueKey  ... ) == 0x0
 01677  1292   NtClose  ... ) == 0x0
 01678  1480   NtClose  (-2147482584, ... ) == 0x0
 01679  1292   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 01680  1292   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11597152, ... ) }, 11597152, ... ) == 0x0
 01681  1292   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 01635  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\16\254\215\301\223\2117+u\366\337\352\245o?\240Df\373\217^s\336-n\355L\363\263\353\350\215\231\265\274+b'KE\23C\341\362$pI\260\266\346\346[\2;\336\263\357\321\277v\354\27\33\376\217\7\274\353\346>\364\256h\37\360\272\326|\256\10J\1775,X\\335\232x3\302\177F\275\357\266'\317a\251\240\256\327x\177\313\22\25k\316\203A^\223\\362\200\357KOx\224'1\216\231\10\232\207t_R\367c\212SW\325+<)z\332\325\350\23<\351\241\230\25\55\246\25\372", ) , ) == 0x0
 01682   760   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ...
 01683  1480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01682   760   NtAllocateVirtualMemory  ... 37806080, 8192, ) == 0x0
 01683  1480   NtCreateEvent  ... 356, ) == 0x0
 01684   760   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ...
 01685  1480   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789572, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789572, 188, ...
 01684   760   NtProtectVirtualMemory  ... (0x240e000), 4096, 4, ) == 0x0
 01686   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 364, {1764, 1648}, ) == 0x0
 01685  1480   NtConnectPort  ... 368, 0x0, 0x0, 0x0, 188, ) == 0x0
 01687  1292   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 360, ...
 01688   760   NtQueryInformationThread  (364, Basic, 28, ...
 01687  1292   NtCreateSection  ... 372, ) == 0x0
 01688   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1764,Tid=1648,}, 0x0, ) == 0x0
 01689  1292   NtQuerySection  (372, Image, 48, ...
 01690   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58025, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\6\0\0p\6\0\0" ...  ...
 01689  1292   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01690   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58027, 0}  ... {28, 56, reply, 0, 1764, 760, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\6\0\0p\6\0\0" )  ) == 0x0
 01691  1292   NtClose  (360, ...
 01692   760   NtResumeThread  (364, ...
 01691  1292   NtClose  ... ) == 0x0
 01693  1480   NtRequestWaitReplyPort  (368, {200, 224, new_msg, 0, 1329576, 12, 2, 1}  (368, {200, 224, new_msg, 0, 1329576, 12, 2, 1} "\0\3\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320\3\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\3704Bt\24\333&!\200\35\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\10\0\0(\0\0\0\210\35\25\0,6\33\315\370\3\24\0\250\35\25\0d\1\24\0\0\0\0\0\0\0\0\0\250\35\25\0P\0\0\0\260\35\25\0\360\6\221|\320\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01692   760   NtResumeThread  ... 1, ) == 0x0
 01694   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37814272, 1048576, ) == 0x0
 01695   760   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ... 38854656, 8192, ) == 0x0
 01696   760   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ...
 01693  1480   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1764, 1480, 58028, 0}  ... {200, 224, reply, 0, 1764, 1480, 58028, 0} "\7\3\24\0\274\0\0\0l8\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\3704Bt\24\333&!\200\35\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\10\0\0(\0\0\0\210\35\25\0,6\33\315\370\3\24\0\250\35\25\0d\1\24\0\0\0\0\0\0\0\0\0\250\35\25\0P\0\0\0\260\35\25\0\360\6\221|\320\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\360\0\372\31\221|\30\364\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01697  1292   NtMapViewOfSection  (372, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01698  1648   NtWaitForSingleObject  (132, 0, 0x0, ...
 01699  1480   NtRequestWaitReplyPort  (368, {64, 88, new_msg, 0, 0, 0, 0, 0}  (368, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01697  1292   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 01700  1292   NtClose  (372, ... ) == 0x0
 01701  1292   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01699  1480   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1764, 1480, 58029, 0}  ... {52, 76, reply, 0, 1764, 1480, 58029, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01696   760   NtProtectVirtualMemory  ... (0x250e000), 4096, 4, ) == 0x0
 01702  1292   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 01703   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01702  1292   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 01703   760   NtCreateThread  ... 372, {1764, 148}, ) == 0x0
 01704  1292   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 01705  1480   NtClose  (356, ...
 01704  1292   NtFlushInstructionCache  ... ) == 0x0
 01705  1480   NtClose  ... ) == 0x0
 01706   760   NtQueryInformationThread  (372, Basic, 28, ...
 01707  1480   NtClose  (368, ...
 01706   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1764,Tid=148,}, 0x0, ) == 0x0
 01707  1480   NtClose  ... ) == 0x0
 01708   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58027, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\6\0\0\224\0\0\0" ...  ...
 01709  1480   NtWaitForSingleObject  (132, 0, 0x0, ...
 01708   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58031, 0}  ... {28, 56, reply, 0, 1764, 760, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\6\0\0\224\0\0\0" )  ) == 0x0
 01710   760   NtResumeThread  (372, ... 1, ) == 0x0
 01711   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38862848, 1048576, ) == 0x0
 01712   760   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ... 39903232, 8192, ) == 0x0
 01713   760   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ...
 01714  1292   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 01715   148   NtWaitForSingleObject  (132, 0, 0x0, ...
 01714  1292   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01716  1292   NtSetEventBoostPriority  (132, ...
 01674  1936   NtWaitForSingleObject  ... ) == 0x0
 01717  1936   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ... 3624960, 4096, ) == 0x0
 01716  1292   NtSetEventBoostPriority  ... ) == 0x0
 01713   760   NtProtectVirtualMemory  ... (0x260e000), 4096, 4, ) == 0x0
 01718  1936   NtSetEventBoostPriority  (132, ...
 01719   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01698  1648   NtWaitForSingleObject  ... ) == 0x0
 01718  1936   NtSetEventBoostPriority  ... ) == 0x0
 01720  1648   NtSetEventBoostPriority  (132, ...
 01719   760   NtCreateThread  ... 368, {1764, 1828}, ) == 0x0
 01709  1480   NtWaitForSingleObject  ... ) == 0x0
 01720  1648   NtSetEventBoostPriority  ... ) == 0x0
 01721  1936   NtTestAlert  (...
 01722  1480   NtSetEventBoostPriority  (132, ...
 01723   760   NtQueryInformationThread  (368, Basic, 28, ...
 01724  1292   NtClose  (324, ...
 01715   148   NtWaitForSingleObject  ... ) == 0x0
 01722  1480   NtSetEventBoostPriority  ... ) == 0x0
 01721  1936   NtTestAlert  ... ) == 0x0
 01723   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1764,Tid=1828,}, 0x0, ) == 0x0
 01725   148   NtTestAlert  (...
 01724  1292   NtClose  ... ) == 0x0
 01726  1648   NtTestAlert  (...
 01727  1936   NtContinue  (36764976, 1, ...
 01725   148   NtTestAlert  ... ) == 0x0
 01728   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58031, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\6\0\0$\7\0\0" ...  ...
 01729  1292   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01726  1648   NtTestAlert  ... ) == 0x0
 01730  1936   NtRegisterThreadTerminatePort  (24, ...
 01731  1480   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01732   148   NtContinue  (38862128, 1, ...
 01729  1292   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01733  1648   NtContinue  (37813552, 1, ...
 01728   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58032, 0}  ... {28, 56, reply, 0, 1764, 760, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\6\0\0$\7\0\0" )  ) == 0x0
 01731  1480   NtCreateKey  ... 324, 2, ) == 0x0
 01734   148   NtRegisterThreadTerminatePort  (24, ...
 01735  1292   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11599488, 67, ... }, 0x0, 0, 3, 3, 0, 11599488, 67, ...
 01736  1648   NtRegisterThreadTerminatePort  (24, ...
 01737   760   NtResumeThread  (368, ...
 01738  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01734   148   NtRegisterThreadTerminatePort  ... ) == 0x0
 01735  1292   NtCreateFile  ... 356, {status=0x0, info=0}, ) == 0x0
 01736  1648   NtRegisterThreadTerminatePort  ... ) == 0x0
 01737   760   NtResumeThread  ... 1, ) == 0x0
 01738  1480   NtOpenKey  ... 360, ) == 0x0
 01739   148   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01730  1936   NtRegisterThreadTerminatePort  ... ) == 0x0
 01740  1828   NtTestAlert  (...
 01741  1648   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01742   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01743  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01739   148   NtDuplicateObject  ... 376, ) == 0x0
 01744  1936   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01740  1828   NtTestAlert  ... ) == 0x0
 01745  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x1207b,  (356, 136, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01742   760   NtAllocateVirtualMemory  ... 39911424, 1048576, ) == 0x0
 01743  1480   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01746   148   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01744  1936   NtDuplicateObject  ... 380, ) == 0x0
 01747  1828   NtContinue  (39910704, 1, ...
 01745  1292   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01741  1648   NtDuplicateObject  ... 384, ) == 0x0
 01748   760   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ...
 01749  1480   NtQueryValueKey  (324,  (324, "Hostname", Partial, 144, ... , Partial, 144, ...
 01750  1936   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01751  1828   NtRegisterThreadTerminatePort  (24, ...
 01752  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x1207b,  (356, 136, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ...
 01753  1648   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01748   760   NtAllocateVirtualMemory  ... 40951808, 8192, ) == 0x0
 01749  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01750  1936   NtWaitForSingleObject  ... ) == 0x102
 01751  1828   NtRegisterThreadTerminatePort  ... ) == 0x0
 01752  1292   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01753  1648   NtWaitForSingleObject  ... ) == 0x102
 01754   760   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ...
 01755  1480   NtQueryValueKey  (324,  (324, "Hostname", Partial, 144, ... , Partial, 144, ...
 01746   148   NtWaitForSingleObject  ... ) == 0x102
 01756  1936   NtWaitForSingleObject  (160, 0, 0x0, ...
 01757  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x12047,  (356, 136, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\32\0\5\0\0\20\0\0H\2\24\0H\2\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01758  1648   NtWaitForSingleObject  (160, 0, 0x0, ...
 01754   760   NtProtectVirtualMemory  ... (0x270e000), 4096, 4, ) == 0x0
 01755  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01759   148   NtWaitForSingleObject  (160, 0, 0x0, ...
 01757  1292   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01760   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01761  1480   NtClose  (324, ...
 01762  1828   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01760   760   NtCreateThread  ... 388, {1764, 1864}, ) == 0x0
 01761  1480   NtClose  ... ) == 0x0
 01762  1828   NtDuplicateObject  ... 324, ) == 0x0
 01763  1292   NtWaitForSingleObject  (96, 0, {0, 0}, ...
 01764   760   NtQueryInformationThread  (388, Basic, 28, ...
 01765  1828   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01763  1292   NtWaitForSingleObject  ... ) == 0x102
 01764   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1764,Tid=1864,}, 0x0, ) == 0x0
 01765  1828   NtWaitForSingleObject  ... ) == 0x102
 01766  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x12003,  (356, 136, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01767   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58032, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\6\0\0H\7\0\0" ...  ...
 01768  1828   NtWaitForSingleObject  (160, 0, 0x0, ...
 01766  1292   NtDeviceIoControlFile  ... {status=0x0, info=392},  ... {status=0x0, info=392}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01767   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58033, 0}  ... {28, 56, reply, 0, 1764, 760, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\6\0\0H\7\0\0" )  ) == 0x0
 01769  1480   NtClose  (360, ...
 01770   760   NtResumeThread  (388, ...
 01769  1480   NtClose  ... ) == 0x0
 01771  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x12047,  (356, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\32\0\5\0\0\20\0\0H\2\24\0H\2\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01772  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\10XTp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01771  1292   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01773  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01774  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x12037,  (356, 136, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01773  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01774  1292   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01775  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01776  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x1200b,  (356, 136, 0x0, 0x0, 0x1200b, "\0\376\260\0\5\0\0\0\0\313\24\0", 12, 0, ... , 12, 0, ...
 01770   760   NtResumeThread  ... 1, ) == 0x0
 01776  1292   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01777   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01775  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01778  1864   NtTestAlert  (...
 01777   760   NtAllocateVirtualMemory  ... 40960000, 1048576, ) == 0x0
 01779  1480   NtQuerySystemInformation  (Performance, 312, ...
 01778  1864   NtTestAlert  ... ) == 0x0
 01780   760   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ...
 01779  1480   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01781  1864   NtContinue  (40959280, 1, ...
 01780   760   NtAllocateVirtualMemory  ... 42000384, 8192, ) == 0x0
 01782  1480   NtQuerySystemInformation  (Exception, 16, ...
 01783  1864   NtRegisterThreadTerminatePort  (24, ...
 01784   760   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ...
 01782  1480   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01783  1864   NtRegisterThreadTerminatePort  ... ) == 0x0
 01785  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x12047,  (356, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\260\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\32\0\5\0\0\20\0\0H\2\24\0H\2\24\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01786  1480   NtQuerySystemInformation  (Lookaside, 32, ...
 01784   760   NtProtectVirtualMemory  ... (0x280e000), 4096, 4, ) == 0x0
 01785  1292   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01787  1864   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01788   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01789  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01787  1864   NtDuplicateObject  ... 360, ) == 0x0
 01788   760   NtCreateThread  ... 396, {1764, 1896}, ) == 0x0
 01789  1292   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01790  1864   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01786  1480   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01791  1292   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01790  1864   NtWaitForSingleObject  ... ) == 0x102
 01792  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01791  1292   NtCreateEvent  ... 400, ) == 0x0
 01793  1864   NtWaitForSingleObject  (160, 0, 0x0, ...
 01792  1480   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01794   760   NtQueryInformationThread  (396, Basic, 28, ...
 01795  1292   NtWaitForSingleObject  (400, 0, 0x0, ...
 01796  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01794   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1764,Tid=1896,}, 0x0, ) == 0x0
 01796  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01797   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58033, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\6\0\0h\7\0\0" ...  ...
 01798  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01797   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58034, 0}  ... {28, 56, reply, 0, 1764, 760, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\6\0\0h\7\0\0" )  ) == 0x0
 01799   760   NtResumeThread  (396, ... 1, ) == 0x0
 01800   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 42008576, 1048576, ) == 0x0
 01801   760   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ... 43048960, 8192, ) == 0x0
 01802   760   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ...
 01798  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 01803  1896   NtTestAlert  (...
 01804  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\263M\240\263\342\325\32\304] !\367P\366\256\370C4\265m8\275\254\341{g\204\354.G\374\363hc]\245\265\213 \267\255.\320\217XlD\12\377"\230\212\234Q\237\254y\314\353C\215\6\346\301u\263\343\36Y\3769\232\7\223\267\3455\210\302\217", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "\263M\240\263\342\325\32\304] !\367P\366\256\370C4\265m8\275\254\341{g\204\354.G\374\363hc]\245\265\213 \267\255.\320\217XlD\12\377"\230\212\234Q\237\254y\314\353C\215\6\346\301u\263\343\36Y\3769\232\7\223\267\3455\210\302\217", 80, ... \230\212\234Q\237\254y\314\353C\215\6\346\301u\263\343\36Y\3769\232\7\223\267\3455\210\302\217", 80, ...
 01803  1896   NtTestAlert  ... ) == 0x0
 01804  1480   NtSetValueKey  ... ) == 0x0
 01805  1896   NtContinue  (42007856, 1, ...
 01806  1480   NtClose  (-2147482132, ...
 01807  1896   NtRegisterThreadTerminatePort  (24, ...
 01806  1480   NtClose  ... ) == 0x0
 01807  1896   NtRegisterThreadTerminatePort  ... ) == 0x0
 01772  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\320\376\203\25*\310\242?\335=5g\231\345jM\330\246\22,e.u\12\210\263\210\266+U\312\36c`\323\244\34\317!K\270&\261u\4sNp\204\200\241\316\250\306f\326\22\20e\246R\303\7"^Q\302z\326\34\333iX\275\312\370\7c\244\376cK\361`\324\213\224\323\312T \335RK\202\303\243\324j\264\240\301\2\2579\275\275\244\330\341\313\366\361\204$\373\13L\274\1\256\32\253N?\354Bvr\326\301)\360\321H\303]\336\240[B\3276#\376^A\215B\2743a`\230|\360\210\223\246}\271d\34\241L|\321\357\334\156[\257\371\204V\206\223\214;\5h\264\330\211\313\273\35\240^\244\245\245\340\231dq\\371S\347\16\2540F\214\347\321\5r\302\364\7B\274\212M\374 hyyn$\2462t?$l^\32\246G\370\333\14\234\210\253\205"!\206\215\277w\7Cb\226\0M\323sa", ) ^Q\302z\326\34\333iX\275\312\370\7c\244\376cK\361`\324\213\224\323\312T \335RK\202\303\243\324j\264\240\301\2\2579\275\275\244\330\341\313\366\361\204$\373\13L\274\1\256\32\253N?\354Bvr\326\301)\360\321H\303]\336\240[B\3276#\376^A\215B\2743a`\230|\360\210\223\246}\271d\34\241L|\321\357\334\156[\257\371\204V\206\223\214;\5h\264\330\211\313\273\35\240^\244\245\245\340\231dq\\371S\347\16\2540F\214\347\321\5r\302\364\7B\274\212M\374 hyyn$\2462t?$l^\32\246G\370\333\14\234\210\253\205 ... {status=0x0, info=256}, "\320\376\203\25*\310\242?\335=5g\231\345jM\330\246\22,e.u\12\210\263\210\266+U\312\36c`\323\244\34\317!K\270&\261u\4sNp\204\200\241\316\250\306f\326\22\20e\246R\303\7"^Q\302z\326\34\333iX\275\312\370\7c\244\376cK\361`\324\213\224\323\312T \335RK\202\303\243\324j\264\240\301\2\2579\275\275\244\330\341\313\366\361\204$\373\13L\274\1\256\32\253N?\354Bvr\326\301)\360\321H\303]\336\240[B\3276#\376^A\215B\2743a`\230|\360\210\223\246}\271d\34\241L|\321\357\334\156[\257\371\204V\206\223\214;\5h\264\330\211\313\273\35\240^\244\245\245\340\231dq\\371S\347\16\2540F\214\347\321\5r\302\364\7B\274\212M\374 hyyn$\2462t?$l^\32\246G\370\333\14\234\210\253\205"!\206\215\277w\7Cb\226\0M\323sa", ) , ) == 0x0
 01802   760   NtProtectVirtualMemory  ... (0x290e000), 4096, 4, ) == 0x0
 01808  1896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01809   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01808  1896   NtDuplicateObject  ... 404, ) == 0x0
 01809   760   NtCreateThread  ... 408, {1764, 1524}, ) == 0x0
 01810  1896   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01811   760   NtQueryInformationThread  (408, Basic, 28, ...
 01810  1896   NtWaitForSingleObject  ... ) == 0x102
 01811   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1764,Tid=1524,}, 0x0, ) == 0x0
 01812  1896   NtWaitForSingleObject  (160, 0, 0x0, ...
 01813   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58034, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\6\0\0\364\5\0\0" ...  ...
 01814  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\342M y\354\35\264J\235Tp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01815  1480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01816  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01817  1480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01818  1480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01819  1480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01820  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01813   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58035, 0}  ... {28, 56, reply, 0, 1764, 760, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\6\0\0\364\5\0\0" )  ) == 0x0
 01821   760   NtResumeThread  (408, ... 1, ) == 0x0
 01822   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 43057152, 1048576, ) == 0x0
 01823   760   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0
 01824   760   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ... (0x2a0e000), 4096, 4, ) == 0x0
 01825   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1764, 1944}, ) == 0x0
 01820  1480   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01826  1524   NtTestAlert  (...
 01827  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01826  1524   NtTestAlert  ... ) == 0x0
 01827  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01828  1524   NtContinue  (43056432, 1, ...
 01829  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01830  1524   NtRegisterThreadTerminatePort  (24, ...
 01829  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 01830  1524   NtRegisterThreadTerminatePort  ... ) == 0x0
 01831  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "&\256\326\2047\3|?\2\331S\3+J\314x\205W\201P\340o\324\356\373\20E\342\32\217#\241N\305\237\203T\216\3526\13\372}Z[\372]\177\300\321D:\205B\231\372\305\17;\21\345\21}\324+\215\375\231\377\350\340A\335\263\214\260\225\33Dj", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "&\256\326\2047\3|?\2\331S\3+J\314x\205W\201P\340o\324\356\373\20E\342\32\217#\241N\305\237\203T\216\3526\13\372}Z[\372]\177\300\321D:\205B\231\372\305\17;\21\345\21}\324+\215\375\231\377\350\340A\335\263\214\260\225\33Dj", 80, ... , 80, ...
 01832   760   NtQueryInformationThread  (412, Basic, 28, ...
 01833  1524   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01832   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1764,Tid=1944,}, 0x0, ) == 0x0
 01833  1524   NtDuplicateObject  ... 416, ) == 0x0
 01834   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58035, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\6\0\0\230\7\0\0" ...  ...
 01835  1524   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01834   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58036, 0}  ... {28, 56, reply, 0, 1764, 760, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\6\0\0\230\7\0\0" )  ) == 0x0
 01835  1524   NtWaitForSingleObject  ... ) == 0x102
 01836   760   NtResumeThread  (412, ...
 01837  1524   NtWaitForSingleObject  (160, 0, 0x0, ...
 01831  1480   NtSetValueKey  ... ) == 0x0
 01836   760   NtResumeThread  ... 1, ) == 0x0
 01838  1480   NtClose  (-2147482132, ...
 01839   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01838  1480   NtClose  ... ) == 0x0
 01839   760   NtAllocateVirtualMemory  ... 44105728, 1048576, ) == 0x0
 01814  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "f\206\235\200J\210F\300Wf\354\221\253\21\370\313+>3,3D\253\220?%U=(t\360^8\331\315\221\324\17\216\261|\244\177f\257\234\245\326)6M\361\264\227\337\316\374%\213?c\353=\352\320\354O\361\360\304\250\350\265\2\205\213\375zbA\256\36\370\4|\321\272!\205\201\30\10\217=.\5\261Q\327\350)\214ur\253\261&\31\254uS\344j\235n9\4\326\376e\2040Z\5\255\7\177\366\330\?\271\203\372G\304\246e\340\336\351\227\243[1=x\263)\251\332o>\5\0\315\375\250\370\264\231\365\27\364\177\277\263v\23m\301ah}\314\303\222H\232>\371\331#z*\37g\232\246OUf\232\210\277)*>\37\325l|\306\301\226h\243%\355\244D\375\33\256\6\32\374w\216\327\343$\301\364{\345\350{g,\7/a(\340\253\364*(\17\236\354\305l`q\243\302\234=\373\337\222\246\353", ) , ) == 0x0
 01840   760   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ...
 01841  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\342M y\354\35\264\240\210 y\354\35\264J\235Tp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01840   760   NtAllocateVirtualMemory  ... 45146112, 8192, ) == 0x0
 01842  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01843   760   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ...
 01844  1944   NtTestAlert  (...
 01842  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01844  1944   NtTestAlert  ... ) == 0x0
 01845  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01846  1944   NtContinue  (44105008, 1, ...
 01845  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01847  1944   NtRegisterThreadTerminatePort  (24, ...
 01848  1480   NtQuerySystemInformation  (Performance, 312, ...
 01847  1944   NtRegisterThreadTerminatePort  ... ) == 0x0
 01848  1480   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01843   760   NtProtectVirtualMemory  ... (0x2b0e000), 4096, 4, ) == 0x0
 01849  1480   NtQuerySystemInformation  (Exception, 16, ...
 01850   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01851  1944   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01850   760   NtCreateThread  ... 420, {1764, 240}, ) == 0x0
 01851  1944   NtDuplicateObject  ... 424, ) == 0x0
 01852   760   NtQueryInformationThread  (420, Basic, 28, ...
 01853  1944   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01852   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1764,Tid=240,}, 0x0, ) == 0x0
 01853  1944   NtWaitForSingleObject  ... ) == 0x102
 01854   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58036, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\6\0\0\360\0\0\0" ...  ...
 01855  1944   NtWaitForSingleObject  (160, 0, 0x0, ...
 01849  1480   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01854   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58037, 0}  ... {28, 56, reply, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\6\0\0\360\0\0\0" )  ) == 0x0
 01856  1480   NtQuerySystemInformation  (Lookaside, 32, ...
 01857   760   NtResumeThread  (420, ...
 01856  1480   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01857   760   NtResumeThread  ... 1, ) == 0x0
 01858  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01859   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01858  1480   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01859   760   NtAllocateVirtualMemory  ... 45154304, 1048576, ) == 0x0
 01860  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01861   240   NtTestAlert  (...
 01862   760   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ...
 01861   240   NtTestAlert  ... ) == 0x0
 01862   760   NtAllocateVirtualMemory  ... 46194688, 8192, ) == 0x0
 01863   240   NtContinue  (45153584, 1, ...
 01864   760   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ...
 01865   240   NtRegisterThreadTerminatePort  (24, ...
 01864   760   NtProtectVirtualMemory  ... (0x2c0e000), 4096, 4, ) == 0x0
 01865   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 01866   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01860  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01866   760   NtCreateThread  ... 428, {1764, 968}, ) == 0x0
 01867  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01868   240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01867  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 01868   240   NtDuplicateObject  ... 432, ) == 0x0
 01869  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\26\353o~\6*Xn\311\377\253\34\270%o\277gh\15\305\14\22\221IBHn.\342u\312\3\2016\256\205\7D9\12s\200z\267}?\262\361ZwN\353s0\16^UC\350\354\336\324\350mR\344o\334\263[a\305\205Wo\206h\333\16\3", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "\26\353o~\6*Xn\311\377\253\34\270%o\277gh\15\305\14\22\221IBHn.\342u\312\3\2016\256\205\7D9\12s\200z\267}?\262\361ZwN\353s0\16^UC\350\354\336\324\350mR\344o\334\263[a\305\205Wo\206h\333\16\3", 80, ... , 80, ...
 01870   240   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01869  1480   NtSetValueKey  ... ) == 0x0
 01870   240   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01871  1480   NtClose  (-2147482132, ...
 01872   240   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01873   760   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1764,Tid=968,}, 0x0, ) == 0x0
 01874   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58037, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\6\0\0\310\3\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58038, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\6\0\0\310\3\0\0" ... {28, 56, reply, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\6\0\0\310\3\0\0" )  ) == 0x0
 01875   760   NtResumeThread  (428, ... 1, ) == 0x0
 01876   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 46202880, 1048576, ) == 0x0
 01877   760   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ... 47243264, 8192, ) == 0x0
 01878   760   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ...
 01871  1480   NtClose  ... ) == 0x0
 01872   240   NtWaitForSingleObject  ... ) == 0x102
 01879   968   NtTestAlert  (...
 01841  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\332\353%\315\10\336\344R_\222.O8\352\301D\30\305`\232\313\265\363\34\335\202\330\242\35\230\230\304\1\222u\16WFE\355\251\200dT\363v\260w\3362\334\335\243\332\271\226p\257f\335\312\363\306W\32\250L\16\205\350\267\256\33=\267\220\2052\255\35\366z1r\301h\35I\236:\260\0\323\254\227\344q\37\356\315\257\302\252\367Sv\37~\216\310\24\20\320\34\240\247\36\317+\372H3\237\366\320\351\\217\254`\217\34\276\226j\224Z%&\15\364y\312\356\262\316\231:+\17?]\316T\231\34\227\270&y*\234\334g7k\276\241A\231\304\30<^\0!\227\342\316\5\2467\276iG\344\301\36\10\226\276;\301\377\307p\220\367&\323\210\15\253\336$T\230W{\340\3\231\310\1\3364\2\363+\15\267x#5M\214\21C\247nDs\356\310\217\26\374T\27,\257N7P\304\303g\247\370\361\325\10\3154", ) , ) == 0x0
 01880   240   NtWaitForSingleObject  (160, 0, 0x0, ...
 01879   968   NtTestAlert  ... ) == 0x0
 01881  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\342M y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264J\235Tp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01882   968   NtContinue  (46202160, 1, ...
 01883  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01884   968   NtRegisterThreadTerminatePort  (24, ...
 01883  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01884   968   NtRegisterThreadTerminatePort  ... ) == 0x0
 01885  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01878   760   NtProtectVirtualMemory  ... (0x2d0e000), 4096, 4, ) == 0x0
 01886   968   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01887   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01886   968   NtDuplicateObject  ... 436, ) == 0x0
 01887   760   NtCreateThread  ... 440, {1764, 308}, ) == 0x0
 01888   968   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01889   760   NtQueryInformationThread  (440, Basic, 28, ...
 01888   968   NtWaitForSingleObject  ... ) == 0x102
 01889   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1764,Tid=308,}, 0x0, ) == 0x0
 01890   968   NtWaitForSingleObject  (160, 0, 0x0, ...
 01891   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58038, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\6\0\04\1\0\0" ...  ...
 01885  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01892  1480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01893  1480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01894  1480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01895  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01896  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01897  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01891   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58039, 0}  ... {28, 56, reply, 0, 1764, 760, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\6\0\04\1\0\0" )  ) == 0x0
 01898   760   NtResumeThread  (440, ... 1, ) == 0x0
 01899   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 47251456, 1048576, ) == 0x0
 01900   760   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ... 48291840, 8192, ) == 0x0
 01901   760   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ... (0x2e0e000), 4096, 4, ) == 0x0
 01902   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1764, 764}, ) == 0x0
 01897  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 01903   308   NtTestAlert  (...
 01904  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\235\355\13\344\207)'^\242\207P\261\20\362|\2372\17~~9\206\35\230\326$n\322\17H\332\204\321Ua\233O0\351\20i\371u\336\33\243\211\302N\13\17\316\203C\334\277gS\226i\352\221S;_)\363\343\340cTe\263]\274B\337T\231\331", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "\235\355\13\344\207)'^\242\207P\261\20\362|\2372\17~~9\206\35\230\326$n\322\17H\332\204\321Ua\233O0\351\20i\371u\336\33\243\211\302N\13\17\316\203C\334\277gS\226i\352\221S;_)\363\343\340cTe\263]\274B\337T\231\331", 80, ... , 80, ...
 01903   308   NtTestAlert  ... ) == 0x0
 01904  1480   NtSetValueKey  ... ) == 0x0
 01905   308   NtContinue  (47250736, 1, ...
 01906  1480   NtClose  (-2147482132, ...
 01907   308   NtRegisterThreadTerminatePort  (24, ...
 01906  1480   NtClose  ... ) == 0x0
 01907   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01881  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\271\330\346)\202\211`\230z\234\11\266\36\355\234\310\336\375\365)\315\211\303\2178\352\322/\264\305&\363@O\203Z;\337\2510\25\311q\264<\301y\245\242\231H\301\245\346\2043\275\376\351\13\23\242\302\322k\254\352\316+\210\334\376=\23\2376 \271\220\233$\345\220\333t\221\214\372\231/\224}\317\314\222\377\3554\31@\273oy\21I\270\11\232\237Q\2606?\313Z\362\223\232/\12\277\260 Q\6\274\216\263\235\325\242x!f$\227\15\251\2079\336\300\31f\305\211>\224\212!\351`\272\352\341\177O\5\374\15\360M\341|]\26tf\277\220\200\300?\260\322\324\320\24\331\220T\310\332\14f\34\314KU\247\212}s\363\245u%\30@!\24071vNh\357#\224\232\316\366\256F\227X\264\16\25\12z\250\26+\206#\230Tk\215\24\331\271rs\301\324p", ) \177O\5\374\15\360M\341|]\26tf\277\220\200\300?\260\322\324\320\24\331\220T\310\332\14f\34\314KU\247\212}s\363\245u%\30@!\24071vNh\357#\224\232\316\366\256F\227X\264\16\25\12z\250\26+\206#\230Tk\215\24\331\271rs\301\324p", ) == 0x0
 01908   760   NtQueryInformationThread  (444, Basic, 28, ...
 01909   308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01908   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1764,Tid=764,}, 0x0, ) == 0x0
 01909   308   NtDuplicateObject  ... 448, ) == 0x0
 01910   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58039, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\6\0\0\374\2\0\0" ...  ...
 01911   308   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01910   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58040, 0}  ... {28, 56, reply, 0, 1764, 760, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\6\0\0\374\2\0\0" )  ) == 0x0
 01911   308   NtWaitForSingleObject  ... ) == 0x102
 01912   760   NtResumeThread  (444, ...
 01913   308   NtWaitForSingleObject  (160, 0, 0x0, ...
 01914  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\342M y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264J\235Tp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01912   760   NtResumeThread  ... 1, ) == 0x0
 01915  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01916   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01915  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01916   760   NtAllocateVirtualMemory  ... 48300032, 1048576, ) == 0x0
 01917  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01918   760   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ...
 01917  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01918   760   NtAllocateVirtualMemory  ... 49340416, 8192, ) == 0x0
 01919  1480   NtQuerySystemInformation  (Performance, 312, ...
 01920   760   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ...
 01921   764   NtTestAlert  (...
 01919  1480   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01921   764   NtTestAlert  ... ) == 0x0
 01922  1480   NtQuerySystemInformation  (Exception, 16, ...
 01923   764   NtContinue  (48299312, 1, ...
 01922  1480   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01924   764   NtRegisterThreadTerminatePort  (24, ...
 01925  1480   NtQuerySystemInformation  (Lookaside, 32, ...
 01924   764   NtRegisterThreadTerminatePort  ... ) == 0x0
 01925  1480   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01920   760   NtProtectVirtualMemory  ... (0x2f0e000), 4096, 4, ) == 0x0
 01926  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01927   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01928   764   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01927   760   NtCreateThread  ... 452, {1764, 2000}, ) == 0x0
 01928   764   NtDuplicateObject  ... 456, ) == 0x0
 01929   760   NtQueryInformationThread  (452, Basic, 28, ...
 01930   764   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01929   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1764,Tid=2000,}, 0x0, ) == 0x0
 01930   764   NtWaitForSingleObject  ... ) == 0x102
 01931   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58040, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\6\0\0\320\7\0\0" ...  ...
 01932   764   NtWaitForSingleObject  (160, 0, 0x0, ...
 01926  1480   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01931   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58041, 0}  ... {28, 56, reply, 0, 1764, 760, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\6\0\0\320\7\0\0" )  ) == 0x0
 01933  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01934   760   NtResumeThread  (452, ...
 01933  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01934   760   NtResumeThread  ... 1, ) == 0x0
 01935  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01936   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01935  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 01936   760   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 01937  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\27\322\303\262\5\314\225\362\377bQ\271\273@\270\261s3\262\244EV\235\200\330\236\214\263\277\20\306\24\343m\354\267f\21\276{c\37<\242\244{+\314K/A\365\354\17`\251\23\263\265\263?J~s\244\220>\226\234\211eO\315\363\320k\6w\214\267", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "\27\322\303\262\5\314\225\362\377bQ\271\273@\270\261s3\262\244EV\235\200\330\236\214\263\277\20\306\24\343m\354\267f\21\276{c\37<\242\244{+\314K/A\365\354\17`\251\23\263\265\263?J~s\244\220>\226\234\211eO\315\363\320k\6w\214\267", 80, ... , 80, ...
 01938  2000   NtTestAlert  (...
 01939   760   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ...
 01938  2000   NtTestAlert  ... ) == 0x0
 01939   760   NtAllocateVirtualMemory  ... 50388992, 8192, ) == 0x0
 01940  2000   NtContinue  (49347888, 1, ...
 01941   760   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ...
 01942  2000   NtRegisterThreadTerminatePort  (24, ...
 01941   760   NtProtectVirtualMemory  ... (0x300e000), 4096, 4, ) == 0x0
 01942  2000   NtRegisterThreadTerminatePort  ... ) == 0x0
 01943   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01937  1480   NtSetValueKey  ... ) == 0x0
 01943   760   NtCreateThread  ... 460, {1764, 1852}, ) == 0x0
 01944  1480   NtClose  (-2147482132, ...
 01945  2000   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01944  1480   NtClose  ... ) == 0x0
 01945  2000   NtDuplicateObject  ... 464, ) == 0x0
 01914  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\300|\33\266\370\337v\343\252\244Vf?\332>\35\236D\264\21\242\301\207#m\301U\232s\360\16|!\11\216\277\201\340\363\277\356\266\313\23\211\17\11Z\227\10~\220#\240iN\373\324\234lQ\336X>\240\371\262NZ\200\233'\216\332\217\322C\205n\327\216\373\360k\13\303\215s"M\241\13\207\320\213\376o\355\32\234=\323~\215a\267\37\255\226\265\35\256P$"\355l^\224\267W;%ycr\24\274Z^&\300\355\343}lf\322\224\265\325c_\26!\13X\200i\357\251\323\331\314\2237@\265\322#w0\261\305\370\323j\272b\2763\257\254\357c\12\372\244\331\362O\245c\253\352\353X\251\266_\353\2325\256\25\16\225\263\240v\237\240\253\333\15\271.5gM(\303h\2172\263M\372\217:\204n\337\36Z\277\364\12\264\361\262(=\224\342\262\216\326\256\263\325\224\203v\315'\320mvBGi~", ) M\241\13\207\320\213\376o\355\32\234=\323~\215a\267\37\255\226\265\35\256P$ ... {status=0x0, info=256}, "\300|\33\266\370\337v\343\252\244Vf?\332>\35\236D\264\21\242\301\207#m\301U\232s\360\16|!\11\216\277\201\340\363\277\356\266\313\23\211\17\11Z\227\10~\220#\240iN\373\324\234lQ\336X>\240\371\262NZ\200\233'\216\332\217\322C\205n\327\216\373\360k\13\303\215s"M\241\13\207\320\213\376o\355\32\234=\323~\215a\267\37\255\226\265\35\256P$"\355l^\224\267W;%ycr\24\274Z^&\300\355\343}lf\322\224\265\325c_\26!\13X\200i\357\251\323\331\314\2237@\265\322#w0\261\305\370\323j\272b\2763\257\254\357c\12\372\244\331\362O\245c\253\352\353X\251\266_\353\2325\256\25\16\225\263\240v\237\240\253\333\15\271.5gM(\303h\2172\263M\372\217:\204n\337\36Z\277\364\12\264\361\262(=\224\342\262\216\326\256\263\325\224\203v\315'\320mvBGi~", ) , ) == 0x0
 01946  2000   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01947  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\342M y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264J\235Tp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01946  2000   NtWaitForSingleObject  ... ) == 0x102
 01948  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01949  2000   NtWaitForSingleObject  (160, 0, 0x0, ...
 01950   760   NtQueryInformationThread  (460, Basic, 28, ...
 01948  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01950   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1764,Tid=1852,}, 0x0, ) == 0x0
 01951  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01952   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58041, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\6\0\0<\7\0\0" ...  ...
 01951  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01952   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58042, 0}  ... {28, 56, reply, 0, 1764, 760, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\6\0\0<\7\0\0" )  ) == 0x0
 01953  1480   NtQuerySystemInformation  (Performance, 312, ...
 01954   760   NtResumeThread  (460, ...
 01953  1480   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01955  1480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01956  1480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01957  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01958  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01954   760   NtResumeThread  ... 1, ) == 0x0
 01959   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50397184, 1048576, ) == 0x0
 01960   760   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ... 51437568, 8192, ) == 0x0
 01961   760   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ... (0x310e000), 4096, 4, ) == 0x0
 01962   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {1764, 1420}, ) == 0x0
 01963   760   NtQueryInformationThread  (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1764,Tid=1420,}, 0x0, ) == 0x0
 01964   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58042, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\6\0\0\214\5\0\0" ...  ...
 01958  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01965  1852   NtTestAlert  (...
 01966  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01965  1852   NtTestAlert  ... ) == 0x0
 01966  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 01967  1852   NtContinue  (50396464, 1, ...
 01968  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "Z\11\3424\312W4c\5\277l\119J\241f\215,\305'J\225\12\220\354\316E\2324\360U%>\27R\230\232\205\10\347V\361\30^P\13\3246p\323\2\202\217)\23Y\313\1mx\202s\246\27\246\330\371\370g\27\215\232O\3361by\352\24\230", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "Z\11\3424\312W4c\5\277l\119J\241f\215,\305'J\225\12\220\354\316E\2324\360U%>\27R\230\232\205\10\347V\361\30^P\13\3246p\323\2\202\217)\23Y\313\1mx\202s\246\27\246\330\371\370g\27\215\232O\3361by\352\24\230", 80, ... , 80, ...
 01969  1852   NtRegisterThreadTerminatePort  (24, ...
 01968  1480   NtSetValueKey  ... ) == 0x0
 01969  1852   NtRegisterThreadTerminatePort  ... ) == 0x0
 01970  1480   NtClose  (-2147482132, ...
 01964   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58043, 0}  ... {28, 56, reply, 0, 1764, 760, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\6\0\0\214\5\0\0" )  ) == 0x0
 01971  1852   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01972   760   NtResumeThread  (468, ...
 01971  1852   NtDuplicateObject  ... 472, ) == 0x0
 01972   760   NtResumeThread  ... 1, ) == 0x0
 01973  1852   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01974   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01973  1852   NtWaitForSingleObject  ... ) == 0x102
 01974   760   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 01975  1852   NtWaitForSingleObject  (160, 0, 0x0, ...
 01970  1480   NtClose  ... ) == 0x0
 01976  1420   NtTestAlert  (...
 01977   760   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ...
 01947  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "-\272C\357x\36\315j\272\333\362\271"\351\334\33\370\367\2512\33$\247\253\260<\311\300\16\21\359o\335Z=\35\305bXV\203\301\372\201\267g\242\360\222\22\367\362"bEP\336\364P\10\375\314[$g\24\262\202\343t\364\31#\207h\317\231f\351\337\330\343)\3570\10\363\363\231\300\254h\250\327\u\24\233\273>\20\32\362\10\344\271\341{\207\353\227\17\365\357\250\21\4 \264e\374\252\5P\3441\335}z)e\305\32\\305\201\330D\267\311\361\374\377M\362\360\243\232\255\222DX\326\313\200\2\317\221\313\215\6\267\377\243KX5\2147\263\251\343\3664:\353\240\342\300\262\11\204o\245\250&\200B\225\321\332([\17\270V\340\25,\302\344\366\235H/\345h", ) \351\334\33\370\367\2512\33$\247\253\260<\311\300\16\21\359o\335Z=\35\305bXV\203\301\372\201\267g\242\360\222\22\367\362332\370\332\267\356p\252\\273&M\202\334\266\10Fp\13~yI;\332\355\252\14\236\236\254\22;5\16\236\350EybiE\276o\205\2426J ... {status=0x0, info=256}, "-\272C\357x\36\315j\272\333\362\271"\351\334\33\370\367\2512\33$\247\253\260<\311\300\16\21\359o\335Z=\35\305bXV\203\301\372\201\267g\242\360\222\22\367\362"bEP\336\364P\10\375\314[$g\24\262\202\343t\364\31#\207h\317\231f\351\337\330\343)\3570\10\363\363\231\300\254h\250\327\u\24\233\273>\20\32\362\10\344\271\341{\207\353\227\17\365\357\250\21\4 \264e\374\252\5P\3441\335}z)e\305\32\\305\201\330D\267\311\361\374\377M\362\360\243\232\255\222DX\326\313\200\2\317\221\313\215\6\267\377\243KX5\2147\263\251\343\3664:\353\240\342\300\262\11\204o\245\250&\200B\225\321\332([\17\270V\340\25,\302\344\366\235H/\345h", ) , ) == 0x0
 01976  1420   NtTestAlert  ... ) == 0x0
 01977   760   NtAllocateVirtualMemory  ... 52486144, 8192, ) == 0x0
 01978  1480   NtDeviceIoControlFile  (328, 0, 0x0, 0x0, 0x390008,  (328, 0, 0x0, 0x0, 0x390008, "\371\354\334\236\31$\31\240>[\27\236\314\362\342M y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264\240\210 y\354\35\264J\235Tp`\342^\232\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01979  1420   NtContinue  (51445040, 1, ...
 01980   760   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ...
 01981  1480   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01982  1420   NtRegisterThreadTerminatePort  (24, ...
 01980   760   NtProtectVirtualMemory  ... (0x320e000), 4096, 4, ) == 0x0
 01981  1480   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01982  1420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01983   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01984  1480   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01983   760   NtCreateThread  ... 476, {1764, 164}, ) == 0x0
 01985  1420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01984  1480   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01985  1420   NtDuplicateObject  ... 480, ) == 0x0
 01986  1480   NtQuerySystemInformation  (Performance, 312, ...
 01987  1420   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01986  1480   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01987  1420   NtWaitForSingleObject  ... ) == 0x102
 01988  1480   NtQuerySystemInformation  (Exception, 16, ...
 01989  1420   NtWaitForSingleObject  (160, 0, 0x0, ...
 01988  1480   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01990   760   NtQueryInformationThread  (476, Basic, 28, ...
 01991  1480   NtQuerySystemInformation  (Lookaside, 32, ...
 01990   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1764,Tid=164,}, 0x0, ) == 0x0
 01992   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58043, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\6\0\0\244\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\6\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58044, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\6\0\0\244\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\6\0\0\244\0\0\0" )  ) == 0x0
 01993   760   NtResumeThread  (476, ... 1, ) == 0x0
 01994   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52494336, 1048576, ) == 0x0
 01995   760   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ... 53534720, 8192, ) == 0x0
 01996   760   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ...
 01991  1480   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01997   164   NtTestAlert  (...
 01998  1480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01997   164   NtTestAlert  ... ) == 0x0
 01998  1480   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01999   164   NtContinue  (52493616, 1, ...
 02000  1480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02001   164   NtRegisterThreadTerminatePort  (24, ...
 02000  1480   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02001   164   NtRegisterThreadTerminatePort  ... ) == 0x0
 02002  1480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01996   760   NtProtectVirtualMemory  ... (0x330e000), 4096, 4, ) == 0x0
 02003   164   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02004   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02003   164   NtDuplicateObject  ... 484, ) == 0x0
 02004   760   NtCreateThread  ... 488, {1764, 1564}, ) == 0x0
 02005   164   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02006   760   NtQueryInformationThread  (488, Basic, 28, ...
 02005   164   NtWaitForSingleObject  ... ) == 0x102
 02006   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1764,Tid=1564,}, 0x0, ) == 0x0
 02007   164   NtWaitForSingleObject  (160, 0, 0x0, ...
 02008   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58044, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\6\0\0\34\6\0\0" ...  ...
 02002  1480   NtCreateKey  ... -2147482132, 2, ) == 0x0
 02009  1480   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\365\212\207\205\203\221|"5!\11\354l\16Vj\247IK\252\230\21\342`z\313v\334\346(\370C\222B\337}k\255\301+\220\302\227!\353E\246V\332wnK\250\213W\271\264\201ID8\312*68\270\375\335L\3214F\345\267\23IT\332n ", 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "\365\212\207\205\203\221|"5!\11\354l\16Vj\247IK\252\230\21\342`z\313v\334\346(\370C\222B\337}k\255\301+\220\302\227!\353E\246V\332wnK\250\213W\271\264\201ID8\312*68\270\375\335L\3214F\345\267\23IT\332n ", 80, ... ) 5!\11\354l\16Vj\247IK\252\230\21\342`z\313v\334\346(\370C\222B\337}k\255\301+\220\302\227!\353E\246V\332wnK\250\213W\271\264\201ID8\312*68\270\375\335L\3214F\345\267\23IT\332n ", 80, ... ) == 0x0
 02010  1480   NtClose  (-2147482132, ... ) == 0x0
 01978  1480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "i\30\351\332?\30\353\1<\356\225A\356\303L\273\252\316\1\302\337d\t\22\251\325?\32y\21{ok\314b\315\375y\354Uv\306\301\245(\231f\354\326%\265F\234\304\3514R?!1\250\312\323@\31\237Nw\216\207\325\361\3112\360uR\216\335\340\22\2\375^:\371;D\244\241\12\354`\275\13\360\220\215h<)J\36\310\303\371\21%x,\316\317\371\301'a\212\234\306\23_\245\304\206rpJ\365\220\271\300\223\335\266:\330i\314\205\360\361\215\200\326\370i& \256\253\211\310C\217\365\335\335\265\246\\224__\355\316\13\372\221\202\270\245\320\221\336@y\270\272\2\3431\26\347\16\242\343\3552\301p\213\276T\317t\0\247\25\321\325\303H\300\315\12\304NP\342\20\24}\333\336)G\6\377~\272\243A\332\270\213\6#W\202@\20\3701\203Di\223\312\31Z\254\364c8\324\230\206P\265"ifm", ) ifm", ) == 0x0
 02011  1480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 492, ) == 0x0
 02012  1480   NtSetEventBoostPriority  (400, ...
 01795  1292   NtWaitForSingleObject  ... ) == 0x0
 02013  1292   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 02014  1292   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 02015  1292   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 496, ) == 0x0
 02016  1292   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... 500, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... 500, 0x0, 0x0, 0x0, 188, ) == 0x0
 02012  1480   NtSetEventBoostPriority  ... ) == 0x0
 02008   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58046, 0}  ... {28, 56, reply, 0, 1764, 760, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\6\0\0\34\6\0\0" )  ) == 0x0
 02017  1480   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789420, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789420, 188, ...
 02018   760   NtResumeThread  (488, ... 1, ) == 0x0
 02019   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53542912, 1048576, ) == 0x0
 02020   760   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ... 54583296, 8192, ) == 0x0
 02021   760   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ... (0x340e000), 4096, 4, ) == 0x0
 02022   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {1764, 1592}, ) == 0x0
 02023  1292   NtRequestWaitReplyPort  (500, {200, 224, new_msg, 0, 2883626, 1363432, 12, 2}  (500, {200, 224, new_msg, 0, 2883626, 1363432, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0"\320\340}Mg\302\354PR\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0(R\25\0a\22\225\20x\1\24\0HR\25\0h\1\24\0\0\0\0\0\0\0\0\0HR\25\0P\0\0\0PR\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... \320\340}Mg\302\354PR\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0(R\25\0a\22\225\20x\1\24\0HR\25\0h\1\24\0\0\0\0\0\0\0\0\0HR\25\0P\0\0\0PR\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...
 02024  1564   NtTestAlert  (... ) == 0x0
 02025  1564   NtContinue  (53542192, 1, ...
 02026  1564   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02023  1292   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1764, 1292, 58048, 0}  ... {200, 224, reply, 0, 1764, 1292, 58048, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0"\320\340}Mg\302\354PR\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0(R\25\0a\22\225\20x\1\24\0HR\25\0h\1\24\0\0\0\0\0\0\0\0\0HR\25\0P\0\0\0PR\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \320\340}Mg\302\354PR\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0(R\25\0a\22\225\20x\1\24\0HR\25\0h\1\24\0\0\0\0\0\0\0\0\0HR\25\0P\0\0\0PR\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) == 0x0
 02027   760   NtQueryInformationThread  (504, Basic, 28, ...
 02017  1480   NtConnectPort  ... 508, 0x0, 0x0, 0x0, 188, ) == 0x0
 02028  1292   NtRequestWaitReplyPort  (500, {44, 68, new_msg, 56, 0, 0, 0, 0}  (500, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\0T\25\0\322\0\0\0" ...  ...
 02027   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1764,Tid=1592,}, 0x0, ) == 0x0
 02029  1480   NtRequestWaitReplyPort  (508, {200, 224, new_msg, 0, 1329576, 12, 2, 1310721}  (508, {200, 224, new_msg, 0, 1329576, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0%<\347\240\353\356c\376\240R\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\270;\25\0\340\300\266+x\1\24\0\230R\25\0h\1\24\0\0\0\0\0\0\0\0\0\230R\25\0P\0\0\0\240R\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\360\0\372\31\221|\200\363\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02030   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58046, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\6\0\08\6\0\0" ...  ...
 02028  1292   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1764, 1292, 58049, 0}  ... {40, 64, reply, 0, 1764, 1292, 58049, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\362\367\370\37`\300l\353\362\367X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02030   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58051, 0}  ... {28, 56, reply, 0, 1764, 760, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\6\0\08\6\0\0" )  ) == 0x0
 02031  1564   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02029  1480   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1764, 1480, 58050, 0}  ... {200, 224, reply, 0, 1764, 1480, 58050, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0%<\347\240\353\356c\376\240R\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\270;\25\0\340\300\266+x\1\24\0\230R\25\0h\1\24\0\0\0\0\0\0\0\0\0\230R\25\0P\0\0\0\240R\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\360\0\372\31\221|\200\363\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02032   760   NtResumeThread  (504, ...
 02031  1564   NtDuplicateObject  ... 512, ) == 0x0
 02033  1480   NtRequestWaitReplyPort  (508, {44, 68, new_msg, 0, 1764, 1480, 58029, 0}  (508, {44, 68, new_msg, 0, 1764, 1480, 58029, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02034  1292   NtRequestWaitReplyPort  (500, {64, 88, new_msg, 56, 1310720, 11596276, 1397752, 0}  (500, {64, 88, new_msg, 56, 1310720, 11596276, 1397752, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0XU\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02035  1564   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 02036  1564   NtWaitForSingleObject  (160, 0, 0x0, ...
 02034  1292   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1764, 1292, 58053, 0}  ... {64, 88, reply, 56, 1764, 1292, 58053, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0XU\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02032   760   NtResumeThread  ... 1, ) == 0x0
 02033  1480   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1764, 1480, 58052, 0}  ... {40, 64, reply, 0, 1764, 1480, 58052, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02037  1292   NtRequestWaitReplyPort  (500, {44, 68, new_msg, 56, 1764, 1292, 58049, 0}  (500, {44, 68, new_msg, 56, 1764, 1292, 58049, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\362\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\0T\25\0\322\0\0\0" ...  ...
 02038   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02039  1480   NtRequestWaitReplyPort  (508, {64, 88, new_msg, 56, 1377928, 15789932, 15790032, 0}  (508, {64, 88, new_msg, 56, 1377928, 15789932, 15790032, 0} "\10\357\360\0@\0\25\0\346\277\347w\320\357\360\0l\357\360\0\20\0\0\0\250.\362v\374\6\25\0\1\0\0\0\330]\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\320\363\24\0" ...  ...
 02038   760   NtAllocateVirtualMemory  ... 54591488, 1048576, ) == 0x0
 02040   760   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ... 55631872, 8192, ) == 0x0
 02041   760   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ...
 02039  1480   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1764, 1480, 58055, 0}  ... {64, 88, reply, 56, 1764, 1480, 58055, 0} "\10\357\360\0@\0\25\0\346\277\347w\320\357\360\0l\357\360\0\20\0\0\0\250.\362v\374\6\25\0\1\0\0\0\330]\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\320\363\24\0" )  ) == 0x0
 02042  1592   NtTestAlert  (...
 02037  1292   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1764, 1292, 58054, 0}  ... {40, 64, reply, 0, 1764, 1292, 58054, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02043  1480   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 02042  1592   NtTestAlert  ... ) == 0x0
 02041   760   NtProtectVirtualMemory  ... (0x350e000), 4096, 4, ) == 0x0
 02043  1480   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 02044  1592   NtContinue  (54590768, 1, ...
 02045   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02046  1292   NtWaitForSingleObject  (316, 0, 0x0, ...
 02047  1592   NtRegisterThreadTerminatePort  (24, ...
 02045   760   NtCreateThread  ... 516, {1764, 1500}, ) == 0x0
 02047  1592   NtRegisterThreadTerminatePort  ... ) == 0x0
 02048   760   NtQueryInformationThread  (516, Basic, 28, ...
 02049  1480   NtSetEventBoostPriority  (316, ...
 02048   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1764,Tid=1500,}, 0x0, ) == 0x0
 02046  1292   NtWaitForSingleObject  ... ) == 0x0
 02049  1480   NtSetEventBoostPriority  ... ) == 0x0
 02050  1292   NtRequestWaitReplyPort  (500, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (500, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\00`\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02051   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58051, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\6\0\0\334\5\0\0" ...  ...
 02052  1480   NtClose  (492, ...
 02050  1292   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1764, 1292, 58056, 0}  ... {64, 88, reply, 56, 1764, 1292, 58056, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\00`\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02053  1592   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02052  1480   NtClose  ... ) == 0x0
 02051   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58057, 0}  ... {28, 56, reply, 0, 1764, 760, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\6\0\0\334\5\0\0" )  ) == 0x0
 02053  1592   NtDuplicateObject  ... 492, ) == 0x0
 02054  1480   NtClose  (508, ...
 02055   760   NtResumeThread  (516, ...
 02056  1592   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02054  1480   NtClose  ... ) == 0x0
 02055   760   NtResumeThread  ... 1, ) == 0x0
 02056  1592   NtWaitForSingleObject  ... ) == 0x102
 02057  1292   NtRequestWaitReplyPort  (500, {44, 68, new_msg, 56, 1764, 1292, 58054, 0}  (500, {44, 68, new_msg, 56, 1764, 1292, 58054, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\0T\25\0\322\0\0\0" ...  ...
 02058  1500   NtTestAlert  (...
 02059   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02060  1592   NtWaitForSingleObject  (160, 0, 0x0, ...
 02058  1500   NtTestAlert  ... ) == 0x0
 02059   760   NtAllocateVirtualMemory  ... 55640064, 1048576, ) == 0x0
 02057  1292   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1764, 1292, 58059, 0}  ... {40, 64, reply, 0, 1764, 1292, 58059, 0} "\2V`\217\4\0zB\253\16\314\351|\34K\232T\246\347\263coB\3019x\21\332\337E\21v|\1\0\0h\236\14\0" )  ) == 0x0
 02061  1480   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02062  1500   NtContinue  (55639344, 1, ...
 02063  1292   NtRequestWaitReplyPort  (500, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (500, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\30m\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02061  1480   NtCreateKey  ... 508, 2, ) == 0x0
 02064  1500   NtRegisterThreadTerminatePort  (24, ...
 02065  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02064  1500   NtRegisterThreadTerminatePort  ... ) == 0x0
 02063  1292   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1764, 1292, 58060, 0}  ... {64, 88, reply, 56, 1764, 1292, 58060, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\30m\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02065  1480   NtOpenKey  ... 520, ) == 0x0
 02066   760   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ...
 02067  1500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02068  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02066   760   NtAllocateVirtualMemory  ... 56680448, 8192, ) == 0x0
 02067  1500   NtDuplicateObject  ... 524, ) == 0x0
 02068  1480   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   760   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ...
 02070  1500   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02071  1292   NtClose  (496, ...
 02069   760   NtProtectVirtualMemory  ... (0x360e000), 4096, 4, ) == 0x0
 02070  1500   NtWaitForSingleObject  ... ) == 0x102
 02071  1292   NtClose  ... ) == 0x0
 02072   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02073  1500   NtWaitForSingleObject  (160, 0, 0x0, ...
 02074  1292   NtClose  (500, ...
 02072   760   NtCreateThread  ... 496, {1764, 932}, ) == 0x0
 02075  1480   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02074  1292   NtClose  ... ) == 0x0
 02075  1480   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02076  1292   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02077  1480   NtQueryValueKey  (508,  (508, "Domain", Partial, 144, ... , Partial, 144, ...
 02076  1292   NtCreateEvent  ... 500, ) == 0x0
 02077  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02078   760   NtQueryInformationThread  (496, Basic, 28, ...
 02079  1480   NtQueryValueKey  (508,  (508, "Domain", Partial, 144, ... , Partial, 144, ...
 02078   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1764,Tid=932,}, 0x0, ) == 0x0
 02079  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02080   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58057, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\6\0\0\244\3\0\0" ...  ...
 02081  1292   NtOpenThreadToken  (-2, 0xc, 1, ...
 02080   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58062, 0}  ... {28, 56, reply, 0, 1764, 760, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\6\0\0\244\3\0\0" )  ) == 0x0
 02081  1292   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02082   760   NtResumeThread  (496, ...
 02083  1292   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02084  1480   NtClose  (508, ...
 02083  1292   NtCreateEvent  ... 528, ) == 0x0
 02084  1480   NtClose  ... ) == 0x0
 02085  1292   NtOpenThreadToken  (-2, 0xc, 1, ...
 02086  1480   NtClose  (520, ...
 02085  1292   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02086  1480   NtClose  ... ) == 0x0
 02082   760   NtResumeThread  ... 1, ) == 0x0
 02087  1480   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02088   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02087  1480   NtOpenKey  ... 520, ) == 0x0
 02088   760   NtAllocateVirtualMemory  ... 56688640, 1048576, ) == 0x0
 02089  1292   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02090   932   NtTestAlert  (...
 02091   760   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ...
 02089  1292   NtSetInformationThread  ... ) == 0x0
 02090   932   NtTestAlert  ... ) == 0x0
 02091   760   NtAllocateVirtualMemory  ... 57729024, 8192, ) == 0x0
 02092  1292   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11595968,  (0xc0100080, {24, 0, 0x40, 0, 11595968, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02093   932   NtContinue  (56687920, 1, ...
 02094   760   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ...
 02092  1292   NtCreateFile  ... 508, {status=0x0, info=1}, ) == 0x0
 02095   932   NtRegisterThreadTerminatePort  (24, ...
 02096  1480   NtQueryValueKey  (520,  (520, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02097  1292   NtSetInformationFile  (508, 11596024, 8, Pipe, ...
 02095   932   NtRegisterThreadTerminatePort  ... ) == 0x0
 02096  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02097  1292   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02094   760   NtProtectVirtualMemory  ... (0x370e000), 4096, 4, ) == 0x0
 02098  1480   NtClose  (520, ...
 02099   932   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02100   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02098  1480   NtClose  ... ) == 0x0
 02099   932   NtDuplicateObject  ... 520, ) == 0x0
 02100   760   NtCreateThread  ... 532, {1764, 1780}, ) == 0x0
 02101  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15789008, ... }, 15789008, ...
 02102   932   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02103   760   NtQueryInformationThread  (532, Basic, 28, ...
 02101  1480   NtQueryAttributesFile  ... ) == 0x0
 02102   932   NtWaitForSingleObject  ... ) == 0x102
 02103   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1764,Tid=1780,}, 0x0, ) == 0x0
 02104  1292   NtSetInformationFile  (508, 11596012, 8, Completion, ...
 02105   932   NtWaitForSingleObject  (160, 0, 0x0, ...
 02106   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58062, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\6\0\0\364\6\0\0" ...  ...
 02104  1292   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02107  1480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02108  1292   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02107  1480   NtOpenFile  ... 536, {status=0x0, info=1}, ) == 0x0
 02108  1292   NtSetInformationThread  ... ) == 0x0
 02109  1480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 536, ...
 02110  1292   NtWriteFile  (508, 189, 0, 0,  (508, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02109  1480   NtCreateSection  ... 540, ) == 0x0
 02110  1292   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02111  1480   NtClose  (536, ...
 02106   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58063, 0}  ... {28, 56, reply, 0, 1764, 760, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\6\0\0\364\6\0\0" )  ) == 0x0
 02111  1480   NtClose  ... ) == 0x0
 02112   760   NtResumeThread  (532, ...
 02113  1292   NtReadFile  (508, 189, 0, 0, 1024, {0, 0}, 0, ...
 02112   760   NtResumeThread  ... 1, ) == 0x0
 02113  1292   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02114   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02115  1292   NtFsControlFile  (508, 189, 0x0, 0x0, 0x11c017,  (508, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\260\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02114   760   NtAllocateVirtualMemory  ... 57737216, 1048576, ) == 0x0
 02115  1292   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02116  1480   NtMapViewOfSection  (540, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02117  1780   NtWaitForSingleObject  (132, 0, 0x0, ...
 02118  1292   NtFsControlFile  (508, 189, 0x0, 0x0, 0x11c017,  (508, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\315\15\336=\343\232\6H\216[cS\333\362\3\321\1\0\0\0\1\0\0\0&\0(\0\320o\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02116  1480   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 02118  1292   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\315\15\336=\343\232\6H\216[cS\333\362\3\321\0\0\0\0", ) , ) == 0x103
 02119  1480   NtClose  (540, ...
 02120   760   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ...
 02119  1480   NtClose  ... ) == 0x0
 02120   760   NtAllocateVirtualMemory  ... 58777600, 8192, ) == 0x0
 02121  1480   NtUnmapViewOfSection  (-1, 0x360000, ...
 02122   760   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ...
 02121  1480   NtUnmapViewOfSection  ... ) == 0x0
 02122   760   NtProtectVirtualMemory  ... (0x380e000), 4096, 4, ) == 0x0
 02123  1292   NtFsControlFile  (508, 189, 0x0, 0x0, 0x11c017,  (508, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\315\15\336=\343\232\6H\216[cS\333\362\3\321", 44, 1024, ... , 44, 1024, ...
 02124   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02123  1292   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\330k\25\0\1\0\0\0\344k\25\0 \0\0\0\1\0\0\0\30\0\32\0\360k\25\0\14l\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0(?\25\0\1\0\0\0\5\0i\08?\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02124   760   NtCreateThread  ... 540, {1764, 1804}, ) == 0x0
 02125  1292   NtClose  (528, ...
 02126  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15789316, ... }, 15789316, ...
 02125  1292   NtClose  ... ) == 0x0
 02126  1480   NtQueryAttributesFile  ... ) == 0x0
 02127  1292   NtClose  (508, ...
 02128  1480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02127  1292   NtClose  ... ) == 0x0
 02128  1480   NtOpenFile  ... 508, {status=0x0, info=1}, ) == 0x0
 02129   760   NtQueryInformationThread  (540, Basic, 28, ...
 02130  1480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 508, ...
 02129   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1764,Tid=1804,}, 0x0, ) == 0x0
 02130  1480   NtCreateSection  ... 528, ) == 0x0
 02131   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58063, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\6\0\0\14\7\0\0" ...  ...
 02132  1292   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1329576, 0x0, 11597892, 188, ... , {12, 2, 1, 1}, 0x0, 1329576, 0x0, 11597892, 188, ...
 02131   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58064, 0}  ... {28, 56, reply, 0, 1764, 760, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\6\0\0\14\7\0\0" )  ) == 0x0
 02133   760   NtResumeThread  (540, ...
 02132  1292   NtSecureConnectPort  ... 536, 0x0, 0x0, 0x0, 188, ) == 0x0
 02134  1480   NtQuerySection  (528, Image, 48, ...
 02135  1292   NtOpenThreadToken  (-2, 0xc, 1, ...
 02134  1480   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02135  1292   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02136  1480   NtClose  (508, ...
 02137  1292   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02136  1480   NtClose  ... ) == 0x0
 02133   760   NtResumeThread  ... 1, ) == 0x0
 02138  1480   NtMapViewOfSection  (528, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02139   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02138  1480   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02139   760   NtAllocateVirtualMemory  ... 58785792, 1048576, ) == 0x0
 02137  1292   NtSetInformationThread  ... ) == 0x0
 02140  1804   NtWaitForSingleObject  (132, 0, 0x0, ...
 02141   760   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ...
 02142  1292   NtRequestWaitReplyPort  (536, {200, 224, new_msg, 0, 1363432, 12, 2, 1310977}  (536, {200, 224, new_msg, 0, 1363432, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0K\1\335\5\15~\2144c`\334\311\343\260y\12\0\0\0\366\255|\177\213tm\14\0\0\0\0\240[\25\0\243RBT\303\227\4\345(\0\0\0\342\274\0!\0\0\24\0\240\366\260\0\15\15\330,\0\0\0\0PR\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02141   760   NtAllocateVirtualMemory  ... 59826176, 8192, ) == 0x0
 02143   760   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ...
 02142  1292   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1764, 1292, 58066, 0}  ... {200, 224, reply, 0, 1764, 1292, 58066, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0K\1\335\5\15~\2144c`\334\311\343\260y\12\0\0\0\366\255|\177\213tm\14\0\0\0\0\240[\25\0\243RBT\303\227\4\345(\0\0\0\342\274\0!\0\0\24\0\240\366\260\0\15\15\330,\0\0\0\0PR\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02144  1480   NtClose  (528, ...
 02145  1292   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02144  1480   NtClose  ... ) == 0x0
 02145  1292   NtSetInformationThread  ... ) == 0x0
 02146  1480   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02143   760   NtProtectVirtualMemory  ... (0x390e000), 4096, 4, ) == 0x0
 02146  1480   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02147   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02148  1480   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02147   760   NtCreateThread  ... 528, {1764, 1644}, ) == 0x0
 02148  1480   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02149   760   NtQueryInformationThread  (528, Basic, 28, ...
 02150  1292   NtRequestWaitReplyPort  (536, {56, 80, new_msg, 0, 44, 3, 20, 0}  (536, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\343\232\6H\216[cS\333\362\3\321\1\0\0\0\0\0\0\0&\0(\0d\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02149   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1764,Tid=1644,}, 0x0, ) == 0x0
 02151   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58064, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\6\0\0l\6\0\0" ...  ...
 02152  1480   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02153  1480   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02154  1480   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02155  1480   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02156  1480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 508, ) }, ... 508, ) == 0x0
 02157  1480   NtMapViewOfSection  (508, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02151   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58068, 0}  ... {28, 56, reply, 0, 1764, 760, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\6\0\0l\6\0\0" )  ) == 0x0
 02158   760   NtResumeThread  (528, ... 1, ) == 0x0
 02159   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59834368, 1048576, ) == 0x0
 02160   760   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0
 02161   760   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0
 02162   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {1764, 800}, ) == 0x0
 02163  1480   NtClose  (508, ...
 02164  1644   NtWaitForSingleObject  (132, 0, 0x0, ...
 02150  1292   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1764, 1292, 58067, 0}  ... {44, 68, reply, 0, 1764, 1292, 58067, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02163  1480   NtClose  ... ) == 0x0
 02165  1292   NtRaiseException  (11598352, 11597612, 1, ...
 02166  1480   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02167  1292   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02166  1480   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02167  1292   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02168  1480   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02169   760   NtQueryInformationThread  (544, Basic, 28, ...
 02168  1480   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02169   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1764,Tid=800,}, 0x0, ) == 0x0
 02170  1292   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02171   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58068, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\6\0\0 \3\0\0" ...  ...
 02170  1292   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02171   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58069, 0}  ... {28, 56, reply, 0, 1764, 760, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\6\0\0 \3\0\0" )  ) == 0x0
 02172  1292   NtContinue  (11596580, 0, ...
 02173   760   NtResumeThread  (544, ...
 02174  1480   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02175  1480   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02176  1480   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02173   760   NtResumeThread  ... 1, ) == 0x0
 02177   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0
 02178   760   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0
 02179   760   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 02180   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 508, {1764, 504}, ) == 0x0
 02181   760   NtQueryInformationThread  (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1764,Tid=504,}, 0x0, ) == 0x0
 02182   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58069, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\6\0\0\370\1\0\0" ...  ...
 02183  1480   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 02184   800   NtWaitForSingleObject  (132, 0, 0x0, ...
 02185  1292   NtDeviceIoControlFile  (356, 136, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02183  1480   NtFlushInstructionCache  ... ) == 0x0
 02185  1292   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02186  1480   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02187  1292   NtWaitForSingleObject  (136, 1, {-5000000, -1}, ...
 02186  1480   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02188  1480   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02189  1480   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02190  1480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02191  1480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 548, ) == 0x0
 02182   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58070, 0}  ... {28, 56, reply, 0, 1764, 760, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\6\0\0\370\1\0\0" )  ) == 0x0
 02192   760   NtResumeThread  (508, ... 1, ) == 0x0
 02193   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61931520, 1048576, ) == 0x0
 02194   760   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ... 62971904, 8192, ) == 0x0
 02195   760   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ... (0x3c0e000), 4096, 4, ) == 0x0
 02196   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {1764, 888}, ) == 0x0
 02197  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ...
 02198   504   NtWaitForSingleObject  (132, 0, 0x0, ...
 02197  1480   NtOpenKey  ... 556, ) == 0x0
 02199  1480   NtQueryValueKey  (556,  (556, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (556, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02200  1480   NtClose  (556, ... ) == 0x0
 02201  1480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202  1480   NtQueryPerformanceCounter  (... {937021793, 10}, {3579545, 0}, ) == 0x0
 02203  1480   NtSetEventBoostPriority  (132, ...
 02117  1780   NtWaitForSingleObject  ... ) == 0x0
 02204  1780   NtSetEventBoostPriority  (132, ...
 02140  1804   NtWaitForSingleObject  ... ) == 0x0
 02205  1804   NtSetEventBoostPriority  (132, ...
 02164  1644   NtWaitForSingleObject  ... ) == 0x0
 02206  1644   NtSetEventBoostPriority  (132, ...
 02184   800   NtWaitForSingleObject  ... ) == 0x0
 02207   800   NtSetEventBoostPriority  (132, ...
 02198   504   NtWaitForSingleObject  ... ) == 0x0
 02208   504   NtTestAlert  (... ) == 0x0
 02207   800   NtSetEventBoostPriority  ... ) == 0x0
 02206  1644   NtSetEventBoostPriority  ... ) == 0x0
 02205  1804   NtSetEventBoostPriority  ... ) == 0x0
 02204  1780   NtSetEventBoostPriority  ... ) == 0x0
 02203  1480   NtSetEventBoostPriority  ... ) == 0x0
 02209   760   NtQueryInformationThread  (552, Basic, 28, ...
 02210   504   NtContinue  (61930800, 1, ...
 02211   800   NtTestAlert  (...
 02212  1644   NtTestAlert  (...
 02213  1804   NtTestAlert  (...
 02214  1780   NtTestAlert  (...
 02209   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1764,Tid=888,}, 0x0, ) == 0x0
 02215   504   NtRegisterThreadTerminatePort  (24, ...
 02211   800   NtTestAlert  ... ) == 0x0
 02212  1644   NtTestAlert  ... ) == 0x0
 02213  1804   NtTestAlert  ... ) == 0x0
 02214  1780   NtTestAlert  ... ) == 0x0
 02216   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58070, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\6\0\0x\3\0\0" ...  ...
 02215   504   NtRegisterThreadTerminatePort  ... ) == 0x0
 02217   800   NtContinue  (60882224, 1, ...
 02218  1644   NtContinue  (59833648, 1, ...
 02219  1804   NtContinue  (58785072, 1, ...
 02220  1780   NtContinue  (57736496, 1, ...
 02216   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58071, 0}  ... {28, 56, reply, 0, 1764, 760, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\6\0\0x\3\0\0" )  ) == 0x0
 02221   504   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02222   800   NtRegisterThreadTerminatePort  (24, ...
 02223  1644   NtRegisterThreadTerminatePort  (24, ...
 02224  1804   NtRegisterThreadTerminatePort  (24, ...
 02225  1780   NtRegisterThreadTerminatePort  (24, ...
 02226   760   NtResumeThread  (552, ...
 02221   504   NtDuplicateObject  ... 556, ) == 0x0
 02222   800   NtRegisterThreadTerminatePort  ... ) == 0x0
 02223  1644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02224  1804   NtRegisterThreadTerminatePort  ... ) == 0x0
 02225  1780   NtRegisterThreadTerminatePort  ... ) == 0x0
 02227  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15789008, ... }, 15789008, ...
 02228   504   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02229   800   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02230  1644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02231  1804   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02232  1780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02227  1480   NtQueryAttributesFile  ... ) == 0x0
 02226   760   NtResumeThread  ... 1, ) == 0x0
 02228   504   NtWaitForSingleObject  ... ) == 0x102
 02233   888   NtWaitForSingleObject  (132, 0, 0x0, ...
 02229   800   NtDuplicateObject  ... 560, ) == 0x0
 02230  1644   NtDuplicateObject  ... 564, ) == 0x0
 02231  1804   NtDuplicateObject  ... 568, ) == 0x0
 02234  1480   NtSetEventBoostPriority  (132, ...
 02235   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02236   504   NtWaitForSingleObject  (160, 0, 0x0, ...
 02237   800   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02238  1644   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02239  1804   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02233   888   NtWaitForSingleObject  ... ) == 0x0
 02234  1480   NtSetEventBoostPriority  ... ) == 0x0
 02235   760   NtAllocateVirtualMemory  ... 62980096, 1048576, ) == 0x0
 02237   800   NtWaitForSingleObject  ... ) == 0x102
 02238  1644   NtWaitForSingleObject  ... ) == 0x102
 02240   888   NtTestAlert  (...
 02239  1804   NtWaitForSingleObject  ... ) == 0x102
 02241  1480   NtQuerySystemInformation  (Basic, 44, ...
 02242   760   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ...
 02243   800   NtWaitForSingleObject  (160, 0, 0x0, ...
 02240   888   NtTestAlert  ... ) == 0x0
 02244  1644   NtWaitForSingleObject  (160, 0, 0x0, ...
 02245  1804   NtWaitForSingleObject  (160, 0, 0x0, ...
 02241  1480   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02242   760   NtAllocateVirtualMemory  ... 64020480, 8192, ) == 0x0
 02232  1780   NtDuplicateObject  ... 572, ) == 0x0
 02246   888   NtContinue  (62979376, 1, ...
 02247   760   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ...
 02248  1780   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02249   888   NtRegisterThreadTerminatePort  (24, ...
 02250  1480   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02248  1780   NtWaitForSingleObject  ... ) == 0x102
 02249   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 02250  1480   NtAllocateVirtualMemory  ... 3538944, 65536, ) == 0x0
 02251  1780   NtWaitForSingleObject  (160, 0, 0x0, ...
 02252   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02253  1480   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ...
 02252   888   NtDuplicateObject  ... 576, ) == 0x0
 02253  1480   NtAllocateVirtualMemory  ... 3538944, 4096, ) == 0x0
 02254   888   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02255  1480   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ...
 02247   760   NtProtectVirtualMemory  ... (0x3d0e000), 4096, 4, ) == 0x0
 02255  1480   NtAllocateVirtualMemory  ... 3543040, 8192, ) == 0x0
 02256   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02254   888   NtWaitForSingleObject  ... ) == 0x102
 02256   760   NtCreateThread  ... 580, {1764, 1392}, ) == 0x0
 02257   888   NtWaitForSingleObject  (160, 0, 0x0, ...
 02258   760   NtQueryInformationThread  (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1764,Tid=1392,}, 0x0, ) == 0x0
 02259   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58071, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\6\0\0p\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\6\0\0p\5\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58072, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\6\0\0p\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\6\0\0p\5\0\0" )  ) == 0x0
 02260   760   NtResumeThread  (580, ... 1, ) == 0x0
 02261   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0
 02262  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15789008, ... }, 15789008, ...
 02263  1392   NtWaitForSingleObject  (132, 0, 0x0, ...
 02262  1480   NtQueryAttributesFile  ... ) == 0x0
 02264  1480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 584, {status=0x0, info=1}, ) }, 5, 96, ... 584, {status=0x0, info=1}, ) == 0x0
 02265  1480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 584, ... 588, ) == 0x0
 02266  1480   NtClose  (584, ... ) == 0x0
 02267  1480   NtMapViewOfSection  (588, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 110592, ) == 0x0
 02268  1480   NtClose  (588, ... ) == 0x0
 02269   760   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0
 02270   760   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0
 02271   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1764, 2020}, ) == 0x0
 02272   760   NtQueryInformationThread  (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1764,Tid=2020,}, 0x0, ) == 0x0
 02273   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58072, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58073, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\6\0\0\344\7\0\0" )  ) == 0x0
 02274   760   NtResumeThread  (588, ...
 02275  1480   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 02276  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15789316, ... ) }, 15789316, ... ) == 0x0
 02277  1480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 584, {status=0x0, info=1}, ) }, 5, 96, ... 584, {status=0x0, info=1}, ) == 0x0
 02278  1480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 584, ... 592, ) == 0x0
 02279  1480   NtQuerySection  (592, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02280  1480   NtClose  (584, ... ) == 0x0
 02274   760   NtResumeThread  ... 1, ) == 0x0
 02281   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 65077248, 1048576, ) == 0x0
 02282   760   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ... 66117632, 8192, ) == 0x0
 02283   760   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ... (0x3f0e000), 4096, 4, ) == 0x0
 02284   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1764, 740}, ) == 0x0
 02285   760   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1764,Tid=740,}, 0x0, ) == 0x0
 02286   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58073, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\6\0\0\344\2\0\0" ...  ...
 02287  1480   NtMapViewOfSection  (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02288  2020   NtWaitForSingleObject  (132, 0, 0x0, ...
 02287  1480   NtMapViewOfSection  ... (0x751d0000), 0x0, 122880, ) == 0x0
 02289  1480   NtClose  (592, ... ) == 0x0
 02290  1480   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02291  1480   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02292  1480   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02293  1480   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02286   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58074, 0}  ... {28, 56, reply, 0, 1764, 760, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\6\0\0\344\2\0\0" )  ) == 0x0
 02294   760   NtResumeThread  (584, ... 1, ) == 0x0
 02295   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0
 02296   760   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0
 02297   760   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0
 02298   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1764, 1676}, ) == 0x0
 02299  1480   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02300   740   NtWaitForSingleObject  (132, 0, 0x0, ...
 02299  1480   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02301  1480   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02302  1480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303  1480   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 02304  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15788492, ... }, 15788492, ...
 02305   760   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1764,Tid=1676,}, 0x0, ) == 0x0
 02306   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58074, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58075, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\6\0\0\214\6\0\0" )  ) == 0x0
 02307   760   NtResumeThread  (592, ... 1, ) == 0x0
 02308   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67174400, 1048576, ) == 0x0
 02309   760   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0
 02310   760   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ...
 02311  1676   NtWaitForSingleObject  (132, 0, 0x0, ...
 02310   760   NtProtectVirtualMemory  ... (0x410e000), 4096, 4, ) == 0x0
 02312   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1764, 496}, ) == 0x0
 02313   760   NtQueryInformationThread  (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1764,Tid=496,}, 0x0, ) == 0x0
 02314   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58075, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\6\0\0\360\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\6\0\0\360\1\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58076, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\6\0\0\360\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\6\0\0\360\1\0\0" )  ) == 0x0
 02315   760   NtResumeThread  (596, ... 1, ) == 0x0
 02316   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0
 02304  1480   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02317   496   NtWaitForSingleObject  (132, 0, 0x0, ...
 02318  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15788492, ... ) }, 15788492, ... ) == 0x0
 02319  1480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 600, {status=0x0, info=1}, ) }, 5, 96, ... 600, {status=0x0, info=1}, ) == 0x0
 02320  1480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 600, ... 604, ) == 0x0
 02321  1480   NtQuerySection  (604, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02322  1480   NtClose  (600, ... ) == 0x0
 02323  1480   NtMapViewOfSection  (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02324   760   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0
 02325   760   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0
 02326   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1764, 432}, ) == 0x0
 02327   760   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1764,Tid=432,}, 0x0, ) == 0x0
 02328   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58076, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\6\0\0\260\1\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58077, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\6\0\0\260\1\0\0" )  ) == 0x0
 02329   760   NtResumeThread  (600, ...
 02323  1480   NtMapViewOfSection  ... (0x77920000), 0x0, 995328, ) == 0x0
 02330  1480   NtClose  (604, ... ) == 0x0
 02331  1480   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02332  1480   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02333  1480   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02334  1480   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02335  1480   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02329   760   NtResumeThread  ... 1, ) == 0x0
 02336   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69271552, 1048576, ) == 0x0
 02337   760   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0
 02338   760   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02339   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1764, 1332}, ) == 0x0
 02340   760   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1764,Tid=1332,}, 0x0, ) == 0x0
 02341   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58077, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\6\0\04\5\0\0" ...  ...
 02335  1480   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02342   432   NtWaitForSingleObject  (132, 0, 0x0, ...
 02343  1480   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02344  1480   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02345  1480   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02346  1480   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02347  1480   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02348  1480   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02341   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58078, 0}  ... {28, 56, reply, 0, 1764, 760, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\6\0\04\5\0\0" )  ) == 0x0
 02349   760   NtResumeThread  (604, ... 1, ) == 0x0
 02350   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0
 02351   760   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0
 02352   760   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0
 02353   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1764, 1328}, ) == 0x0
 02348  1480   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02354  1332   NtWaitForSingleObject  (132, 0, 0x0, ...
 02355  1480   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02356  1480   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02357  1480   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02358  1480   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02359  1480   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02360  1480   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02361   760   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1764,Tid=1328,}, 0x0, ) == 0x0
 02362   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58078, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\6\0\00\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\6\0\00\5\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58079, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\6\0\00\5\0\0" ... {28, 56, reply, 0, 1764, 760, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\6\0\00\5\0\0" )  ) == 0x0
 02363   760   NtResumeThread  (608, ... 1, ) == 0x0
 02364   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 71368704, 1048576, ) == 0x0
 02365   760   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ... 72409088, 8192, ) == 0x0
 02366   760   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ...
 02360  1480   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02367  1328   NtWaitForSingleObject  (132, 0, 0x0, ...
 02368  1480   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02369  1480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02370  1480   NtAllocateVirtualMemory  (-1, 3629056, 0, 4096, 4096, 4, ... 3629056, 4096, ) == 0x0
 02371  1480   NtQueryDefaultUILanguage  (2090319928, ...
 02372  1480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02373  1480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482132, ) == 0x0
 02366   760   NtProtectVirtualMemory  ... (0x450e000), 4096, 4, ) == 0x0
 02374   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1764, 752}, ) == 0x0
 02375   760   NtQueryInformationThread  (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1764,Tid=752,}, 0x0, ) == 0x0
 02376   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58079, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\6\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58080, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\6\0\0\360\2\0\0" )  ) == 0x0
 02377   760   NtResumeThread  (612, ... 1, ) == 0x0
 02378   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0
 02379  1480   NtQueryInformationToken  (-2147482132, User, 80, ...
 02380   752   NtWaitForSingleObject  (132, 0, 0x0, ...
 02379  1480   NtQueryInformationToken  ... {token info, class 1, size 36}, 36, ) == 0x0
 02381  1480   NtClose  (-2147482132, ... ) == 0x0
 02382  1480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 02383  1480   NtOpenKey  (0x80000000, {24, -2147482132, 0x240, 0, 0,  (0x80000000, {24, -2147482132, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02384  1480   NtOpenKey  (0x80000000, {24, -2147482132, 0x640, 0, 0,  (0x80000000, {24, -2147482132, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481468, ) }, ... -2147481468, ) == 0x0
 02385  1480   NtQueryValueKey  (-2147481468,  (-2147481468, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02386   760   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0
 02387   760   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0
 02388   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1764, 120}, ) == 0x0
 02389   760   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1764,Tid=120,}, 0x0, ) == 0x0
 02390   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58080, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58081, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\6\0\0x\0\0\0" )  ) == 0x0
 02391   760   NtResumeThread  (616, ...
 02392  1480   NtClose  (-2147481468, ... ) == 0x0
 02393  1480   NtClose  (-2147482132, ... ) == 0x0
 02371  1480   NtQueryDefaultUILanguage  ... ) == 0x0
 02394  1480   NtAllocateVirtualMemory  (-1, 15777792, 0, 4096, 4096, 260, ... 15777792, 4096, ) == 0x0
 02395  1480   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02396  1480   NtQueryDefaultLocale  (1, 15789212, ... ) == 0x0
 02397  1480   NtQueryInformationProcess  (-1, Wow64, 4, ...
 02391   760   NtResumeThread  ... 1, ) == 0x0
 02398   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73465856, 1048576, ) == 0x0
 02399   760   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0
 02400   760   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0
 02401   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1764, 1732}, ) == 0x0
 02402   760   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1764,Tid=1732,}, 0x0, ) == 0x0
 02403   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58081, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\6\0\0\304\6\0\0" ...  ...
 02397  1480   NtQueryInformationProcess  ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02404   120   NtWaitForSingleObject  (132, 0, 0x0, ...
 02405  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 624, ) }, ... 624, ) == 0x0
 02406  1480   NtQueryValueKey  (624,  (624, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (624, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02407  1480   NtClose  (624, ... ) == 0x0
 02408  1480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 624, ) == 0x0
 02409  1480   NtCallbackReturn  (0, 0, 0, ...
 02410  1480   NtUserGetProcessWindowStation  (... ) == 0x1c
 02403   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58082, 0}  ... {28, 56, reply, 0, 1764, 760, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\6\0\0\304\6\0\0" )  ) == 0x0
 02411   760   NtResumeThread  (620, ... 1, ) == 0x0
 02412   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02413   760   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02414   760   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02415   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1764, 188}, ) == 0x0
 02416  1480   NtUserGetObjectInformation  (28, 1, 15788808, 12, 15788820, ...
 02417  1732   NtWaitForSingleObject  (132, 0, 0x0, ...
 02416  1480   NtUserGetObjectInformation  ... ) == 0x1
 02418  1480   NtOpenKey  (0xf003f, {24, 36, 0x40, 0, 0,  (0xf003f, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02419  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\WPA\PnP"}, ... 632, ) }, ... 632, ) == 0x0
 02420  1480   NtQueryValueKey  (632,  (632, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (632, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02421  1480   NtClose  (632, ... ) == 0x0
 02422  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 632, ) }, ... 632, ) == 0x0
 02423   760   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1764,Tid=188,}, 0x0, ) == 0x0
 02424   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58082, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\6\0\0\274\0\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58083, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\6\0\0\274\0\0\0" ... {28, 56, reply, 0, 1764, 760, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\6\0\0\274\0\0\0" )  ) == 0x0
 02425   760   NtResumeThread  (628, ... 1, ) == 0x0
 02426   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0
 02427   760   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0
 02428   760   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ...
 02429  1480   NtQueryValueKey  (632,  (632, "OsLoaderPath", Partial, 144, ... , Partial, 144, ...
 02430   188   NtWaitForSingleObject  (132, 0, 0x0, ...
 02429  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02431  1480   NtQueryValueKey  (632,  (632, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02432  1480   NtClose  (632, ... ) == 0x0
 02433  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 632, ) }, ... 632, ) == 0x0
 02434  1480   NtQueryValueKey  (632,  (632, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02435  1480   NtQueryValueKey  (632,  (632, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02428   760   NtProtectVirtualMemory  ... (0x490e000), 4096, 4, ) == 0x0
 02436   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1764, 1636}, ) == 0x0
 02437   760   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1764,Tid=1636,}, 0x0, ) == 0x0
 02438   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58083, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0d\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0d\6\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58084, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0d\6\0\0" ... {28, 56, reply, 0, 1764, 760, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\6\0\0d\6\0\0" )  ) == 0x0
 02439   760   NtResumeThread  (636, ... 1, ) == 0x0
 02440   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0
 02441  1480   NtClose  (632, ...
 02442  1636   NtWaitForSingleObject  (132, 0, 0x0, ...
 02441  1480   NtClose  ... ) == 0x0
 02443  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0
 02444  1480   NtQueryValueKey  (632,  (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02445  1480   NtQueryValueKey  (632,  (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02446  1480   NtClose  (632, ... ) == 0x0
 02447  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0
 02448   760   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0
 02449   760   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0
 02450   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1764, 624}, ) == 0x0
 02451   760   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1764,Tid=624,}, 0x0, ) == 0x0
 02452   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58084, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0p\2\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58085, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1764, 760, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\6\0\0p\2\0\0" )  ) == 0x0
 02453   760   NtResumeThread  (640, ...
 02454  1480   NtQueryValueKey  (632,  (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02455  1480   NtQueryValueKey  (632,  (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02456  1480   NtClose  (632, ... ) == 0x0
 02457  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0
 02458  1480   NtQueryValueKey  (632,  (632, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02459  1480   NtQueryValueKey  (632,  (632, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (632, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02453   760   NtResumeThread  ... 1, ) == 0x0
 02460   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77660160, 1048576, ) == 0x0
 02461   760   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0
 02462   760   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0
 02463   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1764, 1948}, ) == 0x0
 02464   760   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1764,Tid=1948,}, 0x0, ) == 0x0
 02465   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58085, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\6\0\0\234\7\0\0" ...  ...
 02466  1480   NtClose  (632, ...
 02467   624   NtWaitForSingleObject  (132, 0, 0x0, ...
 02466  1480   NtClose  ... ) == 0x0
 02468  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 632, ) }, ... 632, ) == 0x0
 02469  1480   NtQueryValueKey  (632,  (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02470  1480   NtQueryValueKey  (632,  (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (632, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02471  1480   NtClose  (632, ... ) == 0x0
 02472  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 632, ) }, ... 632, ) == 0x0
 02465   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58086, 0}  ... {28, 56, reply, 0, 1764, 760, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\6\0\0\234\7\0\0" )  ) == 0x0
 02473   760   NtResumeThread  (644, ... 1, ) == 0x0
 02474   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02475   760   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02476   760   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0
 02477   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1764, 468}, ) == 0x0
 02478  1480   NtQueryValueKey  (632,  (632, "DevicePath", Partial, 144, ... , Partial, 144, ...
 02479  1948   NtWaitForSingleObject  (132, 0, 0x0, ...
 02478  1480   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 02480  1480   NtQueryValueKey  (632,  (632, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (632, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02481  1480   NtClose  (632, ... ) == 0x0
 02482  1480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 632, ) == 0x0
 02483  1480   NtCreateMutant  (0x1f0001, 0x0, 0, ... 652, ) == 0x0
 02484  1480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 656, ) == 0x0
 02485   760   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1764,Tid=468,}, 0x0, ) == 0x0
 02486   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58086, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0\324\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0\324\1\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58087, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0\324\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\6\0\0\324\1\0\0" )  ) == 0x0
 02487   760   NtResumeThread  (648, ... 1, ) == 0x0
 02488   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0
 02489   760   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02490   760   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ...
 02491  1480   NtCreateMutant  (0x1f0001, 0x0, 0, ...
 02492   468   NtWaitForSingleObject  (132, 0, 0x0, ...
 02491  1480   NtCreateMutant  ... 660, ) == 0x0
 02493  1480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 664, ) == 0x0
 02494  1480   NtCreateMutant  (0x1f0001, 0x0, 0, ... 668, ) == 0x0
 02495  1480   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 672, ) }, ... 672, ) == 0x0
 02496  1480   NtQueryValueKey  (672,  (672, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (672, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02497  1480   NtQueryValueKey  (672,  (672, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (672, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02490   760   NtProtectVirtualMemory  ... (0x4d0e000), 4096, 4, ) == 0x0
 02498   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1764, 380}, ) == 0x0
 02499   760   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1764,Tid=380,}, 0x0, ) == 0x0
 02500   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58087, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58088, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1764, 760, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\6\0\0|\1\0\0" )  ) == 0x0
 02501   760   NtResumeThread  (676, ... 1, ) == 0x0
 02502   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0
 02503  1480   NtQueryValueKey  (672,  (672, "LogPath", Partial, 144, ... , Partial, 144, ...
 02504   380   NtWaitForSingleObject  (132, 0, 0x0, ...
 02503  1480   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02505  1480   NtOpenKey  (0x1, {24, 672, 0x40, 0, 0,  (0x1, {24, 672, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02506  1480   NtClose  (672, ... ) == 0x0
 02507  1480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15788724, ... ) }, 15788724, ... ) == 0x0
 02508  1480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 672, ) }, ... 672, ) == 0x0
 02509  1480   NtQueryValueKey  (672,  (672, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (672, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (672, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02510   760   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0
 02511   760   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 02512   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1764, 1792}, ) == 0x0
 02513   760   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1764,Tid=1792,}, 0x0, ) == 0x0
 02514   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58088, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\0\7\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58089, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1764, 760, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\6\0\0\0\7\0\0" )  ) == 0x0
 02515   760   NtResumeThread  (680, ...
 02516  1480   NtClose  (672, ... ) == 0x0
 02517  1480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 672, ) }, ... 672, ) == 0x0
 02518  1480   NtQueryValueKey  (672,  (672, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (672, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (672, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02519  1480   NtClose  (672, ... ) == 0x0
 02520  1480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02521  1480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 672, ) }, ... 672, ) == 0x0
 02515   760   NtResumeThread  ... 1, ) == 0x0
 02522   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81854464, 1048576, ) == 0x0
 02523   760   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0
 02524   760   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 02525   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1764, 784}, ) == 0x0
 02526   760   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1764,Tid=784,}, 0x0, ) == 0x0
 02527   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58089, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\6\0\0\20\3\0\0" ...  ...
 02528  1480   NtQueryValueKey  (672,  (672, "Domain", Full, 128, ... , Full, 128, ...
 02529  1792   NtWaitForSingleObject  (132, 0, 0x0, ...
 02528  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02530  1480   NtClose  (672, ... ) == 0x0
 02531  1480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02532  1480   NtSetEventBoostPriority  (132, ...
 02263  1392   NtWaitForSingleObject  ... ) == 0x0
 02533  1392   NtSetEventBoostPriority  (132, ...
 02288  2020   NtWaitForSingleObject  ... ) == 0x0
 02534  2020   NtSetEventBoostPriority  (132, ...
 02300   740   NtWaitForSingleObject  ... ) == 0x0
 02535   740   NtSetEventBoostPriority  (132, ...
 02311  1676   NtWaitForSingleObject  ... ) == 0x0
 02536  1676   NtSetEventBoostPriority  (132, ...
 02317   496   NtWaitForSingleObject  ... ) == 0x0
 02537   496   NtSetEventBoostPriority  (132, ...
 02342   432   NtWaitForSingleObject  ... ) == 0x0
 02538   432   NtSetEventBoostPriority  (132, ...
 02354  1332   NtWaitForSingleObject  ... ) == 0x0
 02539  1332   NtSetEventBoostPriority  (132, ...
 02367  1328   NtWaitForSingleObject  ... ) == 0x0
 02540  1328   NtSetEventBoostPriority  (132, ...
 02380   752   NtWaitForSingleObject  ... ) == 0x0
 02541   752   NtSetEventBoostPriority  (132, ...
 02404   120   NtWaitForSingleObject  ... ) == 0x0
 02542   120   NtSetEventBoostPriority  (132, ...
 02417  1732   NtWaitForSingleObject  ... ) == 0x0
 02543  1732   NtSetEventBoostPriority  (132, ...
 02430   188   NtWaitForSingleObject  ... ) == 0x0
 02544   188   NtSetEventBoostPriority  (132, ...
 02442  1636   NtWaitForSingleObject  ... ) == 0x0
 02545  1636   NtSetEventBoostPriority  (132, ...
 02467   624   NtWaitForSingleObject  ... ) == 0x0
 02546   624   NtSetEventBoostPriority  (132, ...
 02479  1948   NtWaitForSingleObject  ... ) == 0x0
 02547  1948   NtSetEventBoostPriority  (132, ...
 02492   468   NtWaitForSingleObject  ... ) == 0x0
 02548   468   NtSetEventBoostPriority  (132, ...
 02504   380   NtWaitForSingleObject  ... ) == 0x0
 02549   380   NtSetEventBoostPriority  (132, ...
 02529  1792   NtWaitForSingleObject  ... ) == 0x0
 02550  1792   NtTestAlert  (... ) == 0x0
 02549   380   NtSetEventBoostPriority  ... ) == 0x0
 02548   468   NtSetEventBoostPriority  ... ) == 0x0
 02547  1948   NtSetEventBoostPriority  ... ) == 0x0
 02546   624   NtSetEventBoostPriority  ... ) == 0x0
 02545  1636   NtSetEventBoostPriority  ... ) == 0x0
 02544   188   NtSetEventBoostPriority  ... ) == 0x0
 02543  1732   NtSetEventBoostPriority  ... ) == 0x0
 02542   120   NtSetEventBoostPriority  ... ) == 0x0
 02541   752   NtSetEventBoostPriority  ... ) == 0x0
 02540  1328   NtSetEventBoostPriority  ... ) == 0x0
 02539  1332   NtSetEventBoostPriority  ... ) == 0x0
 02538   432   NtSetEventBoostPriority  ... ) == 0x0
 02537   496   NtSetEventBoostPriority  ... ) == 0x0
 02536  1676   NtSetEventBoostPriority  ... ) == 0x0
 02535   740   NtSetEventBoostPriority  ... ) == 0x0
 02534  2020   NtSetEventBoostPriority  ... ) == 0x0
 02533  1392   NtSetEventBoostPriority  ... ) == 0x0
 02532  1480   NtSetEventBoostPriority  ... ) == 0x0
 02527   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58090, 0}  ... {28, 56, reply, 0, 1764, 760, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\6\0\0\20\3\0\0" )  ) == 0x0
 02551  1792   NtContinue  (81853744, 1, ...
 02552   380   NtTestAlert  (...
 02553   468   NtTestAlert  (...
 02554  1948   NtTestAlert  (...
 02555   624   NtTestAlert  (...
 02556  1636   NtTestAlert  (...
 02557   188   NtTestAlert  (...
 02558  1732   NtTestAlert  (...
 02559   120   NtTestAlert  (...
 02560   752   NtTestAlert  (...
 02561  1328   NtTestAlert  (...
 02562  1332   NtTestAlert  (...
 02563   432   NtTestAlert  (...
 02564   496   NtTestAlert  (...
 02565  1676   NtTestAlert  (...
 02566   740   NtTestAlert  (...
 02567  2020   NtTestAlert  (...
 02568  1480   NtSetEventBoostPriority  (160, ...
 02569   760   NtResumeThread  (684, ...
 02570  1792   NtRegisterThreadTerminatePort  (24, ...
 02552   380   NtTestAlert  ... ) == 0x0
 02553   468   NtTestAlert  ... ) == 0x0
 02554  1948   NtTestAlert  ... ) == 0x0
 02555   624   NtTestAlert  ... ) == 0x0
 02556  1636   NtTestAlert  ... ) == 0x0
 02557   188   NtTestAlert  ... ) == 0x0
 02558  1732   NtTestAlert  ... ) == 0x0
 02559   120   NtTestAlert  ... ) == 0x0
 02560   752   NtTestAlert  ... ) == 0x0
 02561  1328   NtTestAlert  ... ) == 0x0
 02562  1332   NtTestAlert  ... ) == 0x0
 02563   432   NtTestAlert  ... ) == 0x0
 02564   496   NtTestAlert  ... ) == 0x0
 02565  1676   NtTestAlert  ... ) == 0x0
 02566   740   NtTestAlert  ... ) == 0x0
 02567  2020   NtTestAlert  ... ) == 0x0
 01175  1784   NtWaitForSingleObject  ... ) == 0x0
 02568  1480   NtSetEventBoostPriority  ... ) == 0x0
 02569   760   NtResumeThread  ... 1, ) == 0x0
 02570  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02571   380   NtContinue  (80805168, 1, ...
 02572   468   NtContinue  (79756592, 1, ...
 02573  1948   NtContinue  (78708016, 1, ...
 02574   624   NtContinue  (77659440, 1, ...
 02575  1636   NtContinue  (76610864, 1, ...
 02576   188   NtContinue  (75562288, 1, ...
 02577  1732   NtContinue  (74513712, 1, ...
 02578   120   NtContinue  (73465136, 1, ...
 02579   752   NtContinue  (72416560, 1, ...
 02580  1328   NtContinue  (71367984, 1, ...
 02581  1332   NtContinue  (70319408, 1, ...
 02582   432   NtContinue  (69270832, 1, ...
 02583   496   NtContinue  (68222256, 1, ...
 02584  1676   NtContinue  (67173680, 1, ...
 02585   740   NtContinue  (66125104, 1, ...
 02586  1784   NtSetEventBoostPriority  (160, ...
 02587  2020   NtContinue  (65076528, 1, ...
 02588  1480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02589   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02590  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02591   380   NtRegisterThreadTerminatePort  (24, ...
 02592   468   NtRegisterThreadTerminatePort  (24, ...
 02593  1948   NtRegisterThreadTerminatePort  (24, ...
 02594   624   NtRegisterThreadTerminatePort  (24, ...
 02595  1636   NtRegisterThreadTerminatePort  (24, ...
 02596   188   NtRegisterThreadTerminatePort  (24, ...
 02597  1732   NtRegisterThreadTerminatePort  (24, ...
 02598   120   NtRegisterThreadTerminatePort  (24, ...
 02599   752   NtRegisterThreadTerminatePort  (24, ...
 02600  1328   NtRegisterThreadTerminatePort  (24, ...
 02601  1332   NtRegisterThreadTerminatePort  (24, ...
 02602   432   NtRegisterThreadTerminatePort  (24, ...
 02603   496   NtRegisterThreadTerminatePort  (24, ...
 02604  1676   NtRegisterThreadTerminatePort  (24, ...
 01180  1980   NtWaitForSingleObject  ... ) == 0x0
 02586  1784   NtSetEventBoostPriority  ... ) == 0x0
 02605   740   NtRegisterThreadTerminatePort  (24, ...
 02606  2020   NtRegisterThreadTerminatePort  (24, ...
 02588  1480   NtCreateEvent  ... 672, ) == 0x0
 02589   760   NtAllocateVirtualMemory  ... 82903040, 1048576, ) == 0x0
 02590  1792   NtDuplicateObject  ... 688, ) == 0x0
 02591   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02592   468   NtRegisterThreadTerminatePort  ... ) == 0x0
 02593  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 02594   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02595  1636   NtRegisterThreadTerminatePort  ... ) == 0x0
 02596   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 02597  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 02598   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02599   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02600  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 02601  1332   NtRegisterThreadTerminatePort  ... ) == 0x0
 02602   432   NtRegisterThreadTerminatePort  ... ) == 0x0
 02603   496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02607  1980   NtSetEventBoostPriority  (160, ...
 02604  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 02608  1784   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02605   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02606  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02609  1392   NtTestAlert  (...
 02610   784   NtTestAlert  (...
 02611  1480   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15789236, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15789236, 188, ...
 02612  1792   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02613   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02614   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02615  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02616   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02617  1636   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02618   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02619  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02620   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02621   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02622  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02623  1332   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02624   432   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01185  1956   NtWaitForSingleObject  ... ) == 0x0
 02607  1980   NtSetEventBoostPriority  ... ) == 0x0
 02625   496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02626  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02627   760   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ...
 02628   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02629  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02609  1392   NtTestAlert  ... ) == 0x0
 02610   784   NtTestAlert  ... ) == 0x0
 02611  1480   NtConnectPort  ... 692, 0x0, 0x0, 0x0, 188, ) == 0x0
 02608  1784   NtCreateEvent  ... 696, ) == 0x0
 02612  1792   NtWaitForSingleObject  ... ) == 0x102
 02613   380   NtDuplicateObject  ... 700, ) == 0x0
 02614   468   NtDuplicateObject  ... 704, ) == 0x0
 02615  1948   NtDuplicateObject  ... 708, ) == 0x0
 02616   624   NtDuplicateObject  ... 712, ) == 0x0
 02617  1636   NtDuplicateObject  ... 716, ) == 0x0
 02618   188   NtDuplicateObject  ... 720, ) == 0x0
 02619  1732   NtDuplicateObject  ... 724, ) == 0x0
 02620   120   NtDuplicateObject  ... 728, ) == 0x0
 02621   752   NtDuplicateObject  ... 732, ) == 0x0
 02622  1328   NtDuplicateObject  ... 736, ) == 0x0
 02623  1332   NtDuplicateObject  ... 740, ) == 0x0
 02630  1956   NtSetEventBoostPriority  (160, ...
 02624   432   NtDuplicateObject  ... 744, ) == 0x0
 02631  1980   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02625   496   NtDuplicateObject  ... 748, ) == 0x0
 02627   760   NtAllocateVirtualMemory  ... 83943424, 8192, ) == 0x0
 02626  1676   NtDuplicateObject  ... 752, ) == 0x0
 02628   740   NtDuplicateObject  ... 756, ) == 0x0
 02632  1392   NtContinue  (64027952, 1, ...
 02633   784   NtContinue  (82902320, 1, ...
 02634  1480   NtRequestWaitReplyPort  (692, {200, 224, new_msg, 0, 1381496, 12, 2, 1310721}  (692, {200, 224, new_msg, 0, 1381496, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0@v\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\251\34\327\360\26\264\317e8v\25\0h\1\24\0\12\0\0\0\0\0\0\08v\25\0(\0\0\0@v\25\0\337P\356\352x\1\24\0(\0\0\0\327\273\0\0\0\0\24\0\20\353\360\0\263\330\200\242\0\0\0\0XK\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\04\353\360\0\372\31\221|\310\362\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02635  1784   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ...
 02636  1792   NtWaitForSingleObject  (160, 0, 0x0, ...
 02637   380   NtWaitForSingleObject  (316, 0, 0x0, ...
 02638   468   NtWaitForSingleObject  (316, 0, 0x0, ...
 02639  1948   NtWaitForSingleObject  (316, 0, 0x0, ...
 02640   624   NtWaitForSingleObject  (316, 0, 0x0, ...
 02641  1636   NtWaitForSingleObject  (316, 0, 0x0, ...
 02642   188   NtWaitForSingleObject  (316, 0, 0x0, ...
 02643  1732   NtWaitForSingleObject  (316, 0, 0x0, ...
 02644   120   NtWaitForSingleObject  (316, 0, 0x0, ...
 02645   752   NtWaitForSingleObject  (316, 0, 0x0, ...
 02646  1328   NtWaitForSingleObject  (316, 0, 0x0, ...
 01253  1068   NtWaitForSingleObject  ... ) == 0x0
 02630  1956   NtSetEventBoostPriority  ... ) == 0x0
 02647  1332   NtWaitForSingleObject  (316, 0, 0x0, ...
 02648   432   NtWaitForSingleObject  (316, 0, 0x0, ...
 02631  1980   NtCreateEvent  ... 760, ) == 0x0
 02649   496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02650   760   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ...
 02651  1676   NtWaitForSingleObject  (316, 0, 0x0, ...
 02652   740   NtWaitForSingleObject  (316, 0, 0x0, ...
 02653  1392   NtRegisterThreadTerminatePort  (24, ...
 02654   784   NtRegisterThreadTerminatePort  (24, ...
 02635  1784   NtAllocateVirtualMemory  ... 1409024, 4096, ) == 0x0
 02634  1480   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1764, 1480, 58092, 0}  ... {200, 224, reply, 0, 1764, 1480, 58092, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0@v\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\251\34\327\360\26\264\317e8v\25\0h\1\24\0\12\0\0\0\0\0\0\08v\25\0(\0\0\0@v\25\0\337P\356\352x\1\24\0(\0\0\0\327\273\0\0\0\0\24\0\20\353\360\0\263\330\200\242\0\0\0\0XK\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\04\353\360\0\372\31\221|\310\362\360\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02655  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 02629  2020   NtDuplicateObject  ... 764, ) == 0x0
 02656  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 02650   760   NtProtectVirtualMemory  ... (0x500e000), 4096, 4, ) == 0x0
 02653  1392   NtRegisterThreadTerminatePort  ... ) == 0x0
 02654   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 02657  1784   NtSetEventBoostPriority  (316, ...
 02658  1956   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02659  2020   NtWaitForSingleObject  (316, 0, 0x0, ...
 02660   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02661  1392   NtWaitForSingleObject  (316, 0, 0x0, ...
 02662  1480   NtRequestWaitReplyPort  (692, {64, 88, new_msg, 0, 1764, 1480, 58052, 0}  (692, {64, 88, new_msg, 0, 1764, 1480, 58052, 0} "\1\356\0\0A\2\10\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02637   380   NtWaitForSingleObject  ... ) == 0x0
 02657  1784   NtSetEventBoostPriority  ... ) == 0x0
 02658  1956   NtCreateEvent  ... 768, ) == 0x0
 02660   760   NtCreateThread  ... 772, {1764, 1520}, ) == 0x0
 02663   784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02664   380   NtSetEventBoostPriority  (316, ...
 02665  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02666  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 02662  1480   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1764, 1480, 58093, 0}  ... {52, 76, reply, 0, 1764, 1480, 58093, 0} "\2\356Q\200\1\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02638   468   NtWaitForSingleObject  ... ) == 0x0
 02664   380   NtSetEventBoostPriority  ... ) == 0x0
 02667   760   NtQueryInformationThread  (772, Basic, 28, ...
 02668   468   NtSetEventBoostPriority  (316, ...
 02669  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 02639  1948   NtWaitForSingleObject  ... ) == 0x0
 02668   468   NtSetEventBoostPriority  ... ) == 0x0
 02667   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1764,Tid=1520,}, 0x0, ) == 0x0
 02670  1948   NtSetEventBoostPriority  (316, ...
 02671   380   NtWaitForSingleObject  (316, 0, 0x0, ...
 02640   624   NtWaitForSingleObject  ... ) == 0x0
 02670  1948   NtSetEventBoostPriority  ... ) == 0x0
 02672   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58090, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\6\0\0\360\5\0\0" ...  ...
 02673   624   NtSetEventBoostPriority  (316, ...
 02674   468   NtWaitForSingleObject  (316, 0, 0x0, ...
 02641  1636   NtWaitForSingleObject  ... ) == 0x0
 02673   624   NtSetEventBoostPriority  ... ) == 0x0
 02672   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58094, 0}  ... {28, 56, reply, 0, 1764, 760, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\6\0\0\360\5\0\0" )  ) == 0x0
 02675  1636   NtSetEventBoostPriority  (316, ...
 02676  1948   NtWaitForSingleObject  (316, 0, 0x0, ...
 02642   188   NtWaitForSingleObject  ... ) == 0x0
 02675  1636   NtSetEventBoostPriority  ... ) == 0x0
 02677   760   NtResumeThread  (772, ...
 02678   188   NtSetEventBoostPriority  (316, ...
 02679   624   NtWaitForSingleObject  (316, 0, 0x0, ...
 02680  1636   NtWaitForSingleObject  (316, 0, 0x0, ...
 02643  1732   NtWaitForSingleObject  ... ) == 0x0
 02678   188   NtSetEventBoostPriority  ... ) == 0x0
 02681  1732   NtSetEventBoostPriority  (316, ...
 02677   760   NtResumeThread  ... 1, ) == 0x0
 02644   120   NtWaitForSingleObject  ... ) == 0x0
 02681  1732   NtSetEventBoostPriority  ... ) == 0x0
 02682   120   NtSetEventBoostPriority  (316, ...
 02683   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02684   188   NtWaitForSingleObject  (316, 0, 0x0, ...
 02685  1520   NtWaitForSingleObject  (316, 0, 0x0, ...
 02645   752   NtWaitForSingleObject  ... ) == 0x0
 02682   120   NtSetEventBoostPriority  ... ) == 0x0
 02683   760   NtAllocateVirtualMemory  ... 83951616, 1048576, ) == 0x0
 02686   752   NtSetEventBoostPriority  (316, ...
 02687  1732   NtWaitForSingleObject  (316, 0, 0x0, ...
 02646  1328   NtWaitForSingleObject  ... ) == 0x0
 02686   752   NtSetEventBoostPriority  ... ) == 0x0
 02688   760   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ...
 02689  1328   NtSetEventBoostPriority  (316, ...
 02690   120   NtWaitForSingleObject  (316, 0, 0x0, ...
 02647  1332   NtWaitForSingleObject  ... ) == 0x0
 02689  1328   NtSetEventBoostPriority  ... ) == 0x0
 02688   760   NtAllocateVirtualMemory  ... 84992000, 8192, ) == 0x0
 02691  1332   NtSetEventBoostPriority  (316, ...
 02692   752   NtWaitForSingleObject  (316, 0, 0x0, ...
 02648   432   NtWaitForSingleObject  ... ) == 0x0
 02691  1332   NtSetEventBoostPriority  ... ) == 0x0
 02693   760   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ...
 02694   432   NtSetEventBoostPriority  (316, ...
 02695  1328   NtWaitForSingleObject  (316, 0, 0x0, ...
 02696  1332   NtWaitForSingleObject  (316, 0, 0x0, ...
 02649   496   NtWaitForSingleObject  ... ) == 0x0
 02694   432   NtSetEventBoostPriority  ... ) == 0x0
 02697   496   NtSetEventBoostPriority  (316, ...
 02693   760   NtProtectVirtualMemory  ... (0x510e000), 4096, 4, ) == 0x0
 02651  1676   NtWaitForSingleObject  ... ) == 0x0
 02697   496   NtSetEventBoostPriority  ... ) == 0x0
 02698  1676   NtSetEventBoostPriority  (316, ...
 02699   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02700   432   NtWaitForSingleObject  (316, 0, 0x0, ...
 02652   740   NtWaitForSingleObject  ... ) == 0x0
 02698  1676   NtSetEventBoostPriority  ... ) == 0x0
 02699   760   NtCreateThread  ... 776, {1764, 1696}, ) == 0x0
 02701   740   NtSetEventBoostPriority  (316, ...
 02702   496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02655  1068   NtWaitForSingleObject  ... ) == 0x0
 02701   740   NtSetEventBoostPriority  ... ) == 0x0
 02703   760   NtQueryInformationThread  (776, Basic, 28, ...
 02704  1068   NtSetEventBoostPriority  (316, ...
 02705  1676   NtWaitForSingleObject  (316, 0, 0x0, ...
 02656  1980   NtWaitForSingleObject  ... ) == 0x0
 02704  1068   NtSetEventBoostPriority  ... ) == 0x0
 02703   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1764,Tid=1696,}, 0x0, ) == 0x0
 02706  1980   NtSetEventBoostPriority  (316, ...
 02707   740   NtWaitForSingleObject  (316, 0, 0x0, ...
 02659  2020   NtWaitForSingleObject  ... ) == 0x0
 02706  1980   NtSetEventBoostPriority  ... ) == 0x0
 02708   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58094, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\6\0\0\240\6\0\0" ...  ...
 02709  2020   NtSetEventBoostPriority  (316, ...
 02710  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 02711  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 02661  1392   NtWaitForSingleObject  ... ) == 0x0
 02709  2020   NtSetEventBoostPriority  ... ) == 0x0
 02712  1392   NtSetEventBoostPriority  (316, ...
 02708   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58095, 0}  ... {28, 56, reply, 0, 1764, 760, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\6\0\0\240\6\0\0" )  ) == 0x0
 02663   784   NtWaitForSingleObject  ... ) == 0x0
 02713   760   NtResumeThread  (776, ...
 02714   784   NtSetEventBoostPriority  (316, ...
 02713   760   NtResumeThread  ... 1, ) == 0x0
 02666  1956   NtWaitForSingleObject  ... ) == 0x0
 02714   784   NtSetEventBoostPriority  ... ) == 0x0
 02715  1956   NtSetEventBoostPriority  (316, ...
 02716   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02665  1784   NtWaitForSingleObject  ... ) == 0x0
 02715  1956   NtSetEventBoostPriority  ... ) == 0x0
 02717   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02718  1784   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02716   760   NtAllocateVirtualMemory  ... 85000192, 1048576, ) == 0x0
 02712  1392   NtSetEventBoostPriority  ... ) == 0x0
 02719  2020   NtWaitForSingleObject  (316, 0, 0x0, ...
 02720  1696   NtWaitForSingleObject  (132, 0, 0x0, ...
 02721  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 02718  1784   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02717   784   NtDuplicateObject  ... 780, ) == 0x0
 02722  1392   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02723  1784   NtSetEventBoostPriority  (316, ...
 02724   784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02669  1480   NtWaitForSingleObject  ... ) == 0x0
 02722  1392   NtDuplicateObject  ... 784, ) == 0x0
 02725  1480   NtSetEventBoostPriority  (316, ...
 02723  1784   NtSetEventBoostPriority  ... ) == 0x0
 02726   760   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ...
 02671   380   NtWaitForSingleObject  ... ) == 0x0
 02725  1480   NtSetEventBoostPriority  ... ) == 0x0
 02727  1392   NtWaitForSingleObject  (316, 0, 0x0, ...
 02728   380   NtSetEventBoostPriority  (316, ...
 02726   760   NtAllocateVirtualMemory  ... 86040576, 8192, ) == 0x0
 02729  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02674   468   NtWaitForSingleObject  ... ) == 0x0
 02728   380   NtSetEventBoostPriority  ... ) == 0x0
 02730   760   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ...
 02731   468   NtSetEventBoostPriority  (316, ...
 02732   380   NtWaitForSingleObject  (316, 0, 0x0, ...
 02676  1948   NtWaitForSingleObject  ... ) == 0x0
 02731   468   NtSetEventBoostPriority  ... ) == 0x0
 02730   760   NtProtectVirtualMemory  ... (0x520e000), 4096, 4, ) == 0x0
 02733  1480   NtClose  (672, ...
 02734  1948   NtSetEventBoostPriority  (316, ...
 02735   468   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02736   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02679   624   NtWaitForSingleObject  ... ) == 0x0
 02734  1948   NtSetEventBoostPriority  ... ) == 0x0
 02733  1480   NtClose  ... ) == 0x0
 02737   624   NtSetEventBoostPriority  (316, ...
 02736   760   NtCreateThread  ... 672, {1764, 1744}, ) == 0x0
 02738  1948   NtWaitForSingleObject  (316, 0, 0x0, ...
 02680  1636   NtWaitForSingleObject  ... ) == 0x0
 02737   624   NtSetEventBoostPriority  ... ) == 0x0
 02739  1480   NtClose  (692, ...
 02735   468   NtWaitForSingleObject  ... ) == 0x102
 02740   760   NtQueryInformationThread  (672, Basic, 28, ...
 02741  1636   NtSetEventBoostPriority  (316, ...
 02742   624   NtWaitForSingleObject  (316, 0, 0x0, ...
 02739  1480   NtClose  ... ) == 0x0
 02743   468   NtWaitForSingleObject  (160, 0, 0x0, ...
 02684   188   NtWaitForSingleObject  ... ) == 0x0
 02741  1636   NtSetEventBoostPriority  ... ) == 0x0
 02740   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1764,Tid=1744,}, 0x0, ) == 0x0
 02744  1480   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02745   188   NtSetEventBoostPriority  (316, ...
 02746  1636   NtWaitForSingleObject  (316, 0, 0x0, ...
 02747   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58095, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\6\0\0\320\6\0\0" ...  ...
 02685  1520   NtWaitForSingleObject  ... ) == 0x0
 02745   188   NtSetEventBoostPriority  ... ) == 0x0
 02744  1480   NtCreateKey  ... 692, 2, ) == 0x0
 02748  1520   NtSetEventBoostPriority  (316, ...
 02747   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58097, 0}  ... {28, 56, reply, 0, 1764, 760, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\6\0\0\320\6\0\0" )  ) == 0x0
 02749   188   NtWaitForSingleObject  (316, 0, 0x0, ...
 02687  1732   NtWaitForSingleObject  ... ) == 0x0
 02748  1520   NtSetEventBoostPriority  ... ) == 0x0
 02750   760   NtResumeThread  (672, ...
 02751  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02752  1732   NtSetEventBoostPriority  (316, ...
 02753  1520   NtSetEventBoostPriority  (132, ...
 02690   120   NtWaitForSingleObject  ... ) == 0x0
 02752  1732   NtSetEventBoostPriority  ... ) == 0x0
 02751  1480   NtOpenKey  ... 788, ) == 0x0
 02754   120   NtSetEventBoostPriority  (316, ...
 02720  1696   NtWaitForSingleObject  ... ) == 0x0
 02753  1520   NtSetEventBoostPriority  ... ) == 0x0
 02755  1732   NtWaitForSingleObject  (316, 0, 0x0, ...
 02692   752   NtWaitForSingleObject  ... ) == 0x0
 02756  1696   NtTestAlert  (...
 02754   120   NtSetEventBoostPriority  ... ) == 0x0
 02757  1480   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02758  1520   NtTestAlert  (...
 02750   760   NtResumeThread  ... 1, ) == 0x0
 02759   752   NtSetEventBoostPriority  (316, ...
 02756  1696   NtTestAlert  ... ) == 0x0
 02760   120   NtWaitForSingleObject  (316, 0, 0x0, ...
 02757  1480   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758  1520   NtTestAlert  ... ) == 0x0
 02695  1328   NtWaitForSingleObject  ... ) == 0x0
 02759   752   NtSetEventBoostPriority  ... ) == 0x0
 02761   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02762  1744   NtTestAlert  (...
 02763  1696   NtContinue  (84999472, 1, ...
 02764  1480   NtQueryValueKey  (692,  (692, "Hostname", Partial, 144, ... , Partial, 144, ...
 02765  1328   NtSetEventBoostPriority  (316, ...
 02766  1520   NtContinue  (83950896, 1, ...
 02767   752   NtWaitForSingleObject  (316, 0, 0x0, ...
 02761   760   NtAllocateVirtualMemory  ... 86048768, 1048576, ) == 0x0
 02762  1744   NtTestAlert  ... ) == 0x0
 02768  1696   NtRegisterThreadTerminatePort  (24, ...
 02696  1332   NtWaitForSingleObject  ... ) == 0x0
 02765  1328   NtSetEventBoostPriority  ... ) == 0x0
 02764  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02769  1520   NtRegisterThreadTerminatePort  (24, ...
 02770   760   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ...
 02771  1744   NtContinue  (86048048, 1, ...
 02772  1332   NtSetEventBoostPriority  (316, ...
 02768  1696   NtRegisterThreadTerminatePort  ... ) == 0x0
 02773  1328   NtWaitForSingleObject  (316, 0, 0x0, ...
 02774  1480   NtQueryValueKey  (692,  (692, "Hostname", Partial, 144, ... , Partial, 144, ...
 02770   760   NtAllocateVirtualMemory  ... 87089152, 8192, ) == 0x0
 02700   432   NtWaitForSingleObject  ... ) == 0x0
 02772  1332   NtSetEventBoostPriority  ... ) == 0x0
 02775  1744   NtRegisterThreadTerminatePort  (24, ...
 02776  1696   NtWaitForSingleObject  (316, 0, 0x0, ...
 02769  1520   NtRegisterThreadTerminatePort  ... ) == 0x0
 02774  1480   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02777   432   NtSetEventBoostPriority  (316, ...
 02778   760   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ...
 02779  1332   NtWaitForSingleObject  (316, 0, 0x0, ...
 02775  1744   NtRegisterThreadTerminatePort  ... ) == 0x0
 02780  1520   NtWaitForSingleObject  (316, 0, 0x0, ...
 02702   496   NtWaitForSingleObject  ... ) == 0x0
 02777   432   NtSetEventBoostPriority  ... ) == 0x0
 02781  1480   NtClose  (692, ...
 02778   760   NtProtectVirtualMemory  ... (0x530e000), 4096, 4, ) == 0x0
 02782   496   NtSetEventBoostPriority  (316, ...
 02783   432   NtWaitForSingleObject  (316, 0, 0x0, ...
 02781  1480   NtClose  ... ) == 0x0
 02705  1676   NtWaitForSingleObject  ... ) == 0x0
 02782   496   NtSetEventBoostPriority  ... ) == 0x0
 02784   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02785  1744   NtWaitForSingleObject  (316, 0, 0x0, ...
 02786  1676   NtSetEventBoostPriority  (316, ...
 02787  1480   NtClose  (788, ...
 02788   496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02784   760   NtCreateThread  ... 692, {1764, 1124}, ) == 0x0
 02707   740   NtWaitForSingleObject  ... ) == 0x0
 02786  1676   NtSetEventBoostPriority  ... ) == 0x0
 02787  1480   NtClose  ... ) == 0x0
 02789   740   NtSetEventBoostPriority  (316, ...
 02790   760   NtQueryInformationThread  (692, Basic, 28, ...
 02791  1676   NtWaitForSingleObject  (316, 0, 0x0, ...
 02710  1068   NtWaitForSingleObject  ... ) == 0x0
 02789   740   NtSetEventBoostPriority  ... ) == 0x0
 02790   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1764,Tid=1124,}, 0x0, ) == 0x0
 02792  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 02793  1068   NtSetEventBoostPriority  (316, ...
 02794   740   NtWaitForSingleObject  (316, 0, 0x0, ...
 02795   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58097, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\6\0\0d\4\0\0" ...  ...
 02711  1980   NtWaitForSingleObject  ... ) == 0x0
 02793  1068   NtSetEventBoostPriority  ... ) == 0x0
 02796  1980   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02797  1980   NtSetEventBoostPriority  (316, ...
 02798  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 02795   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58098, 0}  ... {28, 56, reply, 0, 1764, 760, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\6\0\0d\4\0\0" )  ) == 0x0
 02719  2020   NtWaitForSingleObject  ... ) == 0x0
 02797  1980   NtSetEventBoostPriority  ... ) == 0x0
 02799   760   NtResumeThread  (692, ...
 02800  2020   NtSetEventBoostPriority  (316, ...
 02801  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 02799   760   NtResumeThread  ... 1, ) == 0x0
 02721  1956   NtWaitForSingleObject  ... ) == 0x0
 02800  2020   NtSetEventBoostPriority  ... ) == 0x0
 02802  1956   NtSetEventBoostPriority  (316, ...
 02803   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02724   784   NtWaitForSingleObject  ... ) == 0x0
 02802  1956   NtSetEventBoostPriority  ... ) == 0x0
 02804  2020   NtWaitForSingleObject  (316, 0, 0x0, ...
 02805   784   NtSetEventBoostPriority  (316, ...
 02803   760   NtAllocateVirtualMemory  ... 87097344, 1048576, ) == 0x0
 02806  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 02807  1124   NtTestAlert  (...
 02727  1392   NtWaitForSingleObject  ... ) == 0x0
 02805   784   NtSetEventBoostPriority  ... ) == 0x0
 02808   760   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ...
 02809  1392   NtSetEventBoostPriority  (316, ...
 02807  1124   NtTestAlert  ... ) == 0x0
 02729  1784   NtWaitForSingleObject  ... ) == 0x0
 02809  1392   NtSetEventBoostPriority  ... ) == 0x0
 02808   760   NtAllocateVirtualMemory  ... 88137728, 8192, ) == 0x0
 02810  1784   NtSetEventBoostPriority  (316, ...
 02811  1124   NtContinue  (87096624, 1, ...
 02812  1392   NtWaitForSingleObject  (316, 0, 0x0, ...
 02732   380   NtWaitForSingleObject  ... ) == 0x0
 02810  1784   NtSetEventBoostPriority  ... ) == 0x0
 02813   760   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ...
 02814  1124   NtRegisterThreadTerminatePort  (24, ...
 02815   784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02816   380   NtSetEventBoostPriority  (316, ...
 02817  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02813   760   NtProtectVirtualMemory  ... (0x540e000), 4096, 4, ) == 0x0
 02814  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 02738  1948   NtWaitForSingleObject  ... ) == 0x0
 02816   380   NtSetEventBoostPriority  ... ) == 0x0
 02818   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02819  1948   NtSetEventBoostPriority  (316, ...
 02820   380   NtWaitForSingleObject  (316, 0, 0x0, ...
 02818   760   NtCreateThread  ... 788, {1764, 1496}, ) == 0x0
 02742   624   NtWaitForSingleObject  ... ) == 0x0
 02819  1948   NtSetEventBoostPriority  ... ) == 0x0
 02821  1124   NtWaitForSingleObject  (316, 0, 0x0, ...
 02822   624   NtSetEventBoostPriority  (316, ...
 02823  1948   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02746  1636   NtWaitForSingleObject  ... ) == 0x0
 02823  1948   NtCreateEvent  ... 792, ) == 0x0
 02824  1636   NtSetEventBoostPriority  (316, ...
 02822   624   NtSetEventBoostPriority  ... ) == 0x0
 02825   760   NtQueryInformationThread  (788, Basic, 28, ...
 02749   188   NtWaitForSingleObject  ... ) == 0x0
 02826   624   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02825   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1764,Tid=1496,}, 0x0, ) == 0x0
 02827   188   NtSetEventBoostPriority  (316, ...
 02826   624   NtCreateEvent  ... 796, ) == 0x0
 02828   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58098, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\6\0\0\330\5\0\0" ...  ...
 02755  1732   NtWaitForSingleObject  ... ) == 0x0
 02827   188   NtSetEventBoostPriority  ... ) == 0x0
 02824  1636   NtSetEventBoostPriority  ... ) == 0x0
 02829  1948   NtWaitForSingleObject  (792, 0, 0x0, ...
 02828   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58099, 0}  ... {28, 56, reply, 0, 1764, 760, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\6\0\0\330\5\0\0" )  ) == 0x0
 02830  1732   NtSetEventBoostPriority  (316, ...
 02831   188   NtWaitForSingleObject  (316, 0, 0x0, ...
 02832  1636   NtWaitForSingleObject  (792, 0, 0x0, ...
 02833   760   NtResumeThread  (788, ...
 02760   120   NtWaitForSingleObject  ... ) == 0x0
 02830  1732   NtSetEventBoostPriority  ... ) == 0x0
 02834   624   NtClose  (796, ...
 02835   120   NtSetEventBoostPriority  (316, ...
 02836  1732   NtWaitForSingleObject  (316, 0, 0x0, ...
 02834   624   NtClose  ... ) == 0x0
 02767   752   NtWaitForSingleObject  ... ) == 0x0
 02837   624   NtWaitForSingleObject  (792, 0, 0x0, ...
 02838   752   NtSetEventBoostPriority  (316, ...
 02776  1696   NtWaitForSingleObject  ... ) == 0x0
 02839  1696   NtSetEventBoostPriority  (316, ...
 02773  1328   NtWaitForSingleObject  ... ) == 0x0
 02840  1328   NtSetEventBoostPriority  (316, ...
 02779  1332   NtWaitForSingleObject  ... ) == 0x0
 02841  1332   NtSetEventBoostPriority  (316, ...
 02780  1520   NtWaitForSingleObject  ... ) == 0x0
 02842  1520   NtSetEventBoostPriority  (316, ...
 02785  1744   NtWaitForSingleObject  ... ) == 0x0
 02843  1744   NtSetEventBoostPriority  (316, ...
 02783   432   NtWaitForSingleObject  ... ) == 0x0
 02844   432   NtSetEventBoostPriority  (316, ...
 02788   496   NtWaitForSingleObject  ... ) == 0x0
 02845   496   NtSetEventBoostPriority  (316, ...
 02792  1480   NtWaitForSingleObject  ... ) == 0x0
 02846  1480   NtSetEventBoostPriority  (316, ...
 02791  1676   NtWaitForSingleObject  ... ) == 0x0
 02847  1676   NtSetEventBoostPriority  (316, ...
 02794   740   NtWaitForSingleObject  ... ) == 0x0
 02848   740   NtSetEventBoostPriority  (316, ...
 02801  1980   NtWaitForSingleObject  ... ) == 0x0
 02849  1980   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 02846  1480   NtSetEventBoostPriority  ... ) == 0x0
 02843  1744   NtSetEventBoostPriority  ... ) == 0x0
 02842  1520   NtSetEventBoostPriority  ... ) == 0x0
 02839  1696   NtSetEventBoostPriority  ... ) == 0x0
 02848   740   NtSetEventBoostPriority  ... ) == 0x0
 02847  1676   NtSetEventBoostPriority  ... ) == 0x0
 02845   496   NtSetEventBoostPriority  ... ) == 0x0
 02844   432   NtSetEventBoostPriority  ... ) == 0x0
 02841  1332   NtSetEventBoostPriority  ... ) == 0x0
 02840  1328   NtSetEventBoostPriority  ... ) == 0x0
 02838   752   NtSetEventBoostPriority  ... ) == 0x0
 02835   120   NtSetEventBoostPriority  ... ) == 0x0
 02833   760   NtResumeThread  ... 1, ) == 0x0
 02850  1480   NtWaitForSingleObject  (316, 0, 0x0, ...
 02851  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02852  1980   NtSetEventBoostPriority  (316, ...
 02853  1496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02854  1520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02855   740   NtWaitForSingleObject  (316, 0, 0x0, ...
 02856  1676   NtWaitForSingleObject  (316, 0, 0x0, ...
 02857   496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02858   432   NtWaitForSingleObject  (316, 0, 0x0, ...
 02859  1332   NtWaitForSingleObject  (316, 0, 0x0, ...
 02860  1328   NtWaitForSingleObject  (316, 0, 0x0, ...
 02861   752   NtWaitForSingleObject  (316, 0, 0x0, ...
 02862   120   NtWaitForSingleObject  (316, 0, 0x0, ...
 02863   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02864  1696   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02798  1068   NtWaitForSingleObject  ... ) == 0x0
 02852  1980   NtSetEventBoostPriority  ... ) == 0x0
 02854  1520   NtDuplicateObject  ... 796, ) == 0x0
 02863   760   NtAllocateVirtualMemory  ... 88145920, 1048576, ) == 0x0
 02865  1068   NtSetEventBoostPriority  (316, ...
 02864  1696   NtDuplicateObject  ... 800, ) == 0x0
 02866  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 02867  1520   NtWaitForSingleObject  (316, 0, 0x0, ...
 02804  2020   NtWaitForSingleObject  ... ) == 0x0
 02868   760   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ...
 02869  1696   NtWaitForSingleObject  (316, 0, 0x0, ...
 02870  2020   NtSetEventBoostPriority  (316, ...
 02868   760   NtAllocateVirtualMemory  ... 89186304, 8192, ) == 0x0
 02806  1956   NtWaitForSingleObject  ... ) == 0x0
 02871   760   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ...
 02872  1956   NtSetEventBoostPriority  (316, ...
 02870  2020   NtSetEventBoostPriority  ... ) == 0x0
 02865  1068   NtSetEventBoostPriority  ... ) == 0x0
 02851  1744   NtDuplicateObject  ... 804, ) == 0x0
 02815   784   NtWaitForSingleObject  ... ) == 0x0
 02873  2020   NtWaitForSingleObject  (316, 0, 0x0, ...
 02874  1068   NtSetEventBoostPriority  (160, ...
 02875  1744   NtWaitForSingleObject  (316, 0, 0x0, ...
 02876   784   NtSetEventBoostPriority  (316, ...
 01260   460   NtWaitForSingleObject  ... ) == 0x0
 02874  1068   NtSetEventBoostPriority  ... ) == 0x0
 02877   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 02812  1392   NtWaitForSingleObject  ... ) == 0x0
 02876   784   NtSetEventBoostPriority  ... ) == 0x0
 02872  1956   NtSetEventBoostPriority  ... ) == 0x0
 02871   760   NtProtectVirtualMemory  ... (0x550e000), 4096, 4, ) == 0x0
 02878  1392   NtSetEventBoostPriority  (316, ...
 02879   784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02880  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 02817  1784   NtWaitForSingleObject  ... ) == 0x0
 02881   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02878  1392   NtSetEventBoostPriority  ... ) == 0x0
 02882  1068   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02883  1784   NtSetEventBoostPriority  (316, ...
 02881   760   NtCreateThread  ... 808, {1764, 168}, ) == 0x0
 02884  1392   NtWaitForSingleObject  (316, 0, 0x0, ...
 02882  1068   NtCreateEvent  ... 812, ) == 0x0
 02820   380   NtWaitForSingleObject  ... ) == 0x0
 02885   760   NtQueryInformationThread  (808, Basic, 28, ...
 02886  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 02887   380   NtSetEventBoostPriority  (316, ...
 02885   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1764,Tid=168,}, 0x0, ) == 0x0
 02821  1124   NtWaitForSingleObject  ... ) == 0x0
 02887   380   NtSetEventBoostPriority  ... ) == 0x0
 02888  1124   NtSetEventBoostPriority  (316, ...
 02889   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58099, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\6\0\0\250\0\0\0" ...  ...
 02883  1784   NtSetEventBoostPriority  ... ) == 0x0
 02831   188   NtWaitForSingleObject  ... ) == 0x0
 02888  1124   NtSetEventBoostPriority  ... ) == 0x0
 02890   380   NtSetEventBoostPriority  (792, ...
 02891   188   NtSetEventBoostPriority  (316, ...
 02892  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02893  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02836  1732   NtWaitForSingleObject  ... ) == 0x0
 02891   188   NtSetEventBoostPriority  ... ) == 0x0
 02829  1948   NtWaitForSingleObject  ... ) == 0x0
 02890   380   NtSetEventBoostPriority  ... ) == 0x0
 02889   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58100, 0}  ... {28, 56, reply, 0, 1764, 760, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\6\0\0\250\0\0\0" )  ) == 0x0
 02894  1732   NtSetEventBoostPriority  (316, ...
 02893  1124   NtDuplicateObject  ... 816, ) == 0x0
 02895  1948   NtWaitForSingleObject  (316, 0, 0x0, ...
 02896   380   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02850  1480   NtWaitForSingleObject  ... ) == 0x0
 02894  1732   NtSetEventBoostPriority  ... ) == 0x0
 02897   760   NtResumeThread  (808, ...
 02898  1124   NtWaitForSingleObject  (316, 0, 0x0, ...
 02899  1480   NtSetEventBoostPriority  (316, ...
 02896   380   NtWaitForSingleObject  ... ) == 0x102
 02900   188   NtWaitForSingleObject  (792, 0, 0x0, ...
 02897   760   NtResumeThread  ... 1, ) == 0x0
 02853  1496   NtWaitForSingleObject  ... ) == 0x0
 02901   380   NtWaitForSingleObject  (316, 0, 0x0, ...
 02902   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02903  1496   NtSetEventBoostPriority  (316, ...
 02899  1480   NtSetEventBoostPriority  ... ) == 0x0
 02904  1732   NtWaitForSingleObject  (792, 0, 0x0, ...
 02905   168   NtWaitForSingleObject  (132, 0, 0x0, ...
 02902   760   NtAllocateVirtualMemory  ... 89194496, 1048576, ) == 0x0
 02855   740   NtWaitForSingleObject  ... ) == 0x0
 02903  1496   NtSetEventBoostPriority  ... ) == 0x0
 02906  1480   NtWaitForSingleObject  (792, 0, 0x0, ...
 02907   740   NtSetEventBoostPriority  (316, ...
 02908   760   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ...
 02856  1676   NtWaitForSingleObject  ... ) == 0x0
 02907   740   NtSetEventBoostPriority  ... ) == 0x0
 02909  1676   NtSetEventBoostPriority  (316, ...
 02908   760   NtAllocateVirtualMemory  ... 90234880, 8192, ) == 0x0
 02910  1496   NtSetEventBoostPriority  (132, ...
 02857   496   NtWaitForSingleObject  ... ) == 0x0
 02909  1676   NtSetEventBoostPriority  ... ) == 0x0
 02911   760   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ...
 02912   496   NtSetEventBoostPriority  (316, ...
 02905   168   NtWaitForSingleObject  ... ) == 0x0
 02910  1496   NtSetEventBoostPriority  ... ) == 0x0
 02913   740   NtWaitForSingleObject  (792, 0, 0x0, ...
 02858   432   NtWaitForSingleObject  ... ) == 0x0
 02914   168   NtWaitForSingleObject  (316, 0, 0x0, ...
 02912   496   NtSetEventBoostPriority  ... ) == 0x0
 02911   760   NtProtectVirtualMemory  ... (0x560e000), 4096, 4, ) == 0x0
 02915  1496   NtTestAlert  (...
 02916   432   NtSetEventBoostPriority  (316, ...
 02917  1676   NtWaitForSingleObject  (792, 0, 0x0, ...
 02918   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02859  1332   NtWaitForSingleObject  ... ) == 0x0
 02916   432   NtSetEventBoostPriority  ... ) == 0x0
 02915  1496   NtTestAlert  ... ) == 0x0
 02919  1332   NtSetEventBoostPriority  (316, ...
 02918   760   NtCreateThread  ... 820, {1764, 1284}, ) == 0x0
 02920   496   NtWaitForSingleObject  (792, 0, 0x0, ...
 02860  1328   NtWaitForSingleObject  ... ) == 0x0
 02919  1332   NtSetEventBoostPriority  ... ) == 0x0
 02921  1496   NtContinue  (88145200, 1, ...
 02922   432   NtWaitForSingleObject  (792, 0, 0x0, ...
 02923  1328   NtSetEventBoostPriority  (316, ...
 02924   760   NtQueryInformationThread  (820, Basic, 28, ...
 02925  1496   NtRegisterThreadTerminatePort  (24, ...
 02861   752   NtWaitForSingleObject  ... ) == 0x0
 02923  1328   NtSetEventBoostPriority  ... ) == 0x0
 02924   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1764,Tid=1284,}, 0x0, ) == 0x0
 02926  1332   NtWaitForSingleObject  (792, 0, 0x0, ...
 02927   752   NtSetEventBoostPriority  (316, ...
 02925  1496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02928   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58100, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\344\6\0\0\4\5\0\0" ...  ...
 02862   120   NtWaitForSingleObject  ... ) == 0x0
 02927   752   NtSetEventBoostPriority  ... ) == 0x0
 02929  1496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02930   120   NtSetEventBoostPriority  (316, ...
 02928   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58101, 0}  ... {28, 56, reply, 0, 1764, 760, 58101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\344\6\0\0\4\5\0\0" )  ) == 0x0
 02931  1328   NtWaitForSingleObject  (792, 0, 0x0, ...
 02866  1980   NtWaitForSingleObject  ... ) == 0x0
 02930   120   NtSetEventBoostPriority  ... ) == 0x0
 02932   760   NtResumeThread  (820, ...
 02933  1980   NtSetEventBoostPriority  (316, ...
 02934   752   NtWaitForSingleObject  (792, 0, 0x0, ...
 02935   120   NtWaitForSingleObject  (792, 0, 0x0, ...
 02867  1520   NtWaitForSingleObject  ... ) == 0x0
 02933  1980   NtSetEventBoostPriority  ... ) == 0x0
 02936  1520   NtSetEventBoostPriority  (316, ...
 02932   760   NtResumeThread  ... 1, ) == 0x0
 02869  1696   NtWaitForSingleObject  ... ) == 0x0
 02936  1520   NtSetEventBoostPriority  ... ) == 0x0
 02937  1696   NtSetEventBoostPriority  (316, ...
 02938   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02939  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 02940  1284   NtWaitForSingleObject  (132, 0, 0x0, ...
 02873  2020   NtWaitForSingleObject  ... ) == 0x0
 02937  1696   NtSetEventBoostPriority  ... ) == 0x0
 02938   760   NtAllocateVirtualMemory  ... 90243072, 1048576, ) == 0x0
 02941  2020   NtSetEventBoostPriority  (316, ...
 02942  1520   NtWaitForSingleObject  (792, 0, 0x0, ...
 02875  1744   NtWaitForSingleObject  ... ) == 0x0
 02941  2020   NtSetEventBoostPriority  ... ) == 0x0
 02943   760   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ...
 02944  1744   NtSetEventBoostPriority  (316, ...
 02945  1696   NtWaitForSingleObject  (792, 0, 0x0, ...
 02877   460   NtWaitForSingleObject  ... ) == 0x0
 02944  1744   NtSetEventBoostPriority  ... ) == 0x0
 02943   760   NtAllocateVirtualMemory  ... 91283456, 8192, ) == 0x0
 02946   460   NtSetEventBoostPriority  (316, ...
 02947  2020   NtWaitForSingleObject  (792, 0, 0x0, ...
 02880  1956   NtWaitForSingleObject  ... ) == 0x0
 02946   460   NtSetEventBoostPriority  ... ) == 0x0
 02948   760   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ...
 02949  1956   NtSetEventBoostPriority  (316, ...
 02950  1744   NtWaitForSingleObject  (792, 0, 0x0, ...
 02951   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 02884  1392   NtWaitForSingleObject  ... ) == 0x0
 02949  1956   NtSetEventBoostPriority  ... ) == 0x0
 02952  1392   NtSetEventBoostPriority  (316, ...
 02948   760   NtProtectVirtualMemory  ... (0x570e000), 4096, 4, ) == 0x0
 02886  1068   NtWaitForSingleObject  ... ) == 0x0
 02952  1392   NtSetEventBoostPriority  ... ) == 0x0
 02953  1068   NtSetEventBoostPriority  (316, ...
 02954   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02955  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 02879   784   NtWaitForSingleObject  ... ) == 0x0
 02953  1068   NtSetEventBoostPriority  ... ) == 0x0
 02954   760   NtCreateThread  ... 824, {1764, 1268}, ) == 0x0
 02956   784   NtSetEventBoostPriority  (316, ...
 02957  1392   NtWaitForSingleObject  (316, 0, 0x0, ...
 02892  1784   NtWaitForSingleObject  ... ) == 0x0
 02958   760   NtQueryInformationThread  (824, Basic, 28, ...
 02959  1784   NtSetEventBoostPriority  (316, ...
 02958   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1764,Tid=1268,}, 0x0, ) == 0x0
 02895  1948   NtWaitForSingleObject  ... ) == 0x0
 02959  1784   NtSetEventBoostPriority  ... ) == 0x0
 02960  1948   NtSetEventBoostPriority  (316, ...
 02961   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58101, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\6\0\0\364\4\0\0" ...  ...
 02956   784   NtSetEventBoostPriority  ... ) == 0x0
 02962  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 02898  1124   NtWaitForSingleObject  ... ) == 0x0
 02960  1948   NtSetEventBoostPriority  ... ) == 0x0
 02963  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02964   784   NtWaitForSingleObject  (316, 0, 0x0, ...
 02965  1124   NtSetEventBoostPriority  (316, ...
 02961   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58102, 0}  ... {28, 56, reply, 0, 1764, 760, 58102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\6\0\0\364\4\0\0" )  ) == 0x0
 02901   380   NtWaitForSingleObject  ... ) == 0x0
 02965  1124   NtSetEventBoostPriority  ... ) == 0x0
 02966   380   NtSetEventBoostPriority  (316, ...
 02967   760   NtResumeThread  (824, ...
 02968  1948   NtSetEventBoostPriority  (792, ...
 02914   168   NtWaitForSingleObject  ... ) == 0x0
 02967   760   NtResumeThread  ... 1, ) == 0x0
 02969   168   NtSetEventBoostPriority  (316, ...
 02832  1636   NtWaitForSingleObject  ... ) == 0x0
 02968  1948   NtSetEventBoostPriority  ... ) == 0x0
 02929  1496   NtWaitForSingleObject  ... ) == 0x0
 02970  1636   NtWaitForSingleObject  (316, 0, 0x0, ...
 02969   168   NtSetEventBoostPriority  ... ) == 0x0
 02971   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02972  1496   NtSetEventBoostPriority  (316, ...
 02973  1948   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02966   380   NtSetEventBoostPriority  ... ) == 0x0
 02974  1124   NtWaitForSingleObject  (316, 0, 0x0, ...
 02975  1268   NtWaitForSingleObject  (132, 0, 0x0, ...
 02939  1980   NtWaitForSingleObject  ... ) == 0x0
 02972  1496   NtSetEventBoostPriority  ... ) == 0x0
 02971   760   NtAllocateVirtualMemory  ... 91291648, 1048576, ) == 0x0
 02973  1948   NtWaitForSingleObject  ... ) == 0x102
 02976   380   NtWaitForSingleObject  (160, 0, 0x0, ...
 02977  1980   NtSetEventBoostPriority  (316, ...
 02978   168   NtSetEventBoostPriority  (132, ...
 02979  1496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02980  1948   NtWaitForSingleObject  (160, 0, 0x0, ...
 02951   460   NtWaitForSingleObject  ... ) == 0x0
 02977  1980   NtSetEventBoostPriority  ... ) == 0x0
 02940  1284   NtWaitForSingleObject  ... ) == 0x0
 02978   168   NtSetEventBoostPriority  ... ) == 0x0
 02979  1496   NtDuplicateObject  ... 828, ) == 0x0
 02981   760   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ...
 02982   460   NtSetEventBoostPriority  (316, ...
 02983  1284   NtWaitForSingleObject  (316, 0, 0x0, ...
 02984  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 02985   168   NtTestAlert  (...
 02986  1496   NtWaitForSingleObject  (316, 0, 0x0, ...
 02955  1956   NtWaitForSingleObject  ... ) == 0x0
 02982   460   NtSetEventBoostPriority  ... ) == 0x0
 02981   760   NtAllocateVirtualMemory  ... 92332032, 8192, ) == 0x0
 02985   168   NtTestAlert  ... ) == 0x0
 02987  1956   NtSetEventBoostPriority  (316, ...
 02988   460   NtSetEventBoostPriority  (160, ...
 02989   760   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ...
 02957  1392   NtWaitForSingleObject  ... ) == 0x0
 02987  1956   NtSetEventBoostPriority  ... ) == 0x0
 02990   168   NtContinue  (89193776, 1, ...
 02991  1392   NtSetEventBoostPriority  (316, ...
 02989   760   NtProtectVirtualMemory  ... (0x580e000), 4096, 4, ) == 0x0
 02992  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 02962  1068   NtWaitForSingleObject  ... ) == 0x0
 02991  1392   NtSetEventBoostPriority  ... ) == 0x0
 02993   168   NtRegisterThreadTerminatePort  (24, ...
 02994   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01263  1556   NtWaitForSingleObject  ... ) == 0x0
 02988   460   NtSetEventBoostPriority  ... ) == 0x0
 02995  1068   NtSetEventBoostPriority  (316, ...
 02996  1392   NtWaitForSingleObject  (316, 0, 0x0, ...
 02994   760   NtCreateThread  ... 832, {1764, 840}, ) == 0x0
 02997  1556   NtSetEventBoostPriority  (160, ...
 02963  1784   NtWaitForSingleObject  ... ) == 0x0
 02995  1068   NtSetEventBoostPriority  ... ) == 0x0
 02998   460   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02993   168   NtRegisterThreadTerminatePort  ... ) == 0x0
 02999  1784   NtSetEventBoostPriority  (316, ...
 01508  1728   NtWaitForSingleObject  ... ) == 0x0
 02997  1556   NtSetEventBoostPriority  ... ) == 0x0
 03000  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 02998   460   NtCreateEvent  ... 836, ) == 0x0
 02964   784   NtWaitForSingleObject  ... ) == 0x0
 03001  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 02999  1784   NtSetEventBoostPriority  ... ) == 0x0
 03002   168   NtWaitForSingleObject  (316, 0, 0x0, ...
 03003   760   NtQueryInformationThread  (832, Basic, 28, ...
 03004  1556   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03005   784   NtSetEventBoostPriority  (316, ...
 03006   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03007  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 03003   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1764,Tid=840,}, 0x0, ) == 0x0
 02970  1636   NtWaitForSingleObject  ... ) == 0x0
 03005   784   NtSetEventBoostPriority  ... ) == 0x0
 03004  1556   NtCreateEvent  ... 840, ) == 0x0
 03008  1636   NtSetEventBoostPriority  (316, ...
 03009   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58102, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\6\0\0H\3\0\0" ...  ...
 02974  1124   NtWaitForSingleObject  ... ) == 0x0
 03008  1636   NtSetEventBoostPriority  ... ) == 0x0
 03010  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03011  1124   NtSetEventBoostPriority  (316, ...
 03009   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58103, 0}  ... {28, 56, reply, 0, 1764, 760, 58103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\6\0\0H\3\0\0" )  ) == 0x0
 03012   784   NtWaitForSingleObject  (792, 0, 0x0, ...
 02983  1284   NtWaitForSingleObject  ... ) == 0x0
 03011  1124   NtSetEventBoostPriority  ... ) == 0x0
 03013   760   NtResumeThread  (832, ...
 03014  1284   NtSetEventBoostPriority  (316, ...
 03015  1124   NtWaitForSingleObject  (792, 0, 0x0, ...
 03016  1636   NtSetEventBoostPriority  (792, ...
 02986  1496   NtWaitForSingleObject  ... ) == 0x0
 03014  1284   NtSetEventBoostPriority  ... ) == 0x0
 03013   760   NtResumeThread  ... 1, ) == 0x0
 03017  1496   NtSetEventBoostPriority  (316, ...
 02837   624   NtWaitForSingleObject  ... ) == 0x0
 03016  1636   NtSetEventBoostPriority  ... ) == 0x0
 03018   840   NtWaitForSingleObject  (132, 0, 0x0, ...
 02984  1980   NtWaitForSingleObject  ... ) == 0x0
 03019   624   NtWaitForSingleObject  (316, 0, 0x0, ...
 03017  1496   NtSetEventBoostPriority  ... ) == 0x0
 03020   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03021  1636   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03022  1980   NtSetEventBoostPriority  (316, ...
 03023  1284   NtSetEventBoostPriority  (132, ...
 03020   760   NtAllocateVirtualMemory  ... 92340224, 1048576, ) == 0x0
 02992  1956   NtWaitForSingleObject  ... ) == 0x0
 03021  1636   NtWaitForSingleObject  ... ) == 0x102
 02975  1268   NtWaitForSingleObject  ... ) == 0x0
 03023  1284   NtSetEventBoostPriority  ... ) == 0x0
 03024   760   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ...
 03025  1956   NtSetEventBoostPriority  (316, ...
 03026  1268   NtWaitForSingleObject  (316, 0, 0x0, ...
 03027  1636   NtWaitForSingleObject  (160, 0, 0x0, ...
 03028  1284   NtTestAlert  (...
 03024   760   NtAllocateVirtualMemory  ... 93380608, 8192, ) == 0x0
 02996  1392   NtWaitForSingleObject  ... ) == 0x0
 03025  1956   NtSetEventBoostPriority  ... ) == 0x0
 03022  1980   NtSetEventBoostPriority  ... ) == 0x0
 03029  1496   NtWaitForSingleObject  (316, 0, 0x0, ...
 03028  1284   NtTestAlert  ... ) == 0x0
 03030   760   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ...
 03031  1392   NtSetEventBoostPriority  (316, ...
 03032  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03033  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 03034  1284   NtContinue  (90242352, 1, ...
 03001  1728   NtWaitForSingleObject  ... ) == 0x0
 03035  1728   NtSetEventBoostPriority  (316, ...
 03002   168   NtWaitForSingleObject  ... ) == 0x0
 03036   168   NtSetEventBoostPriority  (316, ...
 03006   460   NtWaitForSingleObject  ... ) == 0x0
 03037   460   NtSetEventBoostPriority  (316, ...
 03000  1068   NtWaitForSingleObject  ... ) == 0x0
 03038  1068   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 03039  1068   NtSetEventBoostPriority  (316, ...
 03007  1784   NtWaitForSingleObject  ... ) == 0x0
 03040  1784   NtSetEventBoostPriority  (316, ...
 03010  1556   NtWaitForSingleObject  ... ) == 0x0
 03041  1556   NtSetEventBoostPriority  (316, ...
 03019   624   NtWaitForSingleObject  ... ) == 0x0
 03042   624   NtSetEventBoostPriority  (316, ...
 03026  1268   NtWaitForSingleObject  ... ) == 0x0
 03043  1268   NtSetEventBoostPriority  (316, ...
 03029  1496   NtWaitForSingleObject  ... ) == 0x0
 03044  1496   NtSetEventBoostPriority  (316, ...
 03032  1956   NtWaitForSingleObject  ... ) == 0x0
 03045  1956   NtSetEventBoostPriority  (316, ...
 03033  1980   NtWaitForSingleObject  ... ) == 0x0
 03046  1980   NtAllocateVirtualMemory  (-1, 13684736, 0, 4096, 4096, 260, ... 13684736, 4096, ) == 0x0
 03045  1956   NtSetEventBoostPriority  ... ) == 0x0
 03044  1496   NtSetEventBoostPriority  ... ) == 0x0
 03043  1268   NtSetEventBoostPriority  ... ) == 0x0
 03042   624   NtSetEventBoostPriority  ... ) == 0x0
 03041  1556   NtSetEventBoostPriority  ... ) == 0x0
 03037   460   NtSetEventBoostPriority  ... ) == 0x0
 03036   168   NtSetEventBoostPriority  ... ) == 0x0
 03035  1728   NtSetEventBoostPriority  ... ) == 0x0
 03047  1284   NtRegisterThreadTerminatePort  (24, ...
 03040  1784   NtSetEventBoostPriority  ... ) == 0x0
 03039  1068   NtSetEventBoostPriority  ... ) == 0x0
 03031  1392   NtSetEventBoostPriority  ... ) == 0x0
 03030   760   NtProtectVirtualMemory  ... (0x590e000), 4096, 4, ) == 0x0
 03048  1980   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03049  1496   NtWaitForSingleObject  (792, 0, 0x0, ...
 03050  1956   NtAllocateVirtualMemory  (-1, 12636160, 0, 4096, 4096, 260, ...
 03051  1268   NtSetEventBoostPriority  (132, ...
 03052   624   NtSetEventBoostPriority  (792, ...
 03053  1556   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 03054   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03055   168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03056  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03057  1784   NtAllocateVirtualMemory  (-1, 14733312, 0, 4096, 4096, 260, ...
 03047  1284   NtRegisterThreadTerminatePort  ... ) == 0x0
 03058  1392   NtWaitForSingleObject  (792, 0, 0x0, ...
 03059   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03048  1980   NtCreateEvent  ... 844, ) == 0x0
 03060  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03050  1956   NtAllocateVirtualMemory  ... 12636160, 4096, ) == 0x0
 03018   840   NtWaitForSingleObject  ... ) == 0x0
 03051  1268   NtSetEventBoostPriority  ... ) == 0x0
 02900   188   NtWaitForSingleObject  ... ) == 0x0
 03052   624   NtSetEventBoostPriority  ... ) == 0x0
 03053  1556   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 03055   168   NtDuplicateObject  ... 848, ) == 0x0
 03057  1784   NtAllocateVirtualMemory  ... 14733312, 4096, ) == 0x0
 03061  1284   NtWaitForSingleObject  (316, 0, 0x0, ...
 03059   760   NtCreateThread  ... 852, {1764, 1336}, ) == 0x0
 03062  1980   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03063   840   NtTestAlert  (...
 03064  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03065   188   NtWaitForSingleObject  (316, 0, 0x0, ...
 03066  1268   NtTestAlert  (...
 03067   624   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03068  1556   NtSetEventBoostPriority  (316, ...
 03069   168   NtWaitForSingleObject  (316, 0, 0x0, ...
 03070   760   NtQueryInformationThread  (852, Basic, 28, ...
 03063   840   NtTestAlert  ... ) == 0x0
 03062  1980   NtDuplicateObject  ... 856, ) == 0x0
 03066  1268   NtTestAlert  ... ) == 0x0
 03067   624   NtWaitForSingleObject  ... ) == 0x102
 03054   460   NtWaitForSingleObject  ... ) == 0x0
 03068  1556   NtSetEventBoostPriority  ... ) == 0x0
 03070   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1764,Tid=1336,}, 0x0, ) == 0x0
 03071  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 03072  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 03073  1268   NtContinue  (91290928, 1, ...
 03074   460   NtSetEventBoostPriority  (316, ...
 03075   624   NtWaitForSingleObject  (160, 0, 0x0, ...
 03076  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03077   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58103, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\344\6\0\08\5\0\0" ...  ...
 03056  1728   NtWaitForSingleObject  ... ) == 0x0
 03074   460   NtSetEventBoostPriority  ... ) == 0x0
 03078  1268   NtRegisterThreadTerminatePort  (24, ...
 03079   840   NtContinue  (92339504, 1, ...
 03080  1728   NtSetEventBoostPriority  (316, ...
 03081   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03077   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58104, 0}  ... {28, 56, reply, 0, 1764, 760, 58104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\344\6\0\08\5\0\0" )  ) == 0x0
 03060  1068   NtWaitForSingleObject  ... ) == 0x0
 03080  1728   NtSetEventBoostPriority  ... ) == 0x0
 03082   840   NtRegisterThreadTerminatePort  (24, ...
 03078  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 03083  1068   NtSetEventBoostPriority  (316, ...
 03084   760   NtResumeThread  (852, ...
 03085  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03082   840   NtRegisterThreadTerminatePort  ... ) == 0x0
 03061  1284   NtWaitForSingleObject  ... ) == 0x0
 03083  1068   NtSetEventBoostPriority  ... ) == 0x0
 03086  1268   NtWaitForSingleObject  (316, 0, 0x0, ...
 03084   760   NtResumeThread  ... 1, ) == 0x0
 03087  1284   NtSetEventBoostPriority  (316, ...
 03088   840   NtWaitForSingleObject  (316, 0, 0x0, ...
 03089  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03065   188   NtWaitForSingleObject  ... ) == 0x0
 03087  1284   NtSetEventBoostPriority  ... ) == 0x0
 03090   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03091  1336   NtAllocateVirtualMemory  (-1, 3633152, 0, 4096, 4096, 4, ...
 03092   188   NtSetEventBoostPriority  (316, ...
 03090   760   NtAllocateVirtualMemory  ... 93388800, 1048576, ) == 0x0
 03064  1956   NtWaitForSingleObject  ... ) == 0x0
 03092   188   NtSetEventBoostPriority  ... ) == 0x0
 03091  1336   NtAllocateVirtualMemory  ... 3633152, 4096, ) == 0x0
 03093  1284   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03094  1956   NtSetEventBoostPriority  (316, ...
 03095   760   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ...
 03096  1336   NtWaitForSingleObject  (316, 0, 0x0, ...
 03069   168   NtWaitForSingleObject  ... ) == 0x0
 03094  1956   NtSetEventBoostPriority  ... ) == 0x0
 03093  1284   NtDuplicateObject  ... 860, ) == 0x0
 03095   760   NtAllocateVirtualMemory  ... 94429184, 8192, ) == 0x0
 03097   168   NtSetEventBoostPriority  (316, ...
 03098   188   NtSetEventBoostPriority  (792, ...
 03099  1284   NtWaitForSingleObject  (316, 0, 0x0, ...
 03071  1784   NtWaitForSingleObject  ... ) == 0x0
 03097   168   NtSetEventBoostPriority  ... ) == 0x0
 03100   760   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ...
 02904  1732   NtWaitForSingleObject  ... ) == 0x0
 03098   188   NtSetEventBoostPriority  ... ) == 0x0
 03101  1784   NtSetEventBoostPriority  (316, ...
 03102  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03103  1732   NtWaitForSingleObject  (316, 0, 0x0, ...
 03100   760   NtProtectVirtualMemory  ... (0x5a0e000), 4096, 4, ) == 0x0
 03072  1980   NtWaitForSingleObject  ... ) == 0x0
 03101  1784   NtSetEventBoostPriority  ... ) == 0x0
 03104   188   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03105  1980   NtSetEventBoostPriority  (316, ...
 03106   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03107  1784   NtWaitForSingleObject  (316, 0, 0x0, ...
 03076  1556   NtWaitForSingleObject  ... ) == 0x0
 03105  1980   NtSetEventBoostPriority  ... ) == 0x0
 03104   188   NtWaitForSingleObject  ... ) == 0x102
 03106   760   NtCreateThread  ... 864, {1764, 1200}, ) == 0x0
 03108   168   NtWaitForSingleObject  (792, 0, 0x0, ...
 03109  1556   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 03110   188   NtWaitForSingleObject  (316, 0, 0x0, ...
 03111  1980   NtWaitForSingleObject  (316, 0, 0x0, ...
 03109  1556   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 03112   760   NtQueryInformationThread  (864, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1764,Tid=1200,}, 0x0, ) == 0x0
 03113   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58104, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\6\0\0\260\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\6\0\0\260\4\0\0" )  ... {28, 56, reply, 0, 1764, 760, 58105, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\6\0\0\260\4\0\0" ... {28, 56, reply, 0, 1764, 760, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\6\0\0\260\4\0\0" )  ) == 0x0
 03114   760   NtResumeThread  (864, ... 1, ) == 0x0
 03115   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 94437376, 1048576, ) == 0x0
 03116   760   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0
 03117   760   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ...
 03118  1556   NtSetEventBoostPriority  (316, ...
 03119  1200   NtWaitForSingleObject  (132, 0, 0x0, ...
 03081   460   NtWaitForSingleObject  ... ) == 0x0
 03118  1556   NtSetEventBoostPriority  ... ) == 0x0
 03120   460   NtSetEventBoostPriority  (316, ...
 03086  1268   NtWaitForSingleObject  ... ) == 0x0
 03121  1268   NtSetEventBoostPriority  (316, ...
 03088   840   NtWaitForSingleObject  ... ) == 0x0
 03122   840   NtSetEventBoostPriority  (316, ...
 03085  1728   NtWaitForSingleObject  ... ) == 0x0
 03123  1728   NtSetEventBoostPriority  (316, ...
 03089  1068   NtWaitForSingleObject  ... ) == 0x0
 03124  1068   NtSetEventBoostPriority  (316, ...
 03096  1336   NtWaitForSingleObject  ... ) == 0x0
 03125  1336   NtSetEventBoostPriority  (316, ...
 03099  1284   NtWaitForSingleObject  ... ) == 0x0
 03126  1284   NtSetEventBoostPriority  (316, ...
 03103  1732   NtWaitForSingleObject  ... ) == 0x0
 03127  1732   NtSetEventBoostPriority  (316, ...
 03102  1956   NtWaitForSingleObject  ... ) == 0x0
 03128  1956   NtSetEventBoostPriority  (316, ...
 03107  1784   NtWaitForSingleObject  ... ) == 0x0
 03129  1784   NtSetEventBoostPriority  (316, ...
 03111  1980   NtWaitForSingleObject  ... ) == 0x0
 03130  1980   NtSetEventBoostPriority  (316, ...
 03110   188   NtWaitForSingleObject  ... ) == 0x0
 03131   188   NtWaitForSingleObject  (160, 0, 0x0, ...
 03130  1980   NtSetEventBoostPriority  ... ) == 0x0
 03132  1980   NtWaitForSingleObject  (792, 0, 0x0, ...
 03128  1956   NtSetEventBoostPriority  ... ) == 0x0
 03127  1732   NtSetEventBoostPriority  ... ) == 0x0
 03126  1284   NtSetEventBoostPriority  ... ) == 0x0
 03125  1336   NtSetEventBoostPriority  ... ) == 0x0
 03122   840   NtSetEventBoostPriority  ... ) == 0x0
 03121  1268   NtSetEventBoostPriority  ... ) == 0x0
 03133  1556   NtAllocateVirtualMemory  (-1, 16830464, 0, 4096, 4096, 260, ...
 03129  1784   NtSetEventBoostPriority  ... ) == 0x0
 03124  1068   NtSetEventBoostPriority  ... ) == 0x0
 03123  1728   NtSetEventBoostPriority  ... ) == 0x0
 03120   460   NtSetEventBoostPriority  ... ) == 0x0
 03117   760   NtProtectVirtualMemory  ... (0x5b0e000), 4096, 4, ) == 0x0
 03134  1956   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03135  1732   NtSetEventBoostPriority  (792, ...
 03136  1284   NtWaitForSingleObject  (792, 0, 0x0, ...
 03137  1336   NtSetEventBoostPriority  (132, ...
 03138   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03133  1556   NtAllocateVirtualMemory  ... 16830464, 4096, ) == 0x0
 03139  1784   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03140  1068   NtAllocateVirtualMemory  (-1, 18927616, 0, 4096, 4096, 260, ...
 03141  1728   NtSetEventBoostPriority  (160, ...
 03142   460   NtAllocateVirtualMemory  (-1, 17879040, 0, 4096, 4096, 260, ...
 03143   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03144  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02906  1480   NtWaitForSingleObject  ... ) == 0x0
 03135  1732   NtSetEventBoostPriority  ... ) == 0x0
 03119  1200   NtWaitForSingleObject  ... ) == 0x0
 03137  1336   NtSetEventBoostPriority  ... ) == 0x0
 03138   840   NtDuplicateObject  ... 868, ) == 0x0
 03145  1556   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03139  1784   NtCreateEvent  ... 872, ) == 0x0
 03140  1068   NtAllocateVirtualMemory  ... 18927616, 4096, ) == 0x0
 01522   712   NtWaitForSingleObject  ... ) == 0x0
 03141  1728   NtSetEventBoostPriority  ... ) == 0x0
 03142   460   NtAllocateVirtualMemory  ... 17879040, 4096, ) == 0x0
 03143   760   NtCreateThread  ... 876, {1764, 1920}, ) == 0x0
 03146  1480   NtSetEventBoostPriority  (792, ...
 03144  1268   NtDuplicateObject  ... 880, ) == 0x0
 03147  1200   NtTestAlert  (...
 03148  1732   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03149  1336   NtTestAlert  (...
 03150   840   NtWaitForSingleObject  (792, 0, 0x0, ...
 03145  1556   NtCreateEvent  ... 884, ) == 0x0
 03134  1956   NtCreateEvent  ... 888, ) == 0x0
 03151  1784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03152   712   NtSetEventBoostPriority  (160, ...
 03153  1068   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03154  1728   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02913   740   NtWaitForSingleObject  ... ) == 0x0
 03146  1480   NtSetEventBoostPriority  ... ) == 0x0
 03155   760   NtQueryInformationThread  (876, Basic, 28, ...
 03147  1200   NtTestAlert  ... ) == 0x0
 03156  1268   NtWaitForSingleObject  (792, 0, 0x0, ...
 03148  1732   NtWaitForSingleObject  ... ) == 0x102
 03149  1336   NtTestAlert  ... ) == 0x0
 03157   460   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03158  1956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01523  1156   NtWaitForSingleObject  ... ) == 0x0
 03152   712   NtSetEventBoostPriority  ... ) == 0x0
 03151  1784   NtDuplicateObject  ... 892, ) == 0x0
 03153  1068   NtCreateEvent  ... 896, ) == 0x0
 03159   740   NtSetEventBoostPriority  (792, ...
 03154  1728   NtCreateEvent  ... 900, ) == 0x0
 03160  1556   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03155   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1764,Tid=1920,}, 0x0, ) == 0x0
 03161  1480   NtWaitForSingleObject  (792, 0, 0x0, ...
 03162  1732   NtWaitForSingleObject  (160, 0, 0x0, ...
 03163  1336   NtContinue  (93388080, 1, ...
 03157   460   NtCreateEvent  ... 904, ) == 0x0
 03164  1156   NtSetEventBoostPriority  (160, ...
 03158  1956   NtDuplicateObject  ... 908, ) == 0x0
 03165  1200   NtContinue  (94436656, 1, ...
 03166  1784   NtWaitForSingleObject  (792, 0, 0x0, ...
 02917  1676   NtWaitForSingleObject  ... ) == 0x0
 03159   740   NtSetEventBoostPriority  ... ) == 0x0
 03167  1068   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03168  1728   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ...
 03160  1556   NtDuplicateObject  ... 912, ) == 0x0
 03169   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58105, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\6\0\0\200\7\0\0" ...  ...
 03170   712   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03171  1336   NtRegisterThreadTerminatePort  (24, ...
 01524  1700   NtWaitForSingleObject  ... ) == 0x0
 03164  1156   NtSetEventBoostPriority  ... ) == 0x0
 03172   460   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03173  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03174  1200   NtRegisterThreadTerminatePort  (24, ...
 03175  1676   NtWaitForSingleObject  (316, 0, 0x0, ...
 03176   740   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03167  1068   NtDuplicateObject  ... 916, ) == 0x0
 03168  1728   NtAllocateVirtualMemory  ... 1437696, 4096, ) == 0x0
 03177  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03170   712   NtCreateEvent  ... 920, ) == 0x0
 03169   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58106, 0}  ... {28, 56, reply, 0, 1764, 760, 58106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\6\0\0\200\7\0\0" )  ) == 0x0
 03178  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03171  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 03172   460   NtDuplicateObject  ... 924, ) == 0x0
 03174  1200   NtRegisterThreadTerminatePort  ... ) == 0x0
 03179  1156   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03180  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03181  1728   NtSetEventBoostPriority  (316, ...
 03182   712   NtWaitForSingleObject  (316, 0, 0x0, ...
 03183   760   NtResumeThread  (876, ...
 03184  1336   NtWaitForSingleObject  (316, 0, 0x0, ...
 03185   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03186  1200   NtWaitForSingleObject  (316, 0, 0x0, ...
 03179  1156   NtCreateEvent  ... 928, ) == 0x0
 03173  1956   NtWaitForSingleObject  ... ) == 0x0
 03181  1728   NtSetEventBoostPriority  ... ) == 0x0
 03183   760   NtResumeThread  ... 1, ) == 0x0
 03187  1956   NtSetEventBoostPriority  (316, ...
 03188  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03176   740   NtWaitForSingleObject  ... ) == 0x102
 03189  1920   NtWaitForSingleObject  (316, 0, 0x0, ...
 03175  1676   NtWaitForSingleObject  ... ) == 0x0
 03187  1956   NtSetEventBoostPriority  ... ) == 0x0
 03190   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03191   740   NtWaitForSingleObject  (316, 0, 0x0, ...
 03192  1676   NtSetEventBoostPriority  (316, ...
 03193  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03190   760   NtAllocateVirtualMemory  ... 95485952, 1048576, ) == 0x0
 03177  1556   NtWaitForSingleObject  ... ) == 0x0
 03192  1676   NtSetEventBoostPriority  ... ) == 0x0
 03194  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03195  1556   NtSetEventBoostPriority  (316, ...
 03196   760   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ...
 03178  1700   NtWaitForSingleObject  ... ) == 0x0
 03195  1556   NtSetEventBoostPriority  ... ) == 0x0
 03197  1700   NtSetEventBoostPriority  (316, ...
 03196   760   NtAllocateVirtualMemory  ... 96526336, 8192, ) == 0x0
 03198  1676   NtSetEventBoostPriority  (792, ...
 03180  1068   NtWaitForSingleObject  ... ) == 0x0
 03197  1700   NtSetEventBoostPriority  ... ) == 0x0
 03199   760   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ...
 03200  1068   NtSetEventBoostPriority  (316, ...
 02920   496   NtWaitForSingleObject  ... ) == 0x0
 03198  1676   NtSetEventBoostPriority  ... ) == 0x0
 03201  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03182   712   NtWaitForSingleObject  ... ) == 0x0
 03202   496   NtWaitForSingleObject  (316, 0, 0x0, ...
 03200  1068   NtSetEventBoostPriority  ... ) == 0x0
 03199   760   NtProtectVirtualMemory  ... (0x5c0e000), 4096, 4, ) == 0x0
 03203  1676   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03204   712   NtSetEventBoostPriority  (316, ...
 03205  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03206   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03184  1336   NtWaitForSingleObject  ... ) == 0x0
 03204   712   NtSetEventBoostPriority  ... ) == 0x0
 03203  1676   NtWaitForSingleObject  ... ) == 0x102
 03207  1336   NtSetEventBoostPriority  (316, ...
 03206   760   NtCreateThread  ... 932, {1764, 896}, ) == 0x0
 03208  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03185   460   NtWaitForSingleObject  ... ) == 0x0
 03207  1336   NtSetEventBoostPriority  ... ) == 0x0
 03209  1676   NtWaitForSingleObject  (316, 0, 0x0, ...
 03210   712   NtWaitForSingleObject  (316, 0, 0x0, ...
 03211   460   NtSetEventBoostPriority  (316, ...
 03212   760   NtQueryInformationThread  (932, Basic, 28, ...
 03213  1336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03186  1200   NtWaitForSingleObject  ... ) == 0x0
 03211   460   NtSetEventBoostPriority  ... ) == 0x0
 03212   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1764,Tid=896,}, 0x0, ) == 0x0
 03214  1200   NtSetEventBoostPriority  (316, ...
 03213  1336   NtDuplicateObject  ... 936, ) == 0x0
 03188  1156   NtWaitForSingleObject  ... ) == 0x0
 03214  1200   NtSetEventBoostPriority  ... ) == 0x0
 03215   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58106, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\344\6\0\0\200\3\0\0" ...  ...
 03216  1156   NtSetEventBoostPriority  (316, ...
 03217  1336   NtWaitForSingleObject  (316, 0, 0x0, ...
 03218   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03189  1920   NtWaitForSingleObject  ... ) == 0x0
 03216  1156   NtSetEventBoostPriority  ... ) == 0x0
 03215   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58107, 0}  ... {28, 56, reply, 0, 1764, 760, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\344\6\0\0\200\3\0\0" )  ) == 0x0
 03219  1920   NtSetEventBoostPriority  (316, ...
 03220  1200   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03191   740   NtWaitForSingleObject  ... ) == 0x0
 03219  1920   NtSetEventBoostPriority  ... ) == 0x0
 03221   760   NtResumeThread  (932, ...
 03222   740   NtSetEventBoostPriority  (316, ...
 03220  1200   NtDuplicateObject  ... 940, ) == 0x0
 03223  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03224  1920   NtTestAlert  (...
 03193  1728   NtWaitForSingleObject  ... ) == 0x0
 03222   740   NtSetEventBoostPriority  ... ) == 0x0
 03225  1200   NtWaitForSingleObject  (316, 0, 0x0, ...
 03226  1728   NtSetEventBoostPriority  (316, ...
 03224  1920   NtTestAlert  ... ) == 0x0
 03221   760   NtResumeThread  ... 1, ) == 0x0
 03194  1956   NtWaitForSingleObject  ... ) == 0x0
 03226  1728   NtSetEventBoostPriority  ... ) == 0x0
 03227  1920   NtContinue  (95485232, 1, ...
 03228  1956   NtSetEventBoostPriority  (316, ...
 03229   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03230  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03202   496   NtWaitForSingleObject  ... ) == 0x0
 03228  1956   NtSetEventBoostPriority  ... ) == 0x0
 03231  1920   NtRegisterThreadTerminatePort  (24, ...
 03229   760   NtAllocateVirtualMemory  ... 96534528, 1048576, ) == 0x0
 03232   740   NtWaitForSingleObject  (160, 0, 0x0, ...
 03233   896   NtWaitForSingleObject  (316, 0, 0x0, ...
 03234   496   NtSetEventBoostPriority  (316, ...
 03235  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03231  1920   NtRegisterThreadTerminatePort  ... ) == 0x0
 03236   760   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ...
 03201  1556   NtWaitForSingleObject  ... ) == 0x0
 03234   496   NtSetEventBoostPriority  ... ) == 0x0
 03237  1920   NtWaitForSingleObject  (316, 0, 0x0, ...
 03238  1556   NtSetEventBoostPriority  (316, ...
 03236   760   NtAllocateVirtualMemory  ... 97574912, 8192, ) == 0x0
 03239   496   NtSetEventBoostPriority  (792, ...
 03205  1700   NtWaitForSingleObject  ... ) == 0x0
 03238  1556   NtSetEventBoostPriority  ... ) == 0x0
 03240   760   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ...
 03241  1700   NtSetEventBoostPriority  (316, ...
 02922   432   NtWaitForSingleObject  ... ) == 0x0
 03239   496   NtSetEventBoostPriority  ... ) == 0x0
 03242  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03208  1068   NtWaitForSingleObject  ... ) == 0x0
 03243   432   NtWaitForSingleObject  (316, 0, 0x0, ...
 03241  1700   NtSetEventBoostPriority  ... ) == 0x0
 03244   496   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03240   760   NtProtectVirtualMemory  ... (0x5d0e000), 4096, 4, ) == 0x0
 03245  1068   NtSetEventBoostPriority  (316, ...
 03246  1700   NtSetEventBoostPriority  (160, ...
 03244   496   NtWaitForSingleObject  ... ) == 0x102
 03210   712   NtWaitForSingleObject  ... ) == 0x0
 03245  1068   NtSetEventBoostPriority  ... ) == 0x0
 03247   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03248   712   NtSetEventBoostPriority  (316, ...
 03249   496   NtWaitForSingleObject  (160, 0, 0x0, ...
 03250  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03209  1676   NtWaitForSingleObject  ... ) == 0x0
 03248   712   NtSetEventBoostPriority  ... ) == 0x0
 03247   760   NtCreateThread  ... 944, {1764, 2016}, ) == 0x0
 01525  1808   NtWaitForSingleObject  ... ) == 0x0
 03246  1700   NtSetEventBoostPriority  ... ) == 0x0
 03251  1676   NtSetEventBoostPriority  (316, ...
 03252   712   NtWaitForSingleObject  (316, 0, 0x0, ...
 03253   760   NtQueryInformationThread  (944, Basic, 28, ...
 03254  1808   NtWaitForSingleObject  (316, 0, 0x0, ...
 03217  1336   NtWaitForSingleObject  ... ) == 0x0
 03255  1700   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03251  1676   NtSetEventBoostPriority  ... ) == 0x0
 03253   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1764,Tid=2016,}, 0x0, ) == 0x0
 03256  1336   NtSetEventBoostPriority  (316, ...
 03255  1700   NtCreateEvent  ... 948, ) == 0x0
 03257  1676   NtWaitForSingleObject  (160, 0, 0x0, ...
 03258   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58107, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\6\0\0\340\7\0\0" ...  ...
 03218   460   NtWaitForSingleObject  ... ) == 0x0
 03256  1336   NtSetEventBoostPriority  ... ) == 0x0
 03259  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03260   460   NtSetEventBoostPriority  (316, ...
 03258   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58108, 0}  ... {28, 56, reply, 0, 1764, 760, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\6\0\0\340\7\0\0" )  ) == 0x0
 03223  1156   NtWaitForSingleObject  ... ) == 0x0
 03260   460   NtSetEventBoostPriority  ... ) == 0x0
 03261  1156   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 03262   760   NtResumeThread  (944, ...
 03261  1156   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 03263   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03264  1156   NtSetEventBoostPriority  (316, ...
 03262   760   NtResumeThread  ... 1, ) == 0x0
 03265  1336   NtWaitForSingleObject  (316, 0, 0x0, ...
 03266  2016   NtWaitForSingleObject  (132, 0, 0x0, ...
 03267   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0
 03268   760   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0
 03269   760   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0
 03270   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {1764, 2012}, ) == 0x0
 03225  1200   NtWaitForSingleObject  ... ) == 0x0
 03264  1156   NtSetEventBoostPriority  ... ) == 0x0
 03271  1200   NtSetEventBoostPriority  (316, ...
 03272  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03233   896   NtWaitForSingleObject  ... ) == 0x0
 03271  1200   NtSetEventBoostPriority  ... ) == 0x0
 03273   896   NtSetEventBoostPriority  (316, ...
 03274   760   NtQueryInformationThread  (952, Basic, 28, ...
 03230  1728   NtWaitForSingleObject  ... ) == 0x0
 03273   896   NtSetEventBoostPriority  ... ) == 0x0
 03275  1728   NtSetEventBoostPriority  (316, ...
 03274   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1764,Tid=2012,}, 0x0, ) == 0x0
 03276  1200   NtWaitForSingleObject  (316, 0, 0x0, ...
 03235  1956   NtWaitForSingleObject  ... ) == 0x0
 03277   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58108, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\6\0\0\334\7\0\0" ...  ...
 03278  1956   NtSetEventBoostPriority  (316, ...
 03277   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58109, 0}  ... {28, 56, reply, 0, 1764, 760, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\6\0\0\334\7\0\0" )  ) == 0x0
 03237  1920   NtWaitForSingleObject  ... ) == 0x0
 03279   760   NtResumeThread  (952, ...
 03280  1920   NtSetEventBoostPriority  (316, ...
 03278  1956   NtSetEventBoostPriority  ... ) == 0x0
 03275  1728   NtSetEventBoostPriority  ... ) == 0x0
 03281   896   NtSetEventBoostPriority  (132, ...
 03243   432   NtWaitForSingleObject  ... ) == 0x0
 03282  1956   NtWaitForSingleObject  (316, 0, 0x0, ...
 03283  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03284   432   NtSetEventBoostPriority  (316, ...
 03266  2016   NtWaitForSingleObject  ... ) == 0x0
 03281   896   NtSetEventBoostPriority  ... ) == 0x0
 03242  1556   NtWaitForSingleObject  ... ) == 0x0
 03285  2016   NtWaitForSingleObject  (316, 0, 0x0, ...
 03284   432   NtSetEventBoostPriority  ... ) == 0x0
 03286  1556   NtSetEventBoostPriority  (316, ...
 03287   896   NtTestAlert  (...
 03280  1920   NtSetEventBoostPriority  ... ) == 0x0
 03279   760   NtResumeThread  ... 1, ) == 0x0
 03250  1068   NtWaitForSingleObject  ... ) == 0x0
 03287   896   NtTestAlert  ... ) == 0x0
 03288  1920   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03289   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03290  1068   NtSetEventBoostPriority  (316, ...
 03291   896   NtContinue  (96533808, 1, ...
 03288  1920   NtDuplicateObject  ... 956, ) == 0x0
 03289   760   NtAllocateVirtualMemory  ... 98631680, 1048576, ) == 0x0
 03254  1808   NtWaitForSingleObject  ... ) == 0x0
 03292   896   NtRegisterThreadTerminatePort  (24, ...
 03290  1068   NtSetEventBoostPriority  ... ) == 0x0
 03286  1556   NtSetEventBoostPriority  ... ) == 0x0
 03293   432   NtSetEventBoostPriority  (792, ...
 03294  2012   NtWaitForSingleObject  (132, 0, 0x0, ...
 03295   760   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ...
 03296  1808   NtSetEventBoostPriority  (316, ...
 03297  1920   NtWaitForSingleObject  (316, 0, 0x0, ...
 03298  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03299  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 02926  1332   NtWaitForSingleObject  ... ) == 0x0
 03293   432   NtSetEventBoostPriority  ... ) == 0x0
 03295   760   NtAllocateVirtualMemory  ... 99672064, 8192, ) == 0x0
 03252   712   NtWaitForSingleObject  ... ) == 0x0
 03296  1808   NtSetEventBoostPriority  ... ) == 0x0
 03300  1332   NtWaitForSingleObject  (316, 0, 0x0, ...
 03301   432   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03302   712   NtSetEventBoostPriority  (316, ...
 03303   760   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ...
 03292   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 03259  1700   NtWaitForSingleObject  ... ) == 0x0
 03301   432   NtWaitForSingleObject  ... ) == 0x102
 03302   712   NtSetEventBoostPriority  ... ) == 0x0
 03304  1808   NtWaitForSingleObject  (316, 0, 0x0, ...
 03305   896   NtWaitForSingleObject  (316, 0, 0x0, ...
 03306  1700   NtSetEventBoostPriority  (316, ...
 03307   432   NtWaitForSingleObject  (316, 0, 0x0, ...
 03308   712   NtWaitForSingleObject  (316, 0, 0x0, ...
 03263   460   NtWaitForSingleObject  ... ) == 0x0
 03306  1700   NtSetEventBoostPriority  ... ) == 0x0
 03303   760   NtProtectVirtualMemory  ... (0x5f0e000), 4096, 4, ) == 0x0
 03309   460   NtSetEventBoostPriority  (316, ...
 03265  1336   NtWaitForSingleObject  ... ) == 0x0
 03310  1336   NtSetEventBoostPriority  (316, ...
 03272  1156   NtWaitForSingleObject  ... ) == 0x0
 03311  1156   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0
 03310  1336   NtSetEventBoostPriority  ... ) == 0x0
 03312   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03309   460   NtSetEventBoostPriority  ... ) == 0x0
 03313  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03314  1336   NtWaitForSingleObject  (316, 0, 0x0, ...
 03312   760   NtCreateThread  ... 960, {1764, 1604}, ) == 0x0
 03315   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03316  1156   NtSetEventBoostPriority  (316, ...
 03317   760   NtQueryInformationThread  (960, Basic, 28, ...
 03276  1200   NtWaitForSingleObject  ... ) == 0x0
 03316  1156   NtSetEventBoostPriority  ... ) == 0x0
 03318  1200   NtSetEventBoostPriority  (316, ...
 03317   760   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1764,Tid=1604,}, 0x0, ) == 0x0
 03282  1956   NtWaitForSingleObject  ... ) == 0x0
 03318  1200   NtSetEventBoostPriority  ... ) == 0x0
 03319  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03320  1956   NtSetEventBoostPriority  (316, ...
 03321   760   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1764, 760, 58109, 0}  (24, {28, 56, new_msg, 0, 1764, 760, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\6\0\0D\6\0\0" ...  ...
 03322  1200   NtWaitForSingleObject  (316, 0, 0x0, ...
 03283  1728   NtWaitForSingleObject  ... ) == 0x0
 03320  1956   NtSetEventBoostPriority  ... ) == 0x0
 03321   760   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1764, 760, 58110, 0}  ... {28, 56, reply, 0, 1764, 760, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\6\0\0D\6\0\0" )  ) == 0x0
 03323  1728   NtSetEventBoostPriority  (316, ...
 03285  2016   NtWaitForSingleObject  ... ) == 0x0
 03324  2016   NtSetEventBoostPriority  (316, ...
 03297  1920   NtWaitForSingleObject  ... ) == 0x0
 03325  1920   NtSetEventBoostPriority  (316, ...
 03298  1068   NtWaitForSingleObject  ... ) == 0x0
 03326  1068   NtSetEventBoostPriority  (316, ...
 03299  1556   NtWaitForSingleObject  ... ) == 0x0
 03327  1556   NtSetEventBoostPriority  (316, ...
 03300  1332   NtWaitForSingleObject  ... ) == 0x0
 03328  1332   NtSetEventBoostPriority  (316, ...
 03304  1808   NtWaitForSingleObject  ... ) == 0x0
 03329  1808   NtSetEventBoostPriority  (316, ...
 03305   896   NtWaitForSingleObject  ... ) == 0x0
 03330   896   NtSetEventBoostPriority  (316, ...
 03308   712   NtWaitForSingleObject  ... ) == 0x0
 03331   712   NtSetEventBoostPriority  (316, ...
 03307   432   NtWaitForSingleObject  ... ) == 0x0
 03332   432   NtSetEventBoostPriority  (316, ...
 03313  1700   NtWaitForSingleObject  ... ) == 0x0
 03333  1700   NtSetEventBoostPriority  (316, ...
 03315   460   NtWaitForSingleObject  ... ) == 0x0
 03334   460   NtSetEventBoostPriority  (316, ...
 03319  1156   NtWaitForSingleObject  ... ) == 0x0
 03335  1156   NtSetEventBoostPriority  (316, ...
 03314  1336   NtWaitForSingleObject  ... ) == 0x0
 03336  1336   NtSetEventBoostPriority  (316, ...
 03322  1200   NtWaitForSingleObject  ... ) == 0x0
 03337  1200   NtWaitForSingleObject  (792, 0, 0x0, ...
 03335  1156   NtSetEventBoostPriority  ... ) == 0x0
 03334   460   NtSetEventBoostPriority  ... ) == 0x0
 03333  1700   NtSetEventBoostPriority  ... ) == 0x0
 03331   712   NtSetEventBoostPriority  ... ) == 0x0
 03330   896   NtSetEventBoostPriority  ... ) == 0x0
 03329  1808   NtSetEventBoostPriority  ... ) == 0x0
 03328  1332   NtSetEventBoostPriority  ... ) == 0x0
 03327  1556   NtSetEventBoostPriority  ... ) == 0x0
 03326  1068   NtSetEventBoostPriority  ... ) == 0x0
 03325  1920   NtSetEventBoostPriority  ... ) == 0x0
 03324  2016   NtSetEventBoostPriority  ... ) == 0x0
 03323  1728   NtSetEventBoostPriority  ... ) == 0x0
 03338   760   NtResumeThread  (960, ...
 03336  1336   NtSetEventBoostPriority  ... ) == 0x0
 03332   432   NtSetEventBoostPriority  ... ) == 0x0
 03339  1956   NtAllocateVirtualMemory  (-1, 1449984, 0, 4096, 4096, 4, ...
 03340  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03341  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03342   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03343   712   NtWaitForSingleObject  (316, 0, 0x0, ...
 03344  1808   NtWaitForSingleObject  (316, 0, 0x0, ...
 03345   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03346  1332   NtSetEventBoostPriority  (792, ...
 03347  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03348  1920   NtWaitForSingleObject  (316, 0, 0x0, ...
 03349  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03350  2016   NtSetEventBoostPriority  (132, ...
 03338   760   NtResumeThread  ... 1, ) == 0x0
 03351  1336   NtWaitForSingleObject  (792, 0, 0x0, ...
 03352   432   NtWaitForSingleObject  (160, 0, 0x0, ...
 03339  1956   NtAllocateVirtualMemory  ... 1449984, 4096, ) == 0x0
 03353  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03354  1604   NtWaitForSingleObject  (132, 0, 0x0, ...
 03345   896   NtDuplicateObject  ... 964, ) == 0x0
 02931  1328   NtWaitForSingleObject  ... ) == 0x0
 03346  1332   NtSetEventBoostPriority  ... ) == 0x0
 03294  2012   NtWaitForSingleObject  ... ) == 0x0
 03350  2016   NtSetEventBoostPriority  ... ) == 0x0
 03355   760   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03356  1956   NtSetEventBoostPriority  (316, ...
 03357  1328   NtWaitForSingleObject  (316, 0, 0x0, ...
 03358   896   NtWaitForSingleObject  (316, 0, 0x0, ...
 03359  2012   NtWaitForSingleObject  (316, 0, 0x0, ...
 03360  1332   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 03361  2016   NtTestAlert  (...
 03355   760   NtAllocateVirtualMemory  ... 99680256, 1048576, ) == 0x0
 03340  1156   NtWaitForSingleObject  ... ) == 0x0
 03356  1956   NtSetEventBoostPriority  ... ) == 0x0
 03360  1332   NtWaitForSingleObject  ... ) == 0x102
 03361  2016   NtTestAlert  ... ) == 0x0
 03362  1156   NtSetEventBoostPriority  (316, ...
 03363  1956   NtWaitForSingleObject  (792, 0, 0x0, ...
 03364  1332   NtWaitForSingleObject  (160, 0, 0x0, ...
 03342   460   NtWaitForSingleObject  ... ) == 0x0
 03362  1156   NtSetEventBoostPriority  ... ) == 0x0
 03365  2016   NtContinue  (97582384, 1, ...
 03366   760   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ...
 03367   460   NtSetEventBoostPriority  (316, ...
 03368  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03369  2016   NtRegisterThreadTerminatePort  (24, ...
 03343   712   NtWaitForSingleObject  ... ) == 0x0
 03367   460   NtSetEventBoostPriority  ... ) == 0x0
 03366   760   NtAllocateVirtualMemory  ... 100720640, 8192, ) == 0x0
 03370   712   NtSetEventBoostPriority  (316, ...
 03371   460   NtWaitForSingleObject  (316, 0, 0x0, ...
 03341  1700   NtWaitForSingleObject  ... ) == 0x0
 03370   712   NtSetEventBoostPriority  ... ) == 0x0
 03372   760   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ...
 03369  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 03373  1700   NtSetEventBoostPriority  (316, ...
 03374   712   NtWaitForSingleObject  (316, 0, 0x0, ...
 03372   760   NtProtectVirtualMemory  ... (0x600e000), 4096, 4, ) == 0x0
 03347  1556   NtWaitForSingleObject  ... ) == 0x0
 03375  2016   NtWaitForSingleObject  (316, 0, 0x0, ...
 03373  1700   NtSetEventBoostPriority  ... ) == 0x0
 03376   760   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03377  1556   NtSetEventBoostPriority  (316, ...
 03378  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03344  1808   NtWaitForSingleObject  ... ) == 0x0
 03377  1556   NtSetEventBoostPriority  ... ) == 0x0
 03379  1808   NtSetEventBoostPriority  (316, ...
 03349  1068   NtWaitForSingleObject  ... ) == 0x0
 03380  1068   NtSetEventBoostPriority  (316, ...
 03353  1728   NtWaitForSingleObject  ... ) == 0x0
 03381  1728   NtSetEventBoostPriority  (316, ...
 03357  1328   NtWaitForSingleObject  ... ) == 0x0
 03382  1328   NtSetEventBoostPriority  (316, ...
 03359  2012   NtWaitForSingleObject  ... ) == 0x0
 03383  2012   NtSetEventBoostPriority  (316, ...
 03358   896   NtWaitForSingleObject  ... ) == 0x0
 03384   896   NtSetEventBoostPriority  (316, ...
 03348  1920   NtWaitForSingleObject  ... ) == 0x0
 03385  1920   NtSetEventBoostPriority  (316, ...
 03368  1156   NtWaitForSingleObject  ... ) == 0x0
 03386  1156   NtSetEventBoostPriority  (316, ...
 03371   460   NtWaitForSingleObject  ... ) == 0x0
 03387   460   NtSetEventBoostPriority  (316, ...
 03375  2016   NtWaitForSingleObject  ... ) == 0x0
 03388  2016   NtSetEventBoostPriority  (316, ...
 03378  1700   NtWaitForSingleObject  ... ) == 0x0
 03389  1700   NtSetEventBoostPriority  (316, ... ) == 0x0
 03388  2016   NtSetEventBoostPriority  ... ) == 0x0
 03384   896   NtSetEventBoostPriority  ... ) == 0x0
 03383  2012   NtSetEventBoostPriority  ... ) == 0x0
 03382  1328   NtSetEventBoostPriority  ... ) == 0x0
 03381  1728   NtSetEventBoostPriority  ... ) == 0x0
 03380  1068   NtSetEventBoostPriority  ... ) == 0x0
 03390  1556   NtWaitForSingleObject  (316, 0, 0x0, ...
 03387   460   NtSetEventBoostPriority  ... ) == 0x0
 03386  1156   NtSetEventBoostPriority  ... ) == 0x0
 03385  1920   NtSetEventBoostPriority  ... ) == 0x0
 03379  1808   NtSetEventBoostPriority  ... ) == 0x0
 03376   760   NtCreateThread  ... 968, {1764, 1572}, ) == 0x0
 03374   712   NtWaitForSingleObject  ... ) == 0x0
 03391  1700   NtWaitForSingleObject  (316, 0, 0x0, ...
 03392  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03393   896   NtWaitForSingleObject  (792, 0, 0x0, ...
 03394  2012   NtSetEventBoostPriority  (132, ...
 03395  1728   NtWaitForSingleObject  (316, 0, 0x0, ...
 03396  1068   NtWaitForSingleObject  (316, 0, 0x0, ...
 03397  1328   NtSetEventBoostPriority  (792, ...
 03398   460   NtWaitForSingleObject  (792, 0, 0x0, ...
 03399  1156   NtWaitForSingleObject  (316, 0, 0x0, ...
 03400  1920   NtWaitForSingleObject  (792, 0, 0x0, ...
 03401  1808   NtSetEventBoostPriority  (160, ...
 03402   760   NtQueryInformationThread  (968, Basic, 28, ...
NtAdjustPrivilegesToken(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryInformationToken(>)	7	NtFlushInstructionCache(>)	53
NtDelayExecution(>)	1	NtNotifyChangeKey(>)	2	NtCreateFile(>)	8	NtContinue(>)	86
NtGdiCreateBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtQueryInformationProcess(>)	8	NtCreateEvent(>)	90
NtGdiInit(>)	1	NtQueryDefaultUILanguage(>)	2	NtQueryVirtualMemory(>)	9	NtMapViewOfSection(>)	102
NtGdiQueryFontAssocInfo(>)	1	NtSetInformationObject(>)	2	NtUserFindExistingCursorIcon(>)	9	NtWriteVirtualMemory(>)	116
NtGdiSelectBitmap(>)	1	NtUserGetObjectInformation(>)	2	NtFsControlFile(>)	10	NtQuerySystemInformation(>)	119
NtOpenKeyedEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtSetInformationThread(>)	11	NtOpenKey(>)	127
NtOpenSymbolicLinkObject(>)	1	NtOpenProcessToken(>)	3	NtOpenThreadToken(>)	12	NtCreateThread(>)	128
NtQueryInstallUILanguage(>)	1	NtOpenProcessTokenEx(>)	3	NtSetInformationFile(>)	12	NtQueryInformationThread(>)	130
NtQueryObject(>)	1	NtOpenThreadTokenEx(>)	3	NtQuerySection(>)	13	NtResumeThread(>)	135
NtQueryPerformanceCounter(>)	1	NtQueryDefaultLocale(>)	3	NtUserRegisterClassExWOW(>)	14	NtTestAlert(>)	160
NtQuerySymbolicLinkObject(>)	1	NtQueryVolumeInformationFile(>)	3	NtSetValueKey(>)	17	NtRegisterThreadTerminatePort(>)	165
NtQuerySystemTime(>)	1	NtReadFile(>)	3	NtCreateKey(>)	23	NtRequestWaitReplyPort(>)	177
NtRaiseException(>)	1	NtSecureConnectPort(>)	3	NtCreateSection(>)	24	NtDuplicateObject(>)	184
NtSetInformationProcess(>)	1	NtFreeVirtualMemory(>)	4	NtOpenFile(>)	25	NtQueryValueKey(>)	255
NtUserCallNoParam(>)	1	NtWriteFile(>)	4	NtOpenProcess(>)	29	NtClose(>)	269
NtUserGetProcessWindowStation(>)	1	NtGdiGetStockObject(>)	5	NtDeviceIoControlFile(>)	36	NtAllocateVirtualMemory(>)	338
NtUserGetThreadDesktop(>)	1	NtCreateMutant(>)	6	NtQueryAttributesFile(>)	41	NtProtectVirtualMemory(>)	362
NtCallbackReturn(>)	2	NtConnectPort(>)	7	NtUnmapViewOfSection(>)	45	NtSetEventBoostPriority(>)	652
NtCreateIoCompletion(>)	2	NtQueryInformationFile(>)	7	NtOpenSection(>)	50	NtWaitForSingleObject(>)	858