Summary:





NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtFsControlFile(>)  7 
NtCreateEvent(>)  63 


NtGdiCreateBitmap(>)  1 
NtOpenProcessToken(>)  2 
NtQueryInformationFile(>)  7 
NtQueryAttributesFile(>)  65 


NtGdiInit(>)  1 
NtOpenProcessTokenEx(>)  2 
NtUnmapViewOfSection(>)  7 
NtContinue(>)  99 


NtGdiQueryFontAssocInfo(>)  1 
NtOpenThreadTokenEx(>)  2 
NtSetInformationThread(>)  8 
NtOpenKey(>)  103 


NtGdiSelectBitmap(>)  1 
NtQueryDefaultLocale(>)  2 
NtOpenThreadToken(>)  9 
NtQuerySystemInformation(>)  119 


NtOpenKeyedEvent(>)  1 
NtReadFile(>)  2 
NtQueryVirtualMemory(>)  9 
NtResumeThread(>)  164 


NtOpenSymbolicLinkObject(>)  1 
NtSetInformationObject(>)  2 
NtSetInformationFile(>)  9 
NtCreateThread(>)  167 


NtQueryObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtQueryInformationThread(>)  176 


NtQueryPerformanceCounter(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQuerySection(>)  11 
NtClose(>)  182 


NtQuerySymbolicLinkObject(>)  1 
NtSecureConnectPort(>)  3 
NtSetValueKey(>)  14 
NtTestAlert(>)  190 


NtQuerySystemTime(>)  1 
NtCreateIoCompletion(>)  4 
NtUserRegisterClassExWOW(>)  14 
NtRegisterThreadTerminatePort(>)  191 


NtRaiseException(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtCreateSection(>)  18 
NtDuplicateObject(>)  196 


NtSetInformationProcess(>)  1 
NtWriteFile(>)  4 
NtCreateKey(>)  19 
NtRequestWaitReplyPort(>)  206 


NtUserCallNoParam(>)  1 
NtGdiGetStockObject(>)  5 
NtOpenFile(>)  19 
NtQueryValueKey(>)  224 


NtUserGetThreadDesktop(>)  1 
NtQueryInformationToken(>)  5 
NtOpenSection(>)  23 
NtProtectVirtualMemory(>)  263 


NtCreateMutant(>)  2 
NtConnectPort(>)  6 
NtMapViewOfSection(>)  32 
NtAllocateVirtualMemory(>)  426 


NtGdiCreateSolidBrush(>)  2 
NtQueryInformationProcess(>)  6 
NtDeviceIoControlFile(>)  36 
NtSetEventBoostPriority(>)  745 


NtNotifyChangeKey(>)  2 
NtCreateFile(>)  7 
NtFlushInstructionCache(>)  44 
NtWaitForSingleObject(>)  1041 





Trace:

 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x409000), 98320, 4, ... (0x409000), 102400, 128, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x409000), 102400, 128, ... (0x409000), 102400, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 4231168, 98320, ... ) == 0x0
 00064  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068  1736   NtClose  (16, ... ) == 0x0
 00069  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071  1736   NtClose  (16, ... ) == 0x0
 00072  1736   NtTestAlert  (... ) == 0x0
 00073  1736   NtContinue  (1244464, 1, ...
 00074  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00075  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076  1736   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077  1736   NtClose  (16, ... ) == 0x0
 00078  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00082  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085  1736   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00095  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00100  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00101  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00102  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00103  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104  1736   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00110  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00111  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00113  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00114  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00116  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00117  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242948, ... ) }, 1242948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00118  1736   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00119  1736   NtContinue  (1244400, 0, ...
 00120  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00121  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00122  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00123  1736   NtClose  (16, ... ) == 0x0
 00124  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00125  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00126  1736   NtClose  (16, ... ) == 0x0
 00127  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00128  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00129  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00130  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00131  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00132  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00133  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00134  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00135  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00136  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00137  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00138  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00139  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00140  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00141  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00142  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00143  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00144  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00145  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00146  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00147  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00148  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00149  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00150  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00151  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00152  1736   NtClose  (16, ... ) == 0x0
 00153  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00154  1736   NtClose  (28, ... ) == 0x0
 00155  1736   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00156  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00157  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00158  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00159  1736   NtClose  (28, ... ) == 0x0
 00160  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00161  1736   NtClose  (16, ... ) == 0x0
 00162  1736   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00163  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00164  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00165  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00166  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00167  1736   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00168  1736   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00169  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00170  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00171  1736   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00172  1736   NtClose  (36, ... ) == 0x0
 00173  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00174  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00175  1736   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00176  1736   NtClose  (36, ... ) == 0x0
 00177  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00178  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179  1736   NtClose  (32, ... ) == 0x0
 00180  1736   NtClose  (16, ... ) == 0x0
 00181  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00182  1736   NtClose  (28, ... ) == 0x0
 00183  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00184  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00185  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00186  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00187  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00188  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00189  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00190  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00191  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00192  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00193  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00194  1736   NtClose  (28, ... ) == 0x0
 00195  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00196  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00197  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00198  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00199  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00200  1736   NtClose  (28, ... ) == 0x0
 00201  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00202  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00203  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00204  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00205  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00206  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00207  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00208  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00209  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00210  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00211  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00212  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00213  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00214  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00215  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00217  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00218  1736   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00219  1736   NtClose  (28, ... ) == 0x0
 00220  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00221  1736   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00222  1736   NtClose  (28, ... ) == 0x0
 00223  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00224  1736   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00225  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00226  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00227  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00228  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00229  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00231  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00232  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00234  1736   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235  1736   NtClose  (16, ... ) == 0x0
 00236  1736   NtMapViewOfSection  (-2147481380, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0
 00237  1736   NtClose  (-2147481380, ... ) == 0x0
 00238  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00239  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00240  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147481380, ) == 0x0
 00241  1736   NtQueryInformationToken  (-2147481380, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00242  1736   NtQueryInformationToken  (-2147481380, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00243  1736   NtClose  (-2147481380, ... ) == 0x0
 00244  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5505024, 4096, ) == 0x0
 00245  1736   NtFreeVirtualMemory  (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0
 00246  1736   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00247  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481380, ) }, ... -2147481380, ) == 0x0
 00248  1736   NtQueryValueKey  (-2147481380,  (-2147481380, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249  1736   NtClose  (-2147481380, ... ) == 0x0
 00250  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481380, ) }, ... -2147481380, ) == 0x0
 00251  1736   NtQueryValueKey  (-2147481380,  (-2147481380, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252  1736   NtClose  (-2147481380, ... ) == 0x0
 00253  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00254  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00255  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00256  1736   NtGdiCreateCompatibleDC  (0, ...
 00257  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0
 00256  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00258  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00259  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00260  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00261  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00262  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00261  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00263  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00264  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00265  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00266  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00267  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00268  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00269  1736   NtClose  (44, ... ) == 0x0
 00270  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00271  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017
 00272  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00273  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c
 00274  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00275  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e
 00276  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00277  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002
 00278  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00279  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018
 00280  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00281  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a
 00282  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00283  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d
 00284  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00285  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026
 00286  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00287  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019
 00288  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020
 00289  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022
 00290  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023
 00291  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024
 00292  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025
 00293  1736   NtCallbackReturn  (0, 0, 0, ...
 00294  1736   NtGdiInit  (... ) == 0x1
 00295  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00296  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00297  1736   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0
 00298  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00300  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00302  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00303  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00304  1736   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00305  1736   NtClose  (44, ... ) == 0x0
 00306  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00307  1736   NtClose  (48, ... ) == 0x0
 00308  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00309  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00310  1736   NtClose  (48, ... ) == 0x0
 00311  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00312  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00313  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00314  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00315  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00316  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00317  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00319  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00320  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00321  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00322  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00323  1736   NtClose  (48, ... ) == 0x0
 00324  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00325  1736   NtClose  (44, ... ) == 0x0
 00326  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00327  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00328  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00329  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00330  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00331  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00332  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00333  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00334  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00335  1736   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00336  1736   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00337  1736   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00338  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00339  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00340  1736   NtClose  (44, ... ) == 0x0
 00341  1736   NtAllocateVirtualMemory  (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0
 00342  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00343  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00344  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00345  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00346  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00347  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00349  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00350  1736   NtFreeVirtualMemory  (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0
 00351  1736   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00352  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00353  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00354  1736   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00355  1736   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00356  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0
 00357  1736   NtAllocateVirtualMemory  (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0
 00358  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00359  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00360  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00361  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00362  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00363  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00364  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00365  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00366  1736   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00367  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00368  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00369  1736   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00370  1736   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00371  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00372  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00373  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00374  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00375  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0x\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0x\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0y\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0x\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0x\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0y\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0x\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0x\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0y\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00376  1736   NtClose  (68, ... ) == 0x0
 00377  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00378  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00379  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00380  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0}\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0}\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0~\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0}\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0}\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0~\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0}\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0}\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0~\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00381  1736   NtClose  (68, ... ) == 0x0
 00382  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00383  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00384  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00385  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00386  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00387  1736   NtClose  (68, ... ) == 0x0
 00388  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00389  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00390  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00391  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00392  1736   NtClose  (68, ... ) == 0x0
 00393  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00394  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00395  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00396  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00397  1736   NtClose  (68, ... ) == 0x0
 00398  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00399  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00400  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00401  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\222\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\223\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\222\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\223\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\222\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\222\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\223\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00402  1736   NtClose  (68, ... ) == 0x0
 00403  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00404  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00405  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00406  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00407  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00408  1736   NtClose  (68, ... ) == 0x0
 00409  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00410  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00411  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00412  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00413  1736   NtClose  (68, ... ) == 0x0
 00414  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00415  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00416  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00417  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00418  1736   NtClose  (68, ... ) == 0x0
 00419  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00420  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00421  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00422  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\247\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\250\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\247\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\250\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\247\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\247\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\250\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00423  1736   NtClose  (68, ... ) == 0x0
 00424  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00425  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00426  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00427  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\254\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\254\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\255\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\254\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\254\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\255\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\254\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\254\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\255\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00428  1736   NtClose  (68, ... ) == 0x0
 00429  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00430  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00431  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00432  1736   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00433  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00434  1736   NtClose  (68, ... ) == 0x0
 00435  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00436  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00437  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00438  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00439  1736   NtClose  (68, ... ) == 0x0
 00440  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00441  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00442  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00443  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00444  1736   NtClose  (68, ... ) == 0x0
 00445  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00446  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00447  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00448  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\302\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\302\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\302\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00449  1736   NtClose  (68, ... ) == 0x0
 00450  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00451  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00452  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00453  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00454  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\307\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\310\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\307\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\310\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\307\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\310\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\311\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00455  1736   NtClose  (68, ... ) == 0x0
 00456  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00457  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00458  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00459  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\314\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\315\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\314\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\315\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\314\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\315\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00460  1736   NtClose  (68, ... ) == 0x0
 00461  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00462  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00463  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00464  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\321\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\321\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\322\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\323\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\240\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\240\375\177\6\0\0\0\4-\201\367\224\377\22\0\1\0\0\0\340\377\22\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\321\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\321\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\322\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\323\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\240\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\240\375\177\6\0\0\0\4-\201\367\224\377\22\0\1\0\0\0\340\377\22\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\240\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\240\375\177\6\0\0\0\4-\201\367\224\377\22\0\1\0\0\0\340\377\22\0"}, 900, ) == 0x0
 00465  1736   NtClose  (68, ... ) == 0x0
 00466  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00467  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00468  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00469  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\327\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\327\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\327\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00470  1736   NtClose  (68, ... ) == 0x0
 00471  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00472  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00473  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00474  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\333\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\333\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\334\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\333\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\333\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\334\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\333\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\333\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\334\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00475  1736   NtClose  (68, ... ) == 0x0
 00476  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00477  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00478  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00479  1736   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00480  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\341\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\341\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\342\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\341\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\341\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\342\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\341\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\341\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\342\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00481  1736   NtClose  (68, ... ) == 0x0
 00482  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00483  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00484  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00485  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\346\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\346\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\347\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\351\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\351\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\352\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300P\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\346\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\346\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\347\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\351\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\351\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\352\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300P\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\346\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\346\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\347\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\351\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\351\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\352\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300P\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00486  1736   NtClose  (68, ... ) == 0x0
 00487  1736   NtClose  (64, ... ) == 0x0
 00488  1736   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00489  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00490  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00491  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00492  1736   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00493  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00494  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00495  1736   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00496  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00497  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00498  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00499  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00500  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00501  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00502  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00503  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00504  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00505  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00507  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00508  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00509  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00510  1736   NtClose  (76, ... ) == 0x0
 00511  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00512  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00513  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00514  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00515  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00516  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00517  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00518  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00519  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00521  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00522  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00523  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00524  1736   NtClose  (76, ... ) == 0x0
 00525  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00526  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00527  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00528  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00529  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00530  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00531  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00532  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00533  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00535  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00537  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00538  1736   NtClose  (76, ... ) == 0x0
 00539  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00540  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00541  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00542  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00543  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00544  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00545  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00546  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00547  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00548  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00550  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00551  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00552  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00553  1736   NtClose  (76, ... ) == 0x0
 00554  1736   NtClose  (72, ... ) == 0x0
 00555  1736   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00556  1736   NtClose  (52, ... ) == 0x0
 00557  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00558  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00559  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00560  1736   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561  1736   NtClose  (52, ... ) == 0x0
 00562  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00563  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00564  1736   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00565  1736   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00566  1736   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00567  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00568  1736   NtQueryInformationFile  (72, 1356912, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00569  1736   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00570  1736   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00571  1736   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00572  1736   NtClose  (-2147481380, ... ) == 0x0
 00571  1736   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00573  1736   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00574  1736   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00575  1736   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00576  1736   NtQueryVolumeInformationFile  (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00577  1736   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00578  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00579  1736   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 90112, ) == 0x0
 00580  1736   NtClose  (80, ... ) == 0x0
 00581  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00582  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 28176, 0x0, 0, ... {status=0x0, info=28176}, ) , 28176, 0x0, 0, ... {status=0x0, info=28176}, ) == 0x0
 00583  1736   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 00584  1736   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00585  1736   NtClose  (72, ... ) == 0x0
 00586  1736   NtClose  (76, ... ) == 0x0
 00587  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00588  1736   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00589  1736   NtSetInformationFile  (-2147482448, -139348176, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00590  1736   NtSetInformationFile  (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00591  1736   NtSetInformationFile  (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00588  1736   NtSetValueKey  ... ) == 0x0
 00592  1736   NtClose  (76, ... ) == 0x0
 00593  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00594  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0
 00595  1736   NtAllocateVirtualMemory  (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0
 00596  1736   NtProtectVirtualMemory  (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0
 00597  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 1356}, ) == 0x0
 00598  1736   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 00599  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75480, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 00600  1736   NtResumeThread  (72, ... 1, ) == 0x0
 00601  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0
 00602  1736   NtAllocateVirtualMemory  (-1, 12115968, 0, 8192, 4096, 4, ...
 00603  1356   NtTestAlert  (... ) == 0x0
 00604  1356   NtContinue  (11074864, 1, ...
 00605  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00606  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00607  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00608  1356   NtAllocateVirtualMemory  (-1, 11063296, 0, 4096, 4096, 260, ...
 00602  1736   NtAllocateVirtualMemory  ... 12115968, 8192, ) == 0x0
 00609  1736   NtProtectVirtualMemory  (-1, (0xb8e000), 4096, 260, ... (0xb8e000), 4096, 4, ) == 0x0
 00610  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 868}, ) == 0x0
 00611  1736   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 00612  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75481, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 00613  1736   NtResumeThread  (84, ... 1, ) == 0x0
 00608  1356   NtAllocateVirtualMemory  ... 11063296, 4096, ) == 0x0
 00614   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00615  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071988, ... }, 11071988, ...
 00614   868   NtCreateEvent  ... 88, ) == 0x0
 00615  1356   NtQueryAttributesFile  ... ) == 0x0
 00616   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00617  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12124160, 1048576, ) == 0x0
 00618  1736   NtAllocateVirtualMemory  (-1, 13164544, 0, 8192, 4096, 4, ... 13164544, 8192, ) == 0x0
 00619  1736   NtProtectVirtualMemory  (-1, (0xc8e000), 4096, 260, ... (0xc8e000), 4096, 4, ) == 0x0
 00620  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 808}, ) == 0x0
 00621  1736   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 00622  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ...  ...
 00623  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00624  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 96, ... 100, ) == 0x0
 00625  1356   NtClose  (96, ... ) == 0x0
 00622  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75482, 0}  ... {28, 56, reply, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 00626  1736   NtResumeThread  (92, ... 1, ) == 0x0
 00627  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13172736, 1048576, ) == 0x0
 00628  1736   NtAllocateVirtualMemory  (-1, 14213120, 0, 8192, 4096, 4, ... 14213120, 8192, ) == 0x0
 00629  1736   NtProtectVirtualMemory  (-1, (0xd8e000), 4096, 260, ... (0xd8e000), 4096, 4, ) == 0x0
 00630  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 2020}, ) == 0x0
 00631  1736   NtQueryInformationThread  (96, Basic, 28, ...
 00632  1356   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 00633   808   NtWaitForSingleObject  (88, 0, 0x0, ...
 00632  1356   NtMapViewOfSection  ... (0xd90000), 0x0, 245760, ) == 0x0
 00634  1356   NtClose  (100, ... ) == 0x0
 00631  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 00635  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75483, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 00636  1736   NtResumeThread  (96, ... 1, ) == 0x0
 00637  1356   NtUnmapViewOfSection  (-1, 0xd90000, ...
 00638  2020   NtWaitForSingleObject  (88, 0, 0x0, ...
 00637  1356   NtUnmapViewOfSection  ... ) == 0x0
 00639  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072296, ... ) }, 11072296, ... ) == 0x0
 00640  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00641  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0
 00642  1356   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00643  1356   NtClose  (100, ... ) == 0x0
 00644  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14221312, 1048576, ) == 0x0
 00645  1736   NtAllocateVirtualMemory  (-1, 15261696, 0, 8192, 4096, 4, ... 15261696, 8192, ) == 0x0
 00646  1736   NtProtectVirtualMemory  (-1, (0xe8e000), 4096, 260, ... (0xe8e000), 4096, 4, ) == 0x0
 00647  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1636, 896}, ) == 0x0
 00648  1736   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 00649  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" ...  ...
 00650  1356   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00651  1356   NtClose  (104, ... ) == 0x0
 00652  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00649  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75484, 0}  ... {28, 56, reply, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 00653  1736   NtResumeThread  (100, ... 1, ) == 0x0
 00654  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15269888, 1048576, ) == 0x0
 00655  1736   NtAllocateVirtualMemory  (-1, 16310272, 0, 8192, 4096, 4, ... 16310272, 8192, ) == 0x0
 00656  1736   NtProtectVirtualMemory  (-1, (0xf8e000), 4096, 260, ... (0xf8e000), 4096, 4, ) == 0x0
 00657  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1636, 1252}, ) == 0x0
 00658  1736   NtQueryInformationThread  (104, Basic, 28, ...
 00659  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00660   896   NtWaitForSingleObject  (88, 0, 0x0, ...
 00659  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00661  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00662  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00663  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00664  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00658  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 00665  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75485, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 00666  1736   NtResumeThread  (104, ... 1, ) == 0x0
 00667  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16318464, 1048576, ) == 0x0
 00668  1736   NtAllocateVirtualMemory  (-1, 17358848, 0, 8192, 4096, 4, ... 17358848, 8192, ) == 0x0
 00669  1736   NtProtectVirtualMemory  (-1, (0x108e000), 4096, 260, ... (0x108e000), 4096, 4, ) == 0x0
 00670  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 00671  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00670  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 00672  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00673  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00674  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 108, {1636, 2016}, ) == 0x0
 00675  1736   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 00676  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" ...  ...
 00677  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678  1356   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00676  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75486, 0}  ... {28, 56, reply, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 00679  1736   NtResumeThread  (108, ... 1, ) == 0x0
 00680  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17367040, 1048576, ) == 0x0
 00681  1736   NtAllocateVirtualMemory  (-1, 18407424, 0, 8192, 4096, 4, ... 18407424, 8192, ) == 0x0
 00682  1736   NtProtectVirtualMemory  (-1, (0x118e000), 4096, 260, ... (0x118e000), 4096, 4, ) == 0x0
 00683  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 112, {1636, 2012}, ) == 0x0
 00684  1736   NtQueryInformationThread  (112, Basic, 28, ...
 00685  1356   NtQuerySystemInformation  (Processor, 12, ...
 00686  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 00685  1356   NtQuerySystemInformation  ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00687  1356   NtSetEventBoostPriority  (88, ...
 00616   868   NtWaitForSingleObject  ... ) == 0x0
 00688   868   NtSetEventBoostPriority  (88, ...
 00633   808   NtWaitForSingleObject  ... ) == 0x0
 00689   808   NtSetEventBoostPriority  (88, ...
 00638  2020   NtWaitForSingleObject  ... ) == 0x0
 00690  2020   NtSetEventBoostPriority  (88, ...
 00660   896   NtWaitForSingleObject  ... ) == 0x0
 00691   896   NtSetEventBoostPriority  (88, ...
 00671  1252   NtWaitForSingleObject  ... ) == 0x0
 00692  1252   NtSetEventBoostPriority  (88, ...
 00686  2016   NtWaitForSingleObject  ... ) == 0x0
 00693  2016   NtTestAlert  (... ) == 0x0
 00692  1252   NtSetEventBoostPriority  ... ) == 0x0
 00691   896   NtSetEventBoostPriority  ... ) == 0x0
 00690  2020   NtSetEventBoostPriority  ... ) == 0x0
 00689   808   NtSetEventBoostPriority  ... ) == 0x0
 00688   868   NtSetEventBoostPriority  ... ) == 0x0
 00687  1356   NtSetEventBoostPriority  ... ) == 0x0
 00684  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 00694  2016   NtContinue  (17366320, 1, ...
 00695  1252   NtTestAlert  (...
 00696   896   NtTestAlert  (...
 00697  2020   NtTestAlert  (...
 00698   808   NtTestAlert  (...
 00699  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00700  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0d\6\0\0\334\7\0\0" ...  ...
 00701  2016   NtRegisterThreadTerminatePort  (24, ...
 00695  1252   NtTestAlert  ... ) == 0x0
 00696   896   NtTestAlert  ... ) == 0x0
 00697  2020   NtTestAlert  ... ) == 0x0
 00698   808   NtTestAlert  ... ) == 0x0
 00699  1356   NtCreateEvent  ... 116, ) == 0x0
 00700  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75487, 0}  ... {28, 56, reply, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 00701  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 00702  1252   NtContinue  (16317744, 1, ...
 00703   896   NtContinue  (15269168, 1, ...
 00704  2020   NtContinue  (14220592, 1, ...
 00705   808   NtContinue  (13172016, 1, ...
 00706   868   NtTestAlert  (...
 00707  1736   NtResumeThread  (112, ...
 00708  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00709  1252   NtRegisterThreadTerminatePort  (24, ...
 00710   896   NtRegisterThreadTerminatePort  (24, ...
 00711  2020   NtRegisterThreadTerminatePort  (24, ...
 00712   808   NtRegisterThreadTerminatePort  (24, ...
 00706   868   NtTestAlert  ... ) == 0x0
 00707  1736   NtResumeThread  ... 1, ) == 0x0
 00708  2016   NtDuplicateObject  ... 120, ) == 0x0
 00709  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 00710   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 00711  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 00712   808   NtRegisterThreadTerminatePort  ... ) == 0x0
 00713   868   NtContinue  (12123440, 1, ...
 00714  1356   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00715  2012   NtWaitForSingleObject  (88, 0, 0x0, ...
 00716  2016   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00717  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00718   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00719  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00720   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00721   868   NtRegisterThreadTerminatePort  (24, ...
 00714  1356   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00722  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00716  2016   NtWaitForSingleObject  ... ) == 0x102
 00717  1252   NtDuplicateObject  ... 124, ) == 0x0
 00718   896   NtDuplicateObject  ... 128, ) == 0x0
 00719  2020   NtDuplicateObject  ... 132, ) == 0x0
 00721   868   NtRegisterThreadTerminatePort  ... ) == 0x0
 00723  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00722  1736   NtAllocateVirtualMemory  ... 18415616, 1048576, ) == 0x0
 00724  2016   NtAllocateVirtualMemory  (-1, 17354752, 0, 4096, 4096, 260, ...
 00725  1252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00726   896   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00727  2020   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00728   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00729  1736   NtAllocateVirtualMemory  (-1, 19456000, 0, 8192, 4096, 4, ...
 00724  2016   NtAllocateVirtualMemory  ... 17354752, 4096, ) == 0x0
 00725  1252   NtWaitForSingleObject  ... ) == 0x102
 00726   896   NtWaitForSingleObject  ... ) == 0x102
 00727  2020   NtWaitForSingleObject  ... ) == 0x102
 00720   808   NtDuplicateObject  ... 136, ) == 0x0
 00729  1736   NtAllocateVirtualMemory  ... 19456000, 8192, ) == 0x0
 00730  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 00731  1252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00732   896   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00733  2020   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00734   808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00735  1736   NtProtectVirtualMemory  (-1, (0x128e000), 4096, 260, ...
 00731  1252   NtCreateEvent  ... 140, ) == 0x0
 00732   896   NtCreateEvent  ... 144, ) == 0x0
 00733  2020   NtCreateEvent  ... 148, ) == 0x0
 00734   808   NtWaitForSingleObject  ... ) == 0x102
 00735  1736   NtProtectVirtualMemory  ... (0x128e000), 4096, 4, ) == 0x0
 00728   868   NtDuplicateObject  ... 152, ) == 0x0
 00736  1252   NtWaitForSingleObject  (140, 0, 0x0, ...
 00737   896   NtClose  (144, ...
 00738   808   NtWaitForSingleObject  (140, 0, 0x0, ...
 00739  2020   NtClose  (148, ...
 00723  1356   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00740   868   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00737   896   NtClose  ... ) == 0x0
 00739  2020   NtClose  ... ) == 0x0
 00741  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00740   868   NtWaitForSingleObject  ... ) == 0x102
 00742   896   NtWaitForSingleObject  (140, 0, 0x0, ...
 00743  2020   NtWaitForSingleObject  (140, 0, 0x0, ...
 00741  1356   NtQueryAttributesFile  ... ) == 0x0
 00744   868   NtWaitForSingleObject  (140, 0, 0x0, ...
 00745  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 00746  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 148, ... 144, ) == 0x0
 00747  1356   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00748  1356   NtClose  (148, ... ) == 0x0
 00749  1356   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00750  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1636, 1028}, ) == 0x0
 00751  1736   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 00752  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75488, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 00753  1736   NtResumeThread  (148, ... 1, ) == 0x0
 00754  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19464192, 1048576, ) == 0x0
 00755  1736   NtAllocateVirtualMemory  (-1, 20504576, 0, 8192, 4096, 4, ...
 00749  1356   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 00756  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00757  1356   NtClose  (144, ... ) == 0x0
 00758  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00759  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00760  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00761  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00762  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00755  1736   NtAllocateVirtualMemory  ... 20504576, 8192, ) == 0x0
 00763  1736   NtProtectVirtualMemory  (-1, (0x138e000), 4096, 260, ... (0x138e000), 4096, 4, ) == 0x0
 00764  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1636, 384}, ) == 0x0
 00765  1736   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 00766  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75489, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 00767  1736   NtResumeThread  (144, ... 1, ) == 0x0
 00762  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00768   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00769  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00770  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00771  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00772  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00773  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00774  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00775  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20512768, 1048576, ) == 0x0
 00776  1736   NtAllocateVirtualMemory  (-1, 21553152, 0, 8192, 4096, 4, ... 21553152, 8192, ) == 0x0
 00777  1736   NtProtectVirtualMemory  (-1, (0x148e000), 4096, 260, ... (0x148e000), 4096, 4, ) == 0x0
 00778  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 156, {1636, 1180}, ) == 0x0
 00779  1736   NtQueryInformationThread  (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 00780  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ...  ...
 00774  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00781  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00782  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00783  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00780  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75490, 0}  ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 00784  1736   NtResumeThread  (156, ... 1, ) == 0x0
 00785  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21561344, 1048576, ) == 0x0
 00786  1736   NtAllocateVirtualMemory  (-1, 22601728, 0, 8192, 4096, 4, ... 22601728, 8192, ) == 0x0
 00787  1736   NtProtectVirtualMemory  (-1, (0x158e000), 4096, 260, ... (0x158e000), 4096, 4, ) == 0x0
 00788  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 160, {1636, 420}, ) == 0x0
 00789  1736   NtQueryInformationThread  (160, Basic, 28, ...
 00783  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00790  1180   NtWaitForSingleObject  (88, 0, 0x0, ...
 00791  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00792  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00793  1356   NtSetEventBoostPriority  (88, ...
 00715  2012   NtWaitForSingleObject  ... ) == 0x0
 00794  2012   NtSetEventBoostPriority  (88, ...
 00730  2016   NtWaitForSingleObject  ... ) == 0x0
 00795  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 17361872, ... ) }, 17361872, ... ) == 0x0
 00794  2012   NtSetEventBoostPriority  ... ) == 0x0
 00793  1356   NtSetEventBoostPriority  ... ) == 0x0
 00789  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 00796  2016   NtSetEventBoostPriority  (88, ...
 00797  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00798  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\244\1\0\0" ...  ...
 00756  1028   NtWaitForSingleObject  ... ) == 0x0
 00796  2016   NtSetEventBoostPriority  ... ) == 0x0
 00799  1028   NtSetEventBoostPriority  (88, ...
 00798  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75491, 0}  ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 00768   384   NtWaitForSingleObject  ... ) == 0x0
 00799  1028   NtSetEventBoostPriority  ... ) == 0x0
 00800  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 00801   384   NtSetEventBoostPriority  (88, ...
 00802  1736   NtResumeThread  (160, ...
 00803  2012   NtTestAlert  (...
 00790  1180   NtWaitForSingleObject  ... ) == 0x0
 00801   384   NtSetEventBoostPriority  ... ) == 0x0
 00802  1736   NtResumeThread  ... 1, ) == 0x0
 00804  1180   NtSetEventBoostPriority  (88, ...
 00803  2012   NtTestAlert  ... ) == 0x0
 00805  1028   NtTestAlert  (...
 00806   420   NtWaitForSingleObject  (88, 0, 0x0, ...
 00807   384   NtTestAlert  (...
 00797  1356   NtWaitForSingleObject  ... ) == 0x0
 00804  1180   NtSetEventBoostPriority  ... ) == 0x0
 00808  2012   NtContinue  (18414896, 1, ...
 00805  1028   NtTestAlert  ... ) == 0x0
 00809  1356   NtSetEventBoostPriority  (88, ...
 00807   384   NtTestAlert  ... ) == 0x0
 00810  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00811  2012   NtRegisterThreadTerminatePort  (24, ...
 00800  2016   NtWaitForSingleObject  ... ) == 0x0
 00809  1356   NtSetEventBoostPriority  ... ) == 0x0
 00812  1028   NtContinue  (19463472, 1, ...
 00813   384   NtContinue  (20512048, 1, ...
 00810  1736   NtAllocateVirtualMemory  ... 22609920, 1048576, ) == 0x0
 00814  2016   NtSetEventBoostPriority  (88, ...
 00811  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00815  1180   NtTestAlert  (...
 00816  1028   NtRegisterThreadTerminatePort  (24, ...
 00817   384   NtRegisterThreadTerminatePort  (24, ...
 00806   420   NtWaitForSingleObject  ... ) == 0x0
 00814  2016   NtSetEventBoostPriority  ... ) == 0x0
 00818  1736   NtAllocateVirtualMemory  (-1, 23650304, 0, 8192, 4096, 4, ...
 00819  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00815  1180   NtTestAlert  ... ) == 0x0
 00816  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00820   420   NtTestAlert  (...
 00817   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00821  1356   NtQuerySystemInformation  (Basic, 44, ...
 00818  1736   NtAllocateVirtualMemory  ... 23650304, 8192, ) == 0x0
 00822  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00823  1180   NtContinue  (21560624, 1, ...
 00820   420   NtTestAlert  ... ) == 0x0
 00824  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00825   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00821  1356   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00826  1736   NtProtectVirtualMemory  (-1, (0x168e000), 4096, 260, ...
 00822  2016   NtCreateEvent  ... 164, ) == 0x0
 00827  1180   NtRegisterThreadTerminatePort  (24, ...
 00819  2012   NtDuplicateObject  ... 168, ) == 0x0
 00828   420   NtContinue  (22609200, 1, ...
 00824  1028   NtDuplicateObject  ... 172, ) == 0x0
 00829  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00826  1736   NtProtectVirtualMemory  ... (0x168e000), 4096, 4, ) == 0x0
 00830  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00827  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 00831  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00832   420   NtRegisterThreadTerminatePort  (24, ...
 00833  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00829  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   384   NtDuplicateObject  ... 176, ) == 0x0
 00830  2016   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00831  2012   NtWaitForSingleObject  ... ) == 0x102
 00832   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 00833  1028   NtWaitForSingleObject  ... ) == 0x102
 00835  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00836   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00837  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 17361976, ... }, 17361976, ...
 00838  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00839  2012   NtWaitForSingleObject  (140, 0, 0x0, ...
 00840   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00841  1028   NtWaitForSingleObject  (140, 0, 0x0, ...
 00835  1356   NtOpenKey  ... 180, ) == 0x0
 00836   384   NtWaitForSingleObject  ... ) == 0x102
 00838  1736   NtCreateThread  ... 184, {1636, 596}, ) == 0x0
 00840   420   NtDuplicateObject  ... 188, ) == 0x0
 00834  1180   NtDuplicateObject  ... 192, ) == 0x0
 00842   384   NtWaitForSingleObject  (140, 0, 0x0, ...
 00843  1736   NtQueryInformationThread  (184, Basic, 28, ...
 00844   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00845  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00843  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 00846  1356   NtQueryValueKey  (180,  (180, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00845  1180   NtWaitForSingleObject  ... ) == 0x102
 00847  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0d\6\0\0T\2\0\0" ...  ...
 00846  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 00849  1356   NtClose  (180, ... ) == 0x0
 00850  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 00852  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 00853  1356   NtQuerySystemTime  (... {-1231530648, 29926687}, ) == 0x0
 00844   420   NtWaitForSingleObject  ... ) == 0x102
 00847  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 00854   420   NtWaitForSingleObject  (140, 0, 0x0, ...
 00855  1736   NtResumeThread  (184, ... 1, ) == 0x0
 00856  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23658496, 1048576, ) == 0x0
 00857  1736   NtAllocateVirtualMemory  (-1, 24698880, 0, 8192, 4096, 4, ... 24698880, 8192, ) == 0x0
 00858  1736   NtProtectVirtualMemory  (-1, (0x178e000), 4096, 260, ... (0x178e000), 4096, 4, ) == 0x0
 00859  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1636, 376}, ) == 0x0
 00860  1736   NtQueryInformationThread  (200, Basic, 28, ...
 00861  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00862   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00861  1356   NtCreateEvent  ... 204, ) == 0x0
 00863  1356   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00864  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865  1356   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00866  1356   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00867  1356   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00860  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 00837  2016   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0x\1\0\0" ...  ...
 00869  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 17361976, ... }, 17361976, ...
 00868  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 00869  2016   NtQueryAttributesFile  ... ) == 0x0
 00870  1736   NtResumeThread  (200, ...
 00871  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 00870  1736   NtResumeThread  ... 1, ) == 0x0
 00872  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00871  2016   NtOpenFile  ... 208, {status=0x0, info=1}, ) == 0x0
 00873   376   NtWaitForSingleObject  (88, 0, 0x0, ...
 00874  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
 00875  2016   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00876  2016   NtClose  (208, ... ) == 0x0
 00877  2016   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 00878  2016   NtClose  (212, ... ) == 0x0
 00879  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00880  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24707072, 1048576, ) == 0x0
 00881  1736   NtAllocateVirtualMemory  (-1, 25747456, 0, 8192, 4096, 4, ... 25747456, 8192, ) == 0x0
 00882  1736   NtProtectVirtualMemory  (-1, (0x188e000), 4096, 260, ... (0x188e000), 4096, 4, ) == 0x0
 00883  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 1168}, ) == 0x0
 00884  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 00885  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\220\4\0\0" ...  ...
 00879  2016   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00886  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00887  2016   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00888  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00885  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 00889  1736   NtResumeThread  (212, ... 1, ) == 0x0
 00890  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25755648, 1048576, ) == 0x0
 00891  1736   NtAllocateVirtualMemory  (-1, 26796032, 0, 8192, 4096, 4, ... 26796032, 8192, ) == 0x0
 00892  1736   NtProtectVirtualMemory  (-1, (0x198e000), 4096, 260, ... (0x198e000), 4096, 4, ) == 0x0
 00888  2016   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00893  1168   NtWaitForSingleObject  (88, 0, 0x0, ...
 00894  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00895  2016   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00896  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00897  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00898  2016   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00899  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00900  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1636, 120}, ) == 0x0
 00901  1736   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 00902  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 00903  1736   NtResumeThread  (208, ... 1, ) == 0x0
 00904  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26804224, 1048576, ) == 0x0
 00905  1736   NtAllocateVirtualMemory  (-1, 27844608, 0, 8192, 4096, 4, ...
 00899  2016   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00906   120   NtWaitForSingleObject  (88, 0, 0x0, ...
 00907  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00908  2016   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00909  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00910  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00911  2016   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00912  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00905  1736   NtAllocateVirtualMemory  ... 27844608, 8192, ) == 0x0
 00913  1736   NtProtectVirtualMemory  (-1, (0x1a8e000), 4096, 260, ... (0x1a8e000), 4096, 4, ) == 0x0
 00914  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1636, 928}, ) == 0x0
 00915  1736   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 00916  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 00917  1736   NtResumeThread  (216, ... 1, ) == 0x0
 00912  2016   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00918   928   NtWaitForSingleObject  (88, 0, 0x0, ...
 00919  2016   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00920  2016   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00921  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922  2016   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) , 0, ... 220, 2, ) == 0x0
 00923  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 00924  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 00925  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00926  1736   NtAllocateVirtualMemory  (-1, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00927  1736   NtProtectVirtualMemory  (-1, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00928  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 1732}, ) == 0x0
 00929  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 00930  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\304\6\0\0" ...  ...
 00924  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931  2016   NtQueryValueKey  (224,  (224, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932  2016   NtQueryValueKey  (220,  (220, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933  2016   NtQueryValueKey  (224,  (224, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ...
 00930  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 00934  1736   NtResumeThread  (228, ... 1, ) == 0x0
 00935  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28901376, 1048576, ) == 0x0
 00936  1736   NtAllocateVirtualMemory  (-1, 29941760, 0, 8192, 4096, 4, ... 29941760, 8192, ) == 0x0
 00937  1736   NtProtectVirtualMemory  (-1, (0x1c8e000), 4096, 260, ... (0x1c8e000), 4096, 4, ) == 0x0
 00938  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1636, 428}, ) == 0x0
 00939  1736   NtQueryInformationThread  (232, Basic, 28, ...
 00933  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940  1732   NtWaitForSingleObject  (88, 0, 0x0, ...
 00941  2016   NtQueryValueKey  (220,  (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00942  2016   NtQueryValueKey  (224,  (224, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00943  2016   NtQueryValueKey  (220,  (220, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944  2016   NtQueryValueKey  (224,  (224, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945  2016   NtQueryValueKey  (220,  (220, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946  2016   NtQueryValueKey  (224,  (224, "AppendToMultiLabelName", Partial, 144, ... , Partial, 144, ...
 00939  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 00947  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 00948  1736   NtResumeThread  (232, ... 1, ) == 0x0
 00949  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29949952, 1048576, ) == 0x0
 00950  1736   NtAllocateVirtualMemory  (-1, 30990336, 0, 8192, 4096, 4, ... 30990336, 8192, ) == 0x0
 00951  1736   NtProtectVirtualMemory  (-1, (0x1d8e000), 4096, 260, ... (0x1d8e000), 4096, 4, ) == 0x0
 00946  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   428   NtWaitForSingleObject  (88, 0, 0x0, ...
 00953  2016   NtQueryValueKey  (224,  (224, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954  2016   NtQueryValueKey  (224,  (224, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955  2016   NtQueryValueKey  (224,  (224, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956  2016   NtQueryValueKey  (224,  (224, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00957  2016   NtQueryValueKey  (224,  (224, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958  2016   NtQueryValueKey  (224,  (224, "QueryIpMatching", Partial, 144, ... , Partial, 144, ...
 00959  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 748}, ) == 0x0
 00960  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 00961  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 00962  1736   NtResumeThread  (236, ... 1, ) == 0x0
 00963  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30998528, 1048576, ) == 0x0
 00964  1736   NtAllocateVirtualMemory  (-1, 32038912, 0, 8192, 4096, 4, ...
 00958  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   748   NtWaitForSingleObject  (88, 0, 0x0, ...
 00966  2016   NtQueryValueKey  (224,  (224, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967  2016   NtQueryValueKey  (224,  (224, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968  2016   NtQueryValueKey  (220,  (220, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969  2016   NtQueryValueKey  (224,  (224, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970  2016   NtQueryValueKey  (224,  (224, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971  2016   NtQueryValueKey  (220,  (220, "EnableAdapterDomainNameRegistration", Partial, 144, ... , Partial, 144, ...
 00964  1736   NtAllocateVirtualMemory  ... 32038912, 8192, ) == 0x0
 00972  1736   NtProtectVirtualMemory  (-1, (0x1e8e000), 4096, 260, ... (0x1e8e000), 4096, 4, ) == 0x0
 00973  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1636, 1300}, ) == 0x0
 00974  1736   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 00975  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 00976  1736   NtResumeThread  (240, ... 1, ) == 0x0
 00971  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00977  1300   NtWaitForSingleObject  (88, 0, 0x0, ...
 00978  2016   NtQueryValueKey  (224,  (224, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979  2016   NtQueryValueKey  (220,  (220, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980  2016   NtQueryValueKey  (224,  (224, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981  2016   NtQueryValueKey  (220,  (220, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00982  2016   NtQueryValueKey  (224,  (224, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983  2016   NtQueryValueKey  (220,  (220, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ...
 00984  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32047104, 1048576, ) == 0x0
 00985  1736   NtAllocateVirtualMemory  (-1, 33087488, 0, 8192, 4096, 4, ... 33087488, 8192, ) == 0x0
 00986  1736   NtProtectVirtualMemory  (-1, (0x1f8e000), 4096, 260, ... (0x1f8e000), 4096, 4, ) == 0x0
 00987  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1636, 1096}, ) == 0x0
 00988  1736   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 00989  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0H\4\0\0" ...  ...
 00983  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00990  2016   NtQueryValueKey  (224,  (224, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991  2016   NtQueryValueKey  (220,  (220, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992  2016   NtQueryValueKey  (224,  (224, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ...
 00989  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 00993  1736   NtResumeThread  (244, ... 1, ) == 0x0
 00994  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33095680, 1048576, ) == 0x0
 00995  1736   NtAllocateVirtualMemory  (-1, 34136064, 0, 8192, 4096, 4, ... 34136064, 8192, ) == 0x0
 00996  1736   NtProtectVirtualMemory  (-1, (0x208e000), 4096, 260, ... (0x208e000), 4096, 4, ) == 0x0
 00997  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1636, 252}, ) == 0x0
 00998  1736   NtQueryInformationThread  (248, Basic, 28, ...
 00992  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999  1096   NtWaitForSingleObject  (88, 0, 0x0, ...
 01000  2016   NtQueryValueKey  (220,  (220, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001  2016   NtQueryValueKey  (224,  (224, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002  2016   NtQueryValueKey  (220,  (220, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003  2016   NtQueryValueKey  (224,  (224, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01004  2016   NtQueryValueKey  (224,  (224, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005  2016   NtQueryValueKey  (224,  (224, "DnsTest", Partial, 144, ... , Partial, 144, ...
 00998  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 01006  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 01007  1736   NtResumeThread  (248, ... 1, ) == 0x0
 01008  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34144256, 1048576, ) == 0x0
 01009  1736   NtAllocateVirtualMemory  (-1, 35184640, 0, 8192, 4096, 4, ... 35184640, 8192, ) == 0x0
 01010  1736   NtProtectVirtualMemory  (-1, (0x218e000), 4096, 260, ... (0x218e000), 4096, 4, ) == 0x0
 01005  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011   252   NtWaitForSingleObject  (88, 0, 0x0, ...
 01012  2016   NtQueryValueKey  (224,  (224, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013  2016   NtQueryValueKey  (224,  (224, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01014  2016   NtQueryValueKey  (224,  (224, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015  2016   NtQueryValueKey  (224,  (224, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01016  2016   NtQueryValueKey  (224,  (224, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01017  2016   NtQueryValueKey  (224,  (224, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ...
 01018  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1636, 500}, ) == 0x0
 01019  1736   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 01020  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 01021  1736   NtResumeThread  (252, ... 1, ) == 0x0
 01022  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35192832, 1048576, ) == 0x0
 01023  1736   NtAllocateVirtualMemory  (-1, 36233216, 0, 8192, 4096, 4, ...
 01017  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   500   NtWaitForSingleObject  (88, 0, 0x0, ...
 01025  2016   NtQueryValueKey  (224,  (224, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026  2016   NtQueryValueKey  (224,  (224, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027  2016   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 256, ) }, ... 256, ) == 0x0
 01028  2016   NtQueryValueKey  (256,  (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01029  2016   NtClose  (256, ... ) == 0x0
 01030  2016   NtClose  (220, ...
 01023  1736   NtAllocateVirtualMemory  ... 36233216, 8192, ) == 0x0
 01031  1736   NtProtectVirtualMemory  (-1, (0x228e000), 4096, 260, ... (0x228e000), 4096, 4, ) == 0x0
 01032  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1636, 1132}, ) == 0x0
 01033  1736   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0
 01034  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0l\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0l\4\0\0" )  ) == 0x0
 01035  1736   NtResumeThread  (256, ... 1, ) == 0x0
 01030  2016   NtClose  ... ) == 0x0
 01036  1132   NtWaitForSingleObject  (88, 0, 0x0, ...
 01037  2016   NtClose  (224, ... ) == 0x0
 01038  2016   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 01039  2016   NtQueryValueKey  (224,  (224, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040  2016   NtQueryValueKey  (224,  (224, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041  2016   NtQueryValueKey  (224,  (224, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042  2016   NtClose  (224, ...
 01043  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36241408, 1048576, ) == 0x0
 01044  1736   NtAllocateVirtualMemory  (-1, 37281792, 0, 8192, 4096, 4, ... 37281792, 8192, ) == 0x0
 01045  1736   NtProtectVirtualMemory  (-1, (0x238e000), 4096, 260, ... (0x238e000), 4096, 4, ) == 0x0
 01046  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1636, 1024}, ) == 0x0
 01047  1736   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1024,}, 0x0, ) == 0x0
 01048  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\0\4\0\0" ...  ...
 01042  2016   NtClose  ... ) == 0x0
 01049  2016   NtSetEventBoostPriority  (88, ...
 00862   596   NtWaitForSingleObject  ... ) == 0x0
 01050   596   NtSetEventBoostPriority  (88, ...
 00872  1356   NtWaitForSingleObject  ... ) == 0x0
 01051  1356   NtSetEventBoostPriority  (88, ...
 00873   376   NtWaitForSingleObject  ... ) == 0x0
 01052   376   NtSetEventBoostPriority  (88, ...
 00893  1168   NtWaitForSingleObject  ... ) == 0x0
 01053  1168   NtSetEventBoostPriority  (88, ...
 00906   120   NtWaitForSingleObject  ... ) == 0x0
 01054   120   NtSetEventBoostPriority  (88, ...
 00918   928   NtWaitForSingleObject  ... ) == 0x0
 01055   928   NtSetEventBoostPriority  (88, ...
 00940  1732   NtWaitForSingleObject  ... ) == 0x0
 01056  1732   NtSetEventBoostPriority  (88, ...
 00952   428   NtWaitForSingleObject  ... ) == 0x0
 01057   428   NtSetEventBoostPriority  (88, ...
 00965   748   NtWaitForSingleObject  ... ) == 0x0
 01058   748   NtSetEventBoostPriority  (88, ...
 00977  1300   NtWaitForSingleObject  ... ) == 0x0
 01059  1300   NtSetEventBoostPriority  (88, ...
 00999  1096   NtWaitForSingleObject  ... ) == 0x0
 01060  1096   NtSetEventBoostPriority  (88, ...
 01011   252   NtWaitForSingleObject  ... ) == 0x0
 01061   252   NtSetEventBoostPriority  (88, ...
 01024   500   NtWaitForSingleObject  ... ) == 0x0
 01062   500   NtSetEventBoostPriority  (88, ...
 01036  1132   NtWaitForSingleObject  ... ) == 0x0
 01063  1132   NtAllocateVirtualMemory  (-1, 8867840, 0, 4096, 4096, 4, ... 8867840, 4096, ) == 0x0
 01062   500   NtSetEventBoostPriority  ... ) == 0x0
 01061   252   NtSetEventBoostPriority  ... ) == 0x0
 01060  1096   NtSetEventBoostPriority  ... ) == 0x0
 01059  1300   NtSetEventBoostPriority  ... ) == 0x0
 01058   748   NtSetEventBoostPriority  ... ) == 0x0
 01057   428   NtSetEventBoostPriority  ... ) == 0x0
 01056  1732   NtSetEventBoostPriority  ... ) == 0x0
 01055   928   NtSetEventBoostPriority  ... ) == 0x0
 01054   120   NtSetEventBoostPriority  ... ) == 0x0
 01053  1168   NtSetEventBoostPriority  ... ) == 0x0
 01052   376   NtSetEventBoostPriority  ... ) == 0x0
 01051  1356   NtSetEventBoostPriority  ... ) == 0x0
 01050   596   NtSetEventBoostPriority  ... ) == 0x0
 01049  2016   NtSetEventBoostPriority  ... ) == 0x0
 01048  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\0\4\0\0" )  ) == 0x0
 01064  1132   NtTestAlert  (...
 01065   500   NtTestAlert  (...
 01066   252   NtTestAlert  (...
 01067  1096   NtTestAlert  (...
 01068  1300   NtTestAlert  (...
 01069   748   NtTestAlert  (...
 01070   428   NtTestAlert  (...
 01071  1732   NtTestAlert  (...
 01072   928   NtTestAlert  (...
 01073   120   NtTestAlert  (...
 01074  1168   NtTestAlert  (...
 01075  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01076   376   NtTestAlert  (...
 01077  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01078  1736   NtResumeThread  (220, ...
 01064  1132   NtTestAlert  ... ) == 0x0
 01065   500   NtTestAlert  ... ) == 0x0
 01066   252   NtTestAlert  ... ) == 0x0
 01067  1096   NtTestAlert  ... ) == 0x0
 01068  1300   NtTestAlert  ... ) == 0x0
 01069   748   NtTestAlert  ... ) == 0x0
 01070   428   NtTestAlert  ... ) == 0x0
 01071  1732   NtTestAlert  ... ) == 0x0
 01072   928   NtTestAlert  ... ) == 0x0
 01073   120   NtTestAlert  ... ) == 0x0
 01074  1168   NtTestAlert  ... ) == 0x0
 01079   596   NtTestAlert  (...
 01076   376   NtTestAlert  ... ) == 0x0
 01077  2016   NtCreateEvent  ... 224, ) == 0x0
 01078  1736   NtResumeThread  ... 1, ) == 0x0
 01080  1132   NtContinue  (36240688, 1, ...
 01081   500   NtContinue  (35192112, 1, ...
 01082   252   NtContinue  (34143536, 1, ...
 01083  1096   NtContinue  (33094960, 1, ...
 01084  1300   NtContinue  (32046384, 1, ...
 01085   748   NtContinue  (30997808, 1, ...
 01086   428   NtContinue  (29949232, 1, ...
 01087  1732   NtContinue  (28900656, 1, ...
 01088   928   NtContinue  (27852080, 1, ...
 01089   120   NtContinue  (26803504, 1, ...
 01090  1168   NtContinue  (25754928, 1, ...
 01079   596   NtTestAlert  ... ) == 0x0
 01091   376   NtContinue  (24706352, 1, ...
 01092  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01093  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01094  1132   NtRegisterThreadTerminatePort  (24, ...
 01095   500   NtRegisterThreadTerminatePort  (24, ...
 01096   252   NtRegisterThreadTerminatePort  (24, ...
 01097  1096   NtRegisterThreadTerminatePort  (24, ...
 01098  1300   NtRegisterThreadTerminatePort  (24, ...
 01099   748   NtRegisterThreadTerminatePort  (24, ...
 01100   428   NtRegisterThreadTerminatePort  (24, ...
 01101  1732   NtRegisterThreadTerminatePort  (24, ...
 01102   928   NtRegisterThreadTerminatePort  (24, ...
 01103   120   NtRegisterThreadTerminatePort  (24, ...
 01104  1168   NtRegisterThreadTerminatePort  (24, ...
 01105   596   NtContinue  (23657776, 1, ...
 01106   376   NtRegisterThreadTerminatePort  (24, ...
 01075  1356   NtCreateEvent  ... 260, ) == 0x0
 01107  1024   NtTestAlert  (...
 01093  1736   NtAllocateVirtualMemory  ... 37289984, 1048576, ) == 0x0
 01094  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 01095   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01096   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01097  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01098  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01099   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01100   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 01101  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01102   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01103   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 01104  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 01108   596   NtRegisterThreadTerminatePort  (24, ...
 01106   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01109  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01107  1024   NtTestAlert  ... ) == 0x0
 01110  1736   NtAllocateVirtualMemory  (-1, 38330368, 0, 8192, 4096, 4, ...
 01111  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01112   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01113   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01114  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01115  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01116   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01117   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01118  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01119   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01120   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01121  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01108   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01122   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01109  1356   NtDuplicateObject  ... 264, ) == 0x0
 01123  1024   NtContinue  (37289264, 1, ...
 01092  2016   NtDuplicateObject  ... 268, ) == 0x0
 01110  1736   NtAllocateVirtualMemory  ... 38330368, 8192, ) == 0x0
 01111  1132   NtDuplicateObject  ... 272, ) == 0x0
 01112   500   NtDuplicateObject  ... 276, ) == 0x0
 01113   252   NtDuplicateObject  ... 280, ) == 0x0
 01114  1096   NtDuplicateObject  ... 284, ) == 0x0
 01115  1300   NtDuplicateObject  ... 288, ) == 0x0
 01116   748   NtDuplicateObject  ... 292, ) == 0x0
 01117   428   NtDuplicateObject  ... 296, ) == 0x0
 01118  1732   NtDuplicateObject  ... 300, ) == 0x0
 01119   928   NtDuplicateObject  ... 304, ) == 0x0
 01120   120   NtDuplicateObject  ... 308, ) == 0x0
 01124   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01121  1168   NtDuplicateObject  ... 312, ) == 0x0
 01125  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01126  1024   NtRegisterThreadTerminatePort  (24, ...
 01127  2016   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01128  1736   NtProtectVirtualMemory  (-1, (0x248e000), 4096, 260, ...
 01129  1132   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01130   500   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01131   252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01132  1096   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01133  1300   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01134   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01135   428   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01136  1732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01137   928   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01138   120   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01122   376   NtDuplicateObject  ... 316, ) == 0x0
 01139  1168   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01125  1356   NtOpenKey  ... 320, ) == 0x0
 01126  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01127  2016   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01128  1736   NtProtectVirtualMemory  ... (0x248e000), 4096, 4, ) == 0x0
 01129  1132   NtCreateEvent  ... 324, ) == 0x0
 01130   500   NtCreateEvent  ... 328, ) == 0x0
 01131   252   NtCreateEvent  ... 332, ) == 0x0
 01132  1096   NtCreateEvent  ... 336, ) == 0x0
 01133  1300   NtCreateEvent  ... 340, ) == 0x0
 01134   748   NtCreateEvent  ... 344, ) == 0x0
 01135   428   NtCreateEvent  ... 348, ) == 0x0
 01136  1732   NtCreateEvent  ... 352, ) == 0x0
 01137   928   NtCreateEvent  ... 356, ) == 0x0
 01138   120   NtCreateEvent  ... 360, ) == 0x0
 01140   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01139  1168   NtCreateEvent  ... 364, ) == 0x0
 01141  1356   NtQueryValueKey  (320,  (320, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01124   596   NtDuplicateObject  ... 368, ) == 0x0
 01142  2016   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01143  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01144  1132   NtWaitForSingleObject  (324, 0, 0x0, ...
 01145   500   NtClose  (328, ...
 01146   252   NtClose  (332, ...
 01147  1096   NtClose  (336, ...
 01148  1300   NtClose  (340, ...
 01149   748   NtClose  (344, ...
 01150   428   NtClose  (348, ...
 01151  1732   NtClose  (352, ...
 01152   928   NtClose  (356, ...
 01153   120   NtClose  (360, ...
 01140   376   NtCreateEvent  ... 372, ) == 0x0
 01154  1168   NtClose  (364, ...
 01155  1024   NtWaitForSingleObject  (324, 0, 0x0, ...
 01156   596   NtWaitForSingleObject  (324, 0, 0x0, ...
 01142  2016   NtCreateEvent  ... 376, ) == 0x0
 01143  1736   NtCreateThread  ... 380, {1636, 948}, ) == 0x0
 01145   500   NtClose  ... ) == 0x0
 01146   252   NtClose  ... ) == 0x0
 01147  1096   NtClose  ... ) == 0x0
 01148  1300   NtClose  ... ) == 0x0
 01149   748   NtClose  ... ) == 0x0
 01150   428   NtClose  ... ) == 0x0
 01151  1732   NtClose  ... ) == 0x0
 01152   928   NtClose  ... ) == 0x0
 01153   120   NtClose  ... ) == 0x0
 01157   376   NtClose  (372, ...
 01154  1168   NtClose  ... ) == 0x0
 01158  2016   NtClose  (376, ...
 01159  1736   NtQueryInformationThread  (380, Basic, 28, ...
 01160   500   NtWaitForSingleObject  (324, 0, 0x0, ...
 01161   252   NtWaitForSingleObject  (324, 0, 0x0, ...
 01162  1096   NtWaitForSingleObject  (324, 0, 0x0, ...
 01163  1300   NtWaitForSingleObject  (324, 0, 0x0, ...
 01164   748   NtWaitForSingleObject  (324, 0, 0x0, ...
 01165   428   NtWaitForSingleObject  (324, 0, 0x0, ...
 01166  1732   NtWaitForSingleObject  (324, 0, 0x0, ...
 01167   928   NtWaitForSingleObject  (324, 0, 0x0, ...
 01168   120   NtWaitForSingleObject  (324, 0, 0x0, ...
 01157   376   NtClose  ... ) == 0x0
 01169  1168   NtWaitForSingleObject  (324, 0, 0x0, ...
 01141  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158  2016   NtClose  ... ) == 0x0
 01159  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=948,}, 0x0, ) == 0x0
 01170   376   NtWaitForSingleObject  (324, 0, 0x0, ...
 01171  1356   NtClose  (320, ...
 01172  2016   NtSetEventBoostPriority  (324, ...
 01173  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\264\3\0\0" ...  ...
 01171  1356   NtClose  ... ) == 0x0
 01144  1132   NtWaitForSingleObject  ... ) == 0x0
 01172  2016   NtSetEventBoostPriority  ... ) == 0x0
 01173  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\264\3\0\0" )  ) == 0x0
 01174  1132   NtSetEventBoostPriority  (324, ...
 01175  1356   NtWaitForSingleObject  (324, 0, 0x0, ...
 01176  2016   NtWaitForSingleObject  (324, 0, 0x0, ...
 01155  1024   NtWaitForSingleObject  ... ) == 0x0
 01174  1132   NtSetEventBoostPriority  ... ) == 0x0
 01177  1736   NtResumeThread  (380, ...
 01178  1024   NtSetEventBoostPriority  (324, ...
 01156   596   NtWaitForSingleObject  ... ) == 0x0
 01179   596   NtSetEventBoostPriority  (324, ...
 01160   500   NtWaitForSingleObject  ... ) == 0x0
 01180   500   NtSetEventBoostPriority  (324, ...
 01161   252   NtWaitForSingleObject  ... ) == 0x0
 01181   252   NtSetEventBoostPriority  (324, ...
 01162  1096   NtWaitForSingleObject  ... ) == 0x0
 01182  1096   NtSetEventBoostPriority  (324, ...
 01163  1300   NtWaitForSingleObject  ... ) == 0x0
 01183  1300   NtSetEventBoostPriority  (324, ...
 01164   748   NtWaitForSingleObject  ... ) == 0x0
 01184   748   NtSetEventBoostPriority  (324, ...
 01165   428   NtWaitForSingleObject  ... ) == 0x0
 01185   428   NtSetEventBoostPriority  (324, ...
 01166  1732   NtWaitForSingleObject  ... ) == 0x0
 01186  1732   NtSetEventBoostPriority  (324, ...
 01167   928   NtWaitForSingleObject  ... ) == 0x0
 01187   928   NtSetEventBoostPriority  (324, ...
 01168   120   NtWaitForSingleObject  ... ) == 0x0
 01188   120   NtSetEventBoostPriority  (324, ...
 01169  1168   NtWaitForSingleObject  ... ) == 0x0
 01189  1168   NtSetEventBoostPriority  (324, ...
 01175  1356   NtWaitForSingleObject  ... ) == 0x0
 01190  1356   NtSetEventBoostPriority  (324, ...
 01176  2016   NtWaitForSingleObject  ... ) == 0x0
 01191  2016   NtSetEventBoostPriority  (324, ...
 01170   376   NtWaitForSingleObject  ... ) == 0x0
 01192   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 320, ) == 0x0
 01193   376   NtWaitForSingleObject  (320, 0, 0x0, ...
 01191  2016   NtSetEventBoostPriority  ... ) == 0x0
 01190  1356   NtSetEventBoostPriority  ... ) == 0x0
 01179   596   NtSetEventBoostPriority  ... ) == 0x0
 01178  1024   NtSetEventBoostPriority  ... ) == 0x0
 01177  1736   NtResumeThread  ... 1, ) == 0x0
 01189  1168   NtSetEventBoostPriority  ... ) == 0x0
 01188   120   NtSetEventBoostPriority  ... ) == 0x0
 01187   928   NtSetEventBoostPriority  ... ) == 0x0
 01186  1732   NtSetEventBoostPriority  ... ) == 0x0
 01185   428   NtSetEventBoostPriority  ... ) == 0x0
 01184   748   NtSetEventBoostPriority  ... ) == 0x0
 01183  1300   NtSetEventBoostPriority  ... ) == 0x0
 01182  1096   NtSetEventBoostPriority  ... ) == 0x0
 01181   252   NtSetEventBoostPriority  ... ) == 0x0
 01180   500   NtSetEventBoostPriority  ... ) == 0x0
 01194  1132   NtWaitForSingleObject  (320, 0, 0x0, ...
 01195  2016   NtSetEventBoostPriority  (320, ...
 01196   948   NtTestAlert  (...
 01197  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01198  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01199   596   NtWaitForSingleObject  (320, 0, 0x0, ...
 01200  1168   NtWaitForSingleObject  (320, 0, 0x0, ...
 01201   120   NtWaitForSingleObject  (320, 0, 0x0, ...
 01202   928   NtWaitForSingleObject  (320, 0, 0x0, ...
 01203  1732   NtWaitForSingleObject  (320, 0, 0x0, ...
 01204   428   NtWaitForSingleObject  (320, 0, 0x0, ...
 01205   748   NtWaitForSingleObject  (320, 0, 0x0, ...
 01206  1300   NtWaitForSingleObject  (320, 0, 0x0, ...
 01207  1096   NtWaitForSingleObject  (320, 0, 0x0, ...
 01208   252   NtWaitForSingleObject  (320, 0, 0x0, ...
 01209   500   NtWaitForSingleObject  (320, 0, 0x0, ...
 01193   376   NtWaitForSingleObject  ... ) == 0x0
 01195  2016   NtSetEventBoostPriority  ... ) == 0x0
 01196   948   NtTestAlert  ... ) == 0x0
 01197  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01210  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01211   376   NtSetEventBoostPriority  (320, ...
 01212  2016   NtWaitForSingleObject  (320, 0, 0x0, ...
 01213   948   NtContinue  (38337840, 1, ...
 01214  1356   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01194  1132   NtWaitForSingleObject  ... ) == 0x0
 01210  1736   NtAllocateVirtualMemory  ... 38338560, 1048576, ) == 0x0
 01215   948   NtRegisterThreadTerminatePort  (24, ...
 01214  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01216  1132   NtSetEventBoostPriority  (320, ...
 01217  1736   NtAllocateVirtualMemory  (-1, 39378944, 0, 8192, 4096, 4, ...
 01215   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01218  1356   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01199   596   NtWaitForSingleObject  ... ) == 0x0
 01216  1132   NtSetEventBoostPriority  ... ) == 0x0
 01217  1736   NtAllocateVirtualMemory  ... 39378944, 8192, ) == 0x0
 01211   376   NtSetEventBoostPriority  ... ) == 0x0
 01198  1024   NtDuplicateObject  ... 376, ) == 0x0
 01219   596   NtWaitForSingleObject  (324, 0, 0x0, ...
 01218  1356   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01220  1132   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01221  1736   NtProtectVirtualMemory  (-1, (0x258e000), 4096, 260, ...
 01222   948   NtWaitForSingleObject  (324, 0, 0x0, ...
 01223  1024   NtWaitForSingleObject  (324, 0, 0x0, ...
 01224   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01225  1356   NtSetEventBoostPriority  (324, ...
 01221  1736   NtProtectVirtualMemory  ... (0x258e000), 4096, 4, ) == 0x0
 01224   376   NtWaitForSingleObject  ... ) == 0x102
 01219   596   NtWaitForSingleObject  ... ) == 0x0
 01225  1356   NtSetEventBoostPriority  ... ) == 0x0
 01220  1132   NtWaitForSingleObject  ... ) == 0x102
 01226   596   NtSetEventBoostPriority  (324, ...
 01227   376   NtWaitForSingleObject  (324, 0, 0x0, ...
 01228  1356   NtWaitForSingleObject  (320, 0, 0x0, ...
 01222   948   NtWaitForSingleObject  ... ) == 0x0
 01226   596   NtSetEventBoostPriority  ... ) == 0x0
 01229  1132   NtWaitForSingleObject  (324, 0, 0x0, ...
 01230   948   NtSetEventBoostPriority  (324, ...
 01231  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01223  1024   NtWaitForSingleObject  ... ) == 0x0
 01230   948   NtSetEventBoostPriority  ... ) == 0x0
 01232  1024   NtSetEventBoostPriority  (324, ...
 01231  1736   NtCreateThread  ... 372, {1636, 1064}, ) == 0x0
 01227   376   NtWaitForSingleObject  ... ) == 0x0
 01232  1024   NtSetEventBoostPriority  ... ) == 0x0
 01233   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01234   376   NtSetEventBoostPriority  (324, ...
 01235  1736   NtQueryInformationThread  (372, Basic, 28, ...
 01236   596   NtSetEventBoostPriority  (320, ...
 01237  1024   NtWaitForSingleObject  (324, 0, 0x0, ...
 01229  1132   NtWaitForSingleObject  ... ) == 0x0
 01234   376   NtSetEventBoostPriority  ... ) == 0x0
 01235  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0
 01200  1168   NtWaitForSingleObject  ... ) == 0x0
 01236   596   NtSetEventBoostPriority  ... ) == 0x0
 01238  1132   NtSetEventBoostPriority  (324, ...
 01233   948   NtDuplicateObject  ... 364, ) == 0x0
 01239  1168   NtWaitForSingleObject  (324, 0, 0x0, ...
 01240  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0(\4\0\0" ...  ...
 01237  1024   NtWaitForSingleObject  ... ) == 0x0
 01238  1132   NtSetEventBoostPriority  ... ) == 0x0
 01241   596   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01242   948   NtWaitForSingleObject  (324, 0, 0x0, ...
 01243  1024   NtSetEventBoostPriority  (324, ...
 01240  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0(\4\0\0" )  ) == 0x0
 01244   376   NtWaitForSingleObject  (140, 0, 0x0, ...
 01241   596   NtWaitForSingleObject  ... ) == 0x102
 01239  1168   NtWaitForSingleObject  ... ) == 0x0
 01243  1024   NtSetEventBoostPriority  ... ) == 0x0
 01245  1736   NtResumeThread  (372, ...
 01246  1168   NtSetEventBoostPriority  (324, ...
 01247   596   NtWaitForSingleObject  (324, 0, 0x0, ...
 01248  1024   NtWaitForSingleObject  (320, 0, 0x0, ...
 01242   948   NtWaitForSingleObject  ... ) == 0x0
 01246  1168   NtSetEventBoostPriority  ... ) == 0x0
 01245  1736   NtResumeThread  ... 1, ) == 0x0
 01249  1132   NtWaitForSingleObject  (140, 0, 0x0, ...
 01250  1064   NtTestAlert  (...
 01251   948   NtSetEventBoostPriority  (324, ...
 01252  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01247   596   NtWaitForSingleObject  ... ) == 0x0
 01251   948   NtSetEventBoostPriority  ... ) == 0x0
 01250  1064   NtTestAlert  ... ) == 0x0
 01253   596   NtWaitForSingleObject  (140, 0, 0x0, ...
 01252  1736   NtAllocateVirtualMemory  ... 39387136, 1048576, ) == 0x0
 01254  1168   NtSetEventBoostPriority  (320, ...
 01255  1064   NtContinue  (39386416, 1, ...
 01256  1736   NtAllocateVirtualMemory  (-1, 40427520, 0, 8192, 4096, 4, ...
 01201   120   NtWaitForSingleObject  ... ) == 0x0
 01254  1168   NtSetEventBoostPriority  ... ) == 0x0
 01257  1064   NtRegisterThreadTerminatePort  (24, ...
 01258   948   NtWaitForSingleObject  (320, 0, 0x0, ...
 01259   120   NtSetEventBoostPriority  (320, ...
 01260  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01257  1064   NtRegisterThreadTerminatePort  ... ) == 0x0
 01202   928   NtWaitForSingleObject  ... ) == 0x0
 01259   120   NtSetEventBoostPriority  ... ) == 0x0
 01260  1168   NtWaitForSingleObject  ... ) == 0x102
 01256  1736   NtAllocateVirtualMemory  ... 40427520, 8192, ) == 0x0
 01261   928   NtSetEventBoostPriority  (320, ...
 01262  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01263  1168   NtWaitForSingleObject  (140, 0, 0x0, ...
 01203  1732   NtWaitForSingleObject  ... ) == 0x0
 01261   928   NtSetEventBoostPriority  ... ) == 0x0
 01264  1736   NtProtectVirtualMemory  (-1, (0x268e000), 4096, 260, ...
 01262  1064   NtDuplicateObject  ... 360, ) == 0x0
 01265   120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01266  1732   NtSetEventBoostPriority  (320, ...
 01264  1736   NtProtectVirtualMemory  ... (0x268e000), 4096, 4, ) == 0x0
 01267  1064   NtWaitForSingleObject  (320, 0, 0x0, ...
 01204   428   NtWaitForSingleObject  ... ) == 0x0
 01266  1732   NtSetEventBoostPriority  ... ) == 0x0
 01265   120   NtWaitForSingleObject  ... ) == 0x102
 01268  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01269   428   NtSetEventBoostPriority  (320, ...
 01270   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01271   120   NtWaitForSingleObject  (140, 0, 0x0, ...
 01205   748   NtWaitForSingleObject  ... ) == 0x0
 01269   428   NtSetEventBoostPriority  ... ) == 0x0
 01268  1736   NtCreateThread  ... 356, {1636, 1384}, ) == 0x0
 01270   928   NtWaitForSingleObject  ... ) == 0x102
 01272   748   NtSetEventBoostPriority  (320, ...
 01273  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01274  1736   NtQueryInformationThread  (356, Basic, 28, ...
 01206  1300   NtWaitForSingleObject  ... ) == 0x0
 01272   748   NtSetEventBoostPriority  ... ) == 0x0
 01275   928   NtWaitForSingleObject  (140, 0, 0x0, ...
 01273  1732   NtWaitForSingleObject  ... ) == 0x102
 01276   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01277  1300   NtSetEventBoostPriority  (320, ...
 01274  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0
 01278  1732   NtWaitForSingleObject  (140, 0, 0x0, ...
 01207  1096   NtWaitForSingleObject  ... ) == 0x0
 01277  1300   NtSetEventBoostPriority  ... ) == 0x0
 01276   428   NtWaitForSingleObject  ... ) == 0x102
 01279  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0h\5\0\0" ...  ...
 01280  1096   NtSetEventBoostPriority  (320, ...
 01281   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01282   428   NtWaitForSingleObject  (140, 0, 0x0, ...
 01208   252   NtWaitForSingleObject  ... ) == 0x0
 01280  1096   NtSetEventBoostPriority  ... ) == 0x0
 01279  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75508, 0}  ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0d\6\0\0h\5\0\0" )  ) == 0x0
 01281   748   NtWaitForSingleObject  ... ) == 0x102
 01283   252   NtSetEventBoostPriority  (320, ...
 01284  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01285  1736   NtResumeThread  (356, ...
 01209   500   NtWaitForSingleObject  ... ) == 0x0
 01283   252   NtSetEventBoostPriority  ... ) == 0x0
 01286   748   NtWaitForSingleObject  (140, 0, 0x0, ...
 01284  1300   NtWaitForSingleObject  ... ) == 0x102
 01287   500   NtSetEventBoostPriority  (320, ...
 01285  1736   NtResumeThread  ... 1, ) == 0x0
 01288  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01212  2016   NtWaitForSingleObject  ... ) == 0x0
 01287   500   NtSetEventBoostPriority  ... ) == 0x0
 01289  1300   NtWaitForSingleObject  (140, 0, 0x0, ...
 01290   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01291  1384   NtTestAlert  (...
 01292  2016   NtSetEventBoostPriority  (320, ...
 01288  1096   NtWaitForSingleObject  ... ) == 0x102
 01293  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01290   252   NtWaitForSingleObject  ... ) == 0x102
 01228  1356   NtWaitForSingleObject  ... ) == 0x0
 01292  2016   NtSetEventBoostPriority  ... ) == 0x0
 01291  1384   NtTestAlert  ... ) == 0x0
 01294  1096   NtWaitForSingleObject  (140, 0, 0x0, ...
 01293  1736   NtAllocateVirtualMemory  ... 40435712, 1048576, ) == 0x0
 01295  1356   NtSetEventBoostPriority  (320, ...
 01296   252   NtWaitForSingleObject  (140, 0, 0x0, ...
 01297   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01298  1384   NtContinue  (40434992, 1, ...
 01248  1024   NtWaitForSingleObject  ... ) == 0x0
 01295  1356   NtSetEventBoostPriority  ... ) == 0x0
 01299  1736   NtAllocateVirtualMemory  (-1, 41476096, 0, 8192, 4096, 4, ...
 01297   500   NtWaitForSingleObject  ... ) == 0x102
 01300  1024   NtSetEventBoostPriority  (320, ...
 01301  1384   NtRegisterThreadTerminatePort  (24, ...
 01302  2016   NtWaitForSingleObject  (320, 0, 0x0, ...
 01299  1736   NtAllocateVirtualMemory  ... 41476096, 8192, ) == 0x0
 01258   948   NtWaitForSingleObject  ... ) == 0x0
 01303   500   NtWaitForSingleObject  (140, 0, 0x0, ...
 01301  1384   NtRegisterThreadTerminatePort  ... ) == 0x0
 01304  1736   NtProtectVirtualMemory  (-1, (0x278e000), 4096, 260, ...
 01305   948   NtSetEventBoostPriority  (320, ...
 01300  1024   NtSetEventBoostPriority  ... ) == 0x0
 01306  1356   NtWaitForSingleObject  (320, 0, 0x0, ...
 01304  1736   NtProtectVirtualMemory  ... (0x278e000), 4096, 4, ) == 0x0
 01267  1064   NtWaitForSingleObject  ... ) == 0x0
 01305   948   NtSetEventBoostPriority  ... ) == 0x0
 01307  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01308  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01309  1064   NtSetEventBoostPriority  (320, ...
 01310   948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01302  2016   NtWaitForSingleObject  ... ) == 0x0
 01309  1064   NtSetEventBoostPriority  ... ) == 0x0
 01308  1384   NtDuplicateObject  ... 352, ) == 0x0
 01311  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01307  1024   NtWaitForSingleObject  ... ) == 0x102
 01312  2016   NtSetEventBoostPriority  (320, ...
 01310   948   NtWaitForSingleObject  ... ) == 0x102
 01313  1384   NtWaitForSingleObject  (320, 0, 0x0, ...
 01311  1736   NtCreateThread  ... 348, {1636, 188}, ) == 0x0
 01306  1356   NtWaitForSingleObject  ... ) == 0x0
 01312  2016   NtSetEventBoostPriority  ... ) == 0x0
 01314  1024   NtWaitForSingleObject  (140, 0, 0x0, ...
 01315   948   NtWaitForSingleObject  (140, 0, 0x0, ...
 01316  1356   NtSetEventBoostPriority  (320, ...
 01317  1736   NtQueryInformationThread  (348, Basic, 28, ...
 01318  2016   NtWaitForSingleObject  (320, 0, 0x0, ...
 01313  1384   NtWaitForSingleObject  ... ) == 0x0
 01316  1356   NtSetEventBoostPriority  ... ) == 0x0
 01317  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=188,}, 0x0, ) == 0x0
 01319  1064   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01320  1384   NtSetEventBoostPriority  (320, ...
 01321  1356   NtWaitForSingleObject  (320, 0, 0x0, ...
 01322  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0d\6\0\0\274\0\0\0" ...  ...
 01320  1384   NtSetEventBoostPriority  ... ) == 0x0
 01319  1064   NtWaitForSingleObject  ... ) == 0x102
 01318  2016   NtWaitForSingleObject  ... ) == 0x0
 01322  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0d\6\0\0\274\0\0\0" )  ) == 0x0
 01323  1064   NtWaitForSingleObject  (140, 0, 0x0, ...
 01324  2016   NtSetEventBoostPriority  (320, ...
 01325  1736   NtResumeThread  (348, ...
 01321  1356   NtWaitForSingleObject  ... ) == 0x0
 01324  2016   NtSetEventBoostPriority  ... ) == 0x0
 01326  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071600, ... }, 11071600, ...
 01325  1736   NtResumeThread  ... 1, ) == 0x0
 01326  1356   NtQueryAttributesFile  ... ) == 0x0
 01327  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01328  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01329  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01328  1356   NtOpenKey  ... 344, ) == 0x0
 01327  2016   NtOpenFile  ... 340, {status=0x0, info=0}, ) == 0x0
 01329  1736   NtAllocateVirtualMemory  ... 41484288, 1048576, ) == 0x0
 01330  1384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01331   188   NtTestAlert  (...
 01332  1356   NtQueryValueKey  (344,  (344, "Transports", Partial, 144, ... , Partial, 144, ...
 01333  1736   NtAllocateVirtualMemory  (-1, 42524672, 0, 8192, 4096, 4, ...
 01330  1384   NtWaitForSingleObject  ... ) == 0x102
 01331   188   NtTestAlert  ... ) == 0x0
 01332  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01334  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\223\205\32\226}\230\16\212a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01335  1384   NtWaitForSingleObject  (140, 0, 0x0, ...
 01336   188   NtContinue  (41483568, 1, ...
 01337  1356   NtQueryValueKey  (344,  (344, "Transports", Partial, 144, ... , Partial, 144, ...
 01338  2016   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01339   188   NtRegisterThreadTerminatePort  (24, ...
 01337  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01338  2016   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01339   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 01340  1356   NtClose  (344, ...
 01333  1736   NtAllocateVirtualMemory  ... 42524672, 8192, ) == 0x0
 01341  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01340  1356   NtClose  ... ) == 0x0
 01342  1736   NtProtectVirtualMemory  (-1, (0x288e000), 4096, 260, ...
 01341  2016   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01343   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01342  1736   NtProtectVirtualMemory  ... (0x288e000), 4096, 4, ) == 0x0
 01344  2016   NtQuerySystemInformation  (Performance, 312, ...
 01343   188   NtDuplicateObject  ... 344, ) == 0x0
 01345  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01344  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01346   188   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01345  1736   NtCreateThread  ... 336, {1636, 1600}, ) == 0x0
 01347  2016   NtQuerySystemInformation  (Exception, 16, ...
 01346   188   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01348  1736   NtQueryInformationThread  (336, Basic, 28, ...
 01347  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01349   188   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01350  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01348  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0
 01350  1356   NtOpenKey  ... 332, ) == 0x0
 01351  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0@\6\0\0" ...  ...
 01352  1356   NtQueryValueKey  (332,  (332, "Mapping", Partial, 144, ... , Partial, 144, ...
 01351  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75510, 0}  ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0@\6\0\0" )  ) == 0x0
 01352  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01353  1736   NtResumeThread  (336, ...
 01354  1356   NtQueryValueKey  (332,  (332, "Mapping", Partial, 144, ... , Partial, 144, ...
 01353  1736   NtResumeThread  ... 1, ) == 0x0
 01354  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01355  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01349   188   NtWaitForSingleObject  ... ) == 0x102
 01356  1600   NtTestAlert  (...
 01357  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01355  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01358   188   NtWaitForSingleObject  (140, 0, 0x0, ...
 01356  1600   NtTestAlert  ... ) == 0x0
 01357  1736   NtAllocateVirtualMemory  ... 42532864, 1048576, ) == 0x0
 01359  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01360  1600   NtContinue  (42532144, 1, ...
 01361  1736   NtAllocateVirtualMemory  (-1, 43573248, 0, 8192, 4096, 4, ...
 01359  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01362  1600   NtRegisterThreadTerminatePort  (24, ...
 01361  1736   NtAllocateVirtualMemory  ... 43573248, 8192, ) == 0x0
 01363  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01362  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01364  1736   NtProtectVirtualMemory  (-1, (0x298e000), 4096, 260, ...
 01363  2016   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01365  1356   NtQueryValueKey  (332,  (332, "Mapping", Partial, 152, ... , Partial, 152, ...
 01364  1736   NtProtectVirtualMemory  ... (0x298e000), 4096, 4, ) == 0x0
 01366  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01365  1356   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01367  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01366  1600   NtDuplicateObject  ... 328, ) == 0x0
 01368  1356   NtClose  (332, ...
 01367  2016   NtCreateKey  ... -2147481380, 2, ) == 0x0
 01369  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01368  1356   NtClose  ... ) == 0x0
 01370  2016   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "B\22q~c\211\200\375_rR\324e\341%\5\235@X\335\3719\373\322B\266/\347\277%\331\273b\302\5\26I\302\375l\3708\312\215I\2667\377\271\305V\351\247\356\7\10,\213\2\375\24~\26\225\317\276=\353\276\20\322\274\224\206\247\274\252\243\16\276", 80, ... , 0, 3,  (-2147481380, "Seed", 0, 3, "B\22q~c\211\200\375_rR\324e\341%\5\235@X\335\3719\373\322B\266/\347\277%\331\273b\302\5\26I\302\375l\3708\312\215I\2667\377\271\305V\351\247\356\7\10,\213\2\375\24~\26\225\317\276=\353\276\20\322\274\224\206\247\274\252\243\16\276", 80, ... , 80, ...
 01369  1600   NtWaitForSingleObject  ... ) == 0x102
 01371  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01370  2016   NtSetValueKey  ... ) == 0x0
 01372  1600   NtWaitForSingleObject  (140, 0, 0x0, ...
 01371  1356   NtOpenKey  ... 332, ) == 0x0
 01373  2016   NtClose  (-2147481380, ...
 01374  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01373  2016   NtClose  ... ) == 0x0
 01374  1736   NtCreateThread  ... 384, {1636, 1372}, ) == 0x0
 01375  1356   NtQueryValueKey  (332,  (332, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01376  1736   NtQueryInformationThread  (384, Basic, 28, ...
 01375  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01376  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0
 01377  1356   NtQueryValueKey  (332,  (332, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01378  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\\5\0\0" ...  ...
 01377  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01379  1356   NtQueryValueKey  (332,  (332, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01380  1356   NtQueryValueKey  (332,  (332, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01381  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072556, ... ) }, 11072556, ... ) == 0x0
 01382  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 01334  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\2016Ao\362~X\231\213\333\361\240\340\305%\357*IK\261\232\330C\361M\27\351\365\241rj\231F\227\367\216\365\220\214\346i\301\1\231a\315\222I\20?\20M\14p<\232\367f\36\224}\366\254\22W\275\333\360\20\336\211\10M\350\224r&I\337\364\305\360\3333\3O;\210 \276\202;/\275\365\24\301\344\4#\15\265\317\306p\322y\241\31X\316\350\30Y\240\323*P\33\344\306\323\273\32t\275\201\335\320\235\23\201\265j\36oM\321\22z\313#\340\35\177\374\244BH\202\324\27\35\36P\315\326_=\362\22\225<7\3010\206R}d\264\252\224\321.\2678\314\169/\253\303Z&\32H\313H\4a\232\233\227}\322\317=\200p\7\23ek\362X\261}\357\250o\337\217d\345#f(\322\260\362\3\221'\221\200\304\234\366\0\21\221\\204\315m\341\334Y\362\14\221\31\325\20b\224C\26/\372!\32\6\17%", ) , ) == 0x0
 01378  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75511, 0}  ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\\5\0\0" )  ) == 0x0
 01383  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01384  1736   NtResumeThread  (384, ...
 01383  2016   NtCreateEvent  ... 392, ) == 0x0
 01384  1736   NtResumeThread  ... 1, ) == 0x0
 01385  2016   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 17362436, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 17362436, 188, ...
 01386  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 43581440, 1048576, ) == 0x0
 01387  1736   NtAllocateVirtualMemory  (-1, 44621824, 0, 8192, 4096, 4, ...
 01385  2016   NtConnectPort  ... 396, 0x0, 0x0, 0x0, 188, ) == 0x0
 01388  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ...
 01389  1372   NtWaitForSingleObject  (88, 0, 0x0, ...
 01390  2016   NtRequestWaitReplyPort  (396, {200, 224, new_msg, 0, 1382904, 12, 2, 1310721}  (396, {200, 224, new_msg, 0, 1382904, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0(\30\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\3\354\237[+\252\234\236\250\31\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\200\31\25\0S\377N\7x\1\24\0\240\31\25\0h\1\24\0\0\0\0\0\0\0\0\0\240\31\25\0P\0\0\0\250\31\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\10\1\372\31\221|\30\364\10\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01388  1356   NtCreateSection  ... 400, ) == 0x0
 01391  1356   NtClose  (388, ... ) == 0x0
 01392  1356   NtMapViewOfSection  (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 20480, ) == 0x0
 01390  2016   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 2016, 75513, 0}  ... {200, 224, reply, 0, 1636, 2016, 75513, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\3\354\237[+\252\234\236\250\31\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\200\31\25\0S\377N\7x\1\24\0\240\31\25\0h\1\24\0\0\0\0\0\0\0\0\0\240\31\25\0P\0\0\0\250\31\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\10\1\372\31\221|\30\364\10\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01387  1736   NtAllocateVirtualMemory  ... 44621824, 8192, ) == 0x0
 01393  2016   NtRequestWaitReplyPort  (396, {64, 88, new_msg, 0, 0, 0, 0, 0}  (396, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01394  1736   NtProtectVirtualMemory  (-1, (0x2a8e000), 4096, 260, ... (0x2a8e000), 4096, 4, ) == 0x0
 01395  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 388, {1636, 2040}, ) == 0x0
 01396  1736   NtQueryInformationThread  (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0
 01397  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\370\7\0\0" )  ) == 0x0
 01398  1736   NtResumeThread  (388, ... 1, ) == 0x0
 01399  1356   NtClose  (400, ...
 01400  2040   NtWaitForSingleObject  (88, 0, 0x0, ...
 01399  1356   NtClose  ... ) == 0x0
 01401  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 44630016, 1048576, ) == 0x0
 01402  1736   NtAllocateVirtualMemory  (-1, 45670400, 0, 8192, 4096, 4, ... 45670400, 8192, ) == 0x0
 01403  1736   NtProtectVirtualMemory  (-1, (0x2b8e000), 4096, 260, ... (0x2b8e000), 4096, 4, ) == 0x0
 01404  1356   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 01405  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072864, ... ) }, 11072864, ... ) == 0x0
 01406  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 400, {status=0x0, info=1}, ) }, 5, 96, ... 400, {status=0x0, info=1}, ) == 0x0
 01407  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 400, ... 404, ) == 0x0
 01408  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {1636, 152}, ) == 0x0
 01409  1736   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=152,}, 0x0, ) == 0x0
 01410  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" )  ) == 0x0
 01411  1736   NtResumeThread  (408, ... 1, ) == 0x0
 01412  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 45678592, 1048576, ) == 0x0
 01413  1736   NtAllocateVirtualMemory  (-1, 46718976, 0, 8192, 4096, 4, ...
 01414  1356   NtQuerySection  (404, Image, 48, ...
 01415   152   NtWaitForSingleObject  (88, 0, 0x0, ...
 01414  1356   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01416  1356   NtClose  (400, ... ) == 0x0
 01417  1356   NtMapViewOfSection  (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01418  1356   NtClose  (404, ... ) == 0x0
 01419  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01413  1736   NtAllocateVirtualMemory  ... 46718976, 8192, ) == 0x0
 01420  1736   NtProtectVirtualMemory  (-1, (0x2c8e000), 4096, 260, ... (0x2c8e000), 4096, 4, ) == 0x0
 01421  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 404, {1636, 1388}, ) == 0x0
 01422  1736   NtQueryInformationThread  (404, Basic, 28, ...
 01423  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 01424  1356   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 01425  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426  1356   NtSetEventBoostPriority  (88, ...
 01389  1372   NtWaitForSingleObject  ... ) == 0x0
 01427  1372   NtSetEventBoostPriority  (88, ...
 01400  2040   NtWaitForSingleObject  ... ) == 0x0
 01428  2040   NtSetEventBoostPriority  (88, ...
 01415   152   NtWaitForSingleObject  ... ) == 0x0
 01429   152   NtTestAlert  (... ) == 0x0
 01428  2040   NtSetEventBoostPriority  ... ) == 0x0
 01427  1372   NtSetEventBoostPriority  ... ) == 0x0
 01426  1356   NtSetEventBoostPriority  ... ) == 0x0
 01422  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0
 01430   152   NtContinue  (45677872, 1, ...
 01393  2016   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 2016, 75514, 0}  ... {52, 76, reply, 0, 1636, 2016, 75514, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01431  2040   NtTestAlert  (...
 01432  1356   NtClose  (332, ...
 01433  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0l\5\0\0" ...  ...
 01434   152   NtRegisterThreadTerminatePort  (24, ...
 01435  2016   NtClose  (392, ...
 01431  2040   NtTestAlert  ... ) == 0x0
 01432  1356   NtClose  ... ) == 0x0
 01433  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75517, 0}  ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0l\5\0\0" )  ) == 0x0
 01434   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01435  2016   NtClose  ... ) == 0x0
 01436  2040   NtContinue  (44629296, 1, ...
 01437  1372   NtTestAlert  (...
 01438  1736   NtResumeThread  (404, ...
 01439  1356   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075200, 67, ... }, 0x0, 0, 3, 3, 0, 11075200, 67, ...
 01440  2016   NtClose  (396, ...
 01441  2040   NtRegisterThreadTerminatePort  (24, ...
 01437  1372   NtTestAlert  ... ) == 0x0
 01438  1736   NtResumeThread  ... 1, ) == 0x0
 01439  1356   NtCreateFile  ... 392, {status=0x0, info=0}, ) == 0x0
 01440  2016   NtClose  ... ) == 0x0
 01441  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 01442  1372   NtContinue  (43580720, 1, ...
 01443   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01444  1388   NtTestAlert  (...
 01445  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x1207b,  (392, 116, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01446  2016   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01447  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01448  1372   NtRegisterThreadTerminatePort  (24, ...
 01443   152   NtDuplicateObject  ... 396, ) == 0x0
 01444  1388   NtTestAlert  ... ) == 0x0
 01445  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01449  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01446  2016   NtCreateKey  ... 332, 2, ) == 0x0
 01448  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01450   152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01451  1388   NtContinue  (46726448, 1, ...
 01452  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x1207b,  (392, 116, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ...
 01449  1736   NtAllocateVirtualMemory  ... 46727168, 1048576, ) == 0x0
 01453  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01454  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01450   152   NtWaitForSingleObject  ... ) == 0x102
 01455  1388   NtRegisterThreadTerminatePort  (24, ...
 01452  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01456  1736   NtAllocateVirtualMemory  (-1, 47767552, 0, 8192, 4096, 4, ...
 01453  2016   NtOpenKey  ... 400, ) == 0x0
 01447  2040   NtDuplicateObject  ... 412, ) == 0x0
 01457   152   NtWaitForSingleObject  (140, 0, 0x0, ...
 01455  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01454  1372   NtDuplicateObject  ... 416, ) == 0x0
 01456  1736   NtAllocateVirtualMemory  ... 47767552, 8192, ) == 0x0
 01458  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01459  2040   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01460  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x12047,  (392, 116, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01461  1372   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01462  1736   NtProtectVirtualMemory  (-1, (0x2d8e000), 4096, 260, ...
 01458  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  2040   NtWaitForSingleObject  ... ) == 0x102
 01460  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01461  1372   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01462  1736   NtProtectVirtualMemory  ... (0x2d8e000), 4096, 4, ) == 0x0
 01463  2016   NtQueryValueKey  (332,  (332, "Hostname", Partial, 144, ... , Partial, 144, ...
 01464  2040   NtWaitForSingleObject  (324, 0, 0x0, ...
 01465  1356   NtWaitForSingleObject  (324, 0, 0x0, ...
 01466  1372   NtSetEventBoostPriority  (324, ...
 01467  1388   NtWaitForSingleObject  (324, 0, 0x0, ...
 01468  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01464  2040   NtWaitForSingleObject  ... ) == 0x0
 01466  1372   NtSetEventBoostPriority  ... ) == 0x0
 01469  2040   NtSetEventBoostPriority  (324, ...
 01468  1736   NtCreateThread  ... 420, {1636, 2036}, ) == 0x0
 01465  1356   NtWaitForSingleObject  ... ) == 0x0
 01469  2040   NtSetEventBoostPriority  ... ) == 0x0
 01470  1372   NtWaitForSingleObject  (324, 0, 0x0, ...
 01471  1356   NtSetEventBoostPriority  (324, ...
 01472  1736   NtQueryInformationThread  (420, Basic, 28, ...
 01463  2016   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01473  2040   NtWaitForSingleObject  (140, 0, 0x0, ...
 01467  1388   NtWaitForSingleObject  ... ) == 0x0
 01471  1356   NtSetEventBoostPriority  ... ) == 0x0
 01472  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=2036,}, 0x0, ) == 0x0
 01474  2016   NtQueryValueKey  (332,  (332, "Hostname", Partial, 144, ... , Partial, 144, ...
 01475  1388   NtSetEventBoostPriority  (324, ...
 01476  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\364\7\0\0" ...  ...
 01470  1372   NtWaitForSingleObject  ... ) == 0x0
 01475  1388   NtSetEventBoostPriority  ... ) == 0x0
 01474  2016   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01477  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01478  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01477  1372   NtWaitForSingleObject  ... ) == 0x102
 01479  2016   NtClose  (332, ...
 01480  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01476  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75519, 0}  ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\364\7\0\0" )  ) == 0x0
 01481  1372   NtWaitForSingleObject  (140, 0, 0x0, ...
 01479  2016   NtClose  ... ) == 0x0
 01480  1356   NtWaitForSingleObject  ... ) == 0x102
 01482  1736   NtResumeThread  (420, ...
 01478  1388   NtDuplicateObject  ... 332, ) == 0x0
 01483  2016   NtClose  (400, ...
 01484  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x12003,  (392, 116, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01482  1736   NtResumeThread  ... 1, ) == 0x0
 01485  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01486  2036   NtTestAlert  (...
 01484  1356   NtDeviceIoControlFile  ... {status=0x0, info=424},  ... {status=0x0, info=424}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01487  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01485  1388   NtWaitForSingleObject  ... ) == 0x102
 01486  2036   NtTestAlert  ... ) == 0x0
 01483  2016   NtClose  ... ) == 0x0
 01487  1736   NtAllocateVirtualMemory  ... 47775744, 1048576, ) == 0x0
 01488  1388   NtWaitForSingleObject  (140, 0, 0x0, ...
 01489  2036   NtContinue  (47775024, 1, ...
 01490  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\213\225\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01491  1736   NtAllocateVirtualMemory  (-1, 48816128, 0, 8192, 4096, 4, ...
 01492  2036   NtRegisterThreadTerminatePort  (24, ...
 01493  2016   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01494  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x12047,  (392, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01492  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01493  2016   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01494  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01491  1736   NtAllocateVirtualMemory  ... 48816128, 8192, ) == 0x0
 01495  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01496  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x12037,  (392, 116, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01497  1736   NtProtectVirtualMemory  (-1, (0x2e8e000), 4096, 260, ...
 01495  2016   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01496  1356   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01497  1736   NtProtectVirtualMemory  ... (0x2e8e000), 4096, 4, ) == 0x0
 01498  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01499  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x1200b,  (392, 116, 0x0, 0x0, 0x1200b, "\0\376\250\0\5\0\0\0\0\262\24\0", 12, 0, ... , 12, 0, ...
 01500  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01498  2036   NtDuplicateObject  ... 400, ) == 0x0
 01499  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01500  1736   NtCreateThread  ... 428, {1636, 1708}, ) == 0x0
 01501  2036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01502  2016   NtQuerySystemInformation  (Performance, 312, ...
 01503  1736   NtQueryInformationThread  (428, Basic, 28, ...
 01501  2036   NtWaitForSingleObject  ... ) == 0x102
 01502  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01504  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x12047,  (392, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\250\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01505  2036   NtWaitForSingleObject  (140, 0, 0x0, ...
 01506  2016   NtQuerySystemInformation  (Exception, 16, ...
 01504  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01503  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0
 01506  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01507  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01508  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0\254\6\0\0" ...  ...
 01509  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01507  1356   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01508  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75520, 0}  ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0\254\6\0\0" )  ) == 0x0
 01509  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01510  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01511  1736   NtResumeThread  (428, ...
 01510  1356   NtCreateEvent  ... 432, ) == 0x0
 01511  1736   NtResumeThread  ... 1, ) == 0x0
 01512  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01513  1356   NtWaitForSingleObject  (432, 0, 0x0, ...
 01514  1708   NtTestAlert  (...
 01512  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01514  1708   NtTestAlert  ... ) == 0x0
 01515  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01516  1708   NtContinue  (48823600, 1, ...
 01515  2016   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01517  1708   NtRegisterThreadTerminatePort  (24, ...
 01518  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01517  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01518  2016   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01519  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01520  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01519  1736   NtAllocateVirtualMemory  ... 48824320, 1048576, ) == 0x0
 01520  1708   NtDuplicateObject  ... 436, ) == 0x0
 01521  1736   NtAllocateVirtualMemory  (-1, 49864704, 0, 8192, 4096, 4, ...
 01522  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01521  1736   NtAllocateVirtualMemory  ... 49864704, 8192, ) == 0x0
 01522  1708   NtWaitForSingleObject  ... ) == 0x102
 01523  1736   NtProtectVirtualMemory  (-1, (0x2f8e000), 4096, 260, ...
 01524  1708   NtWaitForSingleObject  (140, 0, 0x0, ...
 01523  1736   NtProtectVirtualMemory  ... (0x2f8e000), 4096, 4, ) == 0x0
 01525  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\370M\252\301\342\337\237\274\215 \3036\21\373\274]&_%\210\243\15O\375\17\373\255\337\253|\257\346;\327\261\341\20\12(P\336Ec\370i\275V\206\6\355\314\6\25rgq\260\336\\253~\250\25\363\231\277\246\343\235\321\224o\346k"\375\347%\236@", 80, ... ) , 0, 3,  (-2147481440, "Seed", 0, 3, "\370M\252\301\342\337\237\274\215 \3036\21\373\274]&_%\210\243\15O\375\17\373\255\337\253|\257\346;\327\261\341\20\12(P\336Ec\370i\275V\206\6\355\314\6\25rgq\260\336\\253~\250\25\363\231\277\246\343\235\321\224o\346k"\375\347%\236@", 80, ... ) \375\347%\236@", 80, ... ) == 0x0
 01526  2016   NtClose  (-2147481440, ... ) == 0x0
 01490  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\343'\221\273\34h\346\33\266\370\32jm\271\241'\211<\214\10:<\307D\275\312g\13\141\254\344v\305\200\11o5\361\301Ji>\326co\327\255fr\26o\234\234\331\327\213m0z\13)u\265"\240H\215\273?\303\5\250\305\276=\320\317\312\272~\264\326\365b9df\240\233X\5\207\214\335d\366\301\346\277I3b\2724\212\247\363\244\244\324\260\254n\254\354\325\2\270\11\220\260}\257\224\255\326\304\255\305\Q]\202_\1\3742-pmi\32\323\204M\264\333\247&>\265ot\20x-\342Ds\200\252{\35[\260\314\333\343]\323Z\22mm\355\12\234X'\372\306\241\205\11\211\321/\14\246[\314\216|\252\201\346\360\5\354\374_p\317\264?Il\261\336c\57\232\244?umzF;\371\204\262\262\20\254\3039\202L\253\220*\33\257\332\16\273{Y\227\233\310\212\265Gw\25\321\351\213>)s\347", ) \240H\215\273?\303\5\250\305\276=\320\317\312\272~\264\326\365b9df\240\233X\5\207\214\335d\366\301\346\277I3b\2724\212\247\363\244\244\324\260\254n\254\354\325\2\270\11\220\260}\257\224\255\326\304\255\305\Q]\202_\1\3742-pmi\32\323\204M\264\333\247&>\265ot\20x-\342Ds\200\252{\35[\260\314\333\343]\323Z\22mm\355\12\234X'\372\306\241\205\11\211\321/\14\246[\314\216|\252\201\346\360\5\354\374_p\317\264?Il\261\336c\57\232\244?umzF;\371\204\262\262\20\254\3039\202L\253\220*\33\257\332\16\273{Y\227\233\310\212\265Gw\25\321\351\213>)s\347", ) == 0x0
 01527  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\3\301\320\252\114\16\3729\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01528  2016   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01529  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01530  2016   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01531  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1636, 1776}, ) == 0x0
 01532  1736   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1776,}, 0x0, ) == 0x0
 01533  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\360\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75521, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\360\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0\360\6\0\0" )  ) == 0x0
 01534  1736   NtResumeThread  (440, ... 1, ) == 0x0
 01535  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 49872896, 1048576, ) == 0x0
 01536  1736   NtAllocateVirtualMemory  (-1, 50913280, 0, 8192, 4096, 4, ...
 01537  2016   NtQuerySystemInformation  (Exception, 16, ...
 01538  1776   NtTestAlert  (...
 01537  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01538  1776   NtTestAlert  ... ) == 0x0
 01539  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01540  1776   NtContinue  (49872176, 1, ...
 01539  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01541  1776   NtRegisterThreadTerminatePort  (24, ...
 01542  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01541  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01542  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01536  1736   NtAllocateVirtualMemory  ... 50913280, 8192, ) == 0x0
 01543  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01544  1736   NtProtectVirtualMemory  (-1, (0x308e000), 4096, 260, ...
 01543  1776   NtDuplicateObject  ... 444, ) == 0x0
 01544  1736   NtProtectVirtualMemory  ... (0x308e000), 4096, 4, ) == 0x0
 01545  1776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01546  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01545  1776   NtWaitForSingleObject  ... ) == 0x102
 01546  1736   NtCreateThread  ... 448, {1636, 1324}, ) == 0x0
 01547  1776   NtWaitForSingleObject  (140, 0, 0x0, ...
 01548  1736   NtQueryInformationThread  (448, Basic, 28, ...
 01549  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01550  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481440, 2, ) }, 0, 0x0, 0, ... -2147481440, 2, ) == 0x0
 01551  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\5Rw\342\334\317\326g\303Pp+]\32\234\376\354\3\15\236\262\310\322\27\3\22\260\11\302NF-*<_, 80, ... ) , 0, 3,  (-2147481440, "Seed", 0, 3, "\5Rw\342\334\317\326g\303Pp+]\32\234\376\354\3\15\236\262\310\322\27\3\22\260\11\302NF-*<_, 80, ... ) , 80, ... ) == 0x0
 01552  2016   NtClose  (-2147481440, ... ) == 0x0
 01527  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\227\345\177\361\372\322c\325\214\220k=\371\200)]\270\252\336\265\244\0\227\222\301\201\264\30\360ex\207d\271\32f\311\252\3338*7\235\315\30\30\316\373\276\2325\353V\2205]\246\240\275\34b\27.\300\370\357I\220\356\231"\177"$b\244[P%cnt,\250K?\261\23\233\260\316\217\223\236\232\324\222\375\32\335\267C\333KS\25\6c\370Hy\353\353\207\261\4lWT\224c\322\343Y\36\360\333"9\\305\15\301\373\253B}\177\341\324\300\350T\267?\6d\357\327N,y\326\342\223z1\5\345\215\217\376\351\305\0U\301\3716m\311\326\356\233\326\217\230A\20\211\257\13\211b\333\274Y=\1\4\233?\256[\213\326\337n\10E \301:;t\31\216f\351\267x\252\16\225\256l-\12Y\236\36\340\201\371\226MA\242>\17\273q\333\35\254\365\267\321Z\337K\230\4\301.\14\333\267YF\324\314%\275%)", ) \177 ... {status=0x0, info=256}, "\227\345\177\361\372\322c\325\214\220k=\371\200)]\270\252\336\265\244\0\227\222\301\201\264\30\360ex\207d\271\32f\311\252\3338*7\235\315\30\30\316\373\276\2325\353V\2205]\246\240\275\34b\27.\300\370\357I\220\356\231"\177"$b\244[P%cnt,\250K?\261\23\233\260\316\217\223\236\232\324\222\375\32\335\267C\333KS\25\6c\370Hy\353\353\207\261\4lWT\224c\322\343Y\36\360\333"9\\305\15\301\373\253B}\177\341\324\300\350T\267?\6d\357\327N,y\326\342\223z1\5\345\215\217\376\351\305\0U\301\3716m\311\326\356\233\326\217\230A\20\211\257\13\211b\333\274Y=\1\4\233?\256[\213\326\337n\10E \301:;t\31\216f\351\267x\252\16\225\256l-\12Y\236\36\340\201\371\226MA\242>\17\273q\333\35\254\365\267\321Z\337K\230\4\301.\14\333\267YF\324\314%\275%)", ) 9\\305\15\301\373\253B}\177\341\324\300\350T\267?\6d\357\327N,y\326\342\223z1\5\345\215\217\376\351\305\0U\301\3716m\311\326\356\233\326\217\230A\20\211\257\13\211b\333\274Y=\1\4\233?\256[\213\326\337n\10E \301:;t\31\216f\351\267x\252\16\225\256l-\12Y\236\36\340\201\371\226MA\242>\17\273q\333\35\254\365\267\321Z\337K\230\4\301.\14\333\267YF\324\314%\275%)", ) == 0x0
 01553  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\3\301\320\252\114\16rm\320\252\114\16\3729\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01554  2016   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01548  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1324,}, 0x0, ) == 0x0
 01555  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0,\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0,\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75522, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0,\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0,\5\0\0" )  ) == 0x0
 01556  1736   NtResumeThread  (448, ... 1, ) == 0x0
 01557  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50921472, 1048576, ) == 0x0
 01558  1736   NtAllocateVirtualMemory  (-1, 51961856, 0, 8192, 4096, 4, ... 51961856, 8192, ) == 0x0
 01559  1736   NtProtectVirtualMemory  (-1, (0x318e000), 4096, 260, ... (0x318e000), 4096, 4, ) == 0x0
 01560  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01561  1324   NtTestAlert  (...
 01560  2016   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01561  1324   NtTestAlert  ... ) == 0x0
 01562  2016   NtQuerySystemInformation  (Performance, 312, ...
 01563  1324   NtContinue  (50920752, 1, ...
 01562  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01564  1324   NtRegisterThreadTerminatePort  (24, ...
 01565  2016   NtQuerySystemInformation  (Exception, 16, ...
 01564  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01565  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01566  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01567  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01566  1736   NtCreateThread  ... 452, {1636, 1884}, ) == 0x0
 01567  1324   NtDuplicateObject  ... 456, ) == 0x0
 01568  1736   NtQueryInformationThread  (452, Basic, 28, ...
 01569  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01568  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0
 01569  1324   NtWaitForSingleObject  ... ) == 0x102
 01570  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\\7\0\0" ...  ...
 01571  1324   NtWaitForSingleObject  (140, 0, 0x0, ...
 01570  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75523, 0}  ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0\\7\0\0" )  ) == 0x0
 01572  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01573  1736   NtResumeThread  (452, ...
 01572  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01573  1736   NtResumeThread  ... 1, ) == 0x0
 01574  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01575  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01574  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01575  1736   NtAllocateVirtualMemory  ... 51970048, 1048576, ) == 0x0
 01576  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01577  1736   NtAllocateVirtualMemory  (-1, 53010432, 0, 8192, 4096, 4, ...
 01576  2016   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01578  1884   NtTestAlert  (...
 01577  1736   NtAllocateVirtualMemory  ... 53010432, 8192, ) == 0x0
 01578  1884   NtTestAlert  ... ) == 0x0
 01579  1736   NtProtectVirtualMemory  (-1, (0x328e000), 4096, 260, ...
 01580  1884   NtContinue  (51969328, 1, ...
 01579  1736   NtProtectVirtualMemory  ... (0x328e000), 4096, 4, ) == 0x0
 01581  1884   NtRegisterThreadTerminatePort  (24, ...
 01582  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01581  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01582  1736   NtCreateThread  ... 460, {1636, 248}, ) == 0x0
 01583  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01584  1736   NtQueryInformationThread  (460, Basic, 28, ...
 01583  2016   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01585  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01586  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\214\200\262f\331\332\350B`->\6(\5\301\2v\204K\325\314\232H}Ms\17\354\362\372\326:\35\2646\346\26o\231<\33\250\37\342\333\211\231\325\322\305%\3051\23\374Qm$\241:\205\27C\236\206~2e(\245\266\12\201\225\\313\205\374\347L", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "\214\200\262f\331\332\350B`->\6(\5\301\2v\204K\325\314\232H}Ms\17\354\362\372\326:\35\2646\346\26o\231<\33\250\37\342\333\211\231\325\322\305%\3051\23\374Qm$\241:\205\27C\236\206~2e(\245\266\12\201\225\\313\205\374\347L", 80, ... , 80, ...
 01585  1884   NtDuplicateObject  ... 464, ) == 0x0
 01586  2016   NtSetValueKey  ... ) == 0x0
 01587  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01588  2016   NtClose  (-2147481440, ...
 01587  1884   NtWaitForSingleObject  ... ) == 0x102
 01588  2016   NtClose  ... ) == 0x0
 01589  1884   NtWaitForSingleObject  (140, 0, 0x0, ...
 01584  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=248,}, 0x0, ) == 0x0
 01553  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "(?\216I\265\305\325\35]\0,]\270\206\216m\361\321\10\241\352(\2418m\12\370\334\335\265\201\5\370\340\206 \270yj\4.j\234\256]\36^\270\233\367H\265\\250\353\331x\275\267\207_\273!\177Yf\356|S\374\366\273\313\215\15)d=\215\271\220R|\3444\360\341\374xc>\313|\363]\274)RV\17\236\311\205\33\374\270\221\246\251\324vb\26\6\277\354C\247\277l\214\367\17\0\373=\354\323\327\22\271\243\3672\227\34W\22S\2605\214\36Zu"3\214\214J\10\334_\34\266\312M\347*\326\0\275\37\364\322\327B`\207\325IqV[\306\310\335;@\250ey`/R\262p\343\313a\316M\10t\345\14\350\22\21s\214-\277\250\203\6a\245\210\0\333\211\323b\255\215m\320\301?\342\374\374\233\3661\330Ay\16\266<\260\6\317\345\2007&\222\344(%\320\225\270\271\30G\3108\347PI\354(", ) 3\214\214J\10\334_\34\266\312M\347*\326\0\275\37\364\322\327B`\207\325IqV[\306\310\335;@\250ey`/R\262p\343\313a\316M\10t\345\14\350\22\21s\214-\277\250\203\6a\245\210\0\333\211\323b\255\215m\320\301?\342\374\374\233\3661\330Ay\16\266<\260\6\317\345\2007&\222\344(%\320\225\270\271\30G\3108\347PI\354(", ) == 0x0
 01590  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0\370\0\0\0" ...  ...
 01591  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\3\301\320\252\114\16rm\320\252\114\16rm\320\252\114\16\3729\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01590  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75524, 0}  ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0\370\0\0\0" )  ) == 0x0
 01592  2016   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01593  1736   NtResumeThread  (460, ...
 01592  2016   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01593  1736   NtResumeThread  ... 1, ) == 0x0
 01594  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01595   248   NtTestAlert  (...
 01594  2016   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01595   248   NtTestAlert  ... ) == 0x0
 01596  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01597   248   NtContinue  (53017904, 1, ...
 01596  1736   NtAllocateVirtualMemory  ... 53018624, 1048576, ) == 0x0
 01598   248   NtRegisterThreadTerminatePort  (24, ...
 01599  1736   NtAllocateVirtualMemory  (-1, 54059008, 0, 8192, 4096, 4, ...
 01598   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01599  1736   NtAllocateVirtualMemory  ... 54059008, 8192, ) == 0x0
 01600  2016   NtQuerySystemInformation  (Performance, 312, ...
 01601  1736   NtProtectVirtualMemory  (-1, (0x338e000), 4096, 260, ...
 01600  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01601  1736   NtProtectVirtualMemory  ... (0x338e000), 4096, 4, ) == 0x0
 01602  2016   NtQuerySystemInformation  (Exception, 16, ...
 01603   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01602  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01603   248   NtDuplicateObject  ... 468, ) == 0x0
 01604  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01605   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01604  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01605   248   NtWaitForSingleObject  ... ) == 0x102
 01606  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01607   248   NtWaitForSingleObject  (140, 0, 0x0, ...
 01606  1736   NtCreateThread  ... 472, {1636, 1652}, ) == 0x0
 01608  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01609  1736   NtQueryInformationThread  (472, Basic, 28, ...
 01608  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01609  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0
 01610  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01611  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" ...  ...
 01610  2016   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01612  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481440, 2, ) }, 0, 0x0, 0, ... -2147481440, 2, ) == 0x0
 01613  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "L'\324\330\253\211\13\37\274\207\32\320`\12\3241^\202\275\223\3\365\32/d\5\270\317y\304o!\345}\64A!\7\3374agop\245\244`\3607\337\311\363\305\356tI2\31\374\373-'\316\13\302\272Ez\242\22R\213?\313o\315\35\200%", 80, ... ) , 0, 3,  (-2147481440, "Seed", 0, 3, "L'\324\330\253\211\13\37\274\207\32\320`\12\3241^\202\275\223\3\365\32/d\5\270\317y\304o!\345}\64A!\7\3374agop\245\244`\3607\337\311\363\305\356tI2\31\374\373-'\316\13\302\272Ez\242\22R\213?\313o\315\35\200%", 80, ... ) , 80, ... ) == 0x0
 01614  2016   NtClose  (-2147481440, ... ) == 0x0
 01591  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\304h\344#\13\12\316\367\31\327\253\326\22\357\257m\302V\311L\10\333U\20\301\253\23\31+\32\312\316\274\5E\240L\332V\12\336IA\321:\372\346\252\365\27Q\260\7V\316K,N\241\331\245\342\234\20\375}\260\263\12\321\223f\231%*\2349m\224\304\6\236\357\3364\200\304\263\273\376\227@N`\7\33\216\344;}\361\34\372\235\225\233\360o\12\233`\341\24\340\204l%7}\22 )dD\201*4\220\32l\331\237\234B\320\364v\303\3\33\260\354\265CS\371\263\247\16F\20W\243\240x6\343\376m.\225\202\25\2\254\266\365^GyX\253\307\350U\357.\276\355/8\316\364y\246{n\237nD6S22\356\24\331\342\13\307g\206\7a\135{\325\263\312\31\300\321\214\310\275qE\345Y1\273`\204\37\241)}\240M\323\334\315\345\201?\270\373\32Y\247z~3\363\270\374@\342m\312\334\253T\30\4", ) , ) == 0x0
 01615  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\3\301\320\252\114\16rm\320\252\114\16rm\320\252\114\16rm\320\252\114\16\3729\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01611  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75525, 0}  ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" )  ) == 0x0
 01616  1736   NtResumeThread  (472, ... 1, ) == 0x0
 01617  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54067200, 1048576, ) == 0x0
 01618  1736   NtAllocateVirtualMemory  (-1, 55107584, 0, 8192, 4096, 4, ... 55107584, 8192, ) == 0x0
 01619  1736   NtProtectVirtualMemory  (-1, (0x348e000), 4096, 260, ... (0x348e000), 4096, 4, ) == 0x0
 01620  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {1636, 588}, ) == 0x0
 01621  1736   NtQueryInformationThread  (476, Basic, 28, ...
 01622  2016   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01623  1652   NtTestAlert  (...
 01622  2016   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01623  1652   NtTestAlert  ... ) == 0x0
 01624  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01625  1652   NtContinue  (54066480, 1, ...
 01624  2016   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01626  1652   NtRegisterThreadTerminatePort  (24, ...
 01627  2016   NtQuerySystemInformation  (Performance, 312, ...
 01626  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01627  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01621  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=588,}, 0x0, ) == 0x0
 01628  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01629  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0L\2\0\0" ...  ...
 01628  1652   NtDuplicateObject  ... 480, ) == 0x0
 01629  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75526, 0}  ... {28, 56, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0L\2\0\0" )  ) == 0x0
 01630  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01631  1736   NtResumeThread  (476, ...
 01630  1652   NtWaitForSingleObject  ... ) == 0x102
 01631  1736   NtResumeThread  ... 1, ) == 0x0
 01632  1652   NtWaitForSingleObject  (140, 0, 0x0, ...
 01633  2016   NtQuerySystemInformation  (Exception, 16, ...
 01634   588   NtTestAlert  (...
 01635  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01633  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01634   588   NtTestAlert  ... ) == 0x0
 01635  1736   NtAllocateVirtualMemory  ... 55115776, 1048576, ) == 0x0
 01636  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01637   588   NtContinue  (55115056, 1, ...
 01638  1736   NtAllocateVirtualMemory  (-1, 56156160, 0, 8192, 4096, 4, ...
 01636  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01639   588   NtRegisterThreadTerminatePort  (24, ...
 01638  1736   NtAllocateVirtualMemory  ... 56156160, 8192, ) == 0x0
 01640  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01639   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01641  1736   NtProtectVirtualMemory  (-1, (0x358e000), 4096, 260, ...
 01640  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01641  1736   NtProtectVirtualMemory  ... (0x358e000), 4096, 4, ) == 0x0
 01642   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01643  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01642   588   NtDuplicateObject  ... 484, ) == 0x0
 01643  2016   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01644   588   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01645  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01644   588   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01645  2016   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01646   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01647  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\266K9\14\15\377\3016p\361@\347%as\342N\202u\230\366\31\2653\26\211\5\14Q\312C~`\17LP\210~\2316\331\320.\337\202\231\12\267\360,\306\236\330\313\342\2\0-\215\10\342\304\325uP\7M{\352hB\247\340\377}\332\212nhf", 80, ... ) , 0, 3,  (-2147481440, "Seed", 0, 3, "\266K9\14\15\377\3016p\361@\347%as\342N\202u\230\366\31\2653\26\211\5\14Q\312C~`\17LP\210~\2316\331\320.\337\202\231\12\267\360,\306\236\330\313\342\2\0-\215\10\342\304\325uP\7M{\352hB\247\340\377}\332\212nhf", 80, ... ) , 80, ... ) == 0x0
 01648  2016   NtClose  (-2147481440, ... ) == 0x0
 01615  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\360~\273[>\205\350s>\366\377p_\244\256\266]\276\304\340\332\301j\330\260\376P\241"\342\261\325\327?\23;\320<\216|\221kb\333\27\316\7\256f&\27\306\344\367\226\201n\3k\326\217\5\236E\37+\10\214\6\241\257|bd\32su\223\17\256\272\207C\303\21\342\276t\221gB\276\245O7\\330\331=\253\205C\303\255\\270\222M\375:\334'\326\213\241I\4\11+\355\235\360d*?r\353\325\237\1\364\14\231\256H,\33*\236t\223\235\312\243c\30E\273\251\373P\200\207\220n\217\213\330B\245-%\232\12(\3654\234\311\213\337O\232\33\17\232E\210\337\344\26\221\244CT]\233n\236z\272\234C\20\375\10Q1\300\355\366\242\2077\177\327[0\30\36((>! \36Q\227wK\323~\275\376\34)k \177\233\f\301\15;2\305\333p\277\315\363E\277\264\262\370\371\363=\277\254\213\274\25", ) \342\261\325\327?\23;\320<\216|\221kb\333\27\316\7\256f&\27\306\344\367\226\201n\3k\326\217\5\236E\37+\10\214\6\241\257|bd\32su\223\17\256\272\207C\303\21\342\276t\221gB\276\245O7\\330\331=\253\205C\303\255\\270\222M\375:\334'\326\213\241I\4\11+\355\235\360d*?r\353\325\237\1\364\14\231\256H,\33*\236t\223\235\312\243c\30E\273\251\373P\200\207\220n\217\213\330B\245-%\232\12(\3654\234\311\213\337O\232\33\17\232E\210\337\344\26\221\244CT]\233n\236z\272\234C\20\375\10Q1\300\355\366\242\2077\177\327[0\30\36((>! \36Q\227wK\323~\275\376\34)k \177\233\f\301\15;2\305\333p\277\315\363E\277\264\262\370\371\363=\277\254\213\274\25", ) == 0x0
 01649  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\3\301\320\252\114\16rm\320\252\114\16rm\320\252\114\16rm\320\252\114\16rm\320\252\114\16\3729\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01650  2016   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01651  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01646   588   NtWaitForSingleObject  ... ) == 0x102
 01651  1736   NtCreateThread  ... 488, {1636, 440}, ) == 0x0
 01652   588   NtWaitForSingleObject  (140, 0, 0x0, ...
 01653  1736   NtQueryInformationThread  (488, Basic, 28, ...
 01654  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01655  2016   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01656  2016   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01657  2016   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01658  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01659  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01653  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=440,}, 0x0, ) == 0x0
 01660  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" )  ) == 0x0
 01661  1736   NtResumeThread  (488, ... 1, ) == 0x0
 01662  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56164352, 1048576, ) == 0x0
 01663  1736   NtAllocateVirtualMemory  (-1, 57204736, 0, 8192, 4096, 4, ... 57204736, 8192, ) == 0x0
 01664  1736   NtProtectVirtualMemory  (-1, (0x368e000), 4096, 260, ... (0x368e000), 4096, 4, ) == 0x0
 01665  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01666   440   NtTestAlert  (...
 01665  2016   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01666   440   NtTestAlert  ... ) == 0x0
 01667  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\235\10\216\373I\25\267*\335Bq\361\207]\306\373t\2z\341\240\321\260\344\34q\217\363\33c\365T\13Q\15\205\254j\361B\246)\323\300'\230O\3\255\271\352$\374\3565\251r\231\377\200\241iaKM\272\16f|B1\376;T!\230\373>\\35", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "\235\10\216\373I\25\267*\335Bq\361\207]\306\373t\2z\341\240\321\260\344\34q\217\363\33c\365T\13Q\15\205\254j\361B\246)\323\300'\230O\3\255\271\352$\374\3565\251r\231\377\200\241iaKM\272\16f|B1\376;T!\230\373>\\35", 80, ... , 80, ...
 01668   440   NtContinue  (56163632, 1, ...
 01667  2016   NtSetValueKey  ... ) == 0x0
 01669   440   NtRegisterThreadTerminatePort  (24, ...
 01670  2016   NtClose  (-2147481440, ...
 01669   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01670  2016   NtClose  ... ) == 0x0
 01671  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01672   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01671  1736   NtCreateThread  ... 492, {1636, 1296}, ) == 0x0
 01672   440   NtDuplicateObject  ... 496, ) == 0x0
 01673  1736   NtQueryInformationThread  (492, Basic, 28, ...
 01674   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01673  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=1296,}, 0x0, ) == 0x0
 01674   440   NtWaitForSingleObject  ... ) == 0x102
 01675  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\20\5\0\0" ...  ...
 01676   440   NtWaitForSingleObject  (140, 0, 0x0, ...
 01675  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75528, 0}  ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\20\5\0\0" )  ) == 0x0
 01649  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\273\10b\3120B\7@b\34\2451\261]\15\355S\11\310jl\4\231\11\365\1\20\360\326/t\206o\202\304\234\333JS\356\266\23\305[\350\372\340On\327sp\320\31\36\334\371}\230\1779><\177'\376\234w\254Db\357xW\30\230\202Yx\271\367\220\25BP\30\374\332\211\32E\25\356\365\330hl\200\213\308\254\240Y\323\17o\207\311\203\251\360\26\357cSp\237m\220`0\266sC\203R\177g\320\370\365|\356\362\255\337\234\370\355\266\205\324\334\311\203r\322\315\257\7g~81g\36E\16B\20\341\12\24g\313\216\10\320\27,\331\221\204&YF\375\345E\271\337\377\374\3177|\321\255\355\25\224\300\324\356F\275\235{\274*\317*/\344-\202Wv"Mk\324\2i}\316\216\3601\220\220q\35\276\3\2711\316\374\263kB\325\243>\226\306\315;GH\256\240\366_\10\265\2D\321\245\6\243m!", ) Mk\324\2i}\316\216\3601\220\220q\35\276\3\2711\316\374\263kB\325\243>\226\306\315;GH\256\240\366_\10\265\2D\321\245\6\243m!", ) == 0x0
 01677  1736   NtResumeThread  (492, ...
 01678  2016   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x390008,  (340, 0, 0x0, 0x0, 0x390008, "\253VTN\37\320\331\33\321\313yP\3362\3\301\320\252\114\16rm\320\252\114\16rm\320\252\114\16rm\320\252\114\16rm\320\252\114\16rm\320\252\114\16\3729\1E$r2\373\315\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01677  1736   NtResumeThread  ... 1, ) == 0x0
 01679  2016   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01680  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01679  2016   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01680  1736   NtAllocateVirtualMemory  ... 57212928, 1048576, ) == 0x0
 01681  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01682  1736   NtAllocateVirtualMemory  (-1, 58253312, 0, 8192, 4096, 4, ...
 01681  2016   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01683  1296   NtTestAlert  (...
 01682  1736   NtAllocateVirtualMemory  ... 58253312, 8192, ) == 0x0
 01683  1296   NtTestAlert  ... ) == 0x0
 01684  1736   NtProtectVirtualMemory  (-1, (0x378e000), 4096, 260, ...
 01685  1296   NtContinue  (57212208, 1, ...
 01684  1736   NtProtectVirtualMemory  ... (0x378e000), 4096, 4, ) == 0x0
 01686  1296   NtRegisterThreadTerminatePort  (24, ...
 01687  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01686  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01687  1736   NtCreateThread  ... 500, {1636, 1620}, ) == 0x0
 01688  2016   NtQuerySystemInformation  (Performance, 312, ...
 01689  1736   NtQueryInformationThread  (500, Basic, 28, ...
 01688  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01690  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01691  2016   NtQuerySystemInformation  (Exception, 16, ...
 01690  1296   NtDuplicateObject  ... 504, ) == 0x0
 01691  2016   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01692  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01693  2016   NtQuerySystemInformation  (Lookaside, 32, ...
 01692  1296   NtWaitForSingleObject  ... ) == 0x102
 01693  2016   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01694  1296   NtWaitForSingleObject  (140, 0, 0x0, ...
 01689  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0
 01695  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01696  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0T\6\0\0" ...  ...
 01695  2016   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01696  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75529, 0}  ... {28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0T\6\0\0" )  ) == 0x0
 01697  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01698  1736   NtResumeThread  (500, ...
 01697  2016   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01698  1736   NtResumeThread  ... 1, ) == 0x0
 01699  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01700  1620   NtTestAlert  (...
 01699  2016   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01700  1620   NtTestAlert  ... ) == 0x0
 01701  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01702  1620   NtContinue  (58260784, 1, ...
 01701  1736   NtAllocateVirtualMemory  ... 58261504, 1048576, ) == 0x0
 01703  1620   NtRegisterThreadTerminatePort  (24, ...
 01704  1736   NtAllocateVirtualMemory  (-1, 59301888, 0, 8192, 4096, 4, ...
 01703  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01704  1736   NtAllocateVirtualMemory  ... 59301888, 8192, ) == 0x0
 01705  2016   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\221(;\26h\325\17\230\365\363\323\34\236\351\364\240A\272\354r\14\337-\334N\311\23\362I\253_\324\326\\350\344\3316\362\233a\325\337y\21U\254\270!\375\336\334\16##\355^\365\243q\3055\344\5\327\1\256m\22\322@j,Qf.\343\316o\4", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "\221(;\26h\325\17\230\365\363\323\34\236\351\364\240A\272\354r\14\337-\334N\311\23\362I\253_\324\326\\350\344\3316\362\233a\325\337y\21U\254\270!\375\336\334\16##\355^\365\243q\3055\344\5\327\1\256m\22\322@j,Qf.\343\316o\4", 80, ... , 80, ...
 01706  1736   NtProtectVirtualMemory  (-1, (0x388e000), 4096, 260, ...
 01705  2016   NtSetValueKey  ... ) == 0x0
 01706  1736   NtProtectVirtualMemory  ... (0x388e000), 4096, 4, ) == 0x0
 01707  2016   NtClose  (-2147481440, ...
 01708  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01707  2016   NtClose  ... ) == 0x0
 01708  1620   NtDuplicateObject  ... 508, ) == 0x0
 01678  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\233\12s\341W\205\12\365\223\277\347d\372s\336\204\323m\203\362&\33\271\221\340oi\10\5\252R?\350\220v\343J{&x\342L\14\312W\223p^i\212\274\267\257\211F~\302J\6%\352\307.\253\177\301\245\213\266\251G_\213\343e\0\374\327{\357\222\177e\377\365:>\302Z\2537r\257\305\351VA\202U\207\2424<8L\32;\352\233\341F\4\2411\306;\247\10\37\17\14u\226", ) , ) == 0x0
 01709  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01710  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01709  1620   NtWaitForSingleObject  ... ) == 0x102
 01711  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01712  1620   NtWaitForSingleObject  (140, 0, 0x0, ...
 01711  1736   NtCreateThread  ... 512, {1636, 1588}, ) == 0x0
 01710  2016   NtCreateEvent  ... 516, ) == 0x0
 01713  1736   NtQueryInformationThread  (512, Basic, 28, ...
 01714  2016   NtSetEventBoostPriority  (432, ...
 01713  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0
 01513  1356   NtWaitForSingleObject  ... ) == 0x0
 01714  2016   NtSetEventBoostPriority  ... ) == 0x0
 01715  1356   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 01716  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\04\6\0\0" ...  ...
 01715  1356   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 01717  2016   NtWaitForSingleObject  (324, 0, 0x0, ...
 01718  1356   NtSetEventBoostPriority  (324, ...
 01716  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75530, 0}  ... {28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\04\6\0\0" )  ) == 0x0
 01719  1736   NtResumeThread  (512, ... 1, ) == 0x0
 01720  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59310080, 1048576, ) == 0x0
 01721  1736   NtAllocateVirtualMemory  (-1, 60350464, 0, 8192, 4096, 4, ... 60350464, 8192, ) == 0x0
 01722  1736   NtProtectVirtualMemory  (-1, (0x398e000), 4096, 260, ... (0x398e000), 4096, 4, ) == 0x0
 01723  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 520, {1636, 2044}, ) == 0x0
 01724  1736   NtQueryInformationThread  (520, Basic, 28, ...
 01717  2016   NtWaitForSingleObject  ... ) == 0x0
 01718  1356   NtSetEventBoostPriority  ... ) == 0x0
 01725  1588   NtTestAlert  (...
 01726  2016   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 17362284, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 17362284, 188, ...
 01727  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01725  1588   NtTestAlert  ... ) == 0x0
 01727  1356   NtCreateEvent  ... 524, ) == 0x0
 01728  1588   NtContinue  (59309360, 1, ...
 01729  1356   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ...
 01730  1588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01731  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 528, ) == 0x0
 01732  1588   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 01733  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01724  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0
 01734  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\374\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\374\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\374\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0\374\7\0\0" )  ) == 0x0
 01735  1736   NtResumeThread  (520, ... 1, ) == 0x0
 01726  2016   NtConnectPort  ... 532, 0x0, 0x0, 0x0, 188, ) == 0x0
 01729  1356   NtConnectPort  ... 536, 0x0, 0x0, 0x0, 188, ) == 0x0
 01733  1588   NtWaitForSingleObject  ... ) == 0x102
 01736  2044   NtTestAlert  (...
 01737  2016   NtRequestWaitReplyPort  (532, {200, 224, new_msg, 0, 1382904, 12, 2, 1310721}  (532, {200, 224, new_msg, 0, 1382904, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\262bB&\375J ?\350A\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0H6\25\0\334\230/Sx\1\24\0\340A\25\0h\1\24\0\0\0\0\0\0\0\0\0\340A\25\0P\0\0\0\350A\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\10\1\372\31\221|\200\363\10\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01738  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01739  1588   NtWaitForSingleObject  (140, 0, 0x0, ...
 01736  2044   NtTestAlert  ... ) == 0x0
 01738  1736   NtAllocateVirtualMemory  ... 60358656, 1048576, ) == 0x0
 01737  2016   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 2016, 75534, 0}  ... {200, 224, reply, 0, 1636, 2016, 75534, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\262bB&\375J ?\350A\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0H6\25\0\334\230/Sx\1\24\0\340A\25\0h\1\24\0\0\0\0\0\0\0\0\0\340A\25\0P\0\0\0\350A\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\10\1\372\31\221|\200\363\10\1\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01740  2044   NtContinue  (60357936, 1, ...
 01741  1736   NtAllocateVirtualMemory  (-1, 61399040, 0, 8192, 4096, 4, ...
 01742  2016   NtRequestWaitReplyPort  (532, {44, 68, new_msg, 0, 1636, 2016, 75514, 0}  (532, {44, 68, new_msg, 0, 1636, 2016, 75514, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 01743  2044   NtRegisterThreadTerminatePort  (24, ...
 01741  1736   NtAllocateVirtualMemory  ... 61399040, 8192, ) == 0x0
 01743  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01744  1736   NtProtectVirtualMemory  (-1, (0x3a8e000), 4096, 260, ...
 01745  1356   NtRequestWaitReplyPort  (536, {200, 224, new_msg, 0, 2883626, 1356856, 12, 2}  (536, {200, 224, new_msg, 0, 2883626, 1356856, 12, 2} "\0\1\0\0x\4\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\230@\24\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\213\15\211ao\264\25\374\0M\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\10(\0\0\0\10M\25\0A\35\230\355x\4\24\0(M\25\0d\1\24\0\0\0\0\0\0\0\0\0(M\25\0P\0\0\00M\25\0\360\6\221|P\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 01742  2016   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 2016, 75535, 0}  ... {40, 64, reply, 0, 1636, 2016, 75535, 0} "\2\332\243\201\4\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\320\1\0\0X-\12\0" )  ) == 0x0
 01744  1736   NtProtectVirtualMemory  ... (0x3a8e000), 4096, 4, ) == 0x0
 01746  2016   NtRequestWaitReplyPort  (532, {64, 88, new_msg, 56, 1370200, 17362796, 17362896, 0}  (532, {64, 88, new_msg, 56, 1370200, 17362796, 17362896, 0} "\10\357\10\1@\0\24\0\346\277\347w\320\357\10\1l\357\10\1\20\0\0\0\250.\362v\314\350\24\0\1\0\0\00Q\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\230\340\24\0" ...  ...
 01745  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75536, 0}  ... {200, 224, reply, 0, 1636, 1356, 75536, 0} "\7\1\0\0x\4\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\230@\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\213\15\211ao\264\25\374\0M\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\10(\0\0\0\10M\25\0A\35\230\355x\4\24\0(M\25\0d\1\24\0\0\0\0\0\0\0\0\0(M\25\0P\0\0\00M\25\0\360\6\221|P\4\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 01747  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01748  1356   NtRequestWaitReplyPort  (536, {44, 68, new_msg, 56, 0, 0, 0, 0}  (536, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0xT\25\0\322\0\0\0" ...  ...
 01747  2044   NtDuplicateObject  ... 540, ) == 0x0
 01746  2016   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 2016, 75537, 0}  ... {64, 88, reply, 56, 1636, 2016, 75537, 0} "\10\357\10\1@\0\24\0\346\277\347w\320\357\10\1l\357\10\1\20\0\0\0\250.\362v\314\350\24\0\1\0\0\00Q\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\230\340\24\0" )  ) == 0x0
 01749  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01750  2016   NtClose  (516, ...
 01748  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75538, 0}  ... {40, 64, reply, 0, 1636, 1356, 75538, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 01749  2044   NtWaitForSingleObject  ... ) == 0x102
 01750  2016   NtClose  ... ) == 0x0
 01751  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01752  2044   NtWaitForSingleObject  (140, 0, 0x0, ...
 01753  1356   NtRequestWaitReplyPort  (536, {64, 88, new_msg, 56, 1310720, 11071988, 1397872, 0}  (536, {64, 88, new_msg, 56, 1310720, 11071988, 1397872, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\240X\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01751  1736   NtCreateThread  ... 516, {1636, 1308}, ) == 0x0
 01754  2016   NtClose  (532, ...
 01755  1736   NtQueryInformationThread  (516, Basic, 28, ...
 01754  2016   NtClose  ... ) == 0x0
 01753  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75539, 0}  ... {64, 88, reply, 56, 1636, 1356, 75539, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\240X\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01755  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0
 01756  2016   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01757  1356   NtRequestWaitReplyPort  (536, {44, 68, new_msg, 56, 1636, 1356, 75538, 0}  (536, {44, 68, new_msg, 56, 1636, 1356, 75538, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0xT\25\0\322\0\0\0" ...  ...
 01758  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\34\5\0\0" ...  ...
 01756  2016   NtCreateKey  ... 532, 2, ) == 0x0
 01759  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 544, ) }, ... 544, ) == 0x0
 01757  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75541, 0}  ... {40, 64, reply, 0, 1636, 1356, 75541, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" )  ) == 0x0
 01758  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75542, 0}  ... {28, 56, reply, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\34\5\0\0" )  ) == 0x0
 01760  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01761  1736   NtResumeThread  (516, ...
 01760  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761  1736   NtResumeThread  ... 1, ) == 0x0
 01762  2016   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 01763  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01762  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763  1736   NtAllocateVirtualMemory  ... 61407232, 1048576, ) == 0x0
 01764  2016   NtQueryValueKey  (532,  (532, "Domain", Partial, 144, ... , Partial, 144, ...
 01765  1736   NtAllocateVirtualMemory  (-1, 62447616, 0, 8192, 4096, 4, ...
 01764  2016   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01766  1356   NtRequestWaitReplyPort  (536, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (536, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\260\\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01767  1308   NtTestAlert  (...
 01765  1736   NtAllocateVirtualMemory  ... 62447616, 8192, ) == 0x0
 01767  1308   NtTestAlert  ... ) == 0x0
 01768  1736   NtProtectVirtualMemory  (-1, (0x3b8e000), 4096, 260, ...
 01766  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75543, 0}  ... {64, 88, reply, 56, 1636, 1356, 75543, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\260\\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01769  1308   NtContinue  (61406512, 1, ...
 01768  1736   NtProtectVirtualMemory  ... (0x3b8e000), 4096, 4, ) == 0x0
 01770  1356   NtRequestWaitReplyPort  (536, {44, 68, new_msg, 56, 1636, 1356, 75541, 0}  (536, {44, 68, new_msg, 56, 1636, 1356, 75541, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0xT\25\0\322\0\0\0" ...  ...
 01771  1308   NtRegisterThreadTerminatePort  (24, ...
 01772  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01771  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01772  1736   NtCreateThread  ... 548, {1636, 1676}, ) == 0x0
 01770  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75544, 0}  ... {40, 64, reply, 0, 1636, 1356, 75544, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 01773  2016   NtQueryValueKey  (532,  (532, "Domain", Partial, 144, ... , Partial, 144, ...
 01774  1736   NtQueryInformationThread  (548, Basic, 28, ...
 01775  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01773  2016   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01776  1356   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 01775  1308   NtDuplicateObject  ... 552, ) == 0x0
 01777  2016   NtWaitForSingleObject  (324, 0, 0x0, ...
 01776  1356   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 01778  1308   NtWaitForSingleObject  (324, 0, 0x0, ...
 01779  1356   NtSetEventBoostPriority  (324, ...
 01777  2016   NtWaitForSingleObject  ... ) == 0x0
 01780  2016   NtSetEventBoostPriority  (324, ...
 01778  1308   NtWaitForSingleObject  ... ) == 0x0
 01781  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01780  2016   NtSetEventBoostPriority  ... ) == 0x0
 01779  1356   NtSetEventBoostPriority  ... ) == 0x0
 01774  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1676,}, 0x0, ) == 0x0
 01781  1308   NtWaitForSingleObject  ... ) == 0x102
 01782  1356   NtRequestWaitReplyPort  (536, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (536, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\10_\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01783  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\214\6\0\0" ...  ...
 01784  1308   NtWaitForSingleObject  (140, 0, 0x0, ...
 01783  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75546, 0}  ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0d\6\0\0\214\6\0\0" )  ) == 0x0
 01785  1736   NtResumeThread  (548, ... 1, ) == 0x0
 01786  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 62455808, 1048576, ) == 0x0
 01787  1736   NtAllocateVirtualMemory  (-1, 63496192, 0, 8192, 4096, 4, ... 63496192, 8192, ) == 0x0
 01788  1736   NtProtectVirtualMemory  (-1, (0x3c8e000), 4096, 260, ... (0x3c8e000), 4096, 4, ) == 0x0
 01789  2016   NtClose  (532, ...
 01782  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75545, 0}  ... {64, 88, reply, 56, 1636, 1356, 75545, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\10_\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01790  1676   NtTestAlert  (...
 01789  2016   NtClose  ... ) == 0x0
 01791  1356   NtClose  (524, ...
 01790  1676   NtTestAlert  ... ) == 0x0
 01792  2016   NtClose  (544, ...
 01791  1356   NtClose  ... ) == 0x0
 01793  1676   NtContinue  (62455088, 1, ...
 01792  2016   NtClose  ... ) == 0x0
 01794  1356   NtClose  (536, ...
 01795  1676   NtRegisterThreadTerminatePort  (24, ...
 01796  2016   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 01794  1356   NtClose  ... ) == 0x0
 01795  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01796  2016   NtOpenKey  ... 536, ) == 0x0
 01797  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01798  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01799  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01800  2016   NtQueryValueKey  (536,  (536, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 01798  1736   NtCreateThread  ... 544, {1636, 1376}, ) == 0x0
 01799  1676   NtDuplicateObject  ... 524, ) == 0x0
 01800  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01801  1736   NtQueryInformationThread  (544, Basic, 28, ...
 01802  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01803  2016   NtClose  (536, ...
 01801  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0
 01802  1676   NtWaitForSingleObject  ... ) == 0x102
 01803  2016   NtClose  ... ) == 0x0
 01804  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" ...  ...
 01805  1676   NtWaitForSingleObject  (140, 0, 0x0, ...
 01806  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 17361872, ... }, 17361872, ...
 01804  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75548, 0}  ... {28, 56, reply, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" )  ) == 0x0
 01797  1356   NtCreateEvent  ... 536, ) == 0x0
 01806  2016   NtQueryAttributesFile  ... ) == 0x0
 01807  1736   NtResumeThread  (544, ...
 01808  1356   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 01807  1736   NtResumeThread  ... 1, ) == 0x0
 01808  1356   NtOpenKey  ... 532, ) == 0x0
 01809  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01810  1356   NtOpenKey  (0x20019, {24, 532, 0x40, 0, 0,  (0x20019, {24, 532, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 01809  1736   NtAllocateVirtualMemory  ... 63504384, 1048576, ) == 0x0
 01810  1356   NtOpenKey  ... 556, ) == 0x0
 01811  1736   NtAllocateVirtualMemory  (-1, 64544768, 0, 8192, 4096, 4, ...
 01812  1356   NtQueryValueKey  (556,  (556, "ComputerName", Full, 108, ... , Full, 108, ...
 01813  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 01814  1376   NtWaitForSingleObject  (88, 0, 0x0, ...
 01811  1736   NtAllocateVirtualMemory  ... 64544768, 8192, ) == 0x0
 01813  2016   NtOpenFile  ... 560, {status=0x0, info=1}, ) == 0x0
 01815  1736   NtProtectVirtualMemory  (-1, (0x3d8e000), 4096, 260, ...
 01816  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 560, ...
 01815  1736   NtProtectVirtualMemory  ... (0x3d8e000), 4096, 4, ) == 0x0
 01816  2016   NtCreateSection  ... 564, ) == 0x0
 01817  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01818  2016   NtClose  (560, ...
 01817  1736   NtCreateThread  ... 568, {1636, 1436}, ) == 0x0
 01818  2016   NtClose  ... ) == 0x0
 01819  1736   NtQueryInformationThread  (568, Basic, 28, ...
 01812  1356   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01820  2016   NtMapViewOfSection  (564, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01821  1356   NtClose  (556, ...
 01820  2016   NtMapViewOfSection  ... (0x860000), 0x0, 20480, ) == 0x0
 01821  1356   NtClose  ... ) == 0x0
 01822  2016   NtClose  (564, ...
 01823  1356   NtClose  (532, ...
 01822  2016   NtClose  ... ) == 0x0
 01823  1356   NtClose  ... ) == 0x0
 01824  1356   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 01825  2016   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 01826  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 17362180, ... ) }, 17362180, ... ) == 0x0
 01827  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 532, {status=0x0, info=1}, ) }, 5, 96, ... 532, {status=0x0, info=1}, ) == 0x0
 01824  1356   NtCreateIoCompletion  ... 564, ) == 0x0
 01819  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1436,}, 0x0, ) == 0x0
 01828  1356   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 01829  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\234\5\0\0" ...  ...
 01828  1356   NtCreateIoCompletion  ... 556, ) == 0x0
 01829  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75549, 0}  ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\234\5\0\0" )  ) == 0x0
 01830  1356   NtDuplicateObject  (-1, 564, -1, 0x0, 0, 2, ...
 01831  1736   NtResumeThread  (568, ...
 01830  1356   NtDuplicateObject  ... 560, ) == 0x0
 01831  1736   NtResumeThread  ... 1, ) == 0x0
 01832  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01833  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 532, ...
 01834  1436   NtWaitForSingleObject  (88, 0, 0x0, ...
 01835  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01833  2016   NtCreateSection  ... 572, ) == 0x0
 01835  1736   NtAllocateVirtualMemory  ... 64552960, 1048576, ) == 0x0
 01836  2016   NtQuerySection  (572, Image, 48, ...
 01837  1736   NtAllocateVirtualMemory  (-1, 65593344, 0, 8192, 4096, 4, ...
 01836  2016   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01837  1736   NtAllocateVirtualMemory  ... 65593344, 8192, ) == 0x0
 01838  2016   NtClose  (532, ...
 01839  1736   NtProtectVirtualMemory  (-1, (0x3e8e000), 4096, 260, ...
 01838  2016   NtClose  ... ) == 0x0
 01839  1736   NtProtectVirtualMemory  ... (0x3e8e000), 4096, 4, ) == 0x0
 01832  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01840  2016   NtMapViewOfSection  (572, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01841  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01840  2016   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 01841  1356   NtCreateEvent  ... 532, ) == 0x0
 01842  2016   NtClose  (572, ...
 01843  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01842  2016   NtClose  ... ) == 0x0
 01843  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01844  2016   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01845  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01844  2016   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01846  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01845  1356   NtSetInformationThread  ... ) == 0x0
 01846  1736   NtCreateThread  ... 572, {1636, 724}, ) == 0x0
 01847  1356   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11071680,  (0xc0100080, {24, 0, 0x40, 0, 11071680, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 01848  1736   NtQueryInformationThread  (572, Basic, 28, ...
 01847  1356   NtCreateFile  ... 576, {status=0x0, info=1}, ) == 0x0
 01848  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=724,}, 0x0, ) == 0x0
 01849  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75550, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0\324\2\0\0" )  ) == 0x0
 01850  1736   NtResumeThread  (572, ... 1, ) == 0x0
 01851  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 65601536, 1048576, ) == 0x0
 01852  1736   NtAllocateVirtualMemory  (-1, 66641920, 0, 8192, 4096, 4, ...
 01853  1356   NtSetInformationFile  (576, 11071736, 8, Pipe, ...
 01854  2016   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 01855   724   NtWaitForSingleObject  (88, 0, 0x0, ...
 01853  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01854  2016   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 01856  1356   NtSetInformationFile  (576, 11071724, 8, Completion, ...
 01857  2016   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01856  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01857  2016   NtFlushInstructionCache  ... ) == 0x0
 01858  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01852  1736   NtAllocateVirtualMemory  ... 66641920, 8192, ) == 0x0
 01858  1356   NtSetInformationThread  ... ) == 0x0
 01859  1736   NtProtectVirtualMemory  (-1, (0x3f8e000), 4096, 260, ...
 01860  2016   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01859  1736   NtProtectVirtualMemory  ... (0x3f8e000), 4096, 4, ) == 0x0
 01860  2016   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01861  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01862  2016   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 01861  1736   NtCreateThread  ... 580, {1636, 1276}, ) == 0x0
 01862  2016   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 01863  1736   NtQueryInformationThread  (580, Basic, 28, ...
 01864  2016   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01865  1356   NtWriteFile  (576, 261, 0, 0,  (576, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 01864  2016   NtFlushInstructionCache  ... ) == 0x0
 01865  1356   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 01863  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=1276,}, 0x0, ) == 0x0
 01866  1356   NtReadFile  (576, 261, 0, 0, 1024, {0, 0}, 0, ...
 01867  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\374\4\0\0" ...  ...
 01866  1356   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01867  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75551, 0}  ... {28, 56, reply, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\374\4\0\0" )  ) == 0x0
 01868  1356   NtFsControlFile  (576, 261, 0x0, 0x0, 0x11c017,  (576, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 01869  1736   NtResumeThread  (580, ...
 01868  1356   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01869  1736   NtResumeThread  ... 1, ) == 0x0
 01870  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 01871  1356   NtFsControlFile  (576, 261, 0x0, 0x0, 0x11c017,  (576, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0\2207\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 01872  1276   NtWaitForSingleObject  (88, 0, 0x0, ...
 01870  2016   NtOpenSection  ... 584, ) == 0x0
 01871  1356   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 01873  2016   NtMapViewOfSection  (584, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01874  1356   NtFsControlFile  (576, 261, 0x0, 0x0, 0x11c017,  (576, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... , 44, 1024, ...
 01873  2016   NtMapViewOfSection  ... (0x76f60000), 0x0, 180224, ) == 0x0
 01874  1356   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\10\\25\0\1\0\0\0\24\\25\0 \0\0\0\1\0\0\0\30\0\32\0 \\25\0<\\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\30?\25\0\1\0\0\0\5\0\15\0(?\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01875  2016   NtClose  (584, ...
 01876  1356   NtClose  (532, ...
 01875  2016   NtClose  ... ) == 0x0
 01876  1356   NtClose  ... ) == 0x0
 01877  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01878  2016   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 01877  1736   NtAllocateVirtualMemory  ... 66650112, 1048576, ) == 0x0
 01878  2016   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 01879  1736   NtAllocateVirtualMemory  (-1, 67690496, 0, 8192, 4096, 4, ...
 01880  2016   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 01879  1736   NtAllocateVirtualMemory  ... 67690496, 8192, ) == 0x0
 01880  2016   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 01881  1736   NtProtectVirtualMemory  (-1, (0x408e000), 4096, 260, ...
 01882  2016   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 01881  1736   NtProtectVirtualMemory  ... (0x408e000), 4096, 4, ) == 0x0
 01882  2016   NtFlushInstructionCache  ... ) == 0x0
 01883  1356   NtClose  (576, ...
 01884  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01883  1356   NtClose  ... ) == 0x0
 01884  1736   NtCreateThread  ... 576, {1636, 1368}, ) == 0x0
 01885  1356   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1382904, 0x0, 11073604, 188, ... , {12, 2, 1, 1}, 0x0, 1382904, 0x0, 11073604, 188, ...
 01886  1736   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0
 01887  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0X\5\0\0" ...  ...
 01885  1356   NtSecureConnectPort  ... 532, 0x0, 0x0, 0x0, 188, ) == 0x0
 01888  1356   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01889  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01890  1356   NtRequestWaitReplyPort  (532, {200, 224, new_msg, 0, 1356856, 12, 2, 1310977}  (532, {200, 224, new_msg, 0, 1356856, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0yD\16\224\4\246}x\323\217~-\242(%\247\12\0\0\0\302\370\236B\34\257\3379\0\0\0\0\350#\25\0\201\256\233z\364V\300[(\0\0\0\341\252\0b\0\0\24\0\240\366\250\0\2134\340\252\0\0\0\0h9\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 1356, 75554, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0yD\16\224\4\246}x\323\217~-\242(%\247\12\0\0\0\302\370\236B\34\257\3379\0\0\0\0\350#\25\0\201\256\233z\364V\300[(\0\0\0\341\252\0b\0\0\24\0\240\366\250\0\2134\340\252\0\0\0\0h9\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1636, 1356, 75554, 0}  (532, {200, 224, new_msg, 0, 1356856, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0yD\16\224\4\246}x\323\217~-\242(%\247\12\0\0\0\302\370\236B\34\257\3379\0\0\0\0\350#\25\0\201\256\233z\364V\300[(\0\0\0\341\252\0b\0\0\24\0\240\366\250\0\2134\340\252\0\0\0\0h9\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 1356, 75554, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0yD\16\224\4\246}x\323\217~-\242(%\247\12\0\0\0\302\370\236B\34\257\3379\0\0\0\0\350#\25\0\201\256\233z\364V\300[(\0\0\0\341\252\0b\0\0\24\0\240\366\250\0\2134\340\252\0\0\0\0h9\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01891  2016   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 01887  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75553, 0}  ... {28, 56, reply, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0X\5\0\0" )  ) == 0x0
 01891  2016   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 01892  1736   NtResumeThread  (576, ...
 01893  2016   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 01892  1736   NtResumeThread  ... 1, ) == 0x0
 01893  2016   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 01894  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01895  2016   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 01894  1736   NtAllocateVirtualMemory  ... 67698688, 1048576, ) == 0x0
 01895  2016   NtFlushInstructionCache  ... ) == 0x0
 01896  1736   NtAllocateVirtualMemory  (-1, 68739072, 0, 8192, 4096, 4, ...
 01897  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01898  1368   NtWaitForSingleObject  (88, 0, 0x0, ...
 01899  2016   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01897  1356   NtSetInformationThread  ... ) == 0x0
 01899  2016   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01900  1356   NtRequestWaitReplyPort  (532, {56, 80, new_msg, 0, 44, 3, 20, 0}  (532, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0\210\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 01901  2016   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 01902  2016   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 01896  1736   NtAllocateVirtualMemory  ... 68739072, 8192, ) == 0x0
 01903  1736   NtProtectVirtualMemory  (-1, (0x418e000), 4096, 260, ... (0x418e000), 4096, 4, ) == 0x0
 01904  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1636, 704}, ) == 0x0
 01905  1736   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=704,}, 0x0, ) == 0x0
 01906  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\300\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\300\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75556, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\300\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\300\2\0\0" )  ) == 0x0
 01907  1736   NtResumeThread  (584, ... 1, ) == 0x0
 01908  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ...
 01909   704   NtWaitForSingleObject  (88, 0, 0x0, ...
 01908  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 588, ) == 0x0
 01911  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 592, ) }, ... 592, ) == 0x0
 01912  2016   NtQueryValueKey  (592,  (592, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01913  2016   NtClose  (592, ... ) == 0x0
 01914  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68747264, 1048576, ) == 0x0
 01916  1736   NtAllocateVirtualMemory  (-1, 69787648, 0, 8192, 4096, 4, ... 69787648, 8192, ) == 0x0
 01917  1736   NtProtectVirtualMemory  (-1, (0x428e000), 4096, 260, ... (0x428e000), 4096, 4, ) == 0x0
 01918  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1636, 1568}, ) == 0x0
 01919  1736   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0
 01920  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0 \6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75557, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0 \6\0\0" )  ) == 0x0
 01921  1736   NtResumeThread  (592, ... 1, ) == 0x0
 01922  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69795840, 1048576, ) == 0x0
 01923  1736   NtAllocateVirtualMemory  (-1, 70836224, 0, 8192, 4096, 4, ...
 01924  1568   NtWaitForSingleObject  (88, 0, 0x0, ...
 01923  1736   NtAllocateVirtualMemory  ... 70836224, 8192, ) == 0x0
 01925  1736   NtProtectVirtualMemory  (-1, (0x438e000), 4096, 260, ... (0x438e000), 4096, 4, ) == 0x0
 01926  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1636, 1104}, ) == 0x0
 01927  1736   NtQueryInformationThread  (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0
 01928  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75558, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0P\4\0\0" )  ) == 0x0
 01929  1736   NtResumeThread  (596, ... 1, ) == 0x0
 01930  1104   NtWaitForSingleObject  (88, 0, 0x0, ...
 01931  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70844416, 1048576, ) == 0x0
 01932  1736   NtAllocateVirtualMemory  (-1, 71884800, 0, 8192, 4096, 4, ... 71884800, 8192, ) == 0x0
 01933  1736   NtProtectVirtualMemory  (-1, (0x448e000), 4096, 260, ... (0x448e000), 4096, 4, ) == 0x0
 01934  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1636, 784}, ) == 0x0
 01935  1736   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=784,}, 0x0, ) == 0x0
 01936  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75559, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\20\3\0\0" )  ) == 0x0
 01937  1736   NtResumeThread  (600, ... 1, ) == 0x0
 01938  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 71892992, 1048576, ) == 0x0
 01939  1736   NtAllocateVirtualMemory  (-1, 72933376, 0, 8192, 4096, 4, ...
 01940   784   NtWaitForSingleObject  (88, 0, 0x0, ...
 01939  1736   NtAllocateVirtualMemory  ... 72933376, 8192, ) == 0x0
 01941  1736   NtProtectVirtualMemory  (-1, (0x458e000), 4096, 260, ... (0x458e000), 4096, 4, ) == 0x0
 01942  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1636, 1792}, ) == 0x0
 01943  1736   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=1792,}, 0x0, ) == 0x0
 01944  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\0\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75560, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\0\7\0\0" )  ) == 0x0
 01945  1736   NtResumeThread  (604, ... 1, ) == 0x0
 01946  1792   NtWaitForSingleObject  (88, 0, 0x0, ...
 01947  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72941568, 1048576, ) == 0x0
 01948  1736   NtAllocateVirtualMemory  (-1, 73981952, 0, 8192, 4096, 4, ... 73981952, 8192, ) == 0x0
 01949  1736   NtProtectVirtualMemory  (-1, (0x468e000), 4096, 260, ... (0x468e000), 4096, 4, ) == 0x0
 01950  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1636, 192}, ) == 0x0
 01951  1736   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=192,}, 0x0, ) == 0x0
 01952  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\300\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\300\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75561, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\300\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0\300\0\0\0" )  ) == 0x0
 01953  1736   NtResumeThread  (608, ... 1, ) == 0x0
 01954  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73990144, 1048576, ) == 0x0
 01955  1736   NtAllocateVirtualMemory  (-1, 75030528, 0, 8192, 4096, 4, ...
 01956   192   NtWaitForSingleObject  (88, 0, 0x0, ...
 01955  1736   NtAllocateVirtualMemory  ... 75030528, 8192, ) == 0x0
 01957  1736   NtProtectVirtualMemory  (-1, (0x478e000), 4096, 260, ... (0x478e000), 4096, 4, ) == 0x0
 01958  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1636, 1484}, ) == 0x0
 01959  1736   NtQueryInformationThread  (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=1484,}, 0x0, ) == 0x0
 01960  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0\314\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0\314\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0\314\5\0\0" )  ) == 0x0
 01961  1736   NtResumeThread  (612, ... 1, ) == 0x0
 01962  1484   NtWaitForSingleObject  (88, 0, 0x0, ...
 01963  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75038720, 1048576, ) == 0x0
 01964  1736   NtAllocateVirtualMemory  (-1, 76079104, 0, 8192, 4096, 4, ... 76079104, 8192, ) == 0x0
 01965  1736   NtProtectVirtualMemory  (-1, (0x488e000), 4096, 260, ... (0x488e000), 4096, 4, ) == 0x0
 01966  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1636, 1120}, ) == 0x0
 01967  1736   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=1120,}, 0x0, ) == 0x0
 01968  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75563, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0`\4\0\0" )  ) == 0x0
 01969  1736   NtResumeThread  (616, ... 1, ) == 0x0
 01970  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76087296, 1048576, ) == 0x0
 01971  1736   NtAllocateVirtualMemory  (-1, 77127680, 0, 8192, 4096, 4, ...
 01972  1120   NtWaitForSingleObject  (88, 0, 0x0, ...
 01971  1736   NtAllocateVirtualMemory  ... 77127680, 8192, ) == 0x0
 01973  1736   NtProtectVirtualMemory  (-1, (0x498e000), 4096, 260, ... (0x498e000), 4096, 4, ) == 0x0
 01974  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1636, 520}, ) == 0x0
 01975  1736   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=520,}, 0x0, ) == 0x0
 01976  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75564, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\10\2\0\0" )  ) == 0x0
 01977  1736   NtResumeThread  (620, ... 1, ) == 0x0
 01978   520   NtWaitForSingleObject  (88, 0, 0x0, ...
 01979  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77135872, 1048576, ) == 0x0
 01980  1736   NtAllocateVirtualMemory  (-1, 78176256, 0, 8192, 4096, 4, ... 78176256, 8192, ) == 0x0
 01981  1736   NtProtectVirtualMemory  (-1, (0x4a8e000), 4096, 260, ... (0x4a8e000), 4096, 4, ) == 0x0
 01982  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1636, 1612}, ) == 0x0
 01983  1736   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0
 01984  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0L\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75565, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0L\6\0\0" )  ) == 0x0
 01985  1736   NtResumeThread  (624, ... 1, ) == 0x0
 01986  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78184448, 1048576, ) == 0x0
 01987  1736   NtAllocateVirtualMemory  (-1, 79224832, 0, 8192, 4096, 4, ...
 01988  1612   NtWaitForSingleObject  (88, 0, 0x0, ...
 01987  1736   NtAllocateVirtualMemory  ... 79224832, 8192, ) == 0x0
 01989  1736   NtProtectVirtualMemory  (-1, (0x4b8e000), 4096, 260, ... (0x4b8e000), 4096, 4, ) == 0x0
 01990  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1636, 876}, ) == 0x0
 01991  1736   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=876,}, 0x0, ) == 0x0
 01992  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75566, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0l\3\0\0" )  ) == 0x0
 01993  1736   NtResumeThread  (628, ... 1, ) == 0x0
 01994   876   NtWaitForSingleObject  (88, 0, 0x0, ...
 01995  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79233024, 1048576, ) == 0x0
 01996  1736   NtAllocateVirtualMemory  (-1, 80273408, 0, 8192, 4096, 4, ... 80273408, 8192, ) == 0x0
 01997  1736   NtProtectVirtualMemory  (-1, (0x4c8e000), 4096, 260, ... (0x4c8e000), 4096, 4, ) == 0x0
 01998  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1636, 1628}, ) == 0x0
 01999  1736   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0
 02000  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75567, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\\6\0\0" )  ) == 0x0
 02001  1736   NtResumeThread  (632, ... 1, ) == 0x0
 02002  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80281600, 1048576, ) == 0x0
 02003  1736   NtAllocateVirtualMemory  (-1, 81321984, 0, 8192, 4096, 4, ...
 02004  1628   NtWaitForSingleObject  (88, 0, 0x0, ...
 02003  1736   NtAllocateVirtualMemory  ... 81321984, 8192, ) == 0x0
 02005  1736   NtProtectVirtualMemory  (-1, (0x4d8e000), 4096, 260, ... (0x4d8e000), 4096, 4, ) == 0x0
 02006  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1636, 940}, ) == 0x0
 02007  1736   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=940,}, 0x0, ) == 0x0
 02008  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\254\3\0\0" )  ) == 0x0
 02009  1736   NtResumeThread  (636, ... 1, ) == 0x0
 02010   940   NtWaitForSingleObject  (88, 0, 0x0, ...
 02011  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81330176, 1048576, ) == 0x0
 02012  1736   NtAllocateVirtualMemory  (-1, 82370560, 0, 8192, 4096, 4, ... 82370560, 8192, ) == 0x0
 02013  1736   NtProtectVirtualMemory  (-1, (0x4e8e000), 4096, 260, ... (0x4e8e000), 4096, 4, ) == 0x0
 02014  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1636, 1316}, ) == 0x0
 02015  1736   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0
 02016  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0$\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0d\6\0\0$\5\0\0" )  ) == 0x0
 02017  1736   NtResumeThread  (640, ... 1, ) == 0x0
 02018  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82378752, 1048576, ) == 0x0
 02019  1736   NtAllocateVirtualMemory  (-1, 83419136, 0, 8192, 4096, 4, ...
 02020  1316   NtWaitForSingleObject  (88, 0, 0x0, ...
 02019  1736   NtAllocateVirtualMemory  ... 83419136, 8192, ) == 0x0
 02021  1736   NtProtectVirtualMemory  (-1, (0x4f8e000), 4096, 260, ... (0x4f8e000), 4096, 4, ) == 0x0
 02022  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1636, 1924}, ) == 0x0
 02023  1736   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=1924,}, 0x0, ) == 0x0
 02024  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\204\7\0\0" )  ) == 0x0
 02025  1736   NtResumeThread  (644, ... 1, ) == 0x0
 02026  1924   NtWaitForSingleObject  (88, 0, 0x0, ...
 02027  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83427328, 1048576, ) == 0x0
 02028  1736   NtAllocateVirtualMemory  (-1, 84467712, 0, 8192, 4096, 4, ... 84467712, 8192, ) == 0x0
 02029  1736   NtProtectVirtualMemory  (-1, (0x508e000), 4096, 260, ... (0x508e000), 4096, 4, ) == 0x0
 02030  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1636, 644}, ) == 0x0
 02031  1736   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=644,}, 0x0, ) == 0x0
 02032  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0\204\2\0\0" )  ) == 0x0
 02033  1736   NtResumeThread  (648, ... 1, ) == 0x0
 02034  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 84475904, 1048576, ) == 0x0
 02035  1736   NtAllocateVirtualMemory  (-1, 85516288, 0, 8192, 4096, 4, ...
 02036   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 02035  1736   NtAllocateVirtualMemory  ... 85516288, 8192, ) == 0x0
 02037  1736   NtProtectVirtualMemory  (-1, (0x518e000), 4096, 260, ... (0x518e000), 4096, 4, ) == 0x0
 02038  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1636, 1288}, ) == 0x0
 02039  1736   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0
 02040  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\5\0\0" )  ) == 0x0
 02041  1736   NtResumeThread  (652, ... 1, ) == 0x0
 02042  1288   NtWaitForSingleObject  (88, 0, 0x0, ...
 02043  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85524480, 1048576, ) == 0x0
 02044  1736   NtAllocateVirtualMemory  (-1, 86564864, 0, 8192, 4096, 4, ... 86564864, 8192, ) == 0x0
 02045  1736   NtProtectVirtualMemory  (-1, (0x528e000), 4096, 260, ... (0x528e000), 4096, 4, ) == 0x0
 02046  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1636, 752}, ) == 0x0
 02047  1736   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=752,}, 0x0, ) == 0x0
 02048  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\360\2\0\0" )  ) == 0x0
 02049  1736   NtResumeThread  (656, ... 1, ) == 0x0
 02050  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86573056, 1048576, ) == 0x0
 02051  1736   NtAllocateVirtualMemory  (-1, 87613440, 0, 8192, 4096, 4, ...
 02052   752   NtWaitForSingleObject  (88, 0, 0x0, ...
 02051  1736   NtAllocateVirtualMemory  ... 87613440, 8192, ) == 0x0
 02053  1736   NtProtectVirtualMemory  (-1, (0x538e000), 4096, 260, ... (0x538e000), 4096, 4, ) == 0x0
 02054  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1636, 624}, ) == 0x0
 02055  1736   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=624,}, 0x0, ) == 0x0
 02056  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0p\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0p\2\0\0" )  ) == 0x0
 02057  1736   NtResumeThread  (660, ... 1, ) == 0x0
 02058   624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02059  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87621632, 1048576, ) == 0x0
 02060  1736   NtAllocateVirtualMemory  (-1, 88662016, 0, 8192, 4096, 4, ... 88662016, 8192, ) == 0x0
 02061  1736   NtProtectVirtualMemory  (-1, (0x548e000), 4096, 260, ... (0x548e000), 4096, 4, ) == 0x0
 02062  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1636, 380}, ) == 0x0
 02063  1736   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=380,}, 0x0, ) == 0x0
 02064  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0|\1\0\0" )  ) == 0x0
 02065  1736   NtResumeThread  (664, ... 1, ) == 0x0
 02066  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88670208, 1048576, ) == 0x0
 02067  1736   NtAllocateVirtualMemory  (-1, 89710592, 0, 8192, 4096, 4, ...
 02068   380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02067  1736   NtAllocateVirtualMemory  ... 89710592, 8192, ) == 0x0
 02069  1736   NtProtectVirtualMemory  (-1, (0x558e000), 4096, 260, ... (0x558e000), 4096, 4, ) == 0x0
 02070  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1636, 776}, ) == 0x0
 02071  1736   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=776,}, 0x0, ) == 0x0
 02072  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\3\0\0" )  ) == 0x0
 02073  1736   NtResumeThread  (668, ... 1, ) == 0x0
 02074   776   NtWaitForSingleObject  (88, 0, 0x0, ...
 02075  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89718784, 1048576, ) == 0x0
 02076  1736   NtAllocateVirtualMemory  (-1, 90759168, 0, 8192, 4096, 4, ... 90759168, 8192, ) == 0x0
 02077  1736   NtProtectVirtualMemory  (-1, (0x568e000), 4096, 260, ... (0x568e000), 4096, 4, ) == 0x0
 02078  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1636, 312}, ) == 0x0
 02079  1736   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=312,}, 0x0, ) == 0x0
 02080  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\08\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\08\1\0\0" )  ) == 0x0
 02081  1736   NtResumeThread  (672, ... 1, ) == 0x0
 02082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90767360, 1048576, ) == 0x0
 02083  1736   NtAllocateVirtualMemory  (-1, 91807744, 0, 8192, 4096, 4, ...
 02084   312   NtWaitForSingleObject  (88, 0, 0x0, ...
 02083  1736   NtAllocateVirtualMemory  ... 91807744, 8192, ) == 0x0
 02085  1736   NtProtectVirtualMemory  (-1, (0x578e000), 4096, 260, ... (0x578e000), 4096, 4, ) == 0x0
 02086  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1636, 1124}, ) == 0x0
 02087  1736   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0
 02088  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0d\4\0\0" )  ) == 0x0
 02089  1736   NtResumeThread  (676, ... 1, ) == 0x0
 02090  1124   NtWaitForSingleObject  (88, 0, 0x0, ...
 02091  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91815936, 1048576, ) == 0x0
 02092  1736   NtAllocateVirtualMemory  (-1, 92856320, 0, 8192, 4096, 4, ... 92856320, 8192, ) == 0x0
 02093  1736   NtProtectVirtualMemory  (-1, (0x588e000), 4096, 260, ... (0x588e000), 4096, 4, ) == 0x0
 02094  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 1404}, ) == 0x0
 02095  1736   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0
 02096  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0|\5\0\0" )  ) == 0x0
 02097  1736   NtResumeThread  (680, ... 1, ) == 0x0
 02098  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 92864512, 1048576, ) == 0x0
 02099  1736   NtAllocateVirtualMemory  (-1, 93904896, 0, 8192, 4096, 4, ...
 02100  1404   NtWaitForSingleObject  (88, 0, 0x0, ...
 02099  1736   NtAllocateVirtualMemory  ... 93904896, 8192, ) == 0x0
 02101  1736   NtProtectVirtualMemory  (-1, (0x598e000), 4096, 260, ... (0x598e000), 4096, 4, ) == 0x0
 02102  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 476}, ) == 0x0
 02103  1736   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=476,}, 0x0, ) == 0x0
 02104  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\334\1\0\0" )  ) == 0x0
 02105  1736   NtResumeThread  (684, ... 1, ) == 0x0
 02106  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93913088, 1048576, ) == 0x0
 02107  1736   NtAllocateVirtualMemory  (-1, 94953472, 0, 8192, 4096, 4, ... 94953472, 8192, ) == 0x0
 02108   476   NtWaitForSingleObject  (88, 0, 0x0, ...
 02109  1736   NtProtectVirtualMemory  (-1, (0x5a8e000), 4096, 260, ... (0x5a8e000), 4096, 4, ) == 0x0
 02110  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1636, 1964}, ) == 0x0
 02111  1736   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=1964,}, 0x0, ) == 0x0
 02112  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\7\0\0" )  ) == 0x0
 02113  1736   NtResumeThread  (688, ... 1, ) == 0x0
 02114  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02115  1964   NtWaitForSingleObject  (88, 0, 0x0, ...
 02114  1736   NtAllocateVirtualMemory  ... 94961664, 1048576, ) == 0x0
 02116  1736   NtAllocateVirtualMemory  (-1, 96002048, 0, 8192, 4096, 4, ... 96002048, 8192, ) == 0x0
 02117  1736   NtProtectVirtualMemory  (-1, (0x5b8e000), 4096, 260, ... (0x5b8e000), 4096, 4, ) == 0x0
 02118  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1636, 740}, ) == 0x0
 02119  1736   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=740,}, 0x0, ) == 0x0
 02120  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\344\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\344\2\0\0" )  ) == 0x0
 02121  1736   NtResumeThread  (692, ... 1, ) == 0x0
 02122  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 96010240, 1048576, ) == 0x0
 02123  1736   NtAllocateVirtualMemory  (-1, 97050624, 0, 8192, 4096, 4, ... 97050624, 8192, ) == 0x0
 02124   740   NtWaitForSingleObject  (88, 0, 0x0, ...
 02125  1736   NtProtectVirtualMemory  (-1, (0x5c8e000), 4096, 260, ... (0x5c8e000), 4096, 4, ) == 0x0
 02126  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1636, 1624}, ) == 0x0
 02127  1736   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0
 02128  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0X\6\0\0" )  ) == 0x0
 02129  1736   NtResumeThread  (696, ... 1, ) == 0x0
 02130  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02131  1624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02130  1736   NtAllocateVirtualMemory  ... 97058816, 1048576, ) == 0x0
 02132  1736   NtAllocateVirtualMemory  (-1, 98099200, 0, 8192, 4096, 4, ... 98099200, 8192, ) == 0x0
 02133  1736   NtProtectVirtualMemory  (-1, (0x5d8e000), 4096, 260, ... (0x5d8e000), 4096, 4, ) == 0x0
 02134  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1636, 1716}, ) == 0x0
 02135  1736   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=1716,}, 0x0, ) == 0x0
 02136  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\264\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\264\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\264\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\264\6\0\0" )  ) == 0x0
 02137  1736   NtResumeThread  (700, ... 1, ) == 0x0
 02138  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 98107392, 1048576, ) == 0x0
 02139  1736   NtAllocateVirtualMemory  (-1, 99147776, 0, 8192, 4096, 4, ... 99147776, 8192, ) == 0x0
 02140  1716   NtWaitForSingleObject  (88, 0, 0x0, ...
 02141  1736   NtProtectVirtualMemory  (-1, (0x5e8e000), 4096, 260, ... (0x5e8e000), 4096, 4, ) == 0x0
 02142  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1636, 1440}, ) == 0x0
 02143  1736   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0
 02144  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\240\5\0\0" )  ) == 0x0
 02145  1736   NtResumeThread  (704, ... 1, ) == 0x0
 02146  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02147  1440   NtWaitForSingleObject  (88, 0, 0x0, ...
 02146  1736   NtAllocateVirtualMemory  ... 99155968, 1048576, ) == 0x0
 02148  1736   NtAllocateVirtualMemory  (-1, 100196352, 0, 8192, 4096, 4, ... 100196352, 8192, ) == 0x0
 02149  1736   NtProtectVirtualMemory  (-1, (0x5f8e000), 4096, 260, ... (0x5f8e000), 4096, 4, ) == 0x0
 02150  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1636, 1516}, ) == 0x0
 02151  1736   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=1516,}, 0x0, ) == 0x0
 02152  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\354\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\354\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\354\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\354\5\0\0" )  ) == 0x0
 02153  1736   NtResumeThread  (708, ... 1, ) == 0x0
 02154  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 100204544, 1048576, ) == 0x0
 02155  1736   NtAllocateVirtualMemory  (-1, 101244928, 0, 8192, 4096, 4, ... 101244928, 8192, ) == 0x0
 02156  1516   NtWaitForSingleObject  (88, 0, 0x0, ...
 02157  1736   NtProtectVirtualMemory  (-1, (0x608e000), 4096, 260, ... (0x608e000), 4096, 4, ) == 0x0
 02158  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1636, 1664}, ) == 0x0
 02159  1736   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=1664,}, 0x0, ) == 0x0
 02160  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\200\6\0\0" )  ) == 0x0
 02161  1736   NtResumeThread  (712, ... 1, ) == 0x0
 02162  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02163  1664   NtWaitForSingleObject  (88, 0, 0x0, ...
 02162  1736   NtAllocateVirtualMemory  ... 101253120, 1048576, ) == 0x0
 02164  1736   NtAllocateVirtualMemory  (-1, 102293504, 0, 8192, 4096, 4, ... 102293504, 8192, ) == 0x0
 02165  1736   NtProtectVirtualMemory  (-1, (0x618e000), 4096, 260, ... (0x618e000), 4096, 4, ) == 0x0
 02166  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1636, 1972}, ) == 0x0
 02167  1736   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0
 02168  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\264\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\264\7\0\0" )  ) == 0x0
 02169  1736   NtResumeThread  (716, ... 1, ) == 0x0
 02170  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 102301696, 1048576, ) == 0x0
 02171  1736   NtAllocateVirtualMemory  (-1, 103342080, 0, 8192, 4096, 4, ... 103342080, 8192, ) == 0x0
 02172  1972   NtWaitForSingleObject  (88, 0, 0x0, ...
 02173  1736   NtProtectVirtualMemory  (-1, (0x628e000), 4096, 260, ... (0x628e000), 4096, 4, ) == 0x0
 02174  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 780}, ) == 0x0
 02175  1736   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=780,}, 0x0, ) == 0x0
 02176  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\14\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\14\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\14\3\0\0" )  ) == 0x0
 02177  1736   NtResumeThread  (720, ... 1, ) == 0x0
 02178  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02179   780   NtWaitForSingleObject  (88, 0, 0x0, ...
 02178  1736   NtAllocateVirtualMemory  ... 103350272, 1048576, ) == 0x0
 02180  1736   NtAllocateVirtualMemory  (-1, 104390656, 0, 8192, 4096, 4, ... 104390656, 8192, ) == 0x0
 02181  1736   NtProtectVirtualMemory  (-1, (0x638e000), 4096, 260, ... (0x638e000), 4096, 4, ) == 0x0
 02182  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1636, 1656}, ) == 0x0
 02183  1736   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0
 02184  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0x\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0x\6\0\0" )  ) == 0x0
 02185  1736   NtResumeThread  (724, ... 1, ) == 0x0
 02186  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 104398848, 1048576, ) == 0x0
 02187  1736   NtAllocateVirtualMemory  (-1, 105439232, 0, 8192, 4096, 4, ... 105439232, 8192, ) == 0x0
 02188  1656   NtWaitForSingleObject  (88, 0, 0x0, ...
 02189  1736   NtProtectVirtualMemory  (-1, (0x648e000), 4096, 260, ... (0x648e000), 4096, 4, ) == 0x0
 02190  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1636, 1248}, ) == 0x0
 02191  1736   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=1248,}, 0x0, ) == 0x0
 02192  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\340\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75591, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\340\4\0\0" )  ) == 0x0
 02193  1736   NtResumeThread  (728, ... 1, ) == 0x0
 02194  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02195  1248   NtWaitForSingleObject  (88, 0, 0x0, ...
 02194  1736   NtAllocateVirtualMemory  ... 105447424, 1048576, ) == 0x0
 02196  1736   NtAllocateVirtualMemory  (-1, 106487808, 0, 8192, 4096, 4, ... 106487808, 8192, ) == 0x0
 02197  1736   NtProtectVirtualMemory  (-1, (0x658e000), 4096, 260, ... (0x658e000), 4096, 4, ) == 0x0
 02198  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1636, 1036}, ) == 0x0
 02199  1736   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=1036,}, 0x0, ) == 0x0
 02200  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0\14\4\0\0" )  ) == 0x0
 02201  1736   NtResumeThread  (732, ... 1, ) == 0x0
 02202  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 106496000, 1048576, ) == 0x0
 02203  1736   NtAllocateVirtualMemory  (-1, 107536384, 0, 8192, 4096, 4, ... 107536384, 8192, ) == 0x0
 02204  1036   NtWaitForSingleObject  (88, 0, 0x0, ...
 02205  1736   NtProtectVirtualMemory  (-1, (0x668e000), 4096, 260, ... (0x668e000), 4096, 4, ) == 0x0
 02206  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1636, 760}, ) == 0x0
 02207  1736   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=760,}, 0x0, ) == 0x0
 02208  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\370\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75593, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\370\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\370\2\0\0" )  ) == 0x0
 02209  1736   NtResumeThread  (736, ... 1, ) == 0x0
 02210  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02211   760   NtWaitForSingleObject  (88, 0, 0x0, ...
 02210  1736   NtAllocateVirtualMemory  ... 107544576, 1048576, ) == 0x0
 02212  1736   NtAllocateVirtualMemory  (-1, 108584960, 0, 8192, 4096, 4, ... 108584960, 8192, ) == 0x0
 02213  1736   NtProtectVirtualMemory  (-1, (0x678e000), 4096, 260, ... (0x678e000), 4096, 4, ) == 0x0
 02214  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1636, 860}, ) == 0x0
 02215  1736   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=860,}, 0x0, ) == 0x0
 02216  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75594, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\\3\0\0" )  ) == 0x0
 02217  1736   NtResumeThread  (740, ... 1, ) == 0x0
 02218  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108593152, 1048576, ) == 0x0
 02219  1736   NtAllocateVirtualMemory  (-1, 109633536, 0, 8192, 4096, 4, ... 109633536, 8192, ) == 0x0
 02220   860   NtWaitForSingleObject  (88, 0, 0x0, ...
 02221  1736   NtProtectVirtualMemory  (-1, (0x688e000), 4096, 260, ... (0x688e000), 4096, 4, ) == 0x0
 02222  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1636, 484}, ) == 0x0
 02223  1736   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1636,Tid=484,}, 0x0, ) == 0x0
 02224  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\344\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75595, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0\344\1\0\0" )  ) == 0x0
 02225  1736   NtResumeThread  (744, ... 1, ) == 0x0
 02226  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02227   484   NtWaitForSingleObject  (88, 0, 0x0, ...
 02226  1736   NtAllocateVirtualMemory  ... 109641728, 1048576, ) == 0x0
 02228  1736   NtAllocateVirtualMemory  (-1, 110682112, 0, 8192, 4096, 4, ... 110682112, 8192, ) == 0x0
 02229  1736   NtProtectVirtualMemory  (-1, (0x698e000), 4096, 260, ... (0x698e000), 4096, 4, ) == 0x0
 02230  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1636, 1580}, ) == 0x0
 02231  1736   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1636,Tid=1580,}, 0x0, ) == 0x0
 02232  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0,\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75596, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0,\6\0\0" )  ) == 0x0
 02233  1736   NtResumeThread  (748, ... 1, ) == 0x0
 02234  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110690304, 1048576, ) == 0x0
 02235  1736   NtAllocateVirtualMemory  (-1, 111730688, 0, 8192, 4096, 4, ... 111730688, 8192, ) == 0x0
 02236  1580   NtWaitForSingleObject  (88, 0, 0x0, ...
 02237  1736   NtProtectVirtualMemory  (-1, (0x6a8e000), 4096, 260, ... (0x6a8e000), 4096, 4, ) == 0x0
 02238  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1636, 1756}, ) == 0x0
 02239  1736   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1636,Tid=1756,}, 0x0, ) == 0x0
 02240  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\334\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75597, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\334\6\0\0" )  ) == 0x0
 02241  1736   NtResumeThread  (752, ... 1, ) == 0x0
 02242  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02243  1756   NtWaitForSingleObject  (88, 0, 0x0, ...
 02242  1736   NtAllocateVirtualMemory  ... 111738880, 1048576, ) == 0x0
 02244  1736   NtAllocateVirtualMemory  (-1, 112779264, 0, 8192, 4096, 4, ... 112779264, 8192, ) == 0x0
 02245  1736   NtProtectVirtualMemory  (-1, (0x6b8e000), 4096, 260, ... (0x6b8e000), 4096, 4, ) == 0x0
 02246  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1636, 1304}, ) == 0x0
 02247  1736   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1636,Tid=1304,}, 0x0, ) == 0x0
 02248  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\30\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\30\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\30\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\30\5\0\0" )  ) == 0x0
 02249  1736   NtResumeThread  (756, ... 1, ) == 0x0
 02250  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 112787456, 1048576, ) == 0x0
 02251  1736   NtAllocateVirtualMemory  (-1, 113827840, 0, 8192, 4096, 4, ... 113827840, 8192, ) == 0x0
 02252  1304   NtWaitForSingleObject  (88, 0, 0x0, ...
 02253  1736   NtProtectVirtualMemory  (-1, (0x6c8e000), 4096, 260, ... (0x6c8e000), 4096, 4, ) == 0x0
 02254  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1636, 1292}, ) == 0x0
 02255  1736   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1636,Tid=1292,}, 0x0, ) == 0x0
 02256  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75599, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\5\0\0" )  ) == 0x0
 02257  1736   NtResumeThread  (760, ... 1, ) == 0x0
 02258  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02259  1292   NtWaitForSingleObject  (88, 0, 0x0, ...
 02258  1736   NtAllocateVirtualMemory  ... 113836032, 1048576, ) == 0x0
 02260  1736   NtAllocateVirtualMemory  (-1, 114876416, 0, 8192, 4096, 4, ... 114876416, 8192, ) == 0x0
 02261  1736   NtProtectVirtualMemory  (-1, (0x6d8e000), 4096, 260, ... (0x6d8e000), 4096, 4, ) == 0x0
 02262  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1636, 540}, ) == 0x0
 02263  1736   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1636,Tid=540,}, 0x0, ) == 0x0
 02264  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\34\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\34\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75600, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\34\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\34\2\0\0" )  ) == 0x0
 02265  1736   NtResumeThread  (764, ... 1, ) == 0x0
 02266  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 114884608, 1048576, ) == 0x0
 02267  1736   NtAllocateVirtualMemory  (-1, 115924992, 0, 8192, 4096, 4, ... 115924992, 8192, ) == 0x0
 02268   540   NtWaitForSingleObject  (88, 0, 0x0, ...
 02269  1736   NtProtectVirtualMemory  (-1, (0x6e8e000), 4096, 260, ... (0x6e8e000), 4096, 4, ) == 0x0
 02270  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1636, 1956}, ) == 0x0
 02271  1736   NtQueryInformationThread  (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1636,Tid=1956,}, 0x0, ) == 0x0
 02272  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75601, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\244\7\0\0" )  ) == 0x0
 02273  1736   NtResumeThread  (768, ... 1, ) == 0x0
 02274  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02275  1956   NtWaitForSingleObject  (88, 0, 0x0, ...
 02274  1736   NtAllocateVirtualMemory  ... 115933184, 1048576, ) == 0x0
 02276  1736   NtAllocateVirtualMemory  (-1, 116973568, 0, 8192, 4096, 4, ... 116973568, 8192, ) == 0x0
 02277  1736   NtProtectVirtualMemory  (-1, (0x6f8e000), 4096, 260, ... (0x6f8e000), 4096, 4, ) == 0x0
 02278  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02279  2016   NtQueryPerformanceCounter  (... {1105965024, 16}, {3579545, 0}, ) == 0x0
 02280  2016   NtSetEventBoostPriority  (88, ...
 01814  1376   NtWaitForSingleObject  ... ) == 0x0
 02281  1376   NtAllocateVirtualMemory  (-1, 8871936, 0, 4096, 4096, 4, ... 8871936, 4096, ) == 0x0
 02280  2016   NtSetEventBoostPriority  ... ) == 0x0
 02278  1736   NtCreateThread  ... 772, {1636, 1980}, ) == 0x0
 02282  1376   NtSetEventBoostPriority  (88, ...
 02283  1736   NtQueryInformationThread  (772, Basic, 28, ...
 01834  1436   NtWaitForSingleObject  ... ) == 0x0
 02282  1376   NtSetEventBoostPriority  ... ) == 0x0
 02284  1436   NtSetEventBoostPriority  (88, ...
 02283  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1636,Tid=1980,}, 0x0, ) == 0x0
 01855   724   NtWaitForSingleObject  ... ) == 0x0
 02284  1436   NtSetEventBoostPriority  ... ) == 0x0
 02285  1376   NtTestAlert  (...
 02286   724   NtSetEventBoostPriority  (88, ...
 02287  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0d\6\0\0\274\7\0\0" ...  ...
 02288  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 01872  1276   NtWaitForSingleObject  ... ) == 0x0
 02286   724   NtSetEventBoostPriority  ... ) == 0x0
 02285  1376   NtTestAlert  ... ) == 0x0
 02287  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75602, 0}  ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0d\6\0\0\274\7\0\0" )  ) == 0x0
 02289  1276   NtSetEventBoostPriority  (88, ...
 02290  1436   NtTestAlert  (...
 02291  1376   NtContinue  (63503664, 1, ...
 02292   724   NtTestAlert  (...
 01898  1368   NtWaitForSingleObject  ... ) == 0x0
 02289  1276   NtSetEventBoostPriority  ... ) == 0x0
 02290  1436   NtTestAlert  ... ) == 0x0
 02293  1376   NtRegisterThreadTerminatePort  (24, ...
 02294  1368   NtSetEventBoostPriority  (88, ...
 02292   724   NtTestAlert  ... ) == 0x0
 02295  1736   NtResumeThread  (772, ...
 02296  1436   NtContinue  (64552240, 1, ...
 02297  1276   NtTestAlert  (...
 01909   704   NtWaitForSingleObject  ... ) == 0x0
 02294  1368   NtSetEventBoostPriority  ... ) == 0x0
 02298   724   NtContinue  (65600816, 1, ...
 02295  1736   NtResumeThread  ... 1, ) == 0x0
 02299  1436   NtRegisterThreadTerminatePort  (24, ...
 02300   704   NtSetEventBoostPriority  (88, ...
 02297  1276   NtTestAlert  ... ) == 0x0
 02293  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 02301  1980   NtWaitForSingleObject  (88, 0, 0x0, ...
 02302   724   NtRegisterThreadTerminatePort  (24, ...
 02303  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01924  1568   NtWaitForSingleObject  ... ) == 0x0
 02300   704   NtSetEventBoostPriority  ... ) == 0x0
 02299  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 02304  1276   NtContinue  (66649392, 1, ...
 02305  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02302   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 02306  1568   NtSetEventBoostPriority  (88, ...
 02303  1736   NtAllocateVirtualMemory  ... 116981760, 1048576, ) == 0x0
 02307  1368   NtTestAlert  (...
 02308  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02309  1276   NtRegisterThreadTerminatePort  (24, ...
 02305  1376   NtDuplicateObject  ... 776, ) == 0x0
 01930  1104   NtWaitForSingleObject  ... ) == 0x0
 02306  1568   NtSetEventBoostPriority  ... ) == 0x0
 02310   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02311  1736   NtAllocateVirtualMemory  (-1, 118022144, 0, 8192, 4096, 4, ...
 02307  1368   NtTestAlert  ... ) == 0x0
 02312   704   NtTestAlert  (...
 02309  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 02313  1104   NtSetEventBoostPriority  (88, ...
 02314  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02308  1436   NtDuplicateObject  ... 780, ) == 0x0
 02315  1568   NtTestAlert  (...
 02311  1736   NtAllocateVirtualMemory  ... 118022144, 8192, ) == 0x0
 02316  1368   NtContinue  (67697968, 1, ...
 02312   704   NtTestAlert  ... ) == 0x0
 01940   784   NtWaitForSingleObject  ... ) == 0x0
 02313  1104   NtSetEventBoostPriority  ... ) == 0x0
 02317  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02314  1376   NtWaitForSingleObject  ... ) == 0x102
 02318  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02315  1568   NtTestAlert  ... ) == 0x0
 02310   724   NtDuplicateObject  ... 784, ) == 0x0
 02319  1368   NtRegisterThreadTerminatePort  (24, ...
 02320   784   NtSetEventBoostPriority  (88, ...
 02321   704   NtContinue  (68746544, 1, ...
 02322  1736   NtProtectVirtualMemory  (-1, (0x708e000), 4096, 260, ...
 02323  1104   NtTestAlert  (...
 02317  1276   NtDuplicateObject  ... 788, ) == 0x0
 02318  1436   NtWaitForSingleObject  ... ) == 0x102
 02324  1568   NtContinue  (69795120, 1, ...
 02325   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01946  1792   NtWaitForSingleObject  ... ) == 0x0
 02320   784   NtSetEventBoostPriority  ... ) == 0x0
 02319  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 02326   704   NtRegisterThreadTerminatePort  (24, ...
 02322  1736   NtProtectVirtualMemory  ... (0x708e000), 4096, 4, ) == 0x0
 02323  1104   NtTestAlert  ... ) == 0x0
 02327  1276   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02328  1436   NtWaitForSingleObject  (140, 0, 0x0, ...
 02329  1568   NtRegisterThreadTerminatePort  (24, ...
 02330  1792   NtSetEventBoostPriority  (88, ...
 02325   724   NtWaitForSingleObject  ... ) == 0x102
 02331  1376   NtWaitForSingleObject  (140, 0, 0x0, ...
 02332  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02326   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 02333  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02334  1104   NtContinue  (70843696, 1, ...
 02327  1276   NtWaitForSingleObject  ... ) == 0x102
 01956   192   NtWaitForSingleObject  ... ) == 0x0
 02330  1792   NtSetEventBoostPriority  ... ) == 0x0
 02329  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 02335   724   NtWaitForSingleObject  (140, 0, 0x0, ...
 02336   784   NtTestAlert  (...
 02337   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02333  1736   NtCreateThread  ... 792, {1636, 1784}, ) == 0x0
 02338  1104   NtRegisterThreadTerminatePort  (24, ...
 02339   192   NtSetEventBoostPriority  (88, ...
 02340  1276   NtWaitForSingleObject  (140, 0, 0x0, ...
 02332  1368   NtDuplicateObject  ... 796, ) == 0x0
 02341  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02336   784   NtTestAlert  ... ) == 0x0
 02342  1792   NtTestAlert  (...
 02343  1736   NtQueryInformationThread  (792, Basic, 28, ...
 01962  1484   NtWaitForSingleObject  ... ) == 0x0
 02339   192   NtSetEventBoostPriority  ... ) == 0x0
 02338  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02344  1368   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02337   704   NtDuplicateObject  ... 800, ) == 0x0
 02345   784   NtContinue  (71892272, 1, ...
 02342  1792   NtTestAlert  ... ) == 0x0
 02346  1484   NtSetEventBoostPriority  (88, ...
 02343  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1636,Tid=1784,}, 0x0, ) == 0x0
 02341  1568   NtDuplicateObject  ... 804, ) == 0x0
 02347  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02344  1368   NtWaitForSingleObject  ... ) == 0x102
 02348   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02349   784   NtRegisterThreadTerminatePort  (24, ...
 01972  1120   NtWaitForSingleObject  ... ) == 0x0
 02346  1484   NtSetEventBoostPriority  ... ) == 0x0
 02350  1792   NtContinue  (72940848, 1, ...
 02351   192   NtTestAlert  (...
 02352  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02353  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0d\6\0\0\370\6\0\0" ...  ...
 02354  1368   NtWaitForSingleObject  (140, 0, 0x0, ...
 02348   704   NtWaitForSingleObject  ... ) == 0x102
 02355  1120   NtSetEventBoostPriority  (88, ...
 02349   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 02347  1104   NtDuplicateObject  ... 808, ) == 0x0
 02356  1792   NtRegisterThreadTerminatePort  (24, ...
 02351   192   NtTestAlert  ... ) == 0x0
 02352  1568   NtWaitForSingleObject  ... ) == 0x102
 02353  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75603, 0}  ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0d\6\0\0\370\6\0\0" )  ) == 0x0
 01978   520   NtWaitForSingleObject  ... ) == 0x0
 02355  1120   NtSetEventBoostPriority  ... ) == 0x0
 02357   704   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02358   784   NtWaitForSingleObject  (324, 0, 0x0, ...
 02359  1104   NtWaitForSingleObject  (324, 0, 0x0, ...
 02356  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02360   192   NtContinue  (73989424, 1, ...
 02361  1568   NtWaitForSingleObject  (324, 0, 0x0, ...
 02362   520   NtWaitForSingleObject  (324, 0, 0x0, ...
 02363  1736   NtResumeThread  (792, ...
 02364  1484   NtTestAlert  (...
 02357   704   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02365  1120   NtTestAlert  (...
 02366  1792   NtWaitForSingleObject  (324, 0, 0x0, ...
 02367   192   NtRegisterThreadTerminatePort  (24, ...
 02363  1736   NtResumeThread  ... 1, ) == 0x0
 02364  1484   NtTestAlert  ... ) == 0x0
 02368  1784   NtWaitForSingleObject  (88, 0, 0x0, ...
 02365  1120   NtTestAlert  ... ) == 0x0
 02369   704   NtSetEventBoostPriority  (324, ...
 02367   192   NtRegisterThreadTerminatePort  ... ) == 0x0
 02370  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02371  1484   NtContinue  (75038000, 1, ...
 02372  1120   NtContinue  (76086576, 1, ...
 02359  1104   NtWaitForSingleObject  ... ) == 0x0
 02369   704   NtSetEventBoostPriority  ... ) == 0x0
 02373   192   NtWaitForSingleObject  (324, 0, 0x0, ...
 02374  1484   NtRegisterThreadTerminatePort  (24, ...
 02375  1104   NtSetEventBoostPriority  (324, ...
 02376  1120   NtRegisterThreadTerminatePort  (24, ...
 02377   704   NtWaitForSingleObject  (140, 0, 0x0, ...
 02370  1736   NtAllocateVirtualMemory  ... 118030336, 1048576, ) == 0x0
 02362   520   NtWaitForSingleObject  ... ) == 0x0
 02375  1104   NtSetEventBoostPriority  ... ) == 0x0
 02374  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02376  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02378   520   NtSetEventBoostPriority  (324, ...
 02379  1736   NtAllocateVirtualMemory  (-1, 119070720, 0, 8192, 4096, 4, ...
 02380  1484   NtWaitForSingleObject  (324, 0, 0x0, ...
 02361  1568   NtWaitForSingleObject  ... ) == 0x0
 02378   520   NtSetEventBoostPriority  ... ) == 0x0
 02381  1120   NtWaitForSingleObject  (324, 0, 0x0, ...
 02379  1736   NtAllocateVirtualMemory  ... 119070720, 8192, ) == 0x0
 02382  1104   NtWaitForSingleObject  (324, 0, 0x0, ...
 02383  1568   NtSetEventBoostPriority  (324, ...
 02384   520   NtSetEventBoostPriority  (88, ...
 02358   784   NtWaitForSingleObject  ... ) == 0x0
 02383  1568   NtSetEventBoostPriority  ... ) == 0x0
 02385   784   NtSetEventBoostPriority  (324, ...
 01988  1612   NtWaitForSingleObject  ... ) == 0x0
 02384   520   NtSetEventBoostPriority  ... ) == 0x0
 02386  1736   NtProtectVirtualMemory  (-1, (0x718e000), 4096, 260, ...
 02366  1792   NtWaitForSingleObject  ... ) == 0x0
 02387  1612   NtWaitForSingleObject  (324, 0, 0x0, ...
 02388   520   NtTestAlert  (...
 02386  1736   NtProtectVirtualMemory  ... (0x718e000), 4096, 4, ) == 0x0
 02389  1792   NtSetEventBoostPriority  (324, ...
 02388   520   NtTestAlert  ... ) == 0x0
 02390  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02373   192   NtWaitForSingleObject  ... ) == 0x0
 02391   520   NtContinue  (77135152, 1, ...
 02390  1736   NtCreateThread  ... 812, {1636, 1480}, ) == 0x0
 02392   192   NtSetEventBoostPriority  (324, ...
 02393   520   NtRegisterThreadTerminatePort  (24, ...
 02394  1736   NtQueryInformationThread  (812, Basic, 28, ...
 02380  1484   NtWaitForSingleObject  ... ) == 0x0
 02392   192   NtSetEventBoostPriority  ... ) == 0x0
 02389  1792   NtSetEventBoostPriority  ... ) == 0x0
 02385   784   NtSetEventBoostPriority  ... ) == 0x0
 02395  1568   NtWaitForSingleObject  (140, 0, 0x0, ...
 02394  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1636,Tid=1480,}, 0x0, ) == 0x0
 02396  1484   NtSetEventBoostPriority  (324, ...
 02397   192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02398  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02399   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02393   520   NtRegisterThreadTerminatePort  ... ) == 0x0
 02382  1104   NtWaitForSingleObject  ... ) == 0x0
 02397   192   NtDuplicateObject  ... 816, ) == 0x0
 02398  1792   NtDuplicateObject  ... 820, ) == 0x0
 02399   784   NtDuplicateObject  ... 824, ) == 0x0
 02400   520   NtWaitForSingleObject  (324, 0, 0x0, ...
 02401  1104   NtSetEventBoostPriority  (324, ...
 02396  1484   NtSetEventBoostPriority  ... ) == 0x0
 02402  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0d\6\0\0\310\5\0\0" ...  ...
 02403   192   NtWaitForSingleObject  (324, 0, 0x0, ...
 02404  1792   NtWaitForSingleObject  (324, 0, 0x0, ...
 02381  1120   NtWaitForSingleObject  ... ) == 0x0
 02401  1104   NtSetEventBoostPriority  ... ) == 0x0
 02405  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02402  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75604, 0}  ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0d\6\0\0\310\5\0\0" )  ) == 0x0
 02406  1120   NtSetEventBoostPriority  (324, ...
 02407  1104   NtWaitForSingleObject  (324, 0, 0x0, ...
 02405  1484   NtDuplicateObject  ... 828, ) == 0x0
 02387  1612   NtWaitForSingleObject  ... ) == 0x0
 02408  1736   NtResumeThread  (812, ...
 02406  1120   NtSetEventBoostPriority  ... ) == 0x0
 02409   784   NtWaitForSingleObject  (324, 0, 0x0, ...
 02410  1612   NtSetEventBoostPriority  (324, ...
 02408  1736   NtResumeThread  ... 1, ) == 0x0
 02411  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02400   520   NtWaitForSingleObject  ... ) == 0x0
 02410  1612   NtSetEventBoostPriority  ... ) == 0x0
 02412  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02413   520   NtSetEventBoostPriority  (324, ...
 02411  1120   NtDuplicateObject  ... 832, ) == 0x0
 02414  1484   NtWaitForSingleObject  (324, 0, 0x0, ...
 02415  1480   NtWaitForSingleObject  (88, 0, 0x0, ...
 02416  1612   NtSetEventBoostPriority  (88, ...
 02403   192   NtWaitForSingleObject  ... ) == 0x0
 02413   520   NtSetEventBoostPriority  ... ) == 0x0
 02412  1736   NtAllocateVirtualMemory  ... 119078912, 1048576, ) == 0x0
 02417   192   NtSetEventBoostPriority  (324, ...
 01994   876   NtWaitForSingleObject  ... ) == 0x0
 02416  1612   NtSetEventBoostPriority  ... ) == 0x0
 02418  1120   NtWaitForSingleObject  (324, 0, 0x0, ...
 02404  1792   NtWaitForSingleObject  ... ) == 0x0
 02419   876   NtWaitForSingleObject  (324, 0, 0x0, ...
 02417   192   NtSetEventBoostPriority  ... ) == 0x0
 02420  1736   NtAllocateVirtualMemory  (-1, 120119296, 0, 8192, 4096, 4, ...
 02421  1612   NtTestAlert  (...
 02422  1792   NtSetEventBoostPriority  (324, ...
 02423   192   NtWaitForSingleObject  (324, 0, 0x0, ...
 02420  1736   NtAllocateVirtualMemory  ... 120119296, 8192, ) == 0x0
 02407  1104   NtWaitForSingleObject  ... ) == 0x0
 02422  1792   NtSetEventBoostPriority  ... ) == 0x0
 02421  1612   NtTestAlert  ... ) == 0x0
 02424   520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02425  1104   NtSetEventBoostPriority  (324, ...
 02426  1736   NtProtectVirtualMemory  (-1, (0x728e000), 4096, 260, ...
 02427  1792   NtWaitForSingleObject  (324, 0, 0x0, ...
 02428  1612   NtContinue  (78183728, 1, ...
 02409   784   NtWaitForSingleObject  ... ) == 0x0
 02424   520   NtDuplicateObject  ... 836, ) == 0x0
 02426  1736   NtProtectVirtualMemory  ... (0x728e000), 4096, 4, ) == 0x0
 02425  1104   NtSetEventBoostPriority  ... ) == 0x0
 02429  1612   NtRegisterThreadTerminatePort  (24, ...
 02430   784   NtSetEventBoostPriority  (324, ...
 02431   520   NtWaitForSingleObject  (324, 0, 0x0, ...
 02432  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02433  1104   NtWaitForSingleObject  (324, 0, 0x0, ...
 02414  1484   NtWaitForSingleObject  ... ) == 0x0
 02430   784   NtSetEventBoostPriority  ... ) == 0x0
 02429  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 02434  1484   NtSetEventBoostPriority  (324, ...
 02435   784   NtWaitForSingleObject  (324, 0, 0x0, ...
 02419   876   NtWaitForSingleObject  ... ) == 0x0
 02434  1484   NtSetEventBoostPriority  ... ) == 0x0
 02436  1612   NtWaitForSingleObject  (324, 0, 0x0, ...
 02432  1736   NtCreateThread  ... 840, {1636, 1556}, ) == 0x0
 02437   876   NtSetEventBoostPriority  (324, ...
 02438  1484   NtWaitForSingleObject  (324, 0, 0x0, ...
 02418  1120   NtWaitForSingleObject  ... ) == 0x0
 02437   876   NtSetEventBoostPriority  ... ) == 0x0
 02439  1736   NtQueryInformationThread  (840, Basic, 28, ...
 01900  1356   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1636, 1356, 75555, 0}  ... {44, 68, reply, 0, 1636, 1356, 75555, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02440  1120   NtSetEventBoostPriority  (324, ...
 02439  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1636,Tid=1556,}, 0x0, ) == 0x0
 02423   192   NtWaitForSingleObject  ... ) == 0x0
 02440  1120   NtSetEventBoostPriority  ... ) == 0x0
 02441  1356   NtRaiseException  (11074064, 11073324, 1, ...
 02442   192   NtSetEventBoostPriority  (324, ...
 02443  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0d\6\0\0\24\6\0\0" ...  ...
 02444  1120   NtWaitForSingleObject  (324, 0, 0x0, ...
 02445   876   NtSetEventBoostPriority  (88, ...
 02427  1792   NtWaitForSingleObject  ... ) == 0x0
 02443  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75605, 0}  ... {28, 56, reply, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0d\6\0\0\24\6\0\0" )  ) == 0x0
 02442   192   NtSetEventBoostPriority  ... ) == 0x0
 02446  1356   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02004  1628   NtWaitForSingleObject  ... ) == 0x0
 02445   876   NtSetEventBoostPriority  ... ) == 0x0
 02447  1792   NtSetEventBoostPriority  (324, ...
 02448   192   NtWaitForSingleObject  (324, 0, 0x0, ...
 02449  1628   NtWaitForSingleObject  (324, 0, 0x0, ...
 02446  1356   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02450   876   NtTestAlert  (...
 02431   520   NtWaitForSingleObject  ... ) == 0x0
 02451  1356   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02450   876   NtTestAlert  ... ) == 0x0
 02452   520   NtSetEventBoostPriority  (324, ...
 02451  1356   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02453   876   NtContinue  (79232304, 1, ...
 02433  1104   NtWaitForSingleObject  ... ) == 0x0
 02452   520   NtSetEventBoostPriority  ... ) == 0x0
 02454  1356   NtContinue  (11072292, 0, ...
 02455  1104   NtSetEventBoostPriority  (324, ...
 02456   876   NtRegisterThreadTerminatePort  (24, ...
 02447  1792   NtSetEventBoostPriority  ... ) == 0x0
 02457  1736   NtResumeThread  (840, ...
 02436  1612   NtWaitForSingleObject  ... ) == 0x0
 02455  1104   NtSetEventBoostPriority  ... ) == 0x0
 02458   520   NtWaitForSingleObject  (324, 0, 0x0, ...
 02459  1792   NtWaitForSingleObject  (324, 0, 0x0, ...
 02460  1612   NtSetEventBoostPriority  (324, ...
 02457  1736   NtResumeThread  ... 1, ) == 0x0
 02456   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 02435   784   NtWaitForSingleObject  ... ) == 0x0
 02460  1612   NtSetEventBoostPriority  ... ) == 0x0
 02461  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02462   784   NtSetEventBoostPriority  (324, ...
 02463   876   NtWaitForSingleObject  (324, 0, 0x0, ...
 02464  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02465  1556   NtWaitForSingleObject  (88, 0, 0x0, ...
 02438  1484   NtWaitForSingleObject  ... ) == 0x0
 02461  1736   NtAllocateVirtualMemory  ... 120127488, 1048576, ) == 0x0
 02464  1104   NtWaitForSingleObject  ... ) == 0x102
 02466  1484   NtSetEventBoostPriority  (324, ...
 02467  1736   NtAllocateVirtualMemory  (-1, 121167872, 0, 8192, 4096, 4, ...
 02468  1104   NtWaitForSingleObject  (140, 0, 0x0, ...
 02444  1120   NtWaitForSingleObject  ... ) == 0x0
 02467  1736   NtAllocateVirtualMemory  ... 121167872, 8192, ) == 0x0
 02469  1120   NtSetEventBoostPriority  (324, ...
 02466  1484   NtSetEventBoostPriority  ... ) == 0x0
 02462   784   NtSetEventBoostPriority  ... ) == 0x0
 02470  1612   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02471  1356   NtDeviceIoControlFile  (392, 116, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02449  1628   NtWaitForSingleObject  ... ) == 0x0
 02472  1484   NtWaitForSingleObject  (324, 0, 0x0, ...
 02473   784   NtWaitForSingleObject  (320, 0, 0x0, ...
 02470  1612   NtDuplicateObject  ... 844, ) == 0x0
 02474  1628   NtSetEventBoostPriority  (324, ...
 02471  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02448   192   NtWaitForSingleObject  ... ) == 0x0
 02474  1628   NtSetEventBoostPriority  ... ) == 0x0
 02475  1612   NtWaitForSingleObject  (324, 0, 0x0, ...
 02476   192   NtSetEventBoostPriority  (324, ...
 02477  1356   NtWaitForSingleObject  (116, 1, {-5000000, -1}, ...
 02469  1120   NtSetEventBoostPriority  ... ) == 0x0
 02478  1736   NtProtectVirtualMemory  (-1, (0x738e000), 4096, 260, ...
 02458   520   NtWaitForSingleObject  ... ) == 0x0
 02476   192   NtSetEventBoostPriority  ... ) == 0x0
 02479  1628   NtSetEventBoostPriority  (88, ...
 02480  1120   NtWaitForSingleObject  (320, 0, 0x0, ...
 02481   520   NtSetEventBoostPriority  (324, ...
 02478  1736   NtProtectVirtualMemory  ... (0x738e000), 4096, 4, ) == 0x0
 02010   940   NtWaitForSingleObject  ... ) == 0x0
 02479  1628   NtSetEventBoostPriority  ... ) == 0x0
 02459  1792   NtWaitForSingleObject  ... ) == 0x0
 02481   520   NtSetEventBoostPriority  ... ) == 0x0
 02482   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02483  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02484  1792   NtSetEventBoostPriority  (324, ...
 02485  1628   NtTestAlert  (...
 02486   520   NtWaitForSingleObject  (320, 0, 0x0, ...
 02463   876   NtWaitForSingleObject  ... ) == 0x0
 02484  1792   NtSetEventBoostPriority  ... ) == 0x0
 02483  1736   NtCreateThread  ... 848, {1636, 460}, ) == 0x0
 02485  1628   NtTestAlert  ... ) == 0x0
 02487   192   NtWaitForSingleObject  (320, 0, 0x0, ...
 02488   876   NtSetEventBoostPriority  (324, ...
 02489  1736   NtQueryInformationThread  (848, Basic, 28, ...
 02490  1628   NtContinue  (80280880, 1, ...
 02472  1484   NtWaitForSingleObject  ... ) == 0x0
 02488   876   NtSetEventBoostPriority  ... ) == 0x0
 02489  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1636,Tid=460,}, 0x0, ) == 0x0
 02491  1484   NtSetEventBoostPriority  (324, ...
 02492  1628   NtRegisterThreadTerminatePort  (24, ...
 02493  1792   NtWaitForSingleObject  (320, 0, 0x0, ...
 02494   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02475  1612   NtWaitForSingleObject  ... ) == 0x0
 02491  1484   NtSetEventBoostPriority  ... ) == 0x0
 02495  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0\314\1\0\0" ...  ...
 02496  1612   NtSetEventBoostPriority  (324, ...
 02494   876   NtDuplicateObject  ... 852, ) == 0x0
 02492  1628   NtRegisterThreadTerminatePort  ... ) == 0x0
 02482   940   NtWaitForSingleObject  ... ) == 0x0
 02496  1612   NtSetEventBoostPriority  ... ) == 0x0
 02495  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75606, 0}  ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0\314\1\0\0" )  ) == 0x0
 02497   876   NtWaitForSingleObject  (324, 0, 0x0, ...
 02498   940   NtSetEventBoostPriority  (324, ...
 02499  1628   NtWaitForSingleObject  (324, 0, 0x0, ...
 02500  1484   NtSetEventBoostPriority  (320, ...
 02501  1736   NtResumeThread  (848, ...
 02498   940   NtSetEventBoostPriority  ... ) == 0x0
 02497   876   NtWaitForSingleObject  ... ) == 0x0
 02473   784   NtWaitForSingleObject  ... ) == 0x0
 02500  1484   NtSetEventBoostPriority  ... ) == 0x0
 02501  1736   NtResumeThread  ... 1, ) == 0x0
 02502  1612   NtWaitForSingleObject  (320, 0, 0x0, ...
 02503   784   NtWaitForSingleObject  (324, 0, 0x0, ...
 02504   876   NtSetEventBoostPriority  (324, ...
 02505  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02506  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02507   940   NtSetEventBoostPriority  (88, ...
 02508   460   NtWaitForSingleObject  (88, 0, 0x0, ...
 02505  1484   NtWaitForSingleObject  ... ) == 0x102
 02499  1628   NtWaitForSingleObject  ... ) == 0x0
 02504   876   NtSetEventBoostPriority  ... ) == 0x0
 02020  1316   NtWaitForSingleObject  ... ) == 0x0
 02507   940   NtSetEventBoostPriority  ... ) == 0x0
 02509  1484   NtWaitForSingleObject  (324, 0, 0x0, ...
 02510  1628   NtSetEventBoostPriority  (324, ...
 02511  1316   NtWaitForSingleObject  (324, 0, 0x0, ...
 02512   876   NtWaitForSingleObject  (324, 0, 0x0, ...
 02513   940   NtTestAlert  (...
 02506  1736   NtAllocateVirtualMemory  ... 121176064, 1048576, ) == 0x0
 02503   784   NtWaitForSingleObject  ... ) == 0x0
 02510  1628   NtSetEventBoostPriority  ... ) == 0x0
 02513   940   NtTestAlert  ... ) == 0x0
 02514   784   NtSetEventBoostPriority  (324, ...
 02515  1736   NtAllocateVirtualMemory  (-1, 122216448, 0, 8192, 4096, 4, ...
 02511  1316   NtWaitForSingleObject  ... ) == 0x0
 02514   784   NtSetEventBoostPriority  ... ) == 0x0
 02516   940   NtContinue  (81329456, 1, ...
 02517  1316   NtSetEventBoostPriority  (324, ...
 02515  1736   NtAllocateVirtualMemory  ... 122216448, 8192, ) == 0x0
 02518  1628   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02512   876   NtWaitForSingleObject  ... ) == 0x0
 02517  1316   NtSetEventBoostPriority  ... ) == 0x0
 02519   940   NtRegisterThreadTerminatePort  (24, ...
 02520  1736   NtProtectVirtualMemory  (-1, (0x748e000), 4096, 260, ...
 02521   876   NtSetEventBoostPriority  (324, ...
 02518  1628   NtDuplicateObject  ... 856, ) == 0x0
 02522   784   NtSetEventBoostPriority  (320, ...
 02523  1316   NtSetEventBoostPriority  (88, ...
 02509  1484   NtWaitForSingleObject  ... ) == 0x0
 02521   876   NtSetEventBoostPriority  ... ) == 0x0
 02520  1736   NtProtectVirtualMemory  ... (0x748e000), 4096, 4, ) == 0x0
 02524  1628   NtWaitForSingleObject  (324, 0, 0x0, ...
 02480  1120   NtWaitForSingleObject  ... ) == 0x0
 02522   784   NtSetEventBoostPriority  ... ) == 0x0
 02525  1484   NtSetEventBoostPriority  (324, ...
 02026  1924   NtWaitForSingleObject  ... ) == 0x0
 02523  1316   NtSetEventBoostPriority  ... ) == 0x0
 02519   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 02526  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02527  1120   NtWaitForSingleObject  (324, 0, 0x0, ...
 02524  1628   NtWaitForSingleObject  ... ) == 0x0
 02528  1924   NtWaitForSingleObject  (324, 0, 0x0, ...
 02529   784   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02530  1316   NtTestAlert  (...
 02531   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02525  1484   NtSetEventBoostPriority  ... ) == 0x0
 02532   876   NtWaitForSingleObject  (320, 0, 0x0, ...
 02533  1628   NtSetEventBoostPriority  (324, ...
 02529   784   NtWaitForSingleObject  ... ) == 0x102
 02530  1316   NtTestAlert  ... ) == 0x0
 02534  1484   NtWaitForSingleObject  (140, 0, 0x0, ...
 02527  1120   NtWaitForSingleObject  ... ) == 0x0
 02533  1628   NtSetEventBoostPriority  ... ) == 0x0
 02535   784   NtWaitForSingleObject  (324, 0, 0x0, ...
 02536  1316   NtContinue  (82378032, 1, ...
 02537  1120   NtSetEventBoostPriority  (324, ...
 02526  1736   NtCreateThread  ... 860, {1636, 1068}, ) == 0x0
 02538  1628   NtWaitForSingleObject  (324, 0, 0x0, ...
 02528  1924   NtWaitForSingleObject  ... ) == 0x0
 02537  1120   NtSetEventBoostPriority  ... ) == 0x0
 02539  1316   NtRegisterThreadTerminatePort  (24, ...
 02540  1736   NtQueryInformationThread  (860, Basic, 28, ...
 02541  1924   NtSetEventBoostPriority  (324, ...
 02542  1120   NtSetEventBoostPriority  (320, ...
 02531   940   NtWaitForSingleObject  ... ) == 0x0
 02541  1924   NtSetEventBoostPriority  ... ) == 0x0
 02540  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1636,Tid=1068,}, 0x0, ) == 0x0
 02543   940   NtSetEventBoostPriority  (324, ...
 02486   520   NtWaitForSingleObject  ... ) == 0x0
 02542  1120   NtSetEventBoostPriority  ... ) == 0x0
 02539  1316   NtRegisterThreadTerminatePort  ... ) == 0x0
 02538  1628   NtWaitForSingleObject  ... ) == 0x0
 02544   520   NtWaitForSingleObject  (324, 0, 0x0, ...
 02543   940   NtSetEventBoostPriority  ... ) == 0x0
 02545  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0d\6\0\0,\4\0\0" ...  ...
 02546  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02547  1628   NtSetEventBoostPriority  (324, ...
 02548  1316   NtWaitForSingleObject  (324, 0, 0x0, ...
 02549  1924   NtSetEventBoostPriority  (88, ...
 02545  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75607, 0}  ... {28, 56, reply, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0d\6\0\0,\4\0\0" )  ) == 0x0
 02535   784   NtWaitForSingleObject  ... ) == 0x0
 02547  1628   NtSetEventBoostPriority  ... ) == 0x0
 02546  1120   NtWaitForSingleObject  ... ) == 0x102
 02036   644   NtWaitForSingleObject  ... ) == 0x0
 02549  1924   NtSetEventBoostPriority  ... ) == 0x0
 02550   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02551   784   NtSetEventBoostPriority  (324, ...
 02552  1628   NtWaitForSingleObject  (320, 0, 0x0, ...
 02553   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02554  1120   NtWaitForSingleObject  (140, 0, 0x0, ...
 02555  1924   NtTestAlert  (...
 02544   520   NtWaitForSingleObject  ... ) == 0x0
 02550   940   NtDuplicateObject  ... 864, ) == 0x0
 02551   784   NtSetEventBoostPriority  ... ) == 0x0
 02556  1736   NtResumeThread  (860, ...
 02557   520   NtSetEventBoostPriority  (324, ...
 02555  1924   NtTestAlert  ... ) == 0x0
 02558   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02559   784   NtWaitForSingleObject  (140, 0, 0x0, ...
 02548  1316   NtWaitForSingleObject  ... ) == 0x0
 02556  1736   NtResumeThread  ... 1, ) == 0x0
 02560  1924   NtContinue  (83426608, 1, ...
 02561  1316   NtSetEventBoostPriority  (324, ...
 02562  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02563  1924   NtRegisterThreadTerminatePort  (24, ...
 02553   644   NtWaitForSingleObject  ... ) == 0x0
 02561  1316   NtSetEventBoostPriority  ... ) == 0x0
 02562  1736   NtAllocateVirtualMemory  ... 122224640, 1048576, ) == 0x0
 02557   520   NtSetEventBoostPriority  ... ) == 0x0
 02564  1068   NtWaitForSingleObject  (88, 0, 0x0, ...
 02565   644   NtSetEventBoostPriority  (324, ...
 02563  1924   NtRegisterThreadTerminatePort  ... ) == 0x0
 02566  1736   NtAllocateVirtualMemory  (-1, 123265024, 0, 8192, 4096, 4, ...
 02567  1316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02558   940   NtWaitForSingleObject  ... ) == 0x0
 02565   644   NtSetEventBoostPriority  ... ) == 0x0
 02568  1924   NtWaitForSingleObject  (324, 0, 0x0, ...
 02566  1736   NtAllocateVirtualMemory  ... 123265024, 8192, ) == 0x0
 02569   940   NtSetEventBoostPriority  (324, ...
 02567  1316   NtDuplicateObject  ... 868, ) == 0x0
 02570   520   NtSetEventBoostPriority  (320, ...
 02571   644   NtSetEventBoostPriority  (88, ...
 02568  1924   NtWaitForSingleObject  ... ) == 0x0
 02569   940   NtSetEventBoostPriority  ... ) == 0x0
 02572  1316   NtWaitForSingleObject  (324, 0, 0x0, ...
 02487   192   NtWaitForSingleObject  ... ) == 0x0
 02570   520   NtSetEventBoostPriority  ... ) == 0x0
 02573  1924   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ...
 02042  1288   NtWaitForSingleObject  ... ) == 0x0
 02571   644   NtSetEventBoostPriority  ... ) == 0x0
 02574  1736   NtProtectVirtualMemory  (-1, (0x758e000), 4096, 260, ...
 02575   192   NtWaitForSingleObject  (324, 0, 0x0, ...
 02573  1924   NtAllocateVirtualMemory  ... 1409024, 4096, ) == 0x0
 02576  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02577   520   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02578   644   NtTestAlert  (...
 02574  1736   NtProtectVirtualMemory  ... (0x758e000), 4096, 4, ) == 0x0
 02579   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02577   520   NtWaitForSingleObject  ... ) == 0x102
 02578   644   NtTestAlert  ... ) == 0x0
 02580  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02581   520   NtWaitForSingleObject  (324, 0, 0x0, ...
 02582   644   NtContinue  (84475184, 1, ...
 02580  1736   NtCreateThread  ... 872, {1636, 1856}, ) == 0x0
 02583  1924   NtSetEventBoostPriority  (324, ...
 02584   644   NtRegisterThreadTerminatePort  (24, ...
 02585  1736   NtQueryInformationThread  (872, Basic, 28, ...
 02572  1316   NtWaitForSingleObject  ... ) == 0x0
 02583  1924   NtSetEventBoostPriority  ... ) == 0x0
 02586  1316   NtSetEventBoostPriority  (324, ...
 02585  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1636,Tid=1856,}, 0x0, ) == 0x0
 02575   192   NtWaitForSingleObject  ... ) == 0x0
 02586  1316   NtSetEventBoostPriority  ... ) == 0x0
 02587  1924   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02584   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02588   192   NtSetEventBoostPriority  (324, ...
 02589  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0d\6\0\0@\7\0\0" ...  ...
 02587  1924   NtDuplicateObject  ... 876, ) == 0x0
 02576  1288   NtWaitForSingleObject  ... ) == 0x0
 02588   192   NtSetEventBoostPriority  ... ) == 0x0
 02590   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02589  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75608, 0}  ... {28, 56, reply, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0d\6\0\0@\7\0\0" )  ) == 0x0
 02591  1288   NtSetEventBoostPriority  (324, ...
 02592  1924   NtWaitForSingleObject  (324, 0, 0x0, ...
 02593  1316   NtWaitForSingleObject  (324, 0, 0x0, ...
 02579   940   NtWaitForSingleObject  ... ) == 0x0
 02591  1288   NtSetEventBoostPriority  ... ) == 0x0
 02594  1736   NtResumeThread  (872, ...
 02595   940   NtSetEventBoostPriority  (324, ...
 02596   192   NtSetEventBoostPriority  (320, ...
 02581   520   NtWaitForSingleObject  ... ) == 0x0
 02595   940   NtSetEventBoostPriority  ... ) == 0x0
 02594  1736   NtResumeThread  ... 1, ) == 0x0
 02597   520   NtSetEventBoostPriority  (324, ...
 02493  1792   NtWaitForSingleObject  ... ) == 0x0
 02596   192   NtSetEventBoostPriority  ... ) == 0x0
 02598   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02590   644   NtWaitForSingleObject  ... ) == 0x0
 02599  1792   NtWaitForSingleObject  (324, 0, 0x0, ...
 02600  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02601   192   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02597   520   NtSetEventBoostPriority  ... ) == 0x0
 02602  1288   NtSetEventBoostPriority  (88, ...
 02603  1856   NtWaitForSingleObject  (88, 0, 0x0, ...
 02604   644   NtSetEventBoostPriority  (324, ...
 02601   192   NtWaitForSingleObject  ... ) == 0x102
 02605   520   NtWaitForSingleObject  (140, 0, 0x0, ...
 02052   752   NtWaitForSingleObject  ... ) == 0x0
 02602  1288   NtSetEventBoostPriority  ... ) == 0x0
 02592  1924   NtWaitForSingleObject  ... ) == 0x0
 02604   644   NtSetEventBoostPriority  ... ) == 0x0
 02606   192   NtWaitForSingleObject  (140, 0, 0x0, ...
 02607   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02608  1924   NtSetEventBoostPriority  (324, ...
 02609  1288   NtTestAlert  (...
 02600  1736   NtAllocateVirtualMemory  ... 123273216, 1048576, ) == 0x0
 02610   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02593  1316   NtWaitForSingleObject  ... ) == 0x0
 02608  1924   NtSetEventBoostPriority  ... ) == 0x0
 02609  1288   NtTestAlert  ... ) == 0x0
 02611  1736   NtAllocateVirtualMemory  (-1, 124313600, 0, 8192, 4096, 4, ...
 02612  1316   NtSetEventBoostPriority  (324, ...
 02610   644   NtDuplicateObject  ... 880, ) == 0x0
 02613  1288   NtContinue  (85523760, 1, ...
 02599  1792   NtWaitForSingleObject  ... ) == 0x0
 02612  1316   NtSetEventBoostPriority  ... ) == 0x0
 02611  1736   NtAllocateVirtualMemory  ... 124313600, 8192, ) == 0x0
 02614   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02615  1792   NtSetEventBoostPriority  (324, ...
 02616  1288   NtRegisterThreadTerminatePort  (24, ...
 02617  1316   NtWaitForSingleObject  (324, 0, 0x0, ...
 02618  1736   NtProtectVirtualMemory  (-1, (0x768e000), 4096, 260, ...
 02598   940   NtWaitForSingleObject  ... ) == 0x0
 02615  1792   NtSetEventBoostPriority  ... ) == 0x0
 02619  1924   NtWaitForSingleObject  (324, 0, 0x0, ...
 02616  1288   NtRegisterThreadTerminatePort  ... ) == 0x0
 02620   940   NtSetEventBoostPriority  (324, ...
 02618  1736   NtProtectVirtualMemory  ... (0x768e000), 4096, 4, ) == 0x0
 02607   752   NtWaitForSingleObject  ... ) == 0x0
 02621  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02622   752   NtSetEventBoostPriority  (324, ...
 02623  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02614   644   NtWaitForSingleObject  ... ) == 0x0
 02622   752   NtSetEventBoostPriority  ... ) == 0x0
 02620   940   NtSetEventBoostPriority  ... ) == 0x0
 02624  1792   NtSetEventBoostPriority  (320, ...
 02625   644   NtSetEventBoostPriority  (324, ...
 02623  1736   NtCreateThread  ... 884, {1636, 1572}, ) == 0x0
 02626   940   NtWaitForSingleObject  (320, 0, 0x0, ...
 02617  1316   NtWaitForSingleObject  ... ) == 0x0
 02625   644   NtSetEventBoostPriority  ... ) == 0x0
 02502  1612   NtWaitForSingleObject  ... ) == 0x0
 02624  1792   NtSetEventBoostPriority  ... ) == 0x0
 02627  1736   NtQueryInformationThread  (884, Basic, 28, ...
 02628  1316   NtSetEventBoostPriority  (324, ...
 02629   752   NtSetEventBoostPriority  (88, ...
 02630  1612   NtWaitForSingleObject  (324, 0, 0x0, ...
 02631  1792   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02619  1924   NtWaitForSingleObject  ... ) == 0x0
 02627  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1636,Tid=1572,}, 0x0, ) == 0x0
 02058   624   NtWaitForSingleObject  ... ) == 0x0
 02629   752   NtSetEventBoostPriority  ... ) == 0x0
 02631  1792   NtWaitForSingleObject  ... ) == 0x102
 02632  1924   NtSetEventBoostPriority  (324, ...
 02633   624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02634  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0d\6\0\0$\6\0\0" ...  ...
 02635   752   NtTestAlert  (...
 02636  1792   NtWaitForSingleObject  (140, 0, 0x0, ...
 02621  1288   NtWaitForSingleObject  ... ) == 0x0
 02632  1924   NtSetEventBoostPriority  ... ) == 0x0
 02634  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75609, 0}  ... {28, 56, reply, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0d\6\0\0$\6\0\0" )  ) == 0x0
 02635   752   NtTestAlert  ... ) == 0x0
 02628  1316   NtSetEventBoostPriority  ... ) == 0x0
 02637   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02638  1288   NtSetEventBoostPriority  (324, ...
 02639  1924   NtWaitForSingleObject  (320, 0, 0x0, ...
 02640   752   NtContinue  (86572336, 1, ...
 02641  1316   NtWaitForSingleObject  (320, 0, 0x0, ...
 02630  1612   NtWaitForSingleObject  ... ) == 0x0
 02638  1288   NtSetEventBoostPriority  ... ) == 0x0
 02642  1736   NtResumeThread  (884, ...
 02643   752   NtRegisterThreadTerminatePort  (24, ...
 02644  1612   NtSetEventBoostPriority  (324, ...
 02642  1736   NtResumeThread  ... 1, ) == 0x0
 02645  1288   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02633   624   NtWaitForSingleObject  ... ) == 0x0
 02644  1612   NtSetEventBoostPriority  ... ) == 0x0
 02646  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02647   624   NtSetEventBoostPriority  (324, ...
 02645  1288   NtDuplicateObject  ... 888, ) == 0x0
 02643   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02648  1572   NtWaitForSingleObject  (88, 0, 0x0, ...
 02637   644   NtWaitForSingleObject  ... ) == 0x0
 02647   624   NtSetEventBoostPriority  ... ) == 0x0
 02646  1736   NtAllocateVirtualMemory  ... 124321792, 1048576, ) == 0x0
 02649  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02650   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02651   644   NtSetEventBoostPriority  (324, ...
 02652  1612   NtSetEventBoostPriority  (320, ...
 02653  1736   NtAllocateVirtualMemory  (-1, 125362176, 0, 8192, 4096, 4, ...
 02649  1288   NtWaitForSingleObject  ... ) == 0x0
 02651   644   NtSetEventBoostPriority  ... ) == 0x0
 02532   876   NtWaitForSingleObject  ... ) == 0x0
 02652  1612   NtSetEventBoostPriority  ... ) == 0x0
 02654  1288   NtSetEventBoostPriority  (324, ...
 02653  1736   NtAllocateVirtualMemory  ... 125362176, 8192, ) == 0x0
 02655   876   NtWaitForSingleObject  (324, 0, 0x0, ...
 02656   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02650   752   NtWaitForSingleObject  ... ) == 0x0
 02654  1288   NtSetEventBoostPriority  ... ) == 0x0
 02657  1612   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02658   624   NtSetEventBoostPriority  (88, ...
 02659  1736   NtProtectVirtualMemory  (-1, (0x778e000), 4096, 260, ...
 02660   752   NtSetEventBoostPriority  (324, ...
 02657  1612   NtWaitForSingleObject  ... ) == 0x102
 02068   380   NtWaitForSingleObject  ... ) == 0x0
 02658   624   NtSetEventBoostPriority  ... ) == 0x0
 02655   876   NtWaitForSingleObject  ... ) == 0x0
 02660   752   NtSetEventBoostPriority  ... ) == 0x0
 02659  1736   NtProtectVirtualMemory  ... (0x778e000), 4096, 4, ) == 0x0
 02661   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02662  1612   NtWaitForSingleObject  (140, 0, 0x0, ...
 02663   876   NtSetEventBoostPriority  (324, ...
 02664   624   NtTestAlert  (...
 02665  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02666  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02667   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02656   644   NtWaitForSingleObject  ... ) == 0x0
 02663   876   NtSetEventBoostPriority  ... ) == 0x0
 02664   624   NtTestAlert  ... ) == 0x0
 02666  1736   NtCreateThread  ... 892, {1636, 1604}, ) == 0x0
 02668   644   NtSetEventBoostPriority  (324, ...
 02667   752   NtDuplicateObject  ... 896, ) == 0x0
 02669   624   NtContinue  (87620912, 1, ...
 02661   380   NtWaitForSingleObject  ... ) == 0x0
 02670  1736   NtQueryInformationThread  (892, Basic, 28, ...
 02671   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02672   380   NtSetEventBoostPriority  (324, ...
 02673   624   NtRegisterThreadTerminatePort  (24, ...
 02670  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1636,Tid=1604,}, 0x0, ) == 0x0
 02665  1288   NtWaitForSingleObject  ... ) == 0x0
 02672   380   NtSetEventBoostPriority  ... ) == 0x0
 02668   644   NtSetEventBoostPriority  ... ) == 0x0
 02674   876   NtSetEventBoostPriority  (320, ...
 02673   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02675  1288   NtSetEventBoostPriority  (324, ...
 02676  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0d\6\0\0D\6\0\0" ...  ...
 02677   644   NtWaitForSingleObject  (320, 0, 0x0, ...
 02552  1628   NtWaitForSingleObject  ... ) == 0x0
 02674   876   NtSetEventBoostPriority  ... ) == 0x0
 02671   752   NtWaitForSingleObject  ... ) == 0x0
 02675  1288   NtSetEventBoostPriority  ... ) == 0x0
 02678   624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02676  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75610, 0}  ... {28, 56, reply, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0d\6\0\0D\6\0\0" )  ) == 0x0
 02679  1628   NtWaitForSingleObject  (324, 0, 0x0, ...
 02680   752   NtSetEventBoostPriority  (324, ...
 02681   876   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02682  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02678   624   NtWaitForSingleObject  ... ) == 0x0
 02680   752   NtSetEventBoostPriority  ... ) == 0x0
 02683  1736   NtResumeThread  (892, ...
 02681   876   NtWaitForSingleObject  ... ) == 0x102
 02684   380   NtSetEventBoostPriority  (88, ...
 02685   624   NtSetEventBoostPriority  (324, ...
 02683  1736   NtResumeThread  ... 1, ) == 0x0
 02686   876   NtWaitForSingleObject  (140, 0, 0x0, ...
 02679  1628   NtWaitForSingleObject  ... ) == 0x0
 02685   624   NtSetEventBoostPriority  ... ) == 0x0
 02074   776   NtWaitForSingleObject  ... ) == 0x0
 02684   380   NtSetEventBoostPriority  ... ) == 0x0
 02687  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02688   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02689  1604   NtWaitForSingleObject  (88, 0, 0x0, ...
 02690  1628   NtSetEventBoostPriority  (324, ...
 02691   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02692   380   NtTestAlert  (...
 02693   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02682  1288   NtWaitForSingleObject  ... ) == 0x0
 02692   380   NtTestAlert  ... ) == 0x0
 02693   624   NtDuplicateObject  ... 900, ) == 0x0
 02694  1288   NtSetEventBoostPriority  (324, ...
 02695   380   NtContinue  (88669488, 1, ...
 02696   624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02688   752   NtWaitForSingleObject  ... ) == 0x0
 02697   380   NtRegisterThreadTerminatePort  (24, ...
 02698   752   NtSetEventBoostPriority  (324, ...
 02694  1288   NtSetEventBoostPriority  ... ) == 0x0
 02690  1628   NtSetEventBoostPriority  ... ) == 0x0
 02687  1736   NtAllocateVirtualMemory  ... 125370368, 1048576, ) == 0x0
 02691   776   NtWaitForSingleObject  ... ) == 0x0
 02698   752   NtSetEventBoostPriority  ... ) == 0x0
 02699  1288   NtWaitForSingleObject  (320, 0, 0x0, ...
 02697   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02700   776   NtSetEventBoostPriority  (324, ...
 02701  1736   NtAllocateVirtualMemory  (-1, 126410752, 0, 8192, 4096, 4, ...
 02702   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02696   624   NtWaitForSingleObject  ... ) == 0x0
 02700   776   NtSetEventBoostPriority  ... ) == 0x0
 02703   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02701  1736   NtAllocateVirtualMemory  ... 126410752, 8192, ) == 0x0
 02704  1628   NtSetEventBoostPriority  (320, ...
 02705   624   NtSetEventBoostPriority  (324, ...
 02706  1736   NtProtectVirtualMemory  (-1, (0x788e000), 4096, 260, ...
 02702   752   NtWaitForSingleObject  ... ) == 0x0
 02705   624   NtSetEventBoostPriority  ... ) == 0x0
 02626   940   NtWaitForSingleObject  ... ) == 0x0
 02704  1628   NtSetEventBoostPriority  ... ) == 0x0
 02707   752   NtSetEventBoostPriority  (324, ...
 02706  1736   NtProtectVirtualMemory  ... (0x788e000), 4096, 4, ) == 0x0
 02708   776   NtSetEventBoostPriority  (88, ...
 02709   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02703   380   NtWaitForSingleObject  ... ) == 0x0
 02710  1628   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02711  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02084   312   NtWaitForSingleObject  ... ) == 0x0
 02708   776   NtSetEventBoostPriority  ... ) == 0x0
 02712   380   NtSetEventBoostPriority  (324, ...
 02710  1628   NtWaitForSingleObject  ... ) == 0x102
 02707   752   NtSetEventBoostPriority  ... ) == 0x0
 02713   624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02714   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02715   776   NtTestAlert  (...
 02709   940   NtWaitForSingleObject  ... ) == 0x0
 02712   380   NtSetEventBoostPriority  ... ) == 0x0
 02716  1628   NtWaitForSingleObject  (140, 0, 0x0, ...
 02717   752   NtWaitForSingleObject  (320, 0, 0x0, ...
 02718   940   NtSetEventBoostPriority  (324, ...
 02715   776   NtTestAlert  ... ) == 0x0
 02711  1736   NtCreateThread  ... 904, {1636, 1596}, ) == 0x0
 02719   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02714   312   NtWaitForSingleObject  ... ) == 0x0
 02718   940   NtSetEventBoostPriority  ... ) == 0x0
 02720   776   NtContinue  (89718064, 1, ...
 02721  1736   NtQueryInformationThread  (904, Basic, 28, ...
 02722   312   NtSetEventBoostPriority  (324, ...
 02719   380   NtDuplicateObject  ... 908, ) == 0x0
 02723   776   NtRegisterThreadTerminatePort  (24, ...
 02713   624   NtWaitForSingleObject  ... ) == 0x0
 02722   312   NtSetEventBoostPriority  ... ) == 0x0
 02721  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1636,Tid=1596,}, 0x0, ) == 0x0
 02724   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02725   940   NtSetEventBoostPriority  (320, ...
 02726   624   NtSetEventBoostPriority  (324, ...
 02723   776   NtRegisterThreadTerminatePort  ... ) == 0x0
 02727  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75610, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0d\6\0\0<\6\0\0" ...  ...
 02724   380   NtWaitForSingleObject  ... ) == 0x0
 02726   624   NtSetEventBoostPriority  ... ) == 0x0
 02641  1316   NtWaitForSingleObject  ... ) == 0x0
 02725   940   NtSetEventBoostPriority  ... ) == 0x0
 02728   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02729   380   NtSetEventBoostPriority  (324, ...
 02727  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75611, 0}  ... {28, 56, reply, 0, 1636, 1736, 75611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0d\6\0\0<\6\0\0" )  ) == 0x0
 02730  1316   NtWaitForSingleObject  (324, 0, 0x0, ...
 02731   624   NtWaitForSingleObject  (320, 0, 0x0, ...
 02732   940   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02729   380   NtSetEventBoostPriority  ... ) == 0x0
 02728   776   NtWaitForSingleObject  ... ) == 0x0
 02733   312   NtSetEventBoostPriority  (88, ...
 02734  1736   NtResumeThread  (904, ...
 02732   940   NtWaitForSingleObject  ... ) == 0x102
 02735   776   NtSetEventBoostPriority  (324, ...
 02090  1124   NtWaitForSingleObject  ... ) == 0x0
 02733   312   NtSetEventBoostPriority  ... ) == 0x0
 02734  1736   NtResumeThread  ... 1, ) == 0x0
 02736   940   NtWaitForSingleObject  (324, 0, 0x0, ...
 02737  1124   NtWaitForSingleObject  (324, 0, 0x0, ...
 02730  1316   NtWaitForSingleObject  ... ) == 0x0
 02735   776   NtSetEventBoostPriority  ... ) == 0x0
 02738   312   NtTestAlert  (...
 02739  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02740   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02741  1596   NtWaitForSingleObject  (88, 0, 0x0, ...
 02742  1316   NtSetEventBoostPriority  (324, ...
 02738   312   NtTestAlert  ... ) == 0x0
 02739  1736   NtAllocateVirtualMemory  ... 126418944, 1048576, ) == 0x0
 02737  1124   NtWaitForSingleObject  ... ) == 0x0
 02742  1316   NtSetEventBoostPriority  ... ) == 0x0
 02743   312   NtContinue  (90766640, 1, ...
 02744  1124   NtSetEventBoostPriority  (324, ...
 02745  1736   NtAllocateVirtualMemory  (-1, 127459328, 0, 8192, 4096, 4, ...
 02746   776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02736   940   NtWaitForSingleObject  ... ) == 0x0
 02744  1124   NtSetEventBoostPriority  ... ) == 0x0
 02747   312   NtRegisterThreadTerminatePort  (24, ...
 02745  1736   NtAllocateVirtualMemory  ... 127459328, 8192, ) == 0x0
 02748   940   NtSetEventBoostPriority  (324, ...
 02746   776   NtDuplicateObject  ... 912, ) == 0x0
 02749  1316   NtSetEventBoostPriority  (320, ...
 02750  1124   NtSetEventBoostPriority  (88, ...
 02747   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 02740   380   NtWaitForSingleObject  ... ) == 0x0
 02751   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02639  1924   NtWaitForSingleObject  ... ) == 0x0
 02749  1316   NtSetEventBoostPriority  ... ) == 0x0
 02100  1404   NtWaitForSingleObject  ... ) == 0x0
 02750  1124   NtSetEventBoostPriority  ... ) == 0x0
 02752   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02753   380   NtSetEventBoostPriority  (324, ...
 02754  1924   NtWaitForSingleObject  (324, 0, 0x0, ...
 02755  1404   NtWaitForSingleObject  (324, 0, 0x0, ...
 02756  1316   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02757  1124   NtTestAlert  (...
 02751   776   NtWaitForSingleObject  ... ) == 0x0
 02753   380   NtSetEventBoostPriority  ... ) == 0x0
 02756  1316   NtWaitForSingleObject  ... ) == 0x102
 02758   776   NtSetEventBoostPriority  (324, ...
 02757  1124   NtTestAlert  ... ) == 0x0
 02759   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02752   312   NtWaitForSingleObject  ... ) == 0x0
 02758   776   NtSetEventBoostPriority  ... ) == 0x0
 02760  1316   NtWaitForSingleObject  (140, 0, 0x0, ...
 02761  1124   NtContinue  (91815216, 1, ...
 02748   940   NtSetEventBoostPriority  ... ) == 0x0
 02762  1736   NtProtectVirtualMemory  (-1, (0x798e000), 4096, 260, ...
 02763   312   NtSetEventBoostPriority  (324, ...
 02764   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02765  1124   NtRegisterThreadTerminatePort  (24, ...
 02766   940   NtWaitForSingleObject  (140, 0, 0x0, ...
 02754  1924   NtWaitForSingleObject  ... ) == 0x0
 02763   312   NtSetEventBoostPriority  ... ) == 0x0
 02762  1736   NtProtectVirtualMemory  ... (0x798e000), 4096, 4, ) == 0x0
 02767  1924   NtSetEventBoostPriority  (324, ...
 02765  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 02755  1404   NtWaitForSingleObject  ... ) == 0x0
 02768  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02769  1404   NtSetEventBoostPriority  (324, ...
 02770  1124   NtWaitForSingleObject  (324, 0, 0x0, ...
 02759   380   NtWaitForSingleObject  ... ) == 0x0
 02769  1404   NtSetEventBoostPriority  ... ) == 0x0
 02771   380   NtSetEventBoostPriority  (324, ...
 02768  1736   NtCreateThread  ... 916, {1636, 2052}, ) == 0x0
 02767  1924   NtSetEventBoostPriority  ... ) == 0x0
 02772   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02764   776   NtWaitForSingleObject  ... ) == 0x0
 02773  1736   NtQueryInformationThread  (916, Basic, 28, ...
 02771   380   NtSetEventBoostPriority  ... ) == 0x0
 02774  1404   NtSetEventBoostPriority  (88, ...
 02772   312   NtDuplicateObject  ... 920, ) == 0x0
 02775   776   NtSetEventBoostPriority  (324, ...
 02773  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1636,Tid=2052,}, 0x0, ) == 0x0
 02776   380   NtWaitForSingleObject  (320, 0, 0x0, ...
 02108   476   NtWaitForSingleObject  ... ) == 0x0
 02774  1404   NtSetEventBoostPriority  ... ) == 0x0
 02777   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02770  1124   NtWaitForSingleObject  ... ) == 0x0
 02775   776   NtSetEventBoostPriority  ... ) == 0x0
 02778  1924   NtSetEventBoostPriority  (320, ...
 02779   476   NtAllocateVirtualMemory  (-1, 8876032, 0, 4096, 4096, 4, ...
 02780  1404   NtTestAlert  (...
 02781  1124   NtSetEventBoostPriority  (324, ...
 02782   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02779   476   NtAllocateVirtualMemory  ... 8876032, 4096, ) == 0x0
 02677   644   NtWaitForSingleObject  ... ) == 0x0
 02778  1924   NtSetEventBoostPriority  ... ) == 0x0
 02777   312   NtWaitForSingleObject  ... ) == 0x0
 02781  1124   NtSetEventBoostPriority  ... ) == 0x0
 02780  1404   NtTestAlert  ... ) == 0x0
 02783  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75611, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\0\4\10\0\0" ...  ...
 02784   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02785   312   NtSetEventBoostPriority  (324, ...
 02786  1924   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02787   476   NtWaitForSingleObject  (324, 0, 0x0, ...
 02788  1404   NtContinue  (92863792, 1, ...
 02782   776   NtWaitForSingleObject  ... ) == 0x0
 02785   312   NtSetEventBoostPriority  ... ) == 0x0
 02783  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75612, 0}  ... {28, 56, reply, 0, 1636, 1736, 75612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\0\4\10\0\0" )  ) == 0x0
 02786  1924   NtWaitForSingleObject  ... ) == 0x102
 02789   776   NtSetEventBoostPriority  (324, ...
 02790  1404   NtRegisterThreadTerminatePort  (24, ...
 02791  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02792  1736   NtResumeThread  (916, ...
 02784   644   NtWaitForSingleObject  ... ) == 0x0
 02793  1924   NtWaitForSingleObject  (140, 0, 0x0, ...
 02789   776   NtSetEventBoostPriority  ... ) == 0x0
 02794   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02791  1124   NtDuplicateObject  ... 924, ) == 0x0
 02795   644   NtSetEventBoostPriority  (324, ...
 02792  1736   NtResumeThread  ... 1, ) == 0x0
 02790  1404   NtRegisterThreadTerminatePort  ... ) == 0x0
 02796   776   NtWaitForSingleObject  (320, 0, 0x0, ...
 02787   476   NtWaitForSingleObject  ... ) == 0x0
 02795   644   NtSetEventBoostPriority  ... ) == 0x0
 02797  1124   NtWaitForSingleObject  (324, 0, 0x0, ...
 02798  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02799  1404   NtWaitForSingleObject  (324, 0, 0x0, ...
 02800   476   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02801  2052   NtWaitForSingleObject  (88, 0, 0x0, ...
 02802   644   NtSetEventBoostPriority  (320, ...
 02800   476   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02803   476   NtSetEventBoostPriority  (324, ...
 02699  1288   NtWaitForSingleObject  ... ) == 0x0
 02802   644   NtSetEventBoostPriority  ... ) == 0x0
 02798  1736   NtAllocateVirtualMemory  ... 127467520, 1048576, ) == 0x0
 02804  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02805   644   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02806  1736   NtAllocateVirtualMemory  (-1, 128507904, 0, 8192, 4096, 4, ...
 02805   644   NtWaitForSingleObject  ... ) == 0x102
 02806  1736   NtAllocateVirtualMemory  ... 128507904, 8192, ) == 0x0
 02807   644   NtWaitForSingleObject  (324, 0, 0x0, ...
 02808  1736   NtProtectVirtualMemory  (-1, (0x7a8e000), 4096, 260, ...
 02794   312   NtWaitForSingleObject  ... ) == 0x0
 02803   476   NtSetEventBoostPriority  ... ) == 0x0
 02808  1736   NtProtectVirtualMemory  ... (0x7a8e000), 4096, 4, ) == 0x0
 02809   312   NtSetEventBoostPriority  (324, ...
 02810   476   NtSetEventBoostPriority  (88, ...
 02811  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02797  1124   NtWaitForSingleObject  ... ) == 0x0
 02809   312   NtSetEventBoostPriority  ... ) == 0x0
 02115  1964   NtWaitForSingleObject  ... ) == 0x0
 02810   476   NtSetEventBoostPriority  ... ) == 0x0
 02812  1124   NtSetEventBoostPriority  (324, ...
 02813  1964   NtWaitForSingleObject  (324, 0, 0x0, ...
 02814   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02799  1404   NtWaitForSingleObject  ... ) == 0x0
 02815   476   NtTestAlert  (...
 02812  1124   NtSetEventBoostPriority  ... ) == 0x0
 02811  1736   NtCreateThread  ... 928, {1636, 2056}, ) == 0x0
 02816  1404   NtSetEventBoostPriority  (324, ...
 02815   476   NtTestAlert  ... ) == 0x0
 02817  1124   NtWaitForSingleObject  (324, 0, 0x0, ...
 02818  1736   NtQueryInformationThread  (928, Basic, 28, ...
 02804  1288   NtWaitForSingleObject  ... ) == 0x0
 02816  1404   NtSetEventBoostPriority  ... ) == 0x0
 02819   476   NtContinue  (93912368, 1, ...
 02820  1288   NtSetEventBoostPriority  (324, ...
 02818  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1636,Tid=2056,}, 0x0, ) == 0x0
 02821  1404   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02807   644   NtWaitForSingleObject  ... ) == 0x0
 02820  1288   NtSetEventBoostPriority  ... ) == 0x0
 02822   476   NtRegisterThreadTerminatePort  (24, ...
 02823   644   NtSetEventBoostPriority  (324, ...
 02821  1404   NtDuplicateObject  ... 932, ) == 0x0
 02824  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75612, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0\10\10\0\0" ...  ...
 02813  1964   NtWaitForSingleObject  ... ) == 0x0
 02822   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 02825  1404   NtWaitForSingleObject  (324, 0, 0x0, ...
 02826  1964   NtSetEventBoostPriority  (324, ...
 02824  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75613, 0}  ... {28, 56, reply, 0, 1636, 1736, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0\10\10\0\0" )  ) == 0x0
 02827   476   NtWaitForSingleObject  (324, 0, 0x0, ...
 02817  1124   NtWaitForSingleObject  ... ) == 0x0
 02826  1964   NtSetEventBoostPriority  ... ) == 0x0
 02828  1736   NtResumeThread  (928, ...
 02829  1124   NtSetEventBoostPriority  (324, ...
 02823   644   NtSetEventBoostPriority  ... ) == 0x0
 02830  1288   NtSetEventBoostPriority  (320, ...
 02814   312   NtWaitForSingleObject  ... ) == 0x0
 02829  1124   NtSetEventBoostPriority  ... ) == 0x0
 02828  1736   NtResumeThread  ... 1, ) == 0x0
 02831   644   NtWaitForSingleObject  (140, 0, 0x0, ...
 02832   312   NtSetEventBoostPriority  (324, ...
 02717   752   NtWaitForSingleObject  ... ) == 0x0
 02830  1288   NtSetEventBoostPriority  ... ) == 0x0
 02833  1964   NtSetEventBoostPriority  (88, ...
 02834  2056   NtWaitForSingleObject  (88, 0, 0x0, ...
 02835  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02825  1404   NtWaitForSingleObject  ... ) == 0x0
 02836   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02837  1288   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02124   740   NtWaitForSingleObject  ... ) == 0x0
 02833  1964   NtSetEventBoostPriority  ... ) == 0x0
 02832   312   NtSetEventBoostPriority  ... ) == 0x0
 02838  1124   NtWaitForSingleObject  (320, 0, 0x0, ...
 02839  1404   NtSetEventBoostPriority  (324, ...
 02840   740   NtWaitForSingleObject  (324, 0, 0x0, ...
 02837  1288   NtWaitForSingleObject  ... ) == 0x102
 02841  1964   NtTestAlert  (...
 02842   312   NtWaitForSingleObject  (320, 0, 0x0, ...
 02827   476   NtWaitForSingleObject  ... ) == 0x0
 02839  1404   NtSetEventBoostPriority  ... ) == 0x0
 02843  1288   NtWaitForSingleObject  (324, 0, 0x0, ...
 02841  1964   NtTestAlert  ... ) == 0x0
 02844   476   NtSetEventBoostPriority  (324, ...
 02835  1736   NtAllocateVirtualMemory  ... 128516096, 1048576, ) == 0x0
 02845  1404   NtWaitForSingleObject  (324, 0, 0x0, ...
 02836   752   NtWaitForSingleObject  ... ) == 0x0
 02844   476   NtSetEventBoostPriority  ... ) == 0x0
 02846  1964   NtContinue  (94960944, 1, ...
 02847  1736   NtAllocateVirtualMemory  (-1, 129556480, 0, 8192, 4096, 4, ...
 02848   752   NtSetEventBoostPriority  (324, ...
 02849  1964   NtRegisterThreadTerminatePort  (24, ...
 02840   740   NtWaitForSingleObject  ... ) == 0x0
 02848   752   NtSetEventBoostPriority  ... ) == 0x0
 02847  1736   NtAllocateVirtualMemory  ... 129556480, 8192, ) == 0x0
 02850   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02851   740   NtSetEventBoostPriority  (324, ...
 02849  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 02852  1736   NtProtectVirtualMemory  (-1, (0x7b8e000), 4096, 260, ...
 02845  1404   NtWaitForSingleObject  ... ) == 0x0
 02851   740   NtSetEventBoostPriority  ... ) == 0x0
 02850   476   NtDuplicateObject  ... 936, ) == 0x0
 02853  1964   NtWaitForSingleObject  (324, 0, 0x0, ...
 02854  1404   NtSetEventBoostPriority  (324, ...
 02852  1736   NtProtectVirtualMemory  ... (0x7b8e000), 4096, 4, ) == 0x0
 02855   752   NtSetEventBoostPriority  (320, ...
 02856   476   NtWaitForSingleObject  (324, 0, 0x0, ...
 02843  1288   NtWaitForSingleObject  ... ) == 0x0
 02854  1404   NtSetEventBoostPriority  ... ) == 0x0
 02857  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02731   624   NtWaitForSingleObject  ... ) == 0x0
 02855   752   NtSetEventBoostPriority  ... ) == 0x0
 02858   740   NtSetEventBoostPriority  (88, ...
 02859  1288   NtSetEventBoostPriority  (324, ...
 02860  1404   NtWaitForSingleObject  (320, 0, 0x0, ...
 02861   624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02862   752   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02853  1964   NtWaitForSingleObject  ... ) == 0x0
 02131  1624   NtWaitForSingleObject  ... ) == 0x0
 02858   740   NtSetEventBoostPriority  ... ) == 0x0
 02859  1288   NtSetEventBoostPriority  ... ) == 0x0
 02857  1736   NtCreateThread  ... 940, {1636, 2060}, ) == 0x0
 02862   752   NtWaitForSingleObject  ... ) == 0x102
 02863  1624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02864  1964   NtSetEventBoostPriority  (324, ...
 02865   740   NtTestAlert  (...
 02866  1288   NtWaitForSingleObject  (140, 0, 0x0, ...
 02867  1736   NtQueryInformationThread  (940, Basic, 28, ...
 02868   752   NtWaitForSingleObject  (324, 0, 0x0, ...
 02856   476   NtWaitForSingleObject  ... ) == 0x0
 02864  1964   NtSetEventBoostPriority  ... ) == 0x0
 02865   740   NtTestAlert  ... ) == 0x0
 02867  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1636,Tid=2060,}, 0x0, ) == 0x0
 02869   476   NtSetEventBoostPriority  (324, ...
 02870   740   NtContinue  (96009520, 1, ...
 02861   624   NtWaitForSingleObject  ... ) == 0x0
 02871  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75613, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0d\6\0\0\14\10\0\0" ...  ...
 02872   624   NtSetEventBoostPriority  (324, ...
 02873   740   NtRegisterThreadTerminatePort  (24, ...
 02863  1624   NtWaitForSingleObject  ... ) == 0x0
 02871  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75614, 0}  ... {28, 56, reply, 0, 1636, 1736, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0d\6\0\0\14\10\0\0" )  ) == 0x0
 02872   624   NtSetEventBoostPriority  ... ) == 0x0
 02869   476   NtSetEventBoostPriority  ... ) == 0x0
 02874  1964   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02875  1624   NtSetEventBoostPriority  (324, ...
 02873   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02876  1736   NtResumeThread  (940, ...
 02877   476   NtWaitForSingleObject  (324, 0, 0x0, ...
 02868   752   NtWaitForSingleObject  ... ) == 0x0
 02875  1624   NtSetEventBoostPriority  ... ) == 0x0
 02874  1964   NtDuplicateObject  ... 944, ) == 0x0
 02878   740   NtWaitForSingleObject  (324, 0, 0x0, ...
 02876  1736   NtResumeThread  ... 1, ) == 0x0
 02879   752   NtSetEventBoostPriority  (324, ...
 02880   624   NtSetEventBoostPriority  (320, ...
 02881  2060   NtWaitForSingleObject  (88, 0, 0x0, ...
 02882  1964   NtWaitForSingleObject  (324, 0, 0x0, ...
 02877   476   NtWaitForSingleObject  ... ) == 0x0
 02883  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02776   380   NtWaitForSingleObject  ... ) == 0x0
 02880   624   NtSetEventBoostPriority  ... ) == 0x0
 02884   476   NtSetEventBoostPriority  (324, ...
 02885   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02883  1736   NtAllocateVirtualMemory  ... 129564672, 1048576, ) == 0x0
 02886   624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02878   740   NtWaitForSingleObject  ... ) == 0x0
 02884   476   NtSetEventBoostPriority  ... ) == 0x0
 02887  1736   NtAllocateVirtualMemory  (-1, 130605056, 0, 8192, 4096, 4, ...
 02879   752   NtSetEventBoostPriority  ... ) == 0x0
 02888  1624   NtSetEventBoostPriority  (88, ...
 02889   740   NtSetEventBoostPriority  (324, ...
 02886   624   NtWaitForSingleObject  ... ) == 0x102
 02887  1736   NtAllocateVirtualMemory  ... 130605056, 8192, ) == 0x0
 02890   752   NtWaitForSingleObject  (140, 0, 0x0, ...
 02882  1964   NtWaitForSingleObject  ... ) == 0x0
 02889   740   NtSetEventBoostPriority  ... ) == 0x0
 02140  1716   NtWaitForSingleObject  ... ) == 0x0
 02888  1624   NtSetEventBoostPriority  ... ) == 0x0
 02891   624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02892   476   NtWaitForSingleObject  (320, 0, 0x0, ...
 02893  1964   NtSetEventBoostPriority  (324, ...
 02894  1736   NtProtectVirtualMemory  (-1, (0x7c8e000), 4096, 260, ...
 02895  1716   NtWaitForSingleObject  (324, 0, 0x0, ...
 02896  1624   NtTestAlert  (...
 02885   380   NtWaitForSingleObject  ... ) == 0x0
 02893  1964   NtSetEventBoostPriority  ... ) == 0x0
 02894  1736   NtProtectVirtualMemory  ... (0x7c8e000), 4096, 4, ) == 0x0
 02897   380   NtSetEventBoostPriority  (324, ...
 02896  1624   NtTestAlert  ... ) == 0x0
 02898   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02891   624   NtWaitForSingleObject  ... ) == 0x0
 02897   380   NtSetEventBoostPriority  ... ) == 0x0
 02899  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02900  1624   NtContinue  (97058096, 1, ...
 02901   624   NtSetEventBoostPriority  (324, ...
 02898   740   NtDuplicateObject  ... 948, ) == 0x0
 02902  1964   NtWaitForSingleObject  (324, 0, 0x0, ...
 02899  1736   NtCreateThread  ... 952, {1636, 2064}, ) == 0x0
 02895  1716   NtWaitForSingleObject  ... ) == 0x0
 02901   624   NtSetEventBoostPriority  ... ) == 0x0
 02903  1624   NtRegisterThreadTerminatePort  (24, ...
 02904   740   NtWaitForSingleObject  (324, 0, 0x0, ...
 02905  1716   NtSetEventBoostPriority  (324, ...
 02906  1736   NtQueryInformationThread  (952, Basic, 28, ...
 02907   380   NtSetEventBoostPriority  (320, ...
 02908   624   NtWaitForSingleObject  (140, 0, 0x0, ...
 02902  1964   NtWaitForSingleObject  ... ) == 0x0
 02905  1716   NtSetEventBoostPriority  ... ) == 0x0
 02906  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1636,Tid=2064,}, 0x0, ) == 0x0
 02796   776   NtWaitForSingleObject  ... ) == 0x0
 02907   380   NtSetEventBoostPriority  ... ) == 0x0
 02909  1964   NtSetEventBoostPriority  (324, ...
 02903  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02910  1716   NtSetEventBoostPriority  (88, ...
 02911   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02904   740   NtWaitForSingleObject  ... ) == 0x0
 02909  1964   NtSetEventBoostPriority  ... ) == 0x0
 02912   380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02913  1624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02914   740   NtSetEventBoostPriority  (324, ...
 02147  1440   NtWaitForSingleObject  ... ) == 0x0
 02910  1716   NtSetEventBoostPriority  ... ) == 0x0
 02915  1964   NtWaitForSingleObject  (320, 0, 0x0, ...
 02912   380   NtWaitForSingleObject  ... ) == 0x102
 02911   776   NtWaitForSingleObject  ... ) == 0x0
 02916  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 02914   740   NtSetEventBoostPriority  ... ) == 0x0
 02917  1716   NtTestAlert  (...
 02918  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75614, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\20\10\0\0" ...  ...
 02919   776   NtSetEventBoostPriority  (324, ...
 02920   380   NtWaitForSingleObject  (324, 0, 0x0, ...
 02917  1716   NtTestAlert  ... ) == 0x0
 02913  1624   NtWaitForSingleObject  ... ) == 0x0
 02919   776   NtSetEventBoostPriority  ... ) == 0x0
 02918  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75625, 0}  ... {28, 56, reply, 0, 1636, 1736, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\20\10\0\0" )  ) == 0x0
 02921   740   NtWaitForSingleObject  (324, 0, 0x0, ...
 02922  1624   NtSetEventBoostPriority  (324, ...
 02923  1716   NtContinue  (98106672, 1, ...
 02924  1736   NtResumeThread  (952, ...
 02916  1440   NtWaitForSingleObject  ... ) == 0x0
 02922  1624   NtSetEventBoostPriority  ... ) == 0x0
 02925  1716   NtRegisterThreadTerminatePort  (24, ...
 02926  1440   NtSetEventBoostPriority  (324, ...
 02924  1736   NtResumeThread  ... 1, ) == 0x0
 02927   776   NtSetEventBoostPriority  (320, ...
 02928  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02929  2064   NtWaitForSingleObject  (88, 0, 0x0, ...
 02920   380   NtWaitForSingleObject  ... ) == 0x0
 02926  1440   NtSetEventBoostPriority  ... ) == 0x0
 02930  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02838  1124   NtWaitForSingleObject  ... ) == 0x0
 02927   776   NtSetEventBoostPriority  ... ) == 0x0
 02928  1624   NtDuplicateObject  ... 956, ) == 0x0
 02931   380   NtSetEventBoostPriority  (324, ...
 02925  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 02932  1440   NtSetEventBoostPriority  (88, ...
 02933  1124   NtWaitForSingleObject  (324, 0, 0x0, ...
 02934   776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02921   740   NtWaitForSingleObject  ... ) == 0x0
 02935  1624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02936  1716   NtWaitForSingleObject  (324, 0, 0x0, ...
 02156  1516   NtWaitForSingleObject  ... ) == 0x0
 02932  1440   NtSetEventBoostPriority  ... ) == 0x0
 02934   776   NtWaitForSingleObject  ... ) == 0x102
 02937   740   NtSetEventBoostPriority  (324, ...
 02938  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 02939  1440   NtTestAlert  (...
 02940   776   NtWaitForSingleObject  (324, 0, 0x0, ...
 02933  1124   NtWaitForSingleObject  ... ) == 0x0
 02937   740   NtSetEventBoostPriority  ... ) == 0x0
 02939  1440   NtTestAlert  ... ) == 0x0
 02931   380   NtSetEventBoostPriority  ... ) == 0x0
 02930  1736   NtAllocateVirtualMemory  ... 130613248, 1048576, ) == 0x0
 02941  1124   NtSetEventBoostPriority  (324, ...
 02942   740   NtWaitForSingleObject  (320, 0, 0x0, ...
 02943  1440   NtContinue  (99155248, 1, ...
 02944   380   NtWaitForSingleObject  (140, 0, 0x0, ...
 02935  1624   NtWaitForSingleObject  ... ) == 0x0
 02941  1124   NtSetEventBoostPriority  ... ) == 0x0
 02945  1736   NtAllocateVirtualMemory  (-1, 131653632, 0, 8192, 4096, 4, ...
 02946  1440   NtRegisterThreadTerminatePort  (24, ...
 02947  1624   NtSetEventBoostPriority  (324, ...
 02945  1736   NtAllocateVirtualMemory  ... 131653632, 8192, ) == 0x0
 02948  1124   NtSetEventBoostPriority  (320, ...
 02936  1716   NtWaitForSingleObject  ... ) == 0x0
 02947  1624   NtSetEventBoostPriority  ... ) == 0x0
 02949  1736   NtProtectVirtualMemory  (-1, (0x7d8e000), 4096, 260, ...
 02950  1716   NtSetEventBoostPriority  (324, ...
 02842   312   NtWaitForSingleObject  ... ) == 0x0
 02948  1124   NtSetEventBoostPriority  ... ) == 0x0
 02946  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 02938  1516   NtWaitForSingleObject  ... ) == 0x0
 02951   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02950  1716   NtSetEventBoostPriority  ... ) == 0x0
 02949  1736   NtProtectVirtualMemory  ... (0x7d8e000), 4096, 4, ) == 0x0
 02952  1124   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02953  1516   NtSetEventBoostPriority  (324, ...
 02954  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 02955  1624   NtWaitForSingleObject  (324, 0, 0x0, ...
 02956  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02940   776   NtWaitForSingleObject  ... ) == 0x0
 02953  1516   NtSetEventBoostPriority  ... ) == 0x0
 02952  1124   NtWaitForSingleObject  ... ) == 0x102
 02957  1716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02958   776   NtSetEventBoostPriority  (324, ...
 02956  1736   NtCreateThread  ... 960, {1636, 2076}, ) == 0x0
 02959  1124   NtWaitForSingleObject  (140, 0, 0x0, ...
 02951   312   NtWaitForSingleObject  ... ) == 0x0
 02957  1716   NtDuplicateObject  ... 964, ) == 0x0
 02960  1736   NtQueryInformationThread  (960, Basic, 28, ...
 02958   776   NtSetEventBoostPriority  ... ) == 0x0
 02961  1516   NtSetEventBoostPriority  (88, ...
 02962   312   NtSetEventBoostPriority  (324, ...
 02963  1716   NtWaitForSingleObject  (324, 0, 0x0, ...
 02960  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1636,Tid=2076,}, 0x0, ) == 0x0
 02964   776   NtWaitForSingleObject  (140, 0, 0x0, ...
 02954  1440   NtWaitForSingleObject  ... ) == 0x0
 02962   312   NtSetEventBoostPriority  ... ) == 0x0
 02163  1664   NtWaitForSingleObject  ... ) == 0x0
 02961  1516   NtSetEventBoostPriority  ... ) == 0x0
 02965  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75625, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\34\10\0\0" ...  ...
 02966  1440   NtSetEventBoostPriority  (324, ...
 02967  1664   NtWaitForSingleObject  (324, 0, 0x0, ...
 02968  1516   NtTestAlert  (...
 02955  1624   NtWaitForSingleObject  ... ) == 0x0
 02966  1440   NtSetEventBoostPriority  ... ) == 0x0
 02965  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75626, 0}  ... {28, 56, reply, 0, 1636, 1736, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\34\10\0\0" )  ) == 0x0
 02969  1624   NtSetEventBoostPriority  (324, ...
 02968  1516   NtTestAlert  ... ) == 0x0
 02970   312   NtSetEventBoostPriority  (320, ...
 02971  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02963  1716   NtWaitForSingleObject  ... ) == 0x0
 02969  1624   NtSetEventBoostPriority  ... ) == 0x0
 02972  1516   NtContinue  (100203824, 1, ...
 02860  1404   NtWaitForSingleObject  ... ) == 0x0
 02970   312   NtSetEventBoostPriority  ... ) == 0x0
 02973  1716   NtSetEventBoostPriority  (324, ...
 02971  1440   NtDuplicateObject  ... 968, ) == 0x0
 02974  1624   NtWaitForSingleObject  (320, 0, 0x0, ...
 02975  1404   NtWaitForSingleObject  (324, 0, 0x0, ...
 02976  1516   NtRegisterThreadTerminatePort  (24, ...
 02967  1664   NtWaitForSingleObject  ... ) == 0x0
 02973  1716   NtSetEventBoostPriority  ... ) == 0x0
 02977   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02978  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 02979  1736   NtResumeThread  (960, ...
 02980  1664   NtSetEventBoostPriority  (324, ...
 02976  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 02977   312   NtWaitForSingleObject  ... ) == 0x102
 02975  1404   NtWaitForSingleObject  ... ) == 0x0
 02980  1664   NtSetEventBoostPriority  ... ) == 0x0
 02979  1736   NtResumeThread  ... 1, ) == 0x0
 02981  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 02982  1404   NtSetEventBoostPriority  (324, ...
 02983   312   NtWaitForSingleObject  (324, 0, 0x0, ...
 02984  1716   NtWaitForSingleObject  (324, 0, 0x0, ...
 02985  2076   NtWaitForSingleObject  (88, 0, 0x0, ...
 02986  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02978  1440   NtWaitForSingleObject  ... ) == 0x0
 02982  1404   NtSetEventBoostPriority  ... ) == 0x0
 02987  1664   NtSetEventBoostPriority  (88, ...
 02986  1736   NtAllocateVirtualMemory  ... 131661824, 1048576, ) == 0x0
 02988  1440   NtSetEventBoostPriority  (324, ...
 02172  1972   NtWaitForSingleObject  ... ) == 0x0
 02987  1664   NtSetEventBoostPriority  ... ) == 0x0
 02989  1736   NtAllocateVirtualMemory  (-1, 132702208, 0, 8192, 4096, 4, ...
 02990  1972   NtWaitForSingleObject  (324, 0, 0x0, ...
 02981  1516   NtWaitForSingleObject  ... ) == 0x0
 02988  1440   NtSetEventBoostPriority  ... ) == 0x0
 02991  1664   NtTestAlert  (...
 02992  1516   NtSetEventBoostPriority  (324, ...
 02989  1736   NtAllocateVirtualMemory  ... 132702208, 8192, ) == 0x0
 02993  1404   NtSetEventBoostPriority  (320, ...
 02984  1716   NtWaitForSingleObject  ... ) == 0x0
 02992  1516   NtSetEventBoostPriority  ... ) == 0x0
 02991  1664   NtTestAlert  ... ) == 0x0
 02994  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 02995  1716   NtSetEventBoostPriority  (324, ...
 02892   476   NtWaitForSingleObject  ... ) == 0x0
 02993  1404   NtSetEventBoostPriority  ... ) == 0x0
 02996  1736   NtProtectVirtualMemory  (-1, (0x7e8e000), 4096, 260, ...
 02997  1664   NtContinue  (101252400, 1, ...
 02983   312   NtWaitForSingleObject  ... ) == 0x0
 02998   476   NtWaitForSingleObject  (324, 0, 0x0, ...
 02995  1716   NtSetEventBoostPriority  ... ) == 0x0
 02999  1404   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02996  1736   NtProtectVirtualMemory  ... (0x7e8e000), 4096, 4, ) == 0x0
 03000   312   NtSetEventBoostPriority  (324, ...
 03001  1664   NtRegisterThreadTerminatePort  (24, ...
 03002  1716   NtWaitForSingleObject  (324, 0, 0x0, ...
 02999  1404   NtWaitForSingleObject  ... ) == 0x102
 02990  1972   NtWaitForSingleObject  ... ) == 0x0
 03003  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03000   312   NtSetEventBoostPriority  ... ) == 0x0
 03004  1516   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03001  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 03005  1972   NtSetEventBoostPriority  (324, ...
 03006  1404   NtWaitForSingleObject  (140, 0, 0x0, ...
 03003  1736   NtCreateThread  ... 972, {1636, 2080}, ) == 0x0
 03007   312   NtWaitForSingleObject  (140, 0, 0x0, ...
 03004  1516   NtDuplicateObject  ... 976, ) == 0x0
 02994  1440   NtWaitForSingleObject  ... ) == 0x0
 03005  1972   NtSetEventBoostPriority  ... ) == 0x0
 03008  1664   NtWaitForSingleObject  (324, 0, 0x0, ...
 03009  1736   NtQueryInformationThread  (972, Basic, 28, ...
 03010  1440   NtSetEventBoostPriority  (324, ...
 03011  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 02998   476   NtWaitForSingleObject  ... ) == 0x0
 03010  1440   NtSetEventBoostPriority  ... ) == 0x0
 03009  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1636,Tid=2080,}, 0x0, ) == 0x0
 03012   476   NtSetEventBoostPriority  (324, ...
 03013  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 03014  1972   NtSetEventBoostPriority  (88, ...
 03002  1716   NtWaitForSingleObject  ... ) == 0x0
 03012   476   NtSetEventBoostPriority  ... ) == 0x0
 03015  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75626, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0d\6\0\0 \10\0\0" ...  ...
 03016  1716   NtSetEventBoostPriority  (324, ...
 02179   780   NtWaitForSingleObject  ... ) == 0x0
 03014  1972   NtSetEventBoostPriority  ... ) == 0x0
 03008  1664   NtWaitForSingleObject  ... ) == 0x0
 03017   780   NtWaitForSingleObject  (324, 0, 0x0, ...
 03015  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75627, 0}  ... {28, 56, reply, 0, 1636, 1736, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0d\6\0\0 \10\0\0" )  ) == 0x0
 03018  1972   NtTestAlert  (...
 03019  1664   NtSetEventBoostPriority  (324, ...
 03020  1736   NtResumeThread  (972, ...
 03018  1972   NtTestAlert  ... ) == 0x0
 03011  1516   NtWaitForSingleObject  ... ) == 0x0
 03019  1664   NtSetEventBoostPriority  ... ) == 0x0
 03020  1736   NtResumeThread  ... 1, ) == 0x0
 03021  1516   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ...
 03022  1972   NtContinue  (102300976, 1, ...
 03016  1716   NtSetEventBoostPriority  ... ) == 0x0
 03023   476   NtSetEventBoostPriority  (320, ...
 03024  2080   NtWaitForSingleObject  (88, 0, 0x0, ...
 03021  1516   NtAllocateVirtualMemory  ... 1417216, 4096, ) == 0x0
 03025  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03026  1972   NtRegisterThreadTerminatePort  (24, ...
 03027  1716   NtWaitForSingleObject  (320, 0, 0x0, ...
 02915  1964   NtWaitForSingleObject  ... ) == 0x0
 03023   476   NtSetEventBoostPriority  ... ) == 0x0
 03028  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03029  1516   NtSetEventBoostPriority  (324, ...
 03025  1736   NtAllocateVirtualMemory  ... 132710400, 1048576, ) == 0x0
 03030  1964   NtWaitForSingleObject  (324, 0, 0x0, ...
 03031   476   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03028  1664   NtDuplicateObject  ... 980, ) == 0x0
 03013  1440   NtWaitForSingleObject  ... ) == 0x0
 03029  1516   NtSetEventBoostPriority  ... ) == 0x0
 03032  1736   NtAllocateVirtualMemory  (-1, 133750784, 0, 8192, 4096, 4, ...
 03031   476   NtWaitForSingleObject  ... ) == 0x102
 03033  1440   NtSetEventBoostPriority  (324, ...
 03034  1664   NtWaitForSingleObject  (324, 0, 0x0, ...
 03035  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 03032  1736   NtAllocateVirtualMemory  ... 133750784, 8192, ) == 0x0
 03017   780   NtWaitForSingleObject  ... ) == 0x0
 03036   476   NtWaitForSingleObject  (324, 0, 0x0, ...
 03037   780   NtSetEventBoostPriority  (324, ...
 03038  1736   NtProtectVirtualMemory  (-1, (0x7f8e000), 4096, 260, ...
 03033  1440   NtSetEventBoostPriority  ... ) == 0x0
 03026  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 03030  1964   NtWaitForSingleObject  ... ) == 0x0
 03037   780   NtSetEventBoostPriority  ... ) == 0x0
 03038  1736   NtProtectVirtualMemory  ... (0x7f8e000), 4096, 4, ) == 0x0
 03039  1440   NtWaitForSingleObject  (320, 0, 0x0, ...
 03040  1964   NtSetEventBoostPriority  (324, ...
 03041  1972   NtWaitForSingleObject  (324, 0, 0x0, ...
 03042  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03034  1664   NtWaitForSingleObject  ... ) == 0x0
 03040  1964   NtSetEventBoostPriority  ... ) == 0x0
 03043   780   NtSetEventBoostPriority  (88, ...
 03044  1664   NtSetEventBoostPriority  (324, ...
 03042  1736   NtCreateThread  ... 984, {1636, 2092}, ) == 0x0
 02188  1656   NtWaitForSingleObject  ... ) == 0x0
 03043   780   NtSetEventBoostPriority  ... ) == 0x0
 03035  1516   NtWaitForSingleObject  ... ) == 0x0
 03044  1664   NtSetEventBoostPriority  ... ) == 0x0
 03045  1656   NtWaitForSingleObject  (324, 0, 0x0, ...
 03046  1736   NtQueryInformationThread  (984, Basic, 28, ...
 03047  1516   NtSetEventBoostPriority  (324, ...
 03048   780   NtTestAlert  (...
 03049  1964   NtSetEventBoostPriority  (320, ...
 03036   476   NtWaitForSingleObject  ... ) == 0x0
 03047  1516   NtSetEventBoostPriority  ... ) == 0x0
 03046  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1636,Tid=2092,}, 0x0, ) == 0x0
 03048   780   NtTestAlert  ... ) == 0x0
 03050   476   NtSetEventBoostPriority  (324, ...
 02942   740   NtWaitForSingleObject  ... ) == 0x0
 03049  1964   NtSetEventBoostPriority  ... ) == 0x0
 03051  1664   NtWaitForSingleObject  (324, 0, 0x0, ...
 03052  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75627, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0d\6\0\0,\10\0\0" ...  ...
 03041  1972   NtWaitForSingleObject  ... ) == 0x0
 03053   740   NtWaitForSingleObject  (324, 0, 0x0, ...
 03054   780   NtContinue  (103349552, 1, ...
 03055  1964   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03052  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75628, 0}  ... {28, 56, reply, 0, 1636, 1736, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0d\6\0\0,\10\0\0" )  ) == 0x0
 03056  1972   NtSetEventBoostPriority  (324, ...
 03057   780   NtRegisterThreadTerminatePort  (24, ...
 03055  1964   NtWaitForSingleObject  ... ) == 0x102
 03050   476   NtSetEventBoostPriority  ... ) == 0x0
 03058  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 03045  1656   NtWaitForSingleObject  ... ) == 0x0
 03056  1972   NtSetEventBoostPriority  ... ) == 0x0
 03059  1736   NtResumeThread  (984, ...
 03060  1964   NtWaitForSingleObject  (140, 0, 0x0, ...
 03061   476   NtWaitForSingleObject  (140, 0, 0x0, ...
 03062  1656   NtSetEventBoostPriority  (324, ...
 03057   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 03059  1736   NtResumeThread  ... 1, ) == 0x0
 03063  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03051  1664   NtWaitForSingleObject  ... ) == 0x0
 03062  1656   NtSetEventBoostPriority  ... ) == 0x0
 03064   780   NtWaitForSingleObject  (324, 0, 0x0, ...
 03065  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03066  1664   NtSetEventBoostPriority  (324, ...
 03063  1972   NtDuplicateObject  ... 988, ) == 0x0
 03067  2092   NtWaitForSingleObject  (88, 0, 0x0, ...
 03053   740   NtWaitForSingleObject  ... ) == 0x0
 03066  1664   NtSetEventBoostPriority  ... ) == 0x0
 03065  1736   NtAllocateVirtualMemory  ... 133758976, 1048576, ) == 0x0
 03068  1972   NtWaitForSingleObject  (324, 0, 0x0, ...
 03069   740   NtSetEventBoostPriority  (324, ...
 03070  1664   NtWaitForSingleObject  (320, 0, 0x0, ...
 03071  1736   NtAllocateVirtualMemory  (-1, 134799360, 0, 8192, 4096, 4, ...
 03058  1516   NtWaitForSingleObject  ... ) == 0x0
 03069   740   NtSetEventBoostPriority  ... ) == 0x0
 03072  1656   NtSetEventBoostPriority  (88, ...
 03071  1736   NtAllocateVirtualMemory  ... 134799360, 8192, ) == 0x0
 03073  1516   NtSetEventBoostPriority  (324, ...
 02195  1248   NtWaitForSingleObject  ... ) == 0x0
 03072  1656   NtSetEventBoostPriority  ... ) == 0x0
 03074   740   NtSetEventBoostPriority  (320, ...
 03075  1248   NtWaitForSingleObject  (324, 0, 0x0, ...
 03064   780   NtWaitForSingleObject  ... ) == 0x0
 03073  1516   NtSetEventBoostPriority  ... ) == 0x0
 03076  1656   NtTestAlert  (...
 03077   780   NtSetEventBoostPriority  (324, ...
 02974  1624   NtWaitForSingleObject  ... ) == 0x0
 03074   740   NtSetEventBoostPriority  ... ) == 0x0
 03078  1516   NtWaitForSingleObject  (320, 0, 0x0, ...
 03068  1972   NtWaitForSingleObject  ... ) == 0x0
 03079  1624   NtWaitForSingleObject  (324, 0, 0x0, ...
 03077   780   NtSetEventBoostPriority  ... ) == 0x0
 03076  1656   NtTestAlert  ... ) == 0x0
 03080   740   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03081  1736   NtProtectVirtualMemory  (-1, (0x808e000), 4096, 260, ...
 03082  1972   NtSetEventBoostPriority  (324, ...
 03083  1656   NtContinue  (104398128, 1, ...
 03080   740   NtWaitForSingleObject  ... ) == 0x102
 03075  1248   NtWaitForSingleObject  ... ) == 0x0
 03082  1972   NtSetEventBoostPriority  ... ) == 0x0
 03081  1736   NtProtectVirtualMemory  ... (0x808e000), 4096, 4, ) == 0x0
 03084  1656   NtRegisterThreadTerminatePort  (24, ...
 03085  1248   NtSetEventBoostPriority  (324, ...
 03086   740   NtWaitForSingleObject  (324, 0, 0x0, ...
 03087   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03088  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03089  1972   NtWaitForSingleObject  (324, 0, 0x0, ...
 03079  1624   NtWaitForSingleObject  ... ) == 0x0
 03085  1248   NtSetEventBoostPriority  ... ) == 0x0
 03084  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 03087   780   NtDuplicateObject  ... 992, ) == 0x0
 03088  1736   NtCreateThread  ... 996, {1636, 2096}, ) == 0x0
 03090  1624   NtSetEventBoostPriority  (324, ...
 03091  1656   NtWaitForSingleObject  (324, 0, 0x0, ...
 03092   780   NtWaitForSingleObject  (324, 0, 0x0, ...
 03089  1972   NtWaitForSingleObject  ... ) == 0x0
 03093  1736   NtQueryInformationThread  (996, Basic, 28, ...
 03094  1972   NtSetEventBoostPriority  (324, ...
 03093  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1636,Tid=2096,}, 0x0, ) == 0x0
 03086   740   NtWaitForSingleObject  ... ) == 0x0
 03094  1972   NtSetEventBoostPriority  ... ) == 0x0
 03090  1624   NtSetEventBoostPriority  ... ) == 0x0
 03095  1248   NtSetEventBoostPriority  (88, ...
 03096   740   NtSetEventBoostPriority  (324, ...
 03097  1972   NtWaitForSingleObject  (320, 0, 0x0, ...
 03098  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75628, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0d\6\0\00\10\0\0" ...  ...
 03091  1656   NtWaitForSingleObject  ... ) == 0x0
 02204  1036   NtWaitForSingleObject  ... ) == 0x0
 03095  1248   NtSetEventBoostPriority  ... ) == 0x0
 03096   740   NtSetEventBoostPriority  ... ) == 0x0
 03099  1624   NtSetEventBoostPriority  (320, ...
 03098  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75629, 0}  ... {28, 56, reply, 0, 1636, 1736, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0d\6\0\00\10\0\0" )  ) == 0x0
 03100  1036   NtWaitForSingleObject  (324, 0, 0x0, ...
 03101  1656   NtSetEventBoostPriority  (324, ...
 03102  1248   NtTestAlert  (...
 03103   740   NtWaitForSingleObject  (140, 0, 0x0, ...
 03027  1716   NtWaitForSingleObject  ... ) == 0x0
 03099  1624   NtSetEventBoostPriority  ... ) == 0x0
 03104  1736   NtResumeThread  (996, ...
 03092   780   NtWaitForSingleObject  ... ) == 0x0
 03101  1656   NtSetEventBoostPriority  ... ) == 0x0
 03102  1248   NtTestAlert  ... ) == 0x0
 03105  1716   NtWaitForSingleObject  (324, 0, 0x0, ...
 03106  1624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03107   780   NtSetEventBoostPriority  (324, ...
 03104  1736   NtResumeThread  ... 1, ) == 0x0
 03108  1248   NtContinue  (105446704, 1, ...
 03100  1036   NtWaitForSingleObject  ... ) == 0x0
 03107   780   NtSetEventBoostPriority  ... ) == 0x0
 03106  1624   NtWaitForSingleObject  ... ) == 0x102
 03109  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03110  1036   NtSetEventBoostPriority  (324, ...
 03111  1248   NtRegisterThreadTerminatePort  (24, ...
 03112  1656   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03113  2096   NtWaitForSingleObject  (88, 0, 0x0, ...
 03114  1624   NtWaitForSingleObject  (324, 0, 0x0, ...
 03115   780   NtWaitForSingleObject  (324, 0, 0x0, ...
 03105  1716   NtWaitForSingleObject  ... ) == 0x0
 03110  1036   NtSetEventBoostPriority  ... ) == 0x0
 03109  1736   NtAllocateVirtualMemory  ... 134807552, 1048576, ) == 0x0
 03112  1656   NtDuplicateObject  ... 1000, ) == 0x0
 03111  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 03116  1716   NtSetEventBoostPriority  (324, ...
 03117  1736   NtAllocateVirtualMemory  (-1, 135847936, 0, 8192, 4096, 4, ...
 03118  1656   NtWaitForSingleObject  (324, 0, 0x0, ...
 03115   780   NtWaitForSingleObject  ... ) == 0x0
 03116  1716   NtSetEventBoostPriority  ... ) == 0x0
 03119  1248   NtWaitForSingleObject  (324, 0, 0x0, ...
 03117  1736   NtAllocateVirtualMemory  ... 135847936, 8192, ) == 0x0
 03120   780   NtSetEventBoostPriority  (324, ...
 03121  1036   NtSetEventBoostPriority  (88, ...
 03114  1624   NtWaitForSingleObject  ... ) == 0x0
 03120   780   NtSetEventBoostPriority  ... ) == 0x0
 03122  1736   NtProtectVirtualMemory  (-1, (0x818e000), 4096, 260, ...
 03123  1624   NtSetEventBoostPriority  (324, ...
 02211   760   NtWaitForSingleObject  ... ) == 0x0
 03121  1036   NtSetEventBoostPriority  ... ) == 0x0
 03124   780   NtWaitForSingleObject  (320, 0, 0x0, ...
 03118  1656   NtWaitForSingleObject  ... ) == 0x0
 03125   760   NtWaitForSingleObject  (324, 0, 0x0, ...
 03122  1736   NtProtectVirtualMemory  ... (0x818e000), 4096, 4, ) == 0x0
 03126  1036   NtTestAlert  (...
 03123  1624   NtSetEventBoostPriority  ... ) == 0x0
 03127  1716   NtSetEventBoostPriority  (320, ...
 03128  1656   NtSetEventBoostPriority  (324, ...
 03129  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03126  1036   NtTestAlert  ... ) == 0x0
 03130  1624   NtWaitForSingleObject  (140, 0, 0x0, ...
 03039  1440   NtWaitForSingleObject  ... ) == 0x0
 03127  1716   NtSetEventBoostPriority  ... ) == 0x0
 03119  1248   NtWaitForSingleObject  ... ) == 0x0
 03128  1656   NtSetEventBoostPriority  ... ) == 0x0
 03131  1036   NtContinue  (106495280, 1, ...
 03132  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 03133  1248   NtSetEventBoostPriority  (324, ...
 03134  1716   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03129  1736   NtCreateThread  ... 1004, {1636, 2104}, ) == 0x0
 03125   760   NtWaitForSingleObject  ... ) == 0x0
 03133  1248   NtSetEventBoostPriority  ... ) == 0x0
 03135  1036   NtRegisterThreadTerminatePort  (24, ...
 03134  1716   NtWaitForSingleObject  ... ) == 0x102
 03136   760   NtSetEventBoostPriority  (324, ...
 03137  1736   NtQueryInformationThread  (1004, Basic, 28, ...
 03138  1656   NtWaitForSingleObject  (324, 0, 0x0, ...
 03139  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03132  1440   NtWaitForSingleObject  ... ) == 0x0
 03136   760   NtSetEventBoostPriority  ... ) == 0x0
 03140  1716   NtWaitForSingleObject  (140, 0, 0x0, ...
 03137  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1636,Tid=2104,}, 0x0, ) == 0x0
 03141  1440   NtSetEventBoostPriority  (324, ...
 03139  1248   NtDuplicateObject  ... 1008, ) == 0x0
 03135  1036   NtRegisterThreadTerminatePort  ... ) == 0x0
 03142   760   NtSetEventBoostPriority  (88, ...
 03138  1656   NtWaitForSingleObject  ... ) == 0x0
 03141  1440   NtSetEventBoostPriority  ... ) == 0x0
 03143  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75629, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0d\6\0\08\10\0\0" ...  ...
 03144  1248   NtWaitForSingleObject  (324, 0, 0x0, ...
 03145  1036   NtWaitForSingleObject  (324, 0, 0x0, ...
 03146  1656   NtSetEventBoostPriority  (324, ...
 02220   860   NtWaitForSingleObject  ... ) == 0x0
 03142   760   NtSetEventBoostPriority  ... ) == 0x0
 03143  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75630, 0}  ... {28, 56, reply, 0, 1636, 1736, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0d\6\0\08\10\0\0" )  ) == 0x0
 03144  1248   NtWaitForSingleObject  ... ) == 0x0
 03147   860   NtWaitForSingleObject  (324, 0, 0x0, ...
 03146  1656   NtSetEventBoostPriority  ... ) == 0x0
 03148   760   NtTestAlert  (...
 03149  1440   NtSetEventBoostPriority  (320, ...
 03150  1248   NtSetEventBoostPriority  (324, ...
 03151  1656   NtWaitForSingleObject  (320, 0, 0x0, ...
 03148   760   NtTestAlert  ... ) == 0x0
 03145  1036   NtWaitForSingleObject  ... ) == 0x0
 03150  1248   NtSetEventBoostPriority  ... ) == 0x0
 03070  1664   NtWaitForSingleObject  ... ) == 0x0
 03149  1440   NtSetEventBoostPriority  ... ) == 0x0
 03152  1736   NtResumeThread  (1004, ...
 03153  1036   NtSetEventBoostPriority  (324, ...
 03154   760   NtContinue  (107543856, 1, ...
 03155  1664   NtWaitForSingleObject  (324, 0, 0x0, ...
 03156  1440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03147   860   NtWaitForSingleObject  ... ) == 0x0
 03153  1036   NtSetEventBoostPriority  ... ) == 0x0
 03152  1736   NtResumeThread  ... 1, ) == 0x0
 03157   760   NtRegisterThreadTerminatePort  (24, ...
 03158   860   NtSetEventBoostPriority  (324, ...
 03156  1440   NtWaitForSingleObject  ... ) == 0x102
 03159  1248   NtWaitForSingleObject  (324, 0, 0x0, ...
 03160  2104   NtWaitForSingleObject  (88, 0, 0x0, ...
 03161  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03162  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03155  1664   NtWaitForSingleObject  ... ) == 0x0
 03158   860   NtSetEventBoostPriority  ... ) == 0x0
 03163  1440   NtWaitForSingleObject  (324, 0, 0x0, ...
 03161  1736   NtAllocateVirtualMemory  ... 135856128, 1048576, ) == 0x0
 03164  1664   NtSetEventBoostPriority  (324, ...
 03162  1036   NtDuplicateObject  ... 1012, ) == 0x0
 03157   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 03165   860   NtSetEventBoostPriority  (88, ...
 03159  1248   NtWaitForSingleObject  ... ) == 0x0
 03166  1736   NtAllocateVirtualMemory  (-1, 136896512, 0, 8192, 4096, 4, ...
 03167  1036   NtWaitForSingleObject  (324, 0, 0x0, ...
 03168   760   NtWaitForSingleObject  (324, 0, 0x0, ...
 02227   484   NtWaitForSingleObject  ... ) == 0x0
 03165   860   NtSetEventBoostPriority  ... ) == 0x0
 03169  1248   NtSetEventBoostPriority  (324, ...
 03166  1736   NtAllocateVirtualMemory  ... 136896512, 8192, ) == 0x0
 03170   484   NtWaitForSingleObject  (324, 0, 0x0, ...
 03171   860   NtTestAlert  (...
 03167  1036   NtWaitForSingleObject  ... ) == 0x0
 03169  1248   NtSetEventBoostPriority  ... ) == 0x0
 03164  1664   NtSetEventBoostPriority  ... ) == 0x0
 03172  1036   NtSetEventBoostPriority  (324, ...
 03171   860   NtTestAlert  ... ) == 0x0
 03173  1248   NtWaitForSingleObject  (324, 0, 0x0, ...
 03174  1736   NtProtectVirtualMemory  (-1, (0x828e000), 4096, 260, ...
 03168   760   NtWaitForSingleObject  ... ) == 0x0
 03172  1036   NtSetEventBoostPriority  ... ) == 0x0
 03175   860   NtContinue  (108592432, 1, ...
 03176  1664   NtSetEventBoostPriority  (320, ...
 03177   760   NtSetEventBoostPriority  (324, ...
 03174  1736   NtProtectVirtualMemory  ... (0x828e000), 4096, 4, ) == 0x0
 03178   860   NtRegisterThreadTerminatePort  (24, ...
 03163  1440   NtWaitForSingleObject  ... ) == 0x0
 03177   760   NtSetEventBoostPriority  ... ) == 0x0
 03078  1516   NtWaitForSingleObject  ... ) == 0x0
 03176  1664   NtSetEventBoostPriority  ... ) == 0x0
 03179  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03180  1036   NtWaitForSingleObject  (324, 0, 0x0, ...
 03181  1440   NtSetEventBoostPriority  (324, ...
 03178   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 03182  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 03183  1664   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03179  1736   NtCreateThread  ... 1016, {1636, 2112}, ) == 0x0
 03170   484   NtWaitForSingleObject  ... ) == 0x0
 03184   860   NtWaitForSingleObject  (324, 0, 0x0, ...
 03183  1664   NtWaitForSingleObject  ... ) == 0x102
 03185   484   NtSetEventBoostPriority  (324, ...
 03186  1736   NtQueryInformationThread  (1016, Basic, 28, ...
 03173  1248   NtWaitForSingleObject  ... ) == 0x0
 03185   484   NtSetEventBoostPriority  ... ) == 0x0
 03187  1664   NtWaitForSingleObject  (140, 0, 0x0, ...
 03188  1248   NtSetEventBoostPriority  (324, ...
 03186  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1636,Tid=2112,}, 0x0, ) == 0x0
 03181  1440   NtSetEventBoostPriority  ... ) == 0x0
 03189   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03190   484   NtSetEventBoostPriority  (88, ...
 03180  1036   NtWaitForSingleObject  ... ) == 0x0
 03188  1248   NtSetEventBoostPriority  ... ) == 0x0
 03191  1440   NtWaitForSingleObject  (140, 0, 0x0, ...
 03189   760   NtDuplicateObject  ... 1020, ) == 0x0
 02236  1580   NtWaitForSingleObject  ... ) == 0x0
 03190   484   NtSetEventBoostPriority  ... ) == 0x0
 03192  1036   NtSetEventBoostPriority  (324, ...
 03193  1248   NtWaitForSingleObject  (320, 0, 0x0, ...
 03194  1580   NtWaitForSingleObject  (324, 0, 0x0, ...
 03195   760   NtWaitForSingleObject  (324, 0, 0x0, ...
 03196   484   NtTestAlert  (...
 03182  1516   NtWaitForSingleObject  ... ) == 0x0
 03192  1036   NtSetEventBoostPriority  ... ) == 0x0
 03197  1516   NtSetEventBoostPriority  (324, ...
 03196   484   NtTestAlert  ... ) == 0x0
 03184   860   NtWaitForSingleObject  ... ) == 0x0
 03198  1036   NtWaitForSingleObject  (320, 0, 0x0, ...
 03199   484   NtContinue  (109641008, 1, ...
 03200   860   NtSetEventBoostPriority  (324, ...
 03197  1516   NtSetEventBoostPriority  ... ) == 0x0
 03201  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75630, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0d\6\0\0@\10\0\0" ...  ...
 03202   484   NtRegisterThreadTerminatePort  (24, ...
 03194  1580   NtWaitForSingleObject  ... ) == 0x0
 03200   860   NtSetEventBoostPriority  ... ) == 0x0
 03201  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75631, 0}  ... {28, 56, reply, 0, 1636, 1736, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0d\6\0\0@\10\0\0" )  ) == 0x0
 03203  1516   NtSetEventBoostPriority  (320, ...
 03204  1580   NtSetEventBoostPriority  (324, ...
 03202   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 03205  1736   NtResumeThread  (1016, ...
 03195   760   NtWaitForSingleObject  ... ) == 0x0
 03204  1580   NtSetEventBoostPriority  ... ) == 0x0
 03097  1972   NtWaitForSingleObject  ... ) == 0x0
 03203  1516   NtSetEventBoostPriority  ... ) == 0x0
 03206   484   NtWaitForSingleObject  (324, 0, 0x0, ...
 03207   760   NtSetEventBoostPriority  (324, ...
 03205  1736   NtResumeThread  ... 1, ) == 0x0
 03208   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03209  1972   NtWaitForSingleObject  (324, 0, 0x0, ...
 03210  1516   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03207   760   NtSetEventBoostPriority  ... ) == 0x0
 03206   484   NtWaitForSingleObject  ... ) == 0x0
 03211  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03208   860   NtDuplicateObject  ... 1024, ) == 0x0
 03210  1516   NtWaitForSingleObject  ... ) == 0x102
 03212  1580   NtSetEventBoostPriority  (88, ...
 03213  2112   NtWaitForSingleObject  (88, 0, 0x0, ...
 03214   484   NtSetEventBoostPriority  (324, ...
 03215   760   NtWaitForSingleObject  (324, 0, 0x0, ...
 03216   860   NtWaitForSingleObject  (324, 0, 0x0, ...
 03217  1516   NtWaitForSingleObject  (324, 0, 0x0, ...
 02243  1756   NtWaitForSingleObject  ... ) == 0x0
 03212  1580   NtSetEventBoostPriority  ... ) == 0x0
 03209  1972   NtWaitForSingleObject  ... ) == 0x0
 03214   484   NtSetEventBoostPriority  ... ) == 0x0
 03211  1736   NtAllocateVirtualMemory  ... 136904704, 1048576, ) == 0x0
 03218  1756   NtWaitForSingleObject  (324, 0, 0x0, ...
 03219  1972   NtSetEventBoostPriority  (324, ...
 03220  1580   NtTestAlert  (...
 03215   760   NtWaitForSingleObject  ... ) == 0x0
 03221  1736   NtAllocateVirtualMemory  (-1, 137945088, 0, 8192, 4096, 4, ...
 03220  1580   NtTestAlert  ... ) == 0x0
 03222   760   NtSetEventBoostPriority  (324, ...
 03221  1736   NtAllocateVirtualMemory  ... 137945088, 8192, ) == 0x0
 03223  1580   NtContinue  (110689584, 1, ...
 03216   860   NtWaitForSingleObject  ... ) == 0x0
 03222   760   NtSetEventBoostPriority  ... ) == 0x0
 03224  1736   NtProtectVirtualMemory  (-1, (0x838e000), 4096, 260, ...
 03225   860   NtSetEventBoostPriority  (324, ...
 03226  1580   NtRegisterThreadTerminatePort  (24, ...
 03227   760   NtWaitForSingleObject  (324, 0, 0x0, ...
 03217  1516   NtWaitForSingleObject  ... ) == 0x0
 03225   860   NtSetEventBoostPriority  ... ) == 0x0
 03224  1736   NtProtectVirtualMemory  ... (0x838e000), 4096, 4, ) == 0x0
 03219  1972   NtSetEventBoostPriority  ... ) == 0x0
 03228   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03226  1580   NtRegisterThreadTerminatePort  ... ) == 0x0
 03229  1516   NtSetEventBoostPriority  (324, ...
 03230  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03231   860   NtWaitForSingleObject  (324, 0, 0x0, ...
 03228   484   NtDuplicateObject  ... 1028, ) == 0x0
 03218  1756   NtWaitForSingleObject  ... ) == 0x0
 03232  1580   NtWaitForSingleObject  (324, 0, 0x0, ...
 03229  1516   NtSetEventBoostPriority  ... ) == 0x0
 03233  1972   NtSetEventBoostPriority  (320, ...
 03234  1756   NtSetEventBoostPriority  (324, ...
 03235   484   NtWaitForSingleObject  (324, 0, 0x0, ...
 03236  1516   NtWaitForSingleObject  (140, 0, 0x0, ...
 03227   760   NtWaitForSingleObject  ... ) == 0x0
 03234  1756   NtSetEventBoostPriority  ... ) == 0x0
 03124   780   NtWaitForSingleObject  ... ) == 0x0
 03233  1972   NtSetEventBoostPriority  ... ) == 0x0
 03237   760   NtSetEventBoostPriority  (324, ...
 03230  1736   NtCreateThread  ... 1032, {1636, 2116}, ) == 0x0
 03238   780   NtWaitForSingleObject  (324, 0, 0x0, ...
 03231   860   NtWaitForSingleObject  ... ) == 0x0
 03239  1972   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03240  1736   NtQueryInformationThread  (1032, Basic, 28, ...
 03241   860   NtSetEventBoostPriority  (324, ...
 03239  1972   NtWaitForSingleObject  ... ) == 0x102
 03240  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1636,Tid=2116,}, 0x0, ) == 0x0
 03232  1580   NtWaitForSingleObject  ... ) == 0x0
 03241   860   NtSetEventBoostPriority  ... ) == 0x0