Summary (number of calls per system service, in ascending order):

NtCallbackReturn(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryInformationToken(>) 5 NtCreateEvent(>) 60
NtGdiCreateBitmap(>) 1 NtNotifyChangeKey(>) 2 NtQueryVirtualMemory(>) 5 NtOpenKey(>) 91
NtGdiInit(>) 1 NtOpenDirectoryObject(>) 2 NtUnmapViewOfSection(>) 5 NtContinue(>) 131
NtGdiQueryFontAssocInfo(>) 1 NtOpenProcessToken(>) 2 NtSetInformationThread(>) 6 NtCreateThread(>) 140
NtGdiSelectBitmap(>) 1 NtOpenProcessTokenEx(>) 2 NtQueryInformationFile(>) 7 NtResumeThread(>) 140
NtOpenKeyedEvent(>) 1 NtOpenThreadTokenEx(>) 2 NtQueryInformationProcess(>) 7 NtQueryInformationThread(>) 146
NtOpenSymbolicLinkObject(>) 1 NtQueryDefaultLocale(>) 2 NtOpenThreadToken(>) 8 NtClose(>) 148
NtQueryObject(>) 1 NtSetInformationObject(>) 2 NtQuerySection(>) 8 NtRequestWaitReplyPort(>) 154
NtQuerySymbolicLinkObject(>) 1 NtFreeVirtualMemory(>) 3 NtUserFindExistingCursorIcon(>) 9 NtProtectVirtualMemory(>) 212
NtQuerySystemTime(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetInformationFile(>) 11 NtQueryValueKey(>) 217
NtSecureConnectPort(>) 1 NtQueryVolumeInformationFile(>) 3 NtCreateSection(>) 14 NtTestAlert(>) 257
NtSetInformationProcess(>) 1 NtReadFile(>) 3 NtUserRegisterClassExWOW(>) 14 NtRegisterThreadTerminatePort(>) 258
NtUserCallNoParam(>) 1 NtFsControlFile(>) 4 NtOpenFile(>) 17 NtDuplicateObject(>) 265
NtUserGetThreadDesktop(>) 1 NtSetValueKey(>) 4 NtOpenSection(>) 19 NtAllocateVirtualMemory(>) 397
NtConnectPort(>) 2 NtWriteFile(>) 4 NtMapViewOfSection(>) 24 NtSetEventBoostPriority(>) 926
NtCreateIoCompletion(>) 2 NtCreateFile(>) 5 NtQueryAttributesFile(>) 26 NtWaitForSingleObject(>) 1124
NtCreateMutant(>) 2 NtCreateKey(>) 5 NtQuerySystemInformation(>) 32
NtDeviceIoControlFile(>) 2 NtGdiGetStockObject(>) 5

Trace:

00001 928 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 928 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 928 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 928 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 928 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 928 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 928 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 928 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 928 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 928 NtClose (12, ... ) == 0x0 00015 928 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 928 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 928 NtClose (16, ... ) == 0x0 00021 928 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 928 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 928 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 928 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 928 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 928 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 928 NtClose (16, ... ) == 0x0 00030 928 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 928 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 928 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 928 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57957, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 928 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 928 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 928 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 928 NtClose (16, ... ) == 0x0 00041 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 928 NtClose (16, ... ) == 0x0 00044 928 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 928 NtClose (16, ... ) == 0x0 00048 928 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 928 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 928 NtClose (16, ... ) == 0x0 00052 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 928 NtClose (16, ... ) == 0x0 00055 928 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 928 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 928 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1972, 928, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 1972, 928, 57958, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1972, 928, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57959, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 928 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00062 928 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... 
(0x409000), 69632, 4, ) == 0x0 00063 928 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00064 928 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 928 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 928 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 928 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 928 NtClose (16, ... ) == 0x0 00069 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 928 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 928 NtClose (16, ... ) == 0x0 00072 928 NtTestAlert (... ) == 0x0 00073 928 NtContinue (1244464, 1, ... 00074 928 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0 00075 928 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00076 928 NtContinue (1244400, 0, ... 00077 928 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00078 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 928 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 928 NtClose (16, ... ) == 0x0 00081 928 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00084 928 NtClose (16, ... ) == 0x0 00085 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00086 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00087 928 NtClose (16, ... ) == 0x0 00088 928 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00089 928 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00090 928 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00091 928 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00092 928 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00093 928 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00094 928 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 928 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 928 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 928 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00098 928 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00099 928 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00100 928 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00101 928 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00102 928 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00103 928 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00104 928 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 928 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00109 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57960, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57960, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57960, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00110 928 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00111 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00112 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00113 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00114 928 NtClose (16, ... ) == 0x0 00115 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00116 928 NtClose (28, ... ) == 0x0 00117 928 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00118 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00119 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00120 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00121 928 NtClose (28, ... ) == 0x0 00122 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00123 928 NtClose (16, ... ) == 0x0 00124 928 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00125 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00126 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00127 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00128 928 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00129 928 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 928 NtQueryInformationToken (32, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00131 928 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00133 928 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 928 NtClose (36, ... ) == 0x0 00135 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00136 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00137 928 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00138 928 NtClose (36, ... ) == 0x0 00139 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 928 NtClose (32, ... ) == 0x0 00141 928 NtClose (16, ... ) == 0x0 00142 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00143 928 NtClose (28, ... ) == 0x0 00144 928 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 928 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 928 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 928 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 928 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 928 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00150 928 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00151 928 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00152 928 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00153 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00154 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00155 928 NtClose (28, ... ) == 0x0 00156 928 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00157 928 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00158 928 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00159 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00160 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00161 928 NtClose (28, ... ) == 0x0 00162 928 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00163 928 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 928 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 928 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 928 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 928 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 928 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 928 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00170 928 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00171 928 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00172 928 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00173 928 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00174 928 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00175 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 928 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00177 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00179 928 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 928 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 928 NtClose (28, ... ) == 0x0 00182 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00183 928 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 928 NtClose (28, ... 
) == 0x0 00185 928 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00186 928 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00187 928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00191 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00194 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00195 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00196 928 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 928 NtClose (16, ... ) == 0x0 00198 928 NtMapViewOfSection (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0 00199 928 NtClose (-2147482740, ... ) == 0x0 00200 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00201 928 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00202 928 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482740, ) == 0x0 00203 928 NtQueryInformationToken (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00204 928 NtQueryInformationToken (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00205 928 NtClose (-2147482740, ... ) == 0x0 00206 928 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0 00207 928 NtFreeVirtualMemory (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0 00208 928 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00209 928 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00210 928 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 928 NtClose (-2147482740, ... ) == 0x0 00212 928 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00213 928 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00214 928 NtClose (-2147482740, ... ) == 0x0 00215 928 NtQueryDefaultLocale (0, -139609780, ... ) == 0x0 00216 928 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00217 928 NtUserCallNoParam (24, ... ) == 0x0 00218 928 NtGdiCreateCompatibleDC (0, ... 00219 928 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0 00218 928 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00220 928 NtGdiGetStockObject (0, ... ) == 0x1900010 00221 928 NtGdiGetStockObject (4, ... ) == 0x1900011 00222 928 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x76050581 00223 928 NtGdiCreateSolidBrush (0, 0, ... 00224 928 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00223 928 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00225 928 NtGdiGetStockObject (13, ... ) == 0x18a0021 00226 928 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00227 928 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00228 928 NtUserGetThreadDesktop (928, 0, ... ) == 0x24 00229 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00230 928 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00231 928 NtClose (44, ... ) == 0x0 00232 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00233 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x81b1c017 00234 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00235 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x81b1c01c 00236 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00237 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x81b1c01e 00238 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00239 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81b18002 00240 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00241 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x81b1c018 00242 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00243 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x81b1c01a 00244 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00245 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x81b1c01d 00246 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00247 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x81b1c026 00248 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00249 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x81b1c019 00250 928 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c020 00251 928 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81b1c022 00252 928 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c023 00253 928 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81b1c024 00254 928 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c025 00255 928 NtCallbackReturn (0, 0, 0, ... 00256 928 NtGdiInit (... ) == 0x1 00257 928 NtGdiGetStockObject (18, ... ) == 0x290001c 00258 928 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00259 928 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0 00260 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00263 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0 00264 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00265 928 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 928 NtClose (44, ... ) == 0x0 00267 928 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00268 928 NtClose (48, ... ) == 0x0 00269 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00270 928 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00271 928 NtClose (48, ... ) == 0x0 00272 928 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00273 928 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00274 928 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00275 928 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00276 928 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00277 928 NtFlushInstructionCache (-1, 1907036160, 468, ... 
) == 0x0 00278 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00281 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00282 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00283 928 NtQuerySection (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00284 928 NtClose (48, ... ) == 0x0 00285 928 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00286 928 NtClose (44, ... ) == 0x0 00287 928 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00288 928 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00289 928 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00290 928 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00291 928 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00292 928 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00293 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 928 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 928 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00296 928 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00297 928 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00298 928 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00299 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00300 928 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00301 928 NtClose (44, ... ) == 0x0 00302 928 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00303 928 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00304 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00305 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00306 928 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00307 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00310 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00311 928 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0 00312 928 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00313 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00314 928 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00315 928 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00316 928 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00317 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0 00318 928 NtAllocateVirtualMemory (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0 00319 928 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00320 928 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 
48, ) == 0x0 00321 928 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00322 928 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00323 928 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00324 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00325 928 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0 00326 928 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00327 928 NtNotifyChangeKey (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00328 928 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00329 928 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 928 NtQueryValueKey (60, (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... 
TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00331 928 NtQueryValueKey (60, (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00332 928 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0 00333 928 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00334 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0 00335 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00336 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00337 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00338 928 NtClose (68, ... ) == 0x0 00339 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 
68, ) == 0x0 00340 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00341 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00342 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 
(68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00343 928 NtClose (68, ... ) == 0x0 00344 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 
68, ) == 0x0 00345 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00346 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00347 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 
(68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00348 928 NtClose (68, ... ) == 0x0 00349 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 
68, ) == 0x0 00350 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00351 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00352 928 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00353 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00354 928 NtClose (68, ... ) == 0x0 00355 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0 00356 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00357 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00358 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00359 928 NtClose (68, ... ) == 0x0 00360 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0 00361 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00362 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00363 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00364 928 NtClose (68, ... ) == 0x0 00365 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 
68, ) == 0x0 00366 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00367 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00368 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00369 928 NtClose (68, ... ) == 0x0 00370 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0 00371 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00372 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00373 928 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00374 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00375 928 NtClose (68, ... ) == 0x0 00376 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0 00377 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00378 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00379 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 
900, ) }, 900, ) == 0x0 00380 928 NtClose (68, ... ) == 0x0 00381 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0 00382 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00383 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00384 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00385 928 NtClose (68, ... ) == 0x0 00386 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 
68, ) == 0x0 00387 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00388 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00389 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00390 928 NtClose (68, ... ) == 0x0 00391 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 
68, ) == 0x0 00392 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00393 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00394 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00395 928 NtClose (68, ... ) == 0x0 00396 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 
68, ) == 0x0 00397 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00398 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00399 928 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00400 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00401 928 NtClose (68, ... ) == 0x0 00402 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 
68, ) == 0x0 00403 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00404 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00405 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00406 928 NtClose (68, ... ) == 0x0 00407 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 
68, ) == 0x0 00408 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00409 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00410 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00411 928 NtClose (68, ... ) == 0x0 00412 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 
68, ) == 0x0 00413 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00414 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00415 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00416 928 NtClose (68, ... ) == 0x0 00417 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 
68, ) == 0x0 00418 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00419 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00420 928 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00421 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00422 928 NtClose (68, ... ) == 0x0 00423 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 
68, ) == 0x0 00424 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00425 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00426 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00427 928 NtClose (68, ... ) == 0x0 00428 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 
68, ) == 0x0 00429 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00430 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00431 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00432 928 NtClose (68, ... ) == 0x0 00433 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 
68, ) == 0x0 00434 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00435 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00436 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00437 928 NtClose (68, ... ) == 0x0 00438 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 
68, ) == 0x0 00439 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00440 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00441 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\264\7\0\0\240\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00442 928 NtClose (68, ... ) == 0x0 00443 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 
68, ) == 0x0 00444 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00445 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00446 928 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00447 928 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\264\7\0\0\240\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0\264\7\0\0\240\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0\264\7\0\0\240\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0\264\7\0\0\240\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\264\7\0\0\240\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0\264\7\0\0\240\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0\264\7\0\0\240\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0\264\7\0\0\240\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0\264\7\0\0\240\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\264\7\0\0\240\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0\264\7\0\0\240\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0\264\7\0\0\240\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0\264\7\0\0\240\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0\264\7\0\0\240\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00448 928 NtClose (68, ... ) == 0x0 00449 928 NtClose (64, ... ) == 0x0 00450 928 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00451 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00452 928 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0 00453 928 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00454 928 NtNotifyChangeKey (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00455 928 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00456 928 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00457 928 NtQueryValueKey (68, (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00458 928 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0 00459 928 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0 00460 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00461 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00462 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00463 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00464 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00465 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00466 928 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00467 928 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 928 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00469 928 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00470 928 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00471 928 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00472 928 NtClose (76, ... ) == 0x0 00473 928 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0 00474 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00475 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00476 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00477 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00478 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00479 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00480 928 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00481 928 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 928 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00483 928 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00484 928 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00485 928 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00486 928 NtClose (76, ... ) == 0x0 00487 928 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0 00488 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00489 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00490 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00491 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00492 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00493 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00494 928 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00495 928 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 928 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 928 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00498 928 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00499 928 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00500 928 NtClose (76, ... ) == 0x0 00501 928 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0 00502 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00503 928 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00504 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00505 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00506 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00507 928 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00508 928 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00509 928 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00510 928 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00511 928 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00512 928 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00513 928 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00514 928 NtClose (76, ... ) == 0x0 00515 928 NtClose (72, ... ) == 0x0 00516 928 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 00517 928 NtClose (52, ... ) == 0x0 00518 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00519 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00520 928 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00521 928 NtQueryValueKey (52, (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 928 NtClose (52, ... ) == 0x0 00523 928 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00524 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
52, ) == 0x0 00525 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00526 928 NtQueryInformationFile (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00527 928 NtQueryInformationFile (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00528 928 NtQueryInformationFile (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00529 928 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00530 928 NtQueryInformationFile (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00531 928 NtQueryInformationFile (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00532 928 NtQueryInformationFile (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00533 928 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00534 928 NtClose (-2147482740, ... ) == 0x0 00533 928 NtCreateFile ... 76, {status=0x0, info=2}, ) == 0x0 00535 928 NtQueryVolumeInformationFile (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00536 928 NtQueryInformationFile (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00537 928 NtQueryVolumeInformationFile (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00538 928 NtSetInformationFile (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00539 928 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00540 928 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 16384, ) == 0x0 00541 928 NtClose (80, ... 
) == 0x0 00542 928 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) == 0x0 00543 928 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00544 928 NtSetInformationFile (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00545 928 NtClose (72, ... ) == 0x0 00546 928 NtClose (76, ... 
) == 0x0 00547 928 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0 00548 928 NtSetValueKey (76, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00549 928 NtSetInformationFile (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00550 928 NtSetInformationFile (-2147482448, -139610412, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00551 928 NtSetInformationFile (-2147482448, -139610720, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00548 928 NtSetValueKey ... ) == 0x0 00552 928 NtClose (76, ... ) == 0x0 00553 928 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0 00554 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0 00555 928 NtAllocateVirtualMemory (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0 00556 928 NtProtectVirtualMemory (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0 00557 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1972, 860}, ) == 0x0 00558 928 NtQueryInformationThread (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1972,Tid=860,}, 0x0, ) == 0x0 00559 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\264\7\0\0\\3\0\0" ... {28, 56, reply, 0, 1972, 928, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\264\7\0\0\\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57968, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\264\7\0\0\\3\0\0" ... 
{28, 56, reply, 0, 1972, 928, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\264\7\0\0\\3\0\0" ) ) == 0x0 00560 928 NtResumeThread (72, ... 1, ) == 0x0 00561 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0 00562 928 NtAllocateVirtualMemory (-1, 12050432, 0, 8192, 4096, 4, ... 00563 860 NtTestAlert (... ) == 0x0 00564 860 NtContinue (11009328, 1, ... 00565 860 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00566 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0 00567 860 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00562 928 NtAllocateVirtualMemory ... 12050432, 8192, ) == 0x0 00568 928 NtProtectVirtualMemory (-1, (0xb7e000), 4096, 260, ... (0xb7e000), 4096, 4, ) == 0x0 00569 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1972, 484}, ) == 0x0 00570 928 NtQueryInformationThread (84, Basic, 28, ... 00571 860 NtAllocateVirtualMemory (-1, 10997760, 0, 4096, 4096, 260, ... 10997760, 4096, ) == 0x0 00572 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... ) }, 11006452, ... ) == 0x0 00573 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00574 860 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 88, ... 92, ) == 0x0 00575 860 NtClose (88, ... ) == 0x0 00576 860 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb80000), 0x0, 245760, ) == 0x0 00570 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1972,Tid=484,}, 0x0, ) == 0x0 00577 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57968, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\264\7\0\0\344\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\264\7\0\0\344\1\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 57969, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\264\7\0\0\344\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\264\7\0\0\344\1\0\0" ) ) == 0x0 00578 928 NtResumeThread (84, ... 1, ) == 0x0 00579 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12320768, 1048576, ) == 0x0 00580 928 NtAllocateVirtualMemory (-1, 13361152, 0, 8192, 4096, 4, ... 13361152, 8192, ) == 0x0 00581 928 NtProtectVirtualMemory (-1, (0xcbe000), 4096, 260, ... (0xcbe000), 4096, 4, ) == 0x0 00582 860 NtClose (92, ... 00583 484 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00582 860 NtClose ... ) == 0x0 00583 484 NtCreateEvent ... 92, ) == 0x0 00584 484 NtWaitForSingleObject (92, 0, 0x0, ... 00585 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 88, {1972, 748}, ) == 0x0 00586 928 NtQueryInformationThread (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1972,Tid=748,}, 0x0, ) == 0x0 00587 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57969, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\264\7\0\0\354\2\0\0" ... ... 00588 860 NtUnmapViewOfSection (-1, 0xb80000, ... ) == 0x0 00589 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0 00590 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00591 860 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00592 860 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00593 860 NtClose (96, ... ) == 0x0 00594 860 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 00587 928 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1972, 928, 57970, 0} ... {28, 56, reply, 0, 1972, 928, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\264\7\0\0\354\2\0\0" ) ) == 0x0 00595 928 NtResumeThread (88, ... 1, ) == 0x0 00596 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13369344, 1048576, ) == 0x0 00597 928 NtAllocateVirtualMemory (-1, 14409728, 0, 8192, 4096, 4, ... 14409728, 8192, ) == 0x0 00598 928 NtProtectVirtualMemory (-1, (0xdbe000), 4096, 260, ... (0xdbe000), 4096, 4, ) == 0x0 00599 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1972, 1580}, ) == 0x0 00600 928 NtQueryInformationThread (96, Basic, 28, ... 00601 860 NtClose (100, ... 00602 748 NtWaitForSingleObject (92, 0, 0x0, ... 00601 860 NtClose ... ) == 0x0 00603 860 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00604 860 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00605 860 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00606 860 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00600 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1972,Tid=1580,}, 0x0, ) == 0x0 00607 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57970, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\264\7\0\0,\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\264\7\0\0,\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57971, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\264\7\0\0,\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\264\7\0\0,\6\0\0" ) ) == 0x0 00608 928 NtResumeThread (96, ... 1, ) == 0x0 00609 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14417920, 1048576, ) == 0x0 00610 928 NtAllocateVirtualMemory (-1, 15458304, 0, 8192, 4096, 4, ... 
15458304, 8192, ) == 0x0 00611 928 NtProtectVirtualMemory (-1, (0xebe000), 4096, 260, ... (0xebe000), 4096, 4, ) == 0x0 00612 860 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00613 1580 NtWaitForSingleObject (92, 0, 0x0, ... 00612 860 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00614 860 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00615 860 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00616 860 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00617 860 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00618 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1972, 1756}, ) == 0x0 00619 928 NtQueryInformationThread (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1972,Tid=1756,}, 0x0, ) == 0x0 00620 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57971, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\264\7\0\0\334\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\264\7\0\0\334\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57972, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\264\7\0\0\334\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\264\7\0\0\334\6\0\0" ) ) == 0x0 00621 928 NtResumeThread (100, ... 1, ) == 0x0 00622 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15466496, 1048576, ) == 0x0 00623 928 NtAllocateVirtualMemory (-1, 16506880, 0, 8192, 4096, 4, ... 00624 860 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ... 00625 1756 NtWaitForSingleObject (92, 0, 0x0, ... 00624 860 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00626 860 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00627 860 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00628 860 NtSetEventBoostPriority (92, ... 00584 484 NtWaitForSingleObject ... ) == 0x0 00629 484 NtSetEventBoostPriority (92, ... 00602 748 NtWaitForSingleObject ... ) == 0x0 00630 748 NtSetEventBoostPriority (92, ... 00613 1580 NtWaitForSingleObject ... ) == 0x0 00631 1580 NtSetEventBoostPriority (92, ... 00625 1756 NtWaitForSingleObject ... ) == 0x0 00632 1756 NtTestAlert (... ) == 0x0 00631 1580 NtSetEventBoostPriority ... ) == 0x0 00630 748 NtSetEventBoostPriority ... ) == 0x0 00629 484 NtSetEventBoostPriority ... ) == 0x0 00628 860 NtSetEventBoostPriority ... ) == 0x0 00623 928 NtAllocateVirtualMemory ... 16506880, 8192, ) == 0x0 00633 1756 NtContinue (15465776, 1, ... 00634 1580 NtTestAlert (... 00635 748 NtTestAlert (... 00636 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00637 928 NtProtectVirtualMemory (-1, (0xfbe000), 4096, 260, ... 00638 1756 NtRegisterThreadTerminatePort (24, ... 00634 1580 NtTestAlert ... ) == 0x0 00635 748 NtTestAlert ... ) == 0x0 00636 860 NtCreateEvent ... 104, ) == 0x0 00637 928 NtProtectVirtualMemory ... (0xfbe000), 4096, 4, ) == 0x0 00638 1756 NtRegisterThreadTerminatePort ... ) == 0x0 00639 1580 NtContinue (14417200, 1, ... 00640 748 NtContinue (13368624, 1, ... 00641 860 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 00642 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00643 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00644 1580 NtRegisterThreadTerminatePort (24, ... 
00645 748 NtRegisterThreadTerminatePort (24, ... 00641 860 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00642 928 NtCreateThread ... 108, {1972, 1292}, ) == 0x0 00643 1756 NtDuplicateObject ... 112, ) == 0x0 00644 1580 NtRegisterThreadTerminatePort ... ) == 0x0 00645 748 NtRegisterThreadTerminatePort ... ) == 0x0 00646 484 NtTestAlert (... 00647 928 NtQueryInformationThread (108, Basic, 28, ... 00648 1756 NtWaitForSingleObject (64, 0, {0, 0}, ... 00649 1580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00650 748 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00646 484 NtTestAlert ... ) == 0x0 00651 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00647 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1972,Tid=1292,}, 0x0, ) == 0x0 00648 1756 NtWaitForSingleObject ... ) == 0x102 00649 1580 NtDuplicateObject ... 116, ) == 0x0 00652 484 NtContinue (12057904, 1, ... 00653 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57972, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\264\7\0\0\14\5\0\0" ... ... 00654 1756 NtAllocateVirtualMemory (-1, 15454208, 0, 4096, 4096, 260, ... 00655 1580 NtWaitForSingleObject (64, 0, {0, 0}, ... 00656 484 NtRegisterThreadTerminatePort (24, ... 00653 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57973, 0} ... {28, 56, reply, 0, 1972, 928, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\264\7\0\0\14\5\0\0" ) ) == 0x0 00654 1756 NtAllocateVirtualMemory ... 15454208, 4096, ) == 0x0 00655 1580 NtWaitForSingleObject ... ) == 0x102 00656 484 NtRegisterThreadTerminatePort ... ) == 0x0 00657 928 NtResumeThread (108, ... 00658 1756 NtWaitForSingleObject (92, 0, 0x0, ... 00659 1580 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00660 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00657 928 NtResumeThread ... 1, ) == 0x0 00659 1580 NtCreateEvent ... 
120, ) == 0x0 00650 748 NtDuplicateObject ... 124, ) == 0x0 00661 1292 NtWaitForSingleObject (92, 0, 0x0, ... 00660 484 NtDuplicateObject ... 128, ) == 0x0 00662 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00663 748 NtWaitForSingleObject (64, 0, {0, 0}, ... 00664 484 NtWaitForSingleObject (64, 0, {0, 0}, ... 00662 928 NtAllocateVirtualMemory ... 16515072, 1048576, ) == 0x0 00663 748 NtWaitForSingleObject ... ) == 0x102 00664 484 NtWaitForSingleObject ... ) == 0x102 00665 928 NtAllocateVirtualMemory (-1, 17555456, 0, 8192, 4096, 4, ... 00666 748 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00667 484 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00665 928 NtAllocateVirtualMemory ... 17555456, 8192, ) == 0x0 00666 748 NtCreateEvent ... 132, ) == 0x0 00667 484 NtCreateEvent ... 136, ) == 0x0 00668 928 NtProtectVirtualMemory (-1, (0x10be000), 4096, 260, ... 00669 1580 NtWaitForSingleObject (120, 0, 0x0, ... 00670 748 NtClose (132, ... 00668 928 NtProtectVirtualMemory ... (0x10be000), 4096, 4, ) == 0x0 00670 748 NtClose ... ) == 0x0 00671 484 NtClose (136, ... 00651 860 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00672 748 NtWaitForSingleObject (120, 0, 0x0, ... 00671 484 NtClose ... ) == 0x0 00673 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00674 484 NtWaitForSingleObject (120, 0, 0x0, ... 00675 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1972, 1956}, ) == 0x0 00676 928 NtQueryInformationThread (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1972,Tid=1956,}, 0x0, ) == 0x0 00677 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57973, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\264\7\0\0\244\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\264\7\0\0\244\7\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 57974, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\264\7\0\0\244\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\264\7\0\0\244\7\0\0" ) ) == 0x0 00678 928 NtResumeThread (136, ... 1, ) == 0x0 00679 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17563648, 1048576, ) == 0x0 00680 928 NtAllocateVirtualMemory (-1, 18604032, 0, 8192, 4096, 4, ... 00673 860 NtQueryAttributesFile ... ) == 0x0 00681 1956 NtWaitForSingleObject (92, 0, 0x0, ... 00682 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0 00683 860 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 132, ... 140, ) == 0x0 00684 860 NtQuerySection (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00685 860 NtClose (132, ... ) == 0x0 00686 860 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0 00687 860 NtClose (140, ... 00680 928 NtAllocateVirtualMemory ... 18604032, 8192, ) == 0x0 00688 928 NtProtectVirtualMemory (-1, (0x11be000), 4096, 260, ... (0x11be000), 4096, 4, ) == 0x0 00689 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1972, 1980}, ) == 0x0 00690 928 NtQueryInformationThread (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1972,Tid=1980,}, 0x0, ) == 0x0 00691 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57974, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\264\7\0\0\274\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\264\7\0\0\274\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57975, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\264\7\0\0\274\7\0\0" ... 
{28, 56, reply, 0, 1972, 928, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\264\7\0\0\274\7\0\0" ) ) == 0x0 00692 928 NtResumeThread (132, ... 1, ) == 0x0 00687 860 NtClose ... ) == 0x0 00693 1980 NtWaitForSingleObject (92, 0, 0x0, ... 00694 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00695 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00696 860 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00697 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00698 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00699 860 NtFlushInstructionCache (-1, 1714098176, 932, ... 00700 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18612224, 1048576, ) == 0x0 00701 928 NtAllocateVirtualMemory (-1, 19652608, 0, 8192, 4096, 4, ... 19652608, 8192, ) == 0x0 00702 928 NtProtectVirtualMemory (-1, (0x12be000), 4096, 260, ... (0x12be000), 4096, 4, ) == 0x0 00703 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1972, 1784}, ) == 0x0 00704 928 NtQueryInformationThread (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1972,Tid=1784,}, 0x0, ) == 0x0 00705 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57975, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\264\7\0\0\370\6\0\0" ... ... 00699 860 NtFlushInstructionCache ... ) == 0x0 00706 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00707 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00708 860 NtFlushInstructionCache (-1, 1714098176, 932, ... 00705 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57976, 0} ... 
{28, 56, reply, 0, 1972, 928, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\264\7\0\0\370\6\0\0" ) ) == 0x0 00709 928 NtResumeThread (140, ... 1, ) == 0x0 00710 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19660800, 1048576, ) == 0x0 00711 928 NtAllocateVirtualMemory (-1, 20701184, 0, 8192, 4096, 4, ... 20701184, 8192, ) == 0x0 00712 928 NtProtectVirtualMemory (-1, (0x13be000), 4096, 260, ... (0x13be000), 4096, 4, ) == 0x0 00713 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1972, 1480}, ) == 0x0 00714 928 NtQueryInformationThread (144, Basic, 28, ... 00708 860 NtFlushInstructionCache ... ) == 0x0 00715 1784 NtWaitForSingleObject (92, 0, 0x0, ... 00716 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00717 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00718 860 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00719 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00720 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00721 860 NtFlushInstructionCache (-1, 1714098176, 932, ... 00714 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1972,Tid=1480,}, 0x0, ) == 0x0 00722 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57976, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\264\7\0\0\310\5\0\0" ... {28, 56, reply, 0, 1972, 928, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\264\7\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57977, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\264\7\0\0\310\5\0\0" ... {28, 56, reply, 0, 1972, 928, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\264\7\0\0\310\5\0\0" ) ) == 0x0 00723 928 NtResumeThread (144, ... 
1, ) == 0x0 00724 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20709376, 1048576, ) == 0x0 00725 928 NtAllocateVirtualMemory (-1, 21749760, 0, 8192, 4096, 4, ... 21749760, 8192, ) == 0x0 00726 928 NtProtectVirtualMemory (-1, (0x14be000), 4096, 260, ... (0x14be000), 4096, 4, ) == 0x0 00721 860 NtFlushInstructionCache ... ) == 0x0 00727 1480 NtWaitForSingleObject (92, 0, 0x0, ... 00728 860 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00729 860 NtSetEventBoostPriority (92, ... 00658 1756 NtWaitForSingleObject ... ) == 0x0 00730 1756 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15461328, ... ) }, 15461328, ... ) == 0x0 00729 860 NtSetEventBoostPriority ... ) == 0x0 00731 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00732 860 NtWaitForSingleObject (92, 0, 0x0, ... 00731 928 NtCreateThread ... 148, {1972, 1556}, ) == 0x0 00733 1756 NtSetEventBoostPriority (92, ... 00734 928 NtQueryInformationThread (148, Basic, 28, ... 00661 1292 NtWaitForSingleObject ... ) == 0x0 00733 1756 NtSetEventBoostPriority ... ) == 0x0 00735 1292 NtSetEventBoostPriority (92, ... 00734 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1972,Tid=1556,}, 0x0, ) == 0x0 00681 1956 NtWaitForSingleObject ... ) == 0x0 00735 1292 NtSetEventBoostPriority ... ) == 0x0 00736 1756 NtWaitForSingleObject (92, 0, 0x0, ... 00737 1956 NtSetEventBoostPriority (92, ... 00738 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57977, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\264\7\0\0\24\6\0\0" ... ... 00693 1980 NtWaitForSingleObject ... ) == 0x0 00737 1956 NtSetEventBoostPriority ... ) == 0x0 00739 1980 NtSetEventBoostPriority (92, ... 
00738 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57978, 0} ... {28, 56, reply, 0, 1972, 928, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\264\7\0\0\24\6\0\0" ) ) == 0x0 00740 1292 NtTestAlert (... 00715 1784 NtWaitForSingleObject ... ) == 0x0 00739 1980 NtSetEventBoostPriority ... ) == 0x0 00741 928 NtResumeThread (148, ... 00742 1784 NtSetEventBoostPriority (92, ... 00740 1292 NtTestAlert ... ) == 0x0 00743 1956 NtTestAlert (... 00727 1480 NtWaitForSingleObject ... ) == 0x0 00742 1784 NtSetEventBoostPriority ... ) == 0x0 00741 928 NtResumeThread ... 1, ) == 0x0 00744 1292 NtContinue (16514352, 1, ... 00745 1480 NtSetEventBoostPriority (92, ... 00743 1956 NtTestAlert ... ) == 0x0 00746 1980 NtTestAlert (... 00747 1556 NtWaitForSingleObject (92, 0, 0x0, ... 00748 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00732 860 NtWaitForSingleObject ... ) == 0x0 00745 1480 NtSetEventBoostPriority ... ) == 0x0 00749 1292 NtRegisterThreadTerminatePort (24, ... 00750 1956 NtContinue (17562928, 1, ... 00746 1980 NtTestAlert ... ) == 0x0 00751 860 NtSetEventBoostPriority (92, ... 00748 928 NtAllocateVirtualMemory ... 21757952, 1048576, ) == 0x0 00752 1784 NtTestAlert (... 00749 1292 NtRegisterThreadTerminatePort ... ) == 0x0 00753 1956 NtRegisterThreadTerminatePort (24, ... 00736 1756 NtWaitForSingleObject ... ) == 0x0 00754 1980 NtContinue (18611504, 1, ... 00755 928 NtAllocateVirtualMemory (-1, 22798336, 0, 8192, 4096, 4, ... 00752 1784 NtTestAlert ... ) == 0x0 00756 1292 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00753 1956 NtRegisterThreadTerminatePort ... ) == 0x0 00757 1756 NtSetEventBoostPriority (92, ... 00758 1980 NtRegisterThreadTerminatePort (24, ... 00751 860 NtSetEventBoostPriority ... ) == 0x0 00759 1480 NtTestAlert (... 00760 1784 NtContinue (19660080, 1, ... 00755 928 NtAllocateVirtualMemory ... 22798336, 8192, ) == 0x0 00761 1956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00747 1556 NtWaitForSingleObject ... 
) == 0x0 00757 1756 NtSetEventBoostPriority ... ) == 0x0 00758 1980 NtRegisterThreadTerminatePort ... ) == 0x0 00762 860 NtWaitForSingleObject (92, 0, 0x0, ... 00759 1480 NtTestAlert ... ) == 0x0 00763 1784 NtRegisterThreadTerminatePort (24, ... 00764 928 NtProtectVirtualMemory (-1, (0x15be000), 4096, 260, ... 00756 1292 NtDuplicateObject ... 152, ) == 0x0 00765 1556 NtSetEventBoostPriority (92, ... 00761 1956 NtDuplicateObject ... 156, ) == 0x0 00766 1980 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00767 1480 NtContinue (20708656, 1, ... 00763 1784 NtRegisterThreadTerminatePort ... ) == 0x0 00764 928 NtProtectVirtualMemory ... (0x15be000), 4096, 4, ) == 0x0 00762 860 NtWaitForSingleObject ... ) == 0x0 00765 1556 NtSetEventBoostPriority ... ) == 0x0 00768 1292 NtWaitForSingleObject (64, 0, {0, 0}, ... 00769 1956 NtWaitForSingleObject (64, 0, {0, 0}, ... 00770 1756 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00771 1480 NtRegisterThreadTerminatePort (24, ... 00772 1784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00773 860 NtQuerySystemInformation (Basic, 44, ... 00774 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00766 1980 NtDuplicateObject ... 160, ) == 0x0 00768 1292 NtWaitForSingleObject ... ) == 0x102 00769 1956 NtWaitForSingleObject ... ) == 0x102 00770 1756 NtCreateEvent ... 164, ) == 0x0 00771 1480 NtRegisterThreadTerminatePort ... ) == 0x0 00775 1556 NtTestAlert (... 00773 860 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00774 928 NtCreateThread ... 168, {1972, 460}, ) == 0x0 00776 1980 NtWaitForSingleObject (64, 0, {0, 0}, ... 00777 1292 NtWaitForSingleObject (120, 0, 0x0, ... 00778 1956 NtWaitForSingleObject (120, 0, 0x0, ... 
00779 1756 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00780 1480 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00775 1556 NtTestAlert ... ) == 0x0 00772 1784 NtDuplicateObject ... 172, ) == 0x0 00781 928 NtQueryInformationThread (168, Basic, 28, ... 00776 1980 NtWaitForSingleObject ... ) == 0x102 00779 1756 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00782 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 00783 1556 NtContinue (21757232, 1, ... 00784 1784 NtWaitForSingleObject (64, 0, {0, 0}, ... 00780 1480 NtDuplicateObject ... 176, ) == 0x0 00785 1980 NtWaitForSingleObject (120, 0, 0x0, ... 00786 1756 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15461432, ... }, 15461432, ... 00782 860 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00787 1556 NtRegisterThreadTerminatePort (24, ... 00784 1784 NtWaitForSingleObject ... ) == 0x102 00788 1480 NtWaitForSingleObject (64, 0, {0, 0}, ... 00789 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 00787 1556 NtRegisterThreadTerminatePort ... ) == 0x0 00790 1784 NtWaitForSingleObject (120, 0, 0x0, ... 00788 1480 NtWaitForSingleObject ... ) == 0x102 00789 860 NtOpenKey ... 180, ) == 0x0 00791 1556 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00792 1480 NtWaitForSingleObject (120, 0, 0x0, ... 00793 860 NtQueryValueKey (180, (180, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 00781 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1972,Tid=460,}, 0x0, ) == 0x0 00793 860 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00794 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57978, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\264\7\0\0\314\1\0\0" ... ... 00791 1556 NtDuplicateObject ... 
184, ) == 0x0 00794 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57979, 0} ... {28, 56, reply, 0, 1972, 928, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\264\7\0\0\314\1\0\0" ) ) == 0x0 00795 1556 NtWaitForSingleObject (64, 0, {0, 0}, ... 00796 928 NtResumeThread (168, ... 00795 1556 NtWaitForSingleObject ... ) == 0x102 00796 928 NtResumeThread ... 1, ) == 0x0 00797 1556 NtWaitForSingleObject (120, 0, 0x0, ... 00798 860 NtClose (180, ... 00799 460 NtWaitForSingleObject (92, 0, 0x0, ... 00798 860 NtClose ... ) == 0x0 00800 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00801 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0 00802 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0 00803 860 NtQuerySystemTime (... {1464394398, 29916437}, ) == 0x0 00804 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 00805 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22806528, 1048576, ) == 0x0 00806 928 NtAllocateVirtualMemory (-1, 23846912, 0, 8192, 4096, 4, ... 23846912, 8192, ) == 0x0 00807 928 NtProtectVirtualMemory (-1, (0x16be000), 4096, 260, ... (0x16be000), 4096, 4, ) == 0x0 00808 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {1972, 1068}, ) == 0x0 00809 928 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1972,Tid=1068,}, 0x0, ) == 0x0 00810 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57979, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\264\7\0\0,\4\0\0" ... ... 00811 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00812 860 NtQuerySystemInformation (Performance, 312, ... 
{system info, class 2, size 312}, 0x0, ) == 0x0 00813 860 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00786 1756 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00810 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57980, 0} ... {28, 56, reply, 0, 1972, 928, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\264\7\0\0,\4\0\0" ) ) == 0x0 00814 1756 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15461432, ... }, 15461432, ... 00815 928 NtResumeThread (196, ... 00814 1756 NtQueryAttributesFile ... ) == 0x0 00815 928 NtResumeThread ... 1, ) == 0x0 00816 1756 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 00817 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00818 860 NtQueryInformationProcess (-1, VmCounters, 44, ... 00819 1068 NtWaitForSingleObject (92, 0, 0x0, ... 00817 928 NtAllocateVirtualMemory ... 23855104, 1048576, ) == 0x0 00818 860 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 00820 928 NtAllocateVirtualMemory (-1, 24895488, 0, 8192, 4096, 4, ... 00821 860 NtWaitForSingleObject (92, 0, 0x0, ... 00816 1756 NtOpenFile ... 200, {status=0x0, info=1}, ) == 0x0 00822 1756 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 00823 1756 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00824 1756 NtClose (200, ... ) == 0x0 00825 1756 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0 00820 928 NtAllocateVirtualMemory ... 24895488, 8192, ) == 0x0 00826 928 NtProtectVirtualMemory (-1, (0x17be000), 4096, 260, ... (0x17be000), 4096, 4, ) == 0x0 00827 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1972, 1856}, ) == 0x0 00828 928 NtQueryInformationThread (200, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1972,Tid=1856,}, 0x0, ) == 0x0 00829 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57980, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\264\7\0\0@\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\264\7\0\0@\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57981, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\264\7\0\0@\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\264\7\0\0@\7\0\0" ) ) == 0x0 00830 928 NtResumeThread (200, ... 1, ) == 0x0 00831 1756 NtClose (204, ... 00832 1856 NtWaitForSingleObject (92, 0, 0x0, ... 00831 1756 NtClose ... ) == 0x0 00833 1756 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00834 1756 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00835 1756 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00836 1756 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00837 1756 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00838 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24903680, 1048576, ) == 0x0 00839 928 NtAllocateVirtualMemory (-1, 25944064, 0, 8192, 4096, 4, ... 25944064, 8192, ) == 0x0 00840 928 NtProtectVirtualMemory (-1, (0x18be000), 4096, 260, ... (0x18be000), 4096, 4, ) == 0x0 00841 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1972, 1596}, ) == 0x0 00842 928 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1972,Tid=1596,}, 0x0, ) == 0x0 00843 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57981, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\264\7\0\0<\6\0\0" ... ... 
00844 1756 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00845 1756 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00846 1756 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00843 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57982, 0} ... {28, 56, reply, 0, 1972, 928, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\264\7\0\0<\6\0\0" ) ) == 0x0 00847 928 NtResumeThread (204, ... 1, ) == 0x0 00848 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25952256, 1048576, ) == 0x0 00849 928 NtAllocateVirtualMemory (-1, 26992640, 0, 8192, 4096, 4, ... 26992640, 8192, ) == 0x0 00850 928 NtProtectVirtualMemory (-1, (0x19be000), 4096, 260, ... (0x19be000), 4096, 4, ) == 0x0 00851 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1972, 1128}, ) == 0x0 00852 928 NtQueryInformationThread (208, Basic, 28, ... 00853 1756 NtFlushInstructionCache (-1, 1995575296, 616, ... 00854 1596 NtWaitForSingleObject (92, 0, 0x0, ... 00853 1756 NtFlushInstructionCache ... ) == 0x0 00855 1756 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00856 1756 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00857 1756 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00858 1756 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00859 1756 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00852 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1972,Tid=1128,}, 0x0, ) == 0x0 00860 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57982, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\264\7\0\0h\4\0\0" ... {28, 56, reply, 0, 1972, 928, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\264\7\0\0h\4\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 57983, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\264\7\0\0h\4\0\0" ... {28, 56, reply, 0, 1972, 928, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\264\7\0\0h\4\0\0" ) ) == 0x0 00861 928 NtResumeThread (208, ... 1, ) == 0x0 00862 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27000832, 1048576, ) == 0x0 00863 928 NtAllocateVirtualMemory (-1, 28041216, 0, 8192, 4096, 4, ... 28041216, 8192, ) == 0x0 00864 928 NtProtectVirtualMemory (-1, (0x1abe000), 4096, 260, ... (0x1abe000), 4096, 4, ) == 0x0 00865 1756 NtFlushInstructionCache (-1, 1995575296, 616, ... 00866 1128 NtWaitForSingleObject (92, 0, 0x0, ... 00865 1756 NtFlushInstructionCache ... ) == 0x0 00867 1756 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00868 1756 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00869 1756 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00870 1756 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 1756 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) , 0, ... 212, 2, ) == 0x0 00872 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1972, 1256}, ) == 0x0 00873 928 NtQueryInformationThread (216, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1972,Tid=1256,}, 0x0, ) == 0x0 00874 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57983, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\264\7\0\0\350\4\0\0" ... {28, 56, reply, 0, 1972, 928, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\264\7\0\0\350\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57984, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\264\7\0\0\350\4\0\0" ... {28, 56, reply, 0, 1972, 928, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\264\7\0\0\350\4\0\0" ) ) == 0x0 00875 928 NtResumeThread (216, ... 1, ) == 0x0 00876 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28049408, 1048576, ) == 0x0 00877 928 NtAllocateVirtualMemory (-1, 29089792, 0, 8192, 4096, 4, ... 00878 1756 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 00879 1256 NtWaitForSingleObject (92, 0, 0x0, ... 00878 1756 NtOpenKey ... 220, ) == 0x0 00880 1756 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00881 1756 NtQueryValueKey (220, (220, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 1756 NtQueryValueKey (212, (212, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 1756 NtQueryValueKey (220, (220, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00884 1756 NtQueryValueKey (212, (212, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00877 928 NtAllocateVirtualMemory ... 29089792, 8192, ) == 0x0 00885 928 NtProtectVirtualMemory (-1, (0x1bbe000), 4096, 260, ... (0x1bbe000), 4096, 4, ) == 0x0 00886 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1972, 220}, ) == 0x0 00887 928 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1972,Tid=220,}, 0x0, ) == 0x0 00888 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57984, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\264\7\0\0\334\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\264\7\0\0\334\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57985, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\264\7\0\0\334\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\264\7\0\0\334\0\0\0" ) ) == 0x0 00889 928 NtResumeThread (224, ... 1, ) == 0x0 00890 1756 NtQueryValueKey (220, (220, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 00891 220 NtWaitForSingleObject (92, 0, 0x0, ... 00890 1756 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00892 1756 NtQueryValueKey (212, (212, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 1756 NtQueryValueKey (220, (220, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 1756 NtQueryValueKey (212, (212, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 1756 NtQueryValueKey (220, (220, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00896 1756 NtQueryValueKey (220, (220, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00897 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29097984, 1048576, ) == 0x0 00898 928 NtAllocateVirtualMemory (-1, 30138368, 0, 8192, 4096, 4, ... 30138368, 8192, ) == 0x0 00899 928 NtProtectVirtualMemory (-1, (0x1cbe000), 4096, 260, ... (0x1cbe000), 4096, 4, ) == 0x0 00900 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1972, 1800}, ) == 0x0 00901 928 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1972,Tid=1800,}, 0x0, ) == 0x0 00902 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57985, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\264\7\0\0\10\7\0\0" ... ... 00903 1756 NtQueryValueKey (220, (220, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 1756 NtQueryValueKey (220, (220, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 1756 NtQueryValueKey (220, (220, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57986, 0} ... {28, 56, reply, 0, 1972, 928, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\264\7\0\0\10\7\0\0" ) ) == 0x0 00906 928 NtResumeThread (228, ... 1, ) == 0x0 00907 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30146560, 1048576, ) == 0x0 00908 928 NtAllocateVirtualMemory (-1, 31186944, 0, 8192, 4096, 4, ... 31186944, 8192, ) == 0x0 00909 928 NtProtectVirtualMemory (-1, (0x1dbe000), 4096, 260, ... (0x1dbe000), 4096, 4, ) == 0x0 00910 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1972, 1796}, ) == 0x0 00911 928 NtQueryInformationThread (232, Basic, 28, ... 00912 1756 NtQueryValueKey (220, (220, "UseEdns", Partial, 144, ... , Partial, 144, ... 00913 1800 NtWaitForSingleObject (92, 0, 0x0, ... 
00912 1756 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 1756 NtQueryValueKey (220, (220, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 1756 NtQueryValueKey (220, (220, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 1756 NtQueryValueKey (220, (220, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 1756 NtQueryValueKey (212, (212, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 1756 NtQueryValueKey (220, (220, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1972,Tid=1796,}, 0x0, ) == 0x0 00919 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57986, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\264\7\0\0\4\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\264\7\0\0\4\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57987, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\264\7\0\0\4\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\264\7\0\0\4\7\0\0" ) ) == 0x0 00920 928 NtResumeThread (232, ... 1, ) == 0x0 00921 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31195136, 1048576, ) == 0x0 00922 928 NtAllocateVirtualMemory (-1, 32235520, 0, 8192, 4096, 4, ... 32235520, 8192, ) == 0x0 00923 928 NtProtectVirtualMemory (-1, (0x1ebe000), 4096, 260, ... (0x1ebe000), 4096, 4, ) == 0x0 00924 1756 NtQueryValueKey (220, (220, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ... 00925 1796 NtWaitForSingleObject (92, 0, 0x0, ... 00924 1756 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00926 1756 NtQueryValueKey (212, (212, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 1756 NtQueryValueKey (220, (220, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 1756 NtQueryValueKey (212, (212, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 1756 NtQueryValueKey (220, (220, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 1756 NtQueryValueKey (212, (212, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1972, 1808}, ) == 0x0 00932 928 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1972,Tid=1808,}, 0x0, ) == 0x0 00933 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57987, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\264\7\0\0\20\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\264\7\0\0\20\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57988, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\264\7\0\0\20\7\0\0" ... {28, 56, reply, 0, 1972, 928, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\264\7\0\0\20\7\0\0" ) ) == 0x0 00934 928 NtResumeThread (236, ... 1, ) == 0x0 00935 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32243712, 1048576, ) == 0x0 00936 928 NtAllocateVirtualMemory (-1, 33284096, 0, 8192, 4096, 4, ... 00937 1756 NtQueryValueKey (220, (220, "RegistrationTtl", Partial, 144, ... , Partial, 144, ... 00938 1808 NtWaitForSingleObject (92, 0, 0x0, ... 00937 1756 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00939 1756 NtQueryValueKey (212, (212, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 1756 NtQueryValueKey (220, (220, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 1756 NtQueryValueKey (212, (212, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 1756 NtQueryValueKey (220, (220, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 1756 NtQueryValueKey (212, (212, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 928 NtAllocateVirtualMemory ... 33284096, 8192, ) == 0x0 00944 928 NtProtectVirtualMemory (-1, (0x1fbe000), 4096, 260, ... (0x1fbe000), 4096, 4, ) == 0x0 00945 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1972, 1700}, ) == 0x0 00946 928 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1972,Tid=1700,}, 0x0, ) == 0x0 00947 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57988, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\264\7\0\0\244\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\264\7\0\0\244\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57989, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\264\7\0\0\244\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\264\7\0\0\244\6\0\0" ) ) == 0x0 00948 928 NtResumeThread (240, ... 1, ) == 0x0 00949 1756 NtQueryValueKey (220, (220, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ... 00950 1700 NtWaitForSingleObject (92, 0, 0x0, ... 00949 1756 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00951 1756 NtQueryValueKey (212, (212, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 1756 NtQueryValueKey (220, (220, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 1756 NtQueryValueKey (220, (220, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 1756 NtQueryValueKey (220, (220, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 1756 NtQueryValueKey (220, (220, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33292288, 1048576, ) == 0x0 00957 928 NtAllocateVirtualMemory (-1, 34332672, 0, 8192, 4096, 4, ... 34332672, 8192, ) == 0x0 00958 928 NtProtectVirtualMemory (-1, (0x20be000), 4096, 260, ... (0x20be000), 4096, 4, ) == 0x0 00959 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1972, 1156}, ) == 0x0 00960 928 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1972,Tid=1156,}, 0x0, ) == 0x0 00961 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57989, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\264\7\0\0\204\4\0\0" ... ... 00962 1756 NtQueryValueKey (220, (220, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 1756 NtQueryValueKey (220, (220, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 1756 NtQueryValueKey (220, (220, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57990, 0} ... 
{28, 56, reply, 0, 1972, 928, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\264\7\0\0\204\4\0\0" ) ) == 0x0 00965 928 NtResumeThread (244, ... 1, ) == 0x0 00966 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34340864, 1048576, ) == 0x0 00967 928 NtAllocateVirtualMemory (-1, 35381248, 0, 8192, 4096, 4, ... 35381248, 8192, ) == 0x0 00968 928 NtProtectVirtualMemory (-1, (0x21be000), 4096, 260, ... (0x21be000), 4096, 4, ) == 0x0 00969 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1972, 712}, ) == 0x0 00970 928 NtQueryInformationThread (248, Basic, 28, ... 00971 1756 NtQueryValueKey (220, (220, "ServerPriorityTimeLimit", Partial, 144, ... , Partial, 144, ... 00972 1156 NtWaitForSingleObject (92, 0, 0x0, ... 00971 1756 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 1756 NtQueryValueKey (220, (220, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 1756 NtQueryValueKey (220, (220, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 1756 NtQueryValueKey (220, (220, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 1756 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 252, ) }, ... 252, ) == 0x0 00977 1756 NtQueryValueKey (252, (252, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00970 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1972,Tid=712,}, 0x0, ) == 0x0 00978 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57990, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\264\7\0\0\310\2\0\0" ... 
{28, 56, reply, 0, 1972, 928, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\264\7\0\0\310\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57991, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\264\7\0\0\310\2\0\0" ... {28, 56, reply, 0, 1972, 928, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\264\7\0\0\310\2\0\0" ) ) == 0x0 00979 928 NtResumeThread (248, ... 1, ) == 0x0 00980 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35389440, 1048576, ) == 0x0 00981 928 NtAllocateVirtualMemory (-1, 36429824, 0, 8192, 4096, 4, ... 36429824, 8192, ) == 0x0 00982 928 NtProtectVirtualMemory (-1, (0x22be000), 4096, 260, ... (0x22be000), 4096, 4, ) == 0x0 00983 1756 NtClose (252, ... 00984 712 NtWaitForSingleObject (92, 0, 0x0, ... 00983 1756 NtClose ... ) == 0x0 00985 1756 NtClose (212, ... ) == 0x0 00986 1756 NtClose (220, ... ) == 0x0 00987 1756 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 220, ) }, ... 220, ) == 0x0 00988 1756 NtQueryValueKey (220, (220, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00989 1756 NtQueryValueKey (220, (220, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00990 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1972, 1728}, ) == 0x0 00991 928 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1972,Tid=1728,}, 0x0, ) == 0x0 00992 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57991, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\264\7\0\0\300\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\264\7\0\0\300\6\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 57992, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\264\7\0\0\300\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\264\7\0\0\300\6\0\0" ) ) == 0x0 00993 928 NtResumeThread (212, ... 1, ) == 0x0 00994 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36438016, 1048576, ) == 0x0 00995 928 NtAllocateVirtualMemory (-1, 37478400, 0, 8192, 4096, 4, ... 00996 1756 NtQueryValueKey (220, (220, "DnsMulticastQueryTimeouts", Partial, 144, ... , Partial, 144, ... 00997 1728 NtWaitForSingleObject (92, 0, 0x0, ... 00996 1756 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00998 1756 NtClose (220, ... ) == 0x0 00999 1756 NtSetEventBoostPriority (92, ... 00799 460 NtWaitForSingleObject ... ) == 0x0 01000 460 NtSetEventBoostPriority (92, ... 00819 1068 NtWaitForSingleObject ... ) == 0x0 01001 1068 NtSetEventBoostPriority (92, ... 00821 860 NtWaitForSingleObject ... ) == 0x0 01002 860 NtSetEventBoostPriority (92, ... 00832 1856 NtWaitForSingleObject ... ) == 0x0 01003 1856 NtSetEventBoostPriority (92, ... 00854 1596 NtWaitForSingleObject ... ) == 0x0 01004 1596 NtSetEventBoostPriority (92, ... 00866 1128 NtWaitForSingleObject ... ) == 0x0 01005 1128 NtSetEventBoostPriority (92, ... 00879 1256 NtWaitForSingleObject ... ) == 0x0 01006 1256 NtSetEventBoostPriority (92, ... 00891 220 NtWaitForSingleObject ... ) == 0x0 01007 220 NtSetEventBoostPriority (92, ... 00913 1800 NtWaitForSingleObject ... ) == 0x0 01008 1800 NtSetEventBoostPriority (92, ... 00925 1796 NtWaitForSingleObject ... ) == 0x0 01009 1796 NtSetEventBoostPriority (92, ... 00938 1808 NtWaitForSingleObject ... ) == 0x0 01010 1808 NtSetEventBoostPriority (92, ... 00950 1700 NtWaitForSingleObject ... ) == 0x0 01011 1700 NtSetEventBoostPriority (92, ... 00972 1156 NtWaitForSingleObject ... ) == 0x0 01012 1156 NtSetEventBoostPriority (92, ... 00984 712 NtWaitForSingleObject ... 
) == 0x0 01013 712 NtSetEventBoostPriority (92, ... 00997 1728 NtWaitForSingleObject ... ) == 0x0 01014 1728 NtAllocateVirtualMemory (-1, 8802304, 0, 4096, 4096, 4, ... 8802304, 4096, ) == 0x0 01013 712 NtSetEventBoostPriority ... ) == 0x0 01012 1156 NtSetEventBoostPriority ... ) == 0x0 01011 1700 NtSetEventBoostPriority ... ) == 0x0 01010 1808 NtSetEventBoostPriority ... ) == 0x0 01009 1796 NtSetEventBoostPriority ... ) == 0x0 01008 1800 NtSetEventBoostPriority ... ) == 0x0 01007 220 NtSetEventBoostPriority ... ) == 0x0 01006 1256 NtSetEventBoostPriority ... ) == 0x0 01005 1128 NtSetEventBoostPriority ... ) == 0x0 01004 1596 NtSetEventBoostPriority ... ) == 0x0 01003 1856 NtSetEventBoostPriority ... ) == 0x0 01002 860 NtSetEventBoostPriority ... ) == 0x0 01001 1068 NtSetEventBoostPriority ... ) == 0x0 01000 460 NtSetEventBoostPriority ... ) == 0x0 00999 1756 NtSetEventBoostPriority ... ) == 0x0 00995 928 NtAllocateVirtualMemory ... 37478400, 8192, ) == 0x0 01015 1728 NtTestAlert (... 01016 712 NtTestAlert (... 01017 1156 NtTestAlert (... 01018 1700 NtTestAlert (... 01019 1808 NtTestAlert (... 01020 1796 NtTestAlert (... 01021 1800 NtTestAlert (... 01022 220 NtTestAlert (... 01023 1256 NtTestAlert (... 01024 1128 NtTestAlert (... 01025 1596 NtTestAlert (... 01026 1856 NtTestAlert (... 01027 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01028 1068 NtTestAlert (... 01029 460 NtTestAlert (... 01030 928 NtProtectVirtualMemory (-1, (0x23be000), 4096, 260, ... 01015 1728 NtTestAlert ... ) == 0x0 01016 712 NtTestAlert ... ) == 0x0 01017 1156 NtTestAlert ... ) == 0x0 01018 1700 NtTestAlert ... ) == 0x0 01019 1808 NtTestAlert ... ) == 0x0 01020 1796 NtTestAlert ... ) == 0x0 01021 1800 NtTestAlert ... ) == 0x0 01022 220 NtTestAlert ... ) == 0x0 01023 1256 NtTestAlert ... ) == 0x0 01024 1128 NtTestAlert ... ) == 0x0 01025 1596 NtTestAlert ... ) == 0x0 01026 1856 NtTestAlert ... ) == 0x0 01027 860 NtCreateEvent ... 220, ) == 0x0 01028 1068 NtTestAlert ... 
) == 0x0 01029 460 NtTestAlert ... ) == 0x0 01030 928 NtProtectVirtualMemory ... (0x23be000), 4096, 4, ) == 0x0 01031 1728 NtContinue (36437296, 1, ... 01032 712 NtContinue (35388720, 1, ... 01033 1156 NtContinue (34340144, 1, ... 01034 1700 NtContinue (33291568, 1, ... 01035 1808 NtContinue (32242992, 1, ... 01036 1796 NtContinue (31194416, 1, ... 01037 1800 NtContinue (30145840, 1, ... 01038 220 NtContinue (29097264, 1, ... 01039 1256 NtContinue (28048688, 1, ... 01040 1128 NtContinue (27000112, 1, ... 01041 1596 NtContinue (25951536, 1, ... 01042 1856 NtContinue (24902960, 1, ... 01043 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01044 1068 NtContinue (23854384, 1, ... 01045 460 NtContinue (22805808, 1, ... 01046 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01047 1728 NtRegisterThreadTerminatePort (24, ... 01048 712 NtRegisterThreadTerminatePort (24, ... 01049 1156 NtRegisterThreadTerminatePort (24, ... 01050 1700 NtRegisterThreadTerminatePort (24, ... 01051 1808 NtRegisterThreadTerminatePort (24, ... 01052 1796 NtRegisterThreadTerminatePort (24, ... 01053 1800 NtRegisterThreadTerminatePort (24, ... 01054 220 NtRegisterThreadTerminatePort (24, ... 01055 1256 NtRegisterThreadTerminatePort (24, ... 01056 1128 NtRegisterThreadTerminatePort (24, ... 01057 1596 NtRegisterThreadTerminatePort (24, ... 01058 1856 NtRegisterThreadTerminatePort (24, ... 01043 860 NtDuplicateObject ... 252, ) == 0x0 01059 1068 NtRegisterThreadTerminatePort (24, ... 01060 460 NtRegisterThreadTerminatePort (24, ... 01046 928 NtCreateThread ... 256, {1972, 1356}, ) == 0x0 01047 1728 NtRegisterThreadTerminatePort ... ) == 0x0 01048 712 NtRegisterThreadTerminatePort ... ) == 0x0 01049 1156 NtRegisterThreadTerminatePort ... ) == 0x0 01050 1700 NtRegisterThreadTerminatePort ... ) == 0x0 01051 1808 NtRegisterThreadTerminatePort ... ) == 0x0 01052 1796 NtRegisterThreadTerminatePort ... ) == 0x0 01053 1800 NtRegisterThreadTerminatePort ... 
) == 0x0 01054 220 NtRegisterThreadTerminatePort ... ) == 0x0 01055 1256 NtRegisterThreadTerminatePort ... ) == 0x0 01056 1128 NtRegisterThreadTerminatePort ... ) == 0x0 01057 1596 NtRegisterThreadTerminatePort ... ) == 0x0 01058 1856 NtRegisterThreadTerminatePort ... ) == 0x0 01061 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01059 1068 NtRegisterThreadTerminatePort ... ) == 0x0 01060 460 NtRegisterThreadTerminatePort ... ) == 0x0 01062 928 NtQueryInformationThread (256, Basic, 28, ... 01063 1728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01064 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01065 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01066 1700 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01067 1808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01068 1796 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01069 1800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01070 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01071 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01072 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01073 1596 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01074 1856 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01061 860 NtOpenKey ... 260, ) == 0x0 01075 1068 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01076 460 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01077 1756 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01062 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1972,Tid=1356,}, 0x0, ) == 0x0 01063 1728 NtDuplicateObject ... 264, ) == 0x0 01064 712 NtDuplicateObject ... 268, ) == 0x0 01065 1156 NtDuplicateObject ... 272, ) == 0x0 01066 1700 NtDuplicateObject ... 276, ) == 0x0 01067 1808 NtDuplicateObject ... 280, ) == 0x0 01068 1796 NtDuplicateObject ... 284, ) == 0x0 01069 1800 NtDuplicateObject ... 288, ) == 0x0 01070 220 NtDuplicateObject ... 292, ) == 0x0 01071 1256 NtDuplicateObject ... 
296, ) == 0x0 01072 1128 NtDuplicateObject ... 300, ) == 0x0 01073 1596 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01074 1856 NtCreateEvent ... 304, ) == 0x0 01078 860 NtQueryValueKey (260, (260, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01075 1068 NtCreateEvent ... 308, ) == 0x0 01077 1756 NtCreateEvent ... 312, ) == 0x0 01079 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57992, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\264\7\0\0L\5\0\0" ... ... 01080 1728 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01081 712 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01082 1156 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01083 1700 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01084 1808 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01085 1796 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01086 1800 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01087 220 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01088 1256 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01089 1128 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01090 1596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01091 1856 NtWaitForSingleObject (304, 0, 0x0, ... 01078 860 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01092 1068 NtClose (308, ... 01093 1756 NtClose (312, ... 01079 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57993, 0} ... {28, 56, reply, 0, 1972, 928, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\264\7\0\0L\5\0\0" ) ) == 0x0 01080 1728 NtCreateEvent ... 316, ) == 0x0 01081 712 NtCreateEvent ... 320, ) == 0x0 01082 1156 NtCreateEvent ... 324, ) == 0x0 01083 1700 NtCreateEvent ... 328, ) == 0x0 01084 1808 NtCreateEvent ... 332, ) == 0x0 01085 1796 NtCreateEvent ... 336, ) == 0x0 01086 1800 NtCreateEvent ... 340, ) == 0x0 01087 220 NtCreateEvent ... 344, ) == 0x0 01088 1256 NtCreateEvent ... 348, ) == 0x0 01089 1128 NtCreateEvent ... 352, ) == 0x0 01090 1596 NtCreateEvent ... 356, ) == 0x0 01094 860 NtClose (260, ... 01092 1068 NtClose ... 
) == 0x0 01093 1756 NtClose ... ) == 0x0 01095 928 NtResumeThread (256, ... 01096 1728 NtClose (316, ... 01097 712 NtClose (320, ... 01098 1156 NtClose (324, ... 01099 1700 NtClose (328, ... 01100 1808 NtClose (332, ... 01101 1796 NtClose (336, ... 01102 1800 NtClose (340, ... 01103 220 NtClose (344, ... 01104 1256 NtClose (348, ... 01105 1128 NtClose (352, ... 01106 1596 NtClose (356, ... 01094 860 NtClose ... ) == 0x0 01107 1068 NtWaitForSingleObject (304, 0, 0x0, ... 01108 1756 NtWaitForSingleObject (304, 0, 0x0, ... 01095 928 NtResumeThread ... 1, ) == 0x0 01096 1728 NtClose ... ) == 0x0 01097 712 NtClose ... ) == 0x0 01098 1156 NtClose ... ) == 0x0 01099 1700 NtClose ... ) == 0x0 01100 1808 NtClose ... ) == 0x0 01101 1796 NtClose ... ) == 0x0 01102 1800 NtClose ... ) == 0x0 01103 220 NtClose ... ) == 0x0 01104 1256 NtClose ... ) == 0x0 01105 1128 NtClose ... ) == 0x0 01106 1596 NtClose ... ) == 0x0 01109 860 NtWaitForSingleObject (304, 0, 0x0, ... 01076 460 NtCreateEvent ... 356, ) == 0x0 01110 1356 NtTestAlert (... 01111 1728 NtWaitForSingleObject (304, 0, 0x0, ... 01112 712 NtWaitForSingleObject (304, 0, 0x0, ... 01113 1156 NtWaitForSingleObject (304, 0, 0x0, ... 01114 1700 NtWaitForSingleObject (304, 0, 0x0, ... 01115 1808 NtWaitForSingleObject (304, 0, 0x0, ... 01116 1796 NtWaitForSingleObject (304, 0, 0x0, ... 01117 1800 NtWaitForSingleObject (304, 0, 0x0, ... 01118 220 NtWaitForSingleObject (304, 0, 0x0, ... 01119 1256 NtWaitForSingleObject (304, 0, 0x0, ... 01120 1128 NtWaitForSingleObject (304, 0, 0x0, ... 01121 1596 NtSetEventBoostPriority (304, ... 01122 460 NtClose (356, ... 01110 1356 NtTestAlert ... ) == 0x0 01123 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01122 460 NtClose ... ) == 0x0 01124 1356 NtContinue (37485872, 1, ... 01123 928 NtAllocateVirtualMemory ... 37486592, 1048576, ) == 0x0 01125 460 NtWaitForSingleObject (304, 0, 0x0, ... 01126 1356 NtRegisterThreadTerminatePort (24, ... 
01127 928 NtAllocateVirtualMemory (-1, 38526976, 0, 8192, 4096, 4, ... 01126 1356 NtRegisterThreadTerminatePort ... ) == 0x0 01127 928 NtAllocateVirtualMemory ... 38526976, 8192, ) == 0x0 01091 1856 NtWaitForSingleObject ... ) == 0x0 01121 1596 NtSetEventBoostPriority ... ) == 0x0 01128 928 NtProtectVirtualMemory (-1, (0x24be000), 4096, 260, ... 01129 1856 NtSetEventBoostPriority (304, ... 01130 1596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01128 928 NtProtectVirtualMemory ... (0x24be000), 4096, 4, ) == 0x0 01107 1068 NtWaitForSingleObject ... ) == 0x0 01129 1856 NtSetEventBoostPriority ... ) == 0x0 01130 1596 NtDuplicateObject ... 356, ) == 0x0 01131 1356 NtWaitForSingleObject (304, 0, 0x0, ... 01132 1068 NtSetEventBoostPriority (304, ... 01133 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01134 1596 NtWaitForSingleObject (304, 0, 0x0, ... 01108 1756 NtWaitForSingleObject ... ) == 0x0 01132 1068 NtSetEventBoostPriority ... ) == 0x0 01133 928 NtCreateThread ... 352, {1972, 1536}, ) == 0x0 01135 1756 NtSetEventBoostPriority (304, ... 01136 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01109 860 NtWaitForSingleObject ... ) == 0x0 01135 1756 NtSetEventBoostPriority ... ) == 0x0 01137 928 NtQueryInformationThread (352, Basic, 28, ... 01138 860 NtSetEventBoostPriority (304, ... 01136 1856 NtDuplicateObject ... 348, ) == 0x0 01139 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01111 1728 NtWaitForSingleObject ... ) == 0x0 01138 860 NtSetEventBoostPriority ... ) == 0x0 01137 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1972,Tid=1536,}, 0x0, ) == 0x0 01140 1856 NtWaitForSingleObject (304, 0, 0x0, ... 01141 1728 NtSetEventBoostPriority (304, ... 01139 1068 NtDuplicateObject ... 344, ) == 0x0 01142 1756 NtWaitForSingleObject (304, 0, 0x0, ... 
01143 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57993, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\264\7\0\0\0\6\0\0" ... ... 01112 712 NtWaitForSingleObject ... ) == 0x0 01144 1068 NtWaitForSingleObject (304, 0, 0x0, ... 01145 712 NtSetEventBoostPriority (304, ... 01113 1156 NtWaitForSingleObject ... ) == 0x0 01146 1156 NtSetEventBoostPriority (304, ... 01114 1700 NtWaitForSingleObject ... ) == 0x0 01147 1700 NtSetEventBoostPriority (304, ... 01115 1808 NtWaitForSingleObject ... ) == 0x0 01148 1808 NtSetEventBoostPriority (304, ... 01116 1796 NtWaitForSingleObject ... ) == 0x0 01149 1796 NtSetEventBoostPriority (304, ... 01117 1800 NtWaitForSingleObject ... ) == 0x0 01150 1800 NtSetEventBoostPriority (304, ... 01118 220 NtWaitForSingleObject ... ) == 0x0 01151 220 NtSetEventBoostPriority (304, ... 01119 1256 NtWaitForSingleObject ... ) == 0x0 01152 1256 NtSetEventBoostPriority (304, ... 01120 1128 NtWaitForSingleObject ... ) == 0x0 01153 1128 NtSetEventBoostPriority (304, ... 01125 460 NtWaitForSingleObject ... ) == 0x0 01154 460 NtSetEventBoostPriority (304, ... 01131 1356 NtWaitForSingleObject ... ) == 0x0 01155 1356 NtSetEventBoostPriority (304, ... 01134 1596 NtWaitForSingleObject ... ) == 0x0 01156 1596 NtSetEventBoostPriority (304, ... 01140 1856 NtWaitForSingleObject ... ) == 0x0 01157 1856 NtSetEventBoostPriority (304, ... 01142 1756 NtWaitForSingleObject ... ) == 0x0 01158 1756 NtSetEventBoostPriority (304, ... 01144 1068 NtWaitForSingleObject ... ) == 0x0 01159 1068 NtWaitForSingleObject (64, 0, {0, 0}, ... 01158 1756 NtSetEventBoostPriority ... ) == 0x0 01160 1756 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01157 1856 NtSetEventBoostPriority ... ) == 0x0 01156 1596 NtSetEventBoostPriority ... ) == 0x0 01155 1356 NtSetEventBoostPriority ... ) == 0x0 01154 460 NtSetEventBoostPriority ... ) == 0x0 01153 1128 NtSetEventBoostPriority ... ) == 0x0 01152 1256 NtSetEventBoostPriority ... 
) == 0x0 01151 220 NtSetEventBoostPriority ... ) == 0x0 01150 1800 NtSetEventBoostPriority ... ) == 0x0 01149 1796 NtSetEventBoostPriority ... ) == 0x0 01148 1808 NtSetEventBoostPriority ... ) == 0x0 01147 1700 NtSetEventBoostPriority ... ) == 0x0 01146 1156 NtSetEventBoostPriority ... ) == 0x0 01145 712 NtSetEventBoostPriority ... ) == 0x0 01141 1728 NtSetEventBoostPriority ... ) == 0x0 01161 860 NtOpenThreadToken (-2, 0xc, 1, ... 01143 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57994, 0} ... {28, 56, reply, 0, 1972, 928, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\264\7\0\0\0\6\0\0" ) ) == 0x0 01159 1068 NtWaitForSingleObject ... ) == 0x102 01160 1756 NtCreateEvent ... 340, ) == 0x0 01162 1856 NtWaitForSingleObject (64, 0, {0, 0}, ... 01163 1356 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01164 1596 NtWaitForSingleObject (64, 0, {0, 0}, ... 01165 1128 NtWaitForSingleObject (64, 0, {0, 0}, ... 01166 1256 NtWaitForSingleObject (64, 0, {0, 0}, ... 01167 220 NtWaitForSingleObject (64, 0, {0, 0}, ... 01168 1800 NtWaitForSingleObject (64, 0, {0, 0}, ... 01169 1796 NtWaitForSingleObject (64, 0, {0, 0}, ... 01170 1808 NtWaitForSingleObject (64, 0, {0, 0}, ... 01171 1700 NtWaitForSingleObject (64, 0, {0, 0}, ... 01172 1156 NtWaitForSingleObject (64, 0, {0, 0}, ... 01173 712 NtWaitForSingleObject (64, 0, {0, 0}, ... 01174 1728 NtWaitForSingleObject (64, 0, {0, 0}, ... 01161 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01175 928 NtResumeThread (352, ... 01176 1068 NtWaitForSingleObject (120, 0, 0x0, ... 01177 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01162 1856 NtWaitForSingleObject ... ) == 0x102 01178 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01164 1596 NtWaitForSingleObject ... ) == 0x102 01179 860 NtOpenThreadToken (-2, 0x20008, 1, ... 01175 928 NtResumeThread ... 1, ) == 0x0 01177 1756 NtDuplicateObject ... 336, ) == 0x0 01180 1856 NtWaitForSingleObject (120, 0, 0x0, ... 01178 460 NtDuplicateObject ... 
332, ) == 0x0 01181 1596 NtWaitForSingleObject (120, 0, 0x0, ... 01179 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01182 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01183 1756 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 01184 460 NtWaitForSingleObject (304, 0, 0x0, ... 01185 860 NtWaitForSingleObject (304, 0, 0x0, ... 01182 928 NtAllocateVirtualMemory ... 38535168, 1048576, ) == 0x0 01183 1756 NtAllocateVirtualMemory ... 1372160, 4096, ) == 0x0 01186 928 NtAllocateVirtualMemory (-1, 39575552, 0, 8192, 4096, 4, ... 01187 1756 NtSetEventBoostPriority (304, ... 01163 1356 NtDuplicateObject ... 328, ) == 0x0 01165 1128 NtWaitForSingleObject ... ) == 0x102 01166 1256 NtWaitForSingleObject ... ) == 0x102 01167 220 NtWaitForSingleObject ... ) == 0x102 01168 1800 NtWaitForSingleObject ... ) == 0x102 01169 1796 NtWaitForSingleObject ... ) == 0x102 01170 1808 NtWaitForSingleObject ... ) == 0x102 01171 1700 NtWaitForSingleObject ... ) == 0x102 01172 1156 NtWaitForSingleObject ... ) == 0x102 01173 712 NtWaitForSingleObject ... ) == 0x102 01174 1728 NtWaitForSingleObject ... ) == 0x102 01188 1536 NtTestAlert (... 01186 928 NtAllocateVirtualMemory ... 39575552, 8192, ) == 0x0 01189 1356 NtWaitForSingleObject (304, 0, 0x0, ... 01190 1128 NtWaitForSingleObject (304, 0, 0x0, ... 01191 1256 NtWaitForSingleObject (304, 0, 0x0, ... 01192 220 NtWaitForSingleObject (304, 0, 0x0, ... 01193 1800 NtWaitForSingleObject (304, 0, 0x0, ... 01194 1796 NtWaitForSingleObject (304, 0, 0x0, ... 01195 1808 NtWaitForSingleObject (304, 0, 0x0, ... 01196 1700 NtWaitForSingleObject (304, 0, 0x0, ... 01197 1156 NtWaitForSingleObject (304, 0, 0x0, ... 01198 712 NtWaitForSingleObject (304, 0, 0x0, ... 01199 1728 NtWaitForSingleObject (304, 0, 0x0, ... 01188 1536 NtTestAlert ... ) == 0x0 01200 928 NtProtectVirtualMemory (-1, (0x25be000), 4096, 260, ... 01201 1536 NtContinue (38534448, 1, ... 01200 928 NtProtectVirtualMemory ... 
(0x25be000), 4096, 4, ) == 0x0 01202 1536 NtRegisterThreadTerminatePort (24, ... 01203 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01202 1536 NtRegisterThreadTerminatePort ... ) == 0x0 01203 928 NtCreateThread ... 324, {1972, 444}, ) == 0x0 01184 460 NtWaitForSingleObject ... ) == 0x0 01187 1756 NtSetEventBoostPriority ... ) == 0x0 01204 928 NtQueryInformationThread (324, Basic, 28, ... 01205 460 NtSetEventBoostPriority (304, ... 01206 1756 NtWaitForSingleObject (304, 0, 0x0, ... 01207 1536 NtWaitForSingleObject (304, 0, 0x0, ... 01185 860 NtWaitForSingleObject ... ) == 0x0 01205 460 NtSetEventBoostPriority ... ) == 0x0 01208 860 NtSetEventBoostPriority (304, ... 01204 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1972,Tid=444,}, 0x0, ) == 0x0 01189 1356 NtWaitForSingleObject ... ) == 0x0 01208 860 NtSetEventBoostPriority ... ) == 0x0 01209 1356 NtSetEventBoostPriority (304, ... 01210 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57994, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\264\7\0\0\274\1\0\0" ... ... 01211 460 NtWaitForSingleObject (304, 0, 0x0, ... 01190 1128 NtWaitForSingleObject ... ) == 0x0 01209 1356 NtSetEventBoostPriority ... ) == 0x0 01210 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57995, 0} ... {28, 56, reply, 0, 1972, 928, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\264\7\0\0\274\1\0\0" ) ) == 0x0 01212 1128 NtSetEventBoostPriority (304, ... 01213 860 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01191 1256 NtWaitForSingleObject ... ) == 0x0 01212 1128 NtSetEventBoostPriority ... ) == 0x0 01214 928 NtResumeThread (324, ... 01215 1256 NtSetEventBoostPriority (304, ... 01213 860 NtCreateEvent ... 320, ) == 0x0 01216 1356 NtWaitForSingleObject (304, 0, 0x0, ... 01192 220 NtWaitForSingleObject ... ) == 0x0 01215 1256 NtSetEventBoostPriority ... ) == 0x0 01214 928 NtResumeThread ... 
1, ) == 0x0 01217 860 NtWaitForSingleObject (320, 0, 0x0, ... 01218 220 NtSetEventBoostPriority (304, ... 01219 1128 NtWaitForSingleObject (120, 0, 0x0, ... 01220 444 NtTestAlert (... 01221 1256 NtWaitForSingleObject (120, 0, 0x0, ... 01193 1800 NtWaitForSingleObject ... ) == 0x0 01218 220 NtSetEventBoostPriority ... ) == 0x0 01220 444 NtTestAlert ... ) == 0x0 01222 1800 NtSetEventBoostPriority (304, ... 01223 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01194 1796 NtWaitForSingleObject ... ) == 0x0 01222 1800 NtSetEventBoostPriority ... ) == 0x0 01224 444 NtContinue (39583024, 1, ... 01225 1796 NtSetEventBoostPriority (304, ... 01223 928 NtAllocateVirtualMemory ... 39583744, 1048576, ) == 0x0 01226 220 NtWaitForSingleObject (120, 0, 0x0, ... 01195 1808 NtWaitForSingleObject ... ) == 0x0 01225 1796 NtSetEventBoostPriority ... ) == 0x0 01227 444 NtRegisterThreadTerminatePort (24, ... 01228 928 NtAllocateVirtualMemory (-1, 40624128, 0, 8192, 4096, 4, ... 01229 1808 NtSetEventBoostPriority (304, ... 01230 1800 NtWaitForSingleObject (120, 0, 0x0, ... 01227 444 NtRegisterThreadTerminatePort ... ) == 0x0 01196 1700 NtWaitForSingleObject ... ) == 0x0 01229 1808 NtSetEventBoostPriority ... ) == 0x0 01228 928 NtAllocateVirtualMemory ... 40624128, 8192, ) == 0x0 01231 1796 NtWaitForSingleObject (120, 0, 0x0, ... 01232 1700 NtSetEventBoostPriority (304, ... 01233 444 NtWaitForSingleObject (304, 0, 0x0, ... 01234 928 NtProtectVirtualMemory (-1, (0x26be000), 4096, 260, ... 01197 1156 NtWaitForSingleObject ... ) == 0x0 01232 1700 NtSetEventBoostPriority ... ) == 0x0 01235 1156 NtSetEventBoostPriority (304, ... 01234 928 NtProtectVirtualMemory ... (0x26be000), 4096, 4, ) == 0x0 01236 1808 NtWaitForSingleObject (120, 0, 0x0, ... 01198 712 NtWaitForSingleObject ... ) == 0x0 01235 1156 NtSetEventBoostPriority ... ) == 0x0 01237 1700 NtWaitForSingleObject (120, 0, 0x0, ... 01238 712 NtSetEventBoostPriority (304, ... 
01239 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01199 1728 NtWaitForSingleObject ... ) == 0x0 01238 712 NtSetEventBoostPriority ... ) == 0x0 01240 1728 NtSetEventBoostPriority (304, ... 01239 928 NtCreateThread ... 316, {1972, 1904}, ) == 0x0 01241 1156 NtWaitForSingleObject (120, 0, 0x0, ... 01206 1756 NtWaitForSingleObject ... ) == 0x0 01240 1728 NtSetEventBoostPriority ... ) == 0x0 01242 928 NtQueryInformationThread (316, Basic, 28, ... 01243 1756 NtSetEventBoostPriority (304, ... 01244 712 NtWaitForSingleObject (120, 0, 0x0, ... 01207 1536 NtWaitForSingleObject ... ) == 0x0 01243 1756 NtSetEventBoostPriority ... ) == 0x0 01242 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1972,Tid=1904,}, 0x0, ) == 0x0 01245 1536 NtSetEventBoostPriority (304, ... 01246 1728 NtWaitForSingleObject (120, 0, 0x0, ... 01211 460 NtWaitForSingleObject ... ) == 0x0 01245 1536 NtSetEventBoostPriority ... ) == 0x0 01247 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57995, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\264\7\0\0p\7\0\0" ... ... 01248 460 NtSetEventBoostPriority (304, ... 01249 1536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01216 1356 NtWaitForSingleObject ... ) == 0x0 01248 460 NtSetEventBoostPriority ... ) == 0x0 01247 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57996, 0} ... {28, 56, reply, 0, 1972, 928, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\264\7\0\0p\7\0\0" ) ) == 0x0 01250 1756 NtSetEventBoostPriority (320, ... 01251 1356 NtSetEventBoostPriority (304, ... 01252 460 NtWaitForSingleObject (304, 0, 0x0, ... 01253 928 NtResumeThread (316, ... 01233 444 NtWaitForSingleObject ... ) == 0x0 01251 1356 NtSetEventBoostPriority ... ) == 0x0 01217 860 NtWaitForSingleObject ... ) == 0x0 01250 1756 NtSetEventBoostPriority ... ) == 0x0 01249 1536 NtDuplicateObject ... 260, ) == 0x0 01254 444 NtSetEventBoostPriority (304, ... 
01253 928 NtResumeThread ... 1, ) == 0x0 01255 860 NtWaitForSingleObject (304, 0, 0x0, ... 01256 1356 NtWaitForSingleObject (304, 0, 0x0, ... 01257 1756 NtWaitForSingleObject (304, 0, 0x0, ... 01254 444 NtSetEventBoostPriority ... ) == 0x0 01258 1536 NtWaitForSingleObject (304, 0, 0x0, ... 01259 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01260 1904 NtTestAlert (... 01261 444 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01259 928 NtAllocateVirtualMemory ... 40632320, 1048576, ) == 0x0 01260 1904 NtTestAlert ... ) == 0x0 01255 860 NtWaitForSingleObject ... ) == 0x0 01262 928 NtAllocateVirtualMemory (-1, 41672704, 0, 8192, 4096, 4, ... 01263 1904 NtContinue (40631600, 1, ... 01264 860 NtSetEventBoostPriority (304, ... 01261 444 NtDuplicateObject ... 312, ) == 0x0 01265 1904 NtRegisterThreadTerminatePort (24, ... 01252 460 NtWaitForSingleObject ... ) == 0x0 01264 860 NtSetEventBoostPriority ... ) == 0x0 01266 444 NtWaitForSingleObject (304, 0, 0x0, ... 01267 460 NtSetEventBoostPriority (304, ... 01265 1904 NtRegisterThreadTerminatePort ... ) == 0x0 01268 860 NtWaitForSingleObject (304, 0, 0x0, ... 01257 1756 NtWaitForSingleObject ... ) == 0x0 01267 460 NtSetEventBoostPriority ... ) == 0x0 01262 928 NtAllocateVirtualMemory ... 41672704, 8192, ) == 0x0 01269 1756 NtSetEventBoostPriority (304, ... 01270 460 NtWaitForSingleObject (320, 0, 0x0, ... 01271 928 NtProtectVirtualMemory (-1, (0x27be000), 4096, 260, ... 01258 1536 NtWaitForSingleObject ... ) == 0x0 01269 1756 NtSetEventBoostPriority ... ) == 0x0 01272 1536 NtSetEventBoostPriority (304, ... 01271 928 NtProtectVirtualMemory ... (0x27be000), 4096, 4, ) == 0x0 01273 1904 NtWaitForSingleObject (304, 0, 0x0, ... 01256 1356 NtWaitForSingleObject ... ) == 0x0 01272 1536 NtSetEventBoostPriority ... ) == 0x0 01274 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01275 1356 NtSetEventBoostPriority (304, ... 01276 1756 NtWaitForSingleObject (320, 0, 0x0, ... 
01266 444 NtWaitForSingleObject ... ) == 0x0 01274 928 NtCreateThread ... 308, {1972, 1936}, ) == 0x0 01277 444 NtSetEventBoostPriority (304, ... 01278 928 NtQueryInformationThread (308, Basic, 28, ... 01268 860 NtWaitForSingleObject ... ) == 0x0 01277 444 NtSetEventBoostPriority ... ) == 0x0 01275 1356 NtSetEventBoostPriority ... ) == 0x0 01279 1536 NtWaitForSingleObject (320, 0, 0x0, ... 01280 860 NtSetEventBoostPriority (304, ... 01278 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1972,Tid=1936,}, 0x0, ) == 0x0 01281 1356 NtWaitForSingleObject (320, 0, 0x0, ... 01273 1904 NtWaitForSingleObject ... ) == 0x0 01280 860 NtSetEventBoostPriority ... ) == 0x0 01282 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57996, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\264\7\0\0\220\7\0\0" ... ... 01283 1904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01284 444 NtWaitForSingleObject (320, 0, 0x0, ... 01283 1904 NtDuplicateObject ... 360, ) == 0x0 01282 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57997, 0} ... {28, 56, reply, 0, 1972, 928, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\264\7\0\0\220\7\0\0" ) ) == 0x0 01285 1904 NtWaitForSingleObject (320, 0, 0x0, ... 01286 928 NtResumeThread (308, ... 01287 860 NtSetEventBoostPriority (320, ... 01286 928 NtResumeThread ... 1, ) == 0x0 01270 460 NtWaitForSingleObject ... ) == 0x0 01287 860 NtSetEventBoostPriority ... ) == 0x0 01288 1936 NtTestAlert (... 01289 460 NtSetEventBoostPriority (320, ... 01290 860 NtWaitForSingleObject (320, 0, 0x0, ... 01276 1756 NtWaitForSingleObject ... ) == 0x0 01289 460 NtSetEventBoostPriority ... ) == 0x0 01288 1936 NtTestAlert ... ) == 0x0 01291 1756 NtSetEventBoostPriority (320, ... 01292 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01279 1536 NtWaitForSingleObject ... ) == 0x0 01291 1756 NtSetEventBoostPriority ... ) == 0x0 01293 1936 NtContinue (41680176, 1, ... 
01294 1536 NtSetEventBoostPriority (320, ... 01292 928 NtAllocateVirtualMemory ... 41680896, 1048576, ) == 0x0 01295 1756 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01281 1356 NtWaitForSingleObject ... ) == 0x0 01294 1536 NtSetEventBoostPriority ... ) == 0x0 01296 1936 NtRegisterThreadTerminatePort (24, ... 01297 928 NtAllocateVirtualMemory (-1, 42721280, 0, 8192, 4096, 4, ... 01298 460 NtWaitForSingleObject (64, 0, {0, 0}, ... 01299 1356 NtWaitForSingleObject (304, 0, 0x0, ... 01300 1536 NtWaitForSingleObject (64, 0, {0, 0}, ... 01296 1936 NtRegisterThreadTerminatePort ... ) == 0x0 01297 928 NtAllocateVirtualMemory ... 42721280, 8192, ) == 0x0 01298 460 NtWaitForSingleObject ... ) == 0x102 01295 1756 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01300 1536 NtWaitForSingleObject ... ) == 0x102 01301 460 NtWaitForSingleObject (120, 0, 0x0, ... 01302 1756 NtSetEventBoostPriority (304, ... 01303 1536 NtWaitForSingleObject (304, 0, 0x0, ... 01299 1356 NtWaitForSingleObject ... ) == 0x0 01302 1756 NtSetEventBoostPriority ... ) == 0x0 01304 1356 NtSetEventBoostPriority (304, ... 01303 1536 NtWaitForSingleObject ... ) == 0x0 01305 1536 NtWaitForSingleObject (120, 0, 0x0, ... 01304 1356 NtSetEventBoostPriority ... ) == 0x0 01306 1756 NtWaitForSingleObject (320, 0, 0x0, ... 01307 1936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01308 928 NtProtectVirtualMemory (-1, (0x28be000), 4096, 260, ... 01307 1936 NtDuplicateObject ... 364, ) == 0x0 01308 928 NtProtectVirtualMemory ... (0x28be000), 4096, 4, ) == 0x0 01309 1936 NtWaitForSingleObject (320, 0, 0x0, ... 01310 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 368, {1972, 1648}, ) == 0x0 01311 928 NtQueryInformationThread (368, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1972,Tid=1648,}, 0x0, ) == 0x0 01312 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57997, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\264\7\0\0p\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\264\7\0\0p\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57998, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\264\7\0\0p\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\264\7\0\0p\6\0\0" ) ) == 0x0 01313 928 NtResumeThread (368, ... 1, ) == 0x0 01314 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01315 1356 NtSetEventBoostPriority (320, ... 01316 1648 NtTestAlert (... 01284 444 NtWaitForSingleObject ... ) == 0x0 01315 1356 NtSetEventBoostPriority ... ) == 0x0 01317 444 NtSetEventBoostPriority (320, ... 01316 1648 NtTestAlert ... ) == 0x0 01285 1904 NtWaitForSingleObject ... ) == 0x0 01317 444 NtSetEventBoostPriority ... ) == 0x0 01318 1356 NtWaitForSingleObject (64, 0, {0, 0}, ... 01319 1904 NtSetEventBoostPriority (320, ... 01320 1648 NtContinue (42728752, 1, ... 01321 444 NtWaitForSingleObject (64, 0, {0, 0}, ... 01290 860 NtWaitForSingleObject ... ) == 0x0 01318 1356 NtWaitForSingleObject ... ) == 0x102 01322 1648 NtRegisterThreadTerminatePort (24, ... 01319 1904 NtSetEventBoostPriority ... ) == 0x0 01314 928 NtAllocateVirtualMemory ... 42729472, 1048576, ) == 0x0 01323 860 NtSetEventBoostPriority (320, ... 01324 1356 NtWaitForSingleObject (120, 0, 0x0, ... 01322 1648 NtRegisterThreadTerminatePort ... ) == 0x0 01325 1904 NtWaitForSingleObject (64, 0, {0, 0}, ... 01326 928 NtAllocateVirtualMemory (-1, 43769856, 0, 8192, 4096, 4, ... 01306 1756 NtWaitForSingleObject ... ) == 0x0 01323 860 NtSetEventBoostPriority ... ) == 0x0 01321 444 NtWaitForSingleObject ... ) == 0x102 01327 1756 NtSetEventBoostPriority (320, ... 
01326 928 NtAllocateVirtualMemory ... 43769856, 8192, ) == 0x0 01328 1648 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01325 1904 NtWaitForSingleObject ... ) == 0x102 01309 1936 NtWaitForSingleObject ... ) == 0x0 01327 1756 NtSetEventBoostPriority ... ) == 0x0 01329 444 NtWaitForSingleObject (120, 0, 0x0, ... 01330 928 NtProtectVirtualMemory (-1, (0x29be000), 4096, 260, ... 01328 1648 NtDuplicateObject ... 372, ) == 0x0 01331 1936 NtWaitForSingleObject (64, 0, {0, 0}, ... 01332 1904 NtWaitForSingleObject (120, 0, 0x0, ... 01333 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ... 01330 928 NtProtectVirtualMemory ... (0x29be000), 4096, 4, ) == 0x0 01334 1648 NtWaitForSingleObject (64, 0, {0, 0}, ... 01333 860 NtQueryAttributesFile ... ) == 0x0 01335 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01334 1648 NtWaitForSingleObject ... ) == 0x102 01336 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01337 1756 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01331 1936 NtWaitForSingleObject ... ) == 0x102 01338 1648 NtWaitForSingleObject (120, 0, 0x0, ... 01336 860 NtOpenKey ... 376, ) == 0x0 01337 1756 NtOpenFile ... 380, {status=0x0, info=0}, ) == 0x0 01339 1936 NtWaitForSingleObject (120, 0, 0x0, ... 01335 928 NtCreateThread ... 384, {1972, 148}, ) == 0x0 01340 860 NtQueryValueKey (376, (376, "Transports", Partial, 144, ... , Partial, 144, ... 
01341 1756 NtDeviceIoControlFile (380, 0, 0x0, 0x0, 0x390008, (380, 0, 0x0, 0x0, 0x390008, "\242\33\206`|Q\10#h\336r\313\270M"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01342 928 NtQueryInformationThread (384, Basic, 28, ... 01340 860 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01343 1756 NtQuerySystemInformation (TimeOfDay, 48, ... 01342 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1972,Tid=148,}, 0x0, ) == 0x0 01343 1756 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01344 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57998, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\264\7\0\0\224\0\0\0" ... ... 01345 1756 NtQuerySystemInformation (ProcessorTimes, 48, ... 01344 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 57999, 0} ... 
{28, 56, reply, 0, 1972, 928, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\264\7\0\0\224\0\0\0" ) ) == 0x0 01346 860 NtQueryValueKey (376, (376, "Transports", Partial, 144, ... , Partial, 144, ... 01345 1756 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01346 860 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01347 1756 NtQuerySystemInformation (Performance, 312, ... 01348 860 NtClose (376, ... 01347 1756 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01348 860 NtClose ... ) == 0x0 01349 1756 NtQuerySystemInformation (Exception, 16, ... 01350 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01349 1756 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01350 860 NtOpenKey ... 376, ) == 0x0 01351 1756 NtQuerySystemInformation (Lookaside, 32, ... 01352 928 NtResumeThread (384, ... 01353 860 NtQueryValueKey (376, (376, "Mapping", Partial, 144, ... , Partial, 144, ... 01352 928 NtResumeThread ... 1, ) == 0x0 01353 860 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01354 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01355 860 NtQueryValueKey (376, (376, "Mapping", Partial, 144, ... , Partial, 144, ... 01354 928 NtAllocateVirtualMemory ... 43778048, 1048576, ) == 0x0 01355 860 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01356 928 NtAllocateVirtualMemory (-1, 44818432, 0, 8192, 4096, 4, ... 01357 860 NtQueryValueKey (376, (376, "Mapping", Partial, 152, ... , Partial, 152, ... 01356 928 NtAllocateVirtualMemory ... 44818432, 8192, ) == 0x0 01357 860 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... 
TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01351 1756 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01358 148 NtTestAlert (... 01359 928 NtProtectVirtualMemory (-1, (0x2abe000), 4096, 260, ... 01360 1756 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01358 148 NtTestAlert ... ) == 0x0 01359 928 NtProtectVirtualMemory ... (0x2abe000), 4096, 4, ) == 0x0 01360 1756 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01361 148 NtContinue (43777328, 1, ... 01362 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01363 1756 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01364 148 NtRegisterThreadTerminatePort (24, ... 01362 928 NtCreateThread ... 388, {1972, 1828}, ) == 0x0 01363 1756 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01364 148 NtRegisterThreadTerminatePort ... ) == 0x0 01365 928 NtQueryInformationThread (388, Basic, 28, ... 01366 1756 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01367 860 NtClose (376, ... 01365 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1972,Tid=1828,}, 0x0, ) == 0x0 01368 148 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01367 860 NtClose ... ) == 0x0 01366 1756 NtCreateKey ... -2147482740, 2, ) == 0x0 01368 148 NtDuplicateObject ... 376, ) == 0x0 01369 860 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 
01370 1756 NtSetValueKey (-2147482740, (-2147482740, "Seed", 0, 3, "Z\16\221MU\233\10\375\356\337V@P\251\237J0\260\243\373q\212]P\365*v\312{\\333\13JW\337eWT\353\6So]\261f\3554)q\305\6{\376\251 \257*\317w{\271,\307E\300i\362\224\370\307Y\356\364w\371\336\253\236\177A", 80, ... , 0, 3, (-2147482740, "Seed", 0, 3, "Z\16\221MU\233\10\375\356\337V@P\251\237J0\260\243\373q\212]P\365*v\312{\\333\13JW\337eWT\353\6So]\261f\3554)q\305\6{\376\251 \257*\317w{\271,\307E\300i\362\224\370\307Y\356\364w\371\336\253\236\177A", 80, ... , 80, ... 01371 148 NtWaitForSingleObject (304, 0, 0x0, ... 01369 860 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01370 1756 NtSetValueKey ... ) == 0x0 01372 860 NtSetEventBoostPriority (304, ... 01373 1756 NtClose (-2147482740, ... 01371 148 NtWaitForSingleObject ... ) == 0x0 01372 860 NtSetEventBoostPriority ... ) == 0x0 01374 148 NtWaitForSingleObject (64, 0, {0, 0}, ... 01373 1756 NtClose ... ) == 0x0 01375 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 57999, 0} (24, {28, 56, new_msg, 0, 1972, 928, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\264\7\0\0$\7\0\0" ... ... 01341 1756 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\343\242\344\325\30r\242cJ^r~\321\315?+\221\260\232\16\204\11\334H\332"\221\220\204u\262\3676\10\203\243\352\355\6\20\37\15\307\222\331\372\313\274\226d\13\334\227\206\260B\257\206\335\365_\30\336?i\246\265\213\352t\217\357vi\304\177\203\26>\20\343\226E\254\345X\1h\304\314B\202\337\306\32\3743\326Ez\2\17\364\227\2063\6\253\341\342\205\7\245\250G\257\277\270\337|c\35\331d\35b8\364m\321l$\213\302>\376~\357|\\335/\205 \1\312\222z\353\35\33\300W\275\271CGAp\252`\335\320\271QlF\315\220\375\350Q/j\16*s\376q\271\204\376\223\213\362\324\317\363X:\350\211n\307"\306\351\343O\221\324)2 \347\207\315+\307\354}\212:N\337;5\304\354\262{\263`\224\207\223/c\365\362B\332)\267\355\241cp\254\241\334\360\14\332\266\262\310\224\325\340\260 LP\237"", ) \221\220\204u\262\3676\10\203\243\352\355\6\20\37\15\307\222\331\372\313\274\226d\13\334\227\206\260B\257\206\335\365_\30\336?i\246\265\213\352t\217\357vi\304\177\203\26>\20\343\226E\254\345X\1h\304\314B\202\337\306\32\3743\326Ez\2\17\364\227\2063\6\253\341\342\205\7\245\250G\257\277\270\337|c\35\331d\35b8\364m\321l$\213\302>\376~\357|\\335/\205 \1\312\222z\353\35\33\300W\275\271CGAp\252`\335\320\271QlF\315\220\375\350Q/j\16*s\376q\271\204\376\223\213\362\324\317\363X:\350\211n\307 ... 
{status=0x0, info=256}, "\343\242\344\325\30r\242cJ^r~\321\315?+\221\260\232\16\204\11\334H\332"\221\220\204u\262\3676\10\203\243\352\355\6\20\37\15\307\222\331\372\313\274\226d\13\334\227\206\260B\257\206\335\365_\30\336?i\246\265\213\352t\217\357vi\304\177\203\26>\20\343\226E\254\345X\1h\304\314B\202\337\306\32\3743\326Ez\2\17\364\227\2063\6\253\341\342\205\7\245\250G\257\277\270\337|c\35\331d\35b8\364m\321l$\213\302>\376~\357|\\335/\205 \1\312\222z\353\35\33\300W\275\271CGAp\252`\335\320\271QlF\315\220\375\350Q/j\16*s\376q\271\204\376\223\213\362\324\317\363X:\350\211n\307"\306\351\343O\221\324)2 \347\207\315+\307\354}\212:N\337;5\304\354\262{\263`\224\207\223/c\365\362B\332)\267\355\241cp\254\241\334\360\14\332\266\262\310\224\325\340\260 LP\237"", ) ", ) == 0x0 01375 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 58000, 0} ... {28, 56, reply, 0, 1972, 928, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\264\7\0\0$\7\0\0" ) ) == 0x0 01376 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01374 148 NtWaitForSingleObject ... ) == 0x102 01377 928 NtResumeThread (388, ... 01376 860 NtOpenKey ... 392, ) == 0x0 01378 148 NtWaitForSingleObject (120, 0, 0x0, ... 01377 928 NtResumeThread ... 1, ) == 0x0 01379 860 NtQueryValueKey (392, (392, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01380 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01379 860 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01381 1756 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01382 1828 NtTestAlert (... 01383 860 NtQueryValueKey (392, (392, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01381 1756 NtCreateEvent ... 396, ) == 0x0 01382 1828 NtTestAlert ... ) == 0x0 01383 860 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01384 1756 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15461892, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15461892, 188, ... 01385 1828 NtContinue (44825904, 1, ... 01380 928 NtAllocateVirtualMemory ... 44826624, 1048576, ) == 0x0 01386 860 NtQueryValueKey (392, (392, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01387 1828 NtRegisterThreadTerminatePort (24, ... 01388 928 NtAllocateVirtualMemory (-1, 45867008, 0, 8192, 4096, 4, ... 01386 860 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01387 1828 NtRegisterThreadTerminatePort ... ) == 0x0 01388 928 NtAllocateVirtualMemory ... 45867008, 8192, ) == 0x0 01389 860 NtQueryValueKey (392, (392, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01384 1756 NtConnectPort ... 400, 0x0, 0x0, 0x0, 188, ) == 0x0 01390 928 NtProtectVirtualMemory (-1, (0x2bbe000), 4096, 260, ... 01389 860 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01391 1756 NtRequestWaitReplyPort (400, {200, 224, new_msg, 0, 1382232, 12, 2, 1310721} (400, {200, 224, new_msg, 0, 1382232, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\25\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\203\312\361\0y\246]W\10\27\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\340\26\25\0\1\4"\202x\1\24\0\0\27\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\27\25\0P\0\0\0\10\27\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\353\0\372\31\221|\30\364\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 
\202x\1\24\0\0\27\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\27\25\0P\0\0\0\10\27\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\353\0\372\31\221|\30\364\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 01390 928 NtProtectVirtualMemory ... (0x2bbe000), 4096, 4, ) == 0x0 01392 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ... 01393 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01392 860 NtQueryAttributesFile ... ) == 0x0 01391 1756 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1972, 1756, 58002, 0} ... {200, 224, reply, 0, 1972, 1756, 58002, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\203\312\361\0y\246]W\10\27\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\340\26\25\0\1\4"\202x\1\24\0\0\27\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\27\25\0P\0\0\0\10\27\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\353\0\372\31\221|\30\364\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) \202x\1\24\0\0\27\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\27\25\0P\0\0\0\10\27\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\353\0\372\31\221|\30\364\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0 01394 1828 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01393 928 NtCreateThread ... 404, {1972, 1864}, ) == 0x0 01395 1756 NtRequestWaitReplyPort (400, {64, 88, new_msg, 0, 0, 0, 0, 0} (400, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01394 1828 NtDuplicateObject ... 408, ) == 0x0 01396 928 NtQueryInformationThread (404, Basic, 28, ... 01397 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 
01398 1828 NtWaitForSingleObject (64, 0, {0, 0}, ... 01396 928 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1972,Tid=1864,}, 0x0, ) == 0x0 01397 860 NtOpenFile ... 412, {status=0x0, info=1}, ) == 0x0 01398 1828 NtWaitForSingleObject ... ) == 0x102 01399 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58000, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\264\7\0\0H\7\0\0" ... ... 01400 860 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 412, ... 01401 1828 NtWaitForSingleObject (120, 0, 0x0, ... 01399 928 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1972, 928, 58003, 0} ... {28, 56, reply, 0, 1972, 928, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\264\7\0\0H\7\0\0" ) ) == 0x0 01400 860 NtCreateSection ... 416, ) == 0x0 01402 860 NtClose (412, ... ) == 0x0 01403 860 NtMapViewOfSection (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0 01404 860 NtClose (416, ... ) == 0x0 01405 928 NtResumeThread (404, ... 1, ) == 0x0 01406 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 45875200, 1048576, ) == 0x0 01407 928 NtAllocateVirtualMemory (-1, 46915584, 0, 8192, 4096, 4, ... 46915584, 8192, ) == 0x0 01408 1864 NtWaitForSingleObject (92, 0, 0x0, ... 01409 928 NtProtectVirtualMemory (-1, (0x2cbe000), 4096, 260, ... (0x2cbe000), 4096, 4, ) == 0x0 01410 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {1972, 1524}, ) == 0x0 01411 928 NtQueryInformationThread (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1972,Tid=1524,}, 0x0, ) == 0x0 01412 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58003, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\264\7\0\0\364\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\264\7\0\0\364\5\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 58005, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\264\7\0\0\364\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\264\7\0\0\364\5\0\0" ) ) == 0x0 01413 928 NtResumeThread (416, ... 1, ) == 0x0 01414 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01395 1756 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1972, 1756, 58004, 0} ... {52, 76, reply, 0, 1972, 1756, 58004, 0} "\2\356Q\200\1\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01415 1524 NtWaitForSingleObject (92, 0, 0x0, ... 01416 1756 NtClose (396, ... ) == 0x0 01417 1756 NtClose (400, ... ) == 0x0 01418 1756 NtWaitForSingleObject (92, 0, 0x0, ... 01414 928 NtAllocateVirtualMemory ... 46923776, 1048576, ) == 0x0 01419 928 NtAllocateVirtualMemory (-1, 47964160, 0, 8192, 4096, 4, ... 47964160, 8192, ) == 0x0 01420 928 NtProtectVirtualMemory (-1, (0x2dbe000), 4096, 260, ... (0x2dbe000), 4096, 4, ) == 0x0 01421 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 400, {1972, 2044}, ) == 0x0 01422 928 NtQueryInformationThread (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1972,Tid=2044,}, 0x0, ) == 0x0 01423 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58005, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\264\7\0\0\374\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\264\7\0\0\374\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58007, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\264\7\0\0\374\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\264\7\0\0\374\7\0\0" ) ) == 0x0 01424 928 NtResumeThread (400, ... 
1, ) == 0x0 01425 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 47972352, 1048576, ) == 0x0 01426 928 NtAllocateVirtualMemory (-1, 49012736, 0, 8192, 4096, 4, ... 49012736, 8192, ) == 0x0 01427 2044 NtWaitForSingleObject (92, 0, 0x0, ... 01428 928 NtProtectVirtualMemory (-1, (0x2ebe000), 4096, 260, ... (0x2ebe000), 4096, 4, ) == 0x0 01429 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 396, {1972, 240}, ) == 0x0 01430 928 NtQueryInformationThread (396, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1972,Tid=240,}, 0x0, ) == 0x0 01431 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58007, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\264\7\0\0\360\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\264\7\0\0\360\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58008, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\264\7\0\0\360\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\264\7\0\0\360\0\0\0" ) ) == 0x0 01432 928 NtResumeThread (396, ... 1, ) == 0x0 01433 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01434 240 NtWaitForSingleObject (92, 0, 0x0, ... 01433 928 NtAllocateVirtualMemory ... 49020928, 1048576, ) == 0x0 01435 928 NtAllocateVirtualMemory (-1, 50061312, 0, 8192, 4096, 4, ... 50061312, 8192, ) == 0x0 01436 928 NtProtectVirtualMemory (-1, (0x2fbe000), 4096, 260, ... (0x2fbe000), 4096, 4, ) == 0x0 01437 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1972, 968}, ) == 0x0 01438 928 NtQueryInformationThread (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1972,Tid=968,}, 0x0, ) == 0x0 01439 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58008, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\264\7\0\0\310\3\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\264\7\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58009, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\264\7\0\0\310\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\264\7\0\0\310\3\0\0" ) ) == 0x0 01440 928 NtResumeThread (412, ... 1, ) == 0x0 01441 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50069504, 1048576, ) == 0x0 01442 928 NtAllocateVirtualMemory (-1, 51109888, 0, 8192, 4096, 4, ... 51109888, 8192, ) == 0x0 01443 968 NtWaitForSingleObject (92, 0, 0x0, ... 01444 928 NtProtectVirtualMemory (-1, (0x30be000), 4096, 260, ... (0x30be000), 4096, 4, ) == 0x0 01445 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {1972, 308}, ) == 0x0 01446 928 NtQueryInformationThread (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1972,Tid=308,}, 0x0, ) == 0x0 01447 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58009, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\264\7\0\04\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\264\7\0\04\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58010, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\264\7\0\04\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\264\7\0\04\1\0\0" ) ) == 0x0 01448 928 NtResumeThread (420, ... 1, ) == 0x0 01449 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01450 308 NtWaitForSingleObject (92, 0, 0x0, ... 01449 928 NtAllocateVirtualMemory ... 51118080, 1048576, ) == 0x0 01451 928 NtAllocateVirtualMemory (-1, 52158464, 0, 8192, 4096, 4, ... 52158464, 8192, ) == 0x0 01452 928 NtProtectVirtualMemory (-1, (0x31be000), 4096, 260, ... 
(0x31be000), 4096, 4, ) == 0x0 01453 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {1972, 764}, ) == 0x0 01454 928 NtQueryInformationThread (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1972,Tid=764,}, 0x0, ) == 0x0 01455 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58010, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\264\7\0\0\374\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\264\7\0\0\374\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58011, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\264\7\0\0\374\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\264\7\0\0\374\2\0\0" ) ) == 0x0 01456 928 NtResumeThread (424, ... 1, ) == 0x0 01457 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 52166656, 1048576, ) == 0x0 01458 928 NtAllocateVirtualMemory (-1, 53207040, 0, 8192, 4096, 4, ... 53207040, 8192, ) == 0x0 01459 764 NtWaitForSingleObject (92, 0, 0x0, ... 01460 928 NtProtectVirtualMemory (-1, (0x32be000), 4096, 260, ... (0x32be000), 4096, 4, ) == 0x0 01461 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {1972, 2000}, ) == 0x0 01462 928 NtQueryInformationThread (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1972,Tid=2000,}, 0x0, ) == 0x0 01463 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58011, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\264\7\0\0\320\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\264\7\0\0\320\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58012, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\264\7\0\0\320\7\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\264\7\0\0\320\7\0\0" ) ) == 0x0 01464 928 NtResumeThread (428, ... 1, ) == 0x0 01465 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01466 2000 NtWaitForSingleObject (92, 0, 0x0, ... 01465 928 NtAllocateVirtualMemory ... 53215232, 1048576, ) == 0x0 01467 928 NtAllocateVirtualMemory (-1, 54255616, 0, 8192, 4096, 4, ... 54255616, 8192, ) == 0x0 01468 928 NtProtectVirtualMemory (-1, (0x33be000), 4096, 260, ... (0x33be000), 4096, 4, ) == 0x0 01469 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1972, 1852}, ) == 0x0 01470 928 NtQueryInformationThread (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1972,Tid=1852,}, 0x0, ) == 0x0 01471 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58012, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\264\7\0\0<\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\264\7\0\0<\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58013, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\264\7\0\0<\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\264\7\0\0<\7\0\0" ) ) == 0x0 01472 928 NtResumeThread (432, ... 1, ) == 0x0 01473 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 54263808, 1048576, ) == 0x0 01474 928 NtAllocateVirtualMemory (-1, 55304192, 0, 8192, 4096, 4, ... 55304192, 8192, ) == 0x0 01475 1852 NtWaitForSingleObject (92, 0, 0x0, ... 01476 928 NtProtectVirtualMemory (-1, (0x34be000), 4096, 260, ... (0x34be000), 4096, 4, ) == 0x0 01477 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1972, 1420}, ) == 0x0 01478 928 NtQueryInformationThread (436, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1972,Tid=1420,}, 0x0, ) == 0x0 01479 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58013, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\264\7\0\0\214\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\264\7\0\0\214\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58014, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\264\7\0\0\214\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\264\7\0\0\214\5\0\0" ) ) == 0x0 01480 928 NtResumeThread (436, ... 1, ) == 0x0 01481 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01482 1420 NtWaitForSingleObject (92, 0, 0x0, ... 01481 928 NtAllocateVirtualMemory ... 55312384, 1048576, ) == 0x0 01483 928 NtAllocateVirtualMemory (-1, 56352768, 0, 8192, 4096, 4, ... 56352768, 8192, ) == 0x0 01484 928 NtProtectVirtualMemory (-1, (0x35be000), 4096, 260, ... (0x35be000), 4096, 4, ) == 0x0 01485 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1972, 164}, ) == 0x0 01486 928 NtQueryInformationThread (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1972,Tid=164,}, 0x0, ) == 0x0 01487 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58014, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\264\7\0\0\244\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\264\7\0\0\244\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58015, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\264\7\0\0\244\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\264\7\0\0\244\0\0\0" ) ) == 0x0 01488 928 NtResumeThread (440, ... 1, ) == 0x0 01489 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
56360960, 1048576, ) == 0x0 01490 928 NtAllocateVirtualMemory (-1, 57401344, 0, 8192, 4096, 4, ... 57401344, 8192, ) == 0x0 01491 164 NtWaitForSingleObject (92, 0, 0x0, ... 01492 928 NtProtectVirtualMemory (-1, (0x36be000), 4096, 260, ... (0x36be000), 4096, 4, ) == 0x0 01493 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1972, 1564}, ) == 0x0 01494 928 NtQueryInformationThread (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1972,Tid=1564,}, 0x0, ) == 0x0 01495 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58015, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\264\7\0\0\34\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\264\7\0\0\34\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58016, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\264\7\0\0\34\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\264\7\0\0\34\6\0\0" ) ) == 0x0 01496 928 NtResumeThread (444, ... 1, ) == 0x0 01497 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01498 1564 NtWaitForSingleObject (92, 0, 0x0, ... 01497 928 NtAllocateVirtualMemory ... 57409536, 1048576, ) == 0x0 01499 928 NtAllocateVirtualMemory (-1, 58449920, 0, 8192, 4096, 4, ... 58449920, 8192, ) == 0x0 01500 928 NtProtectVirtualMemory (-1, (0x37be000), 4096, 260, ... (0x37be000), 4096, 4, ) == 0x0 01501 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {1972, 1592}, ) == 0x0 01502 928 NtQueryInformationThread (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1972,Tid=1592,}, 0x0, ) == 0x0 01503 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58016, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\264\7\0\08\6\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\264\7\0\08\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58017, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\264\7\0\08\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\264\7\0\08\6\0\0" ) ) == 0x0 01504 928 NtResumeThread (448, ... 1, ) == 0x0 01505 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58458112, 1048576, ) == 0x0 01506 928 NtAllocateVirtualMemory (-1, 59498496, 0, 8192, 4096, 4, ... 59498496, 8192, ) == 0x0 01507 1592 NtWaitForSingleObject (92, 0, 0x0, ... 01508 928 NtProtectVirtualMemory (-1, (0x38be000), 4096, 260, ... (0x38be000), 4096, 4, ) == 0x0 01509 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {1972, 2032}, ) == 0x0 01510 928 NtQueryInformationThread (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1972,Tid=2032,}, 0x0, ) == 0x0 01511 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58017, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\264\7\0\0\360\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\264\7\0\0\360\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58018, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\264\7\0\0\360\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\264\7\0\0\360\7\0\0" ) ) == 0x0 01512 928 NtResumeThread (452, ... 1, ) == 0x0 01513 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01514 2032 NtWaitForSingleObject (92, 0, 0x0, ... 01513 928 NtAllocateVirtualMemory ... 59506688, 1048576, ) == 0x0 01515 928 NtAllocateVirtualMemory (-1, 60547072, 0, 8192, 4096, 4, ... 60547072, 8192, ) == 0x0 01516 928 NtProtectVirtualMemory (-1, (0x39be000), 4096, 260, ... 
(0x39be000), 4096, 4, ) == 0x0 01517 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {1972, 1500}, ) == 0x0 01518 928 NtQueryInformationThread (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1972,Tid=1500,}, 0x0, ) == 0x0 01519 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58018, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\264\7\0\0\334\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\264\7\0\0\334\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58019, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\264\7\0\0\334\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\264\7\0\0\334\5\0\0" ) ) == 0x0 01520 928 NtResumeThread (456, ... 1, ) == 0x0 01521 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 60555264, 1048576, ) == 0x0 01522 928 NtAllocateVirtualMemory (-1, 61595648, 0, 8192, 4096, 4, ... 61595648, 8192, ) == 0x0 01523 1500 NtWaitForSingleObject (92, 0, 0x0, ... 01524 928 NtProtectVirtualMemory (-1, (0x3abe000), 4096, 260, ... (0x3abe000), 4096, 4, ) == 0x0 01525 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {1972, 932}, ) == 0x0 01526 928 NtQueryInformationThread (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1972,Tid=932,}, 0x0, ) == 0x0 01527 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58019, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\264\7\0\0\244\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\264\7\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58020, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\264\7\0\0\244\3\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\264\7\0\0\244\3\0\0" ) ) == 0x0 01528 928 NtResumeThread (460, ... 1, ) == 0x0 01529 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01530 932 NtWaitForSingleObject (92, 0, 0x0, ... 01529 928 NtAllocateVirtualMemory ... 61603840, 1048576, ) == 0x0 01531 928 NtAllocateVirtualMemory (-1, 62644224, 0, 8192, 4096, 4, ... 62644224, 8192, ) == 0x0 01532 928 NtProtectVirtualMemory (-1, (0x3bbe000), 4096, 260, ... (0x3bbe000), 4096, 4, ) == 0x0 01533 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {1972, 1528}, ) == 0x0 01534 928 NtQueryInformationThread (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1972,Tid=1528,}, 0x0, ) == 0x0 01535 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58020, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\264\7\0\0\370\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\264\7\0\0\370\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58021, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\264\7\0\0\370\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\264\7\0\0\370\5\0\0" ) ) == 0x0 01536 928 NtResumeThread (464, ... 1, ) == 0x0 01537 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62652416, 1048576, ) == 0x0 01538 928 NtAllocateVirtualMemory (-1, 63692800, 0, 8192, 4096, 4, ... 63692800, 8192, ) == 0x0 01539 1528 NtWaitForSingleObject (92, 0, 0x0, ... 01540 928 NtProtectVirtualMemory (-1, (0x3cbe000), 4096, 260, ... (0x3cbe000), 4096, 4, ) == 0x0 01541 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {1972, 1780}, ) == 0x0 01542 928 NtQueryInformationThread (468, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1972,Tid=1780,}, 0x0, ) == 0x0 01543 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58021, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\264\7\0\0\364\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\264\7\0\0\364\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58022, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\264\7\0\0\364\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\264\7\0\0\364\6\0\0" ) ) == 0x0 01544 928 NtResumeThread (468, ... 1, ) == 0x0 01545 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01546 1780 NtWaitForSingleObject (92, 0, 0x0, ... 01545 928 NtAllocateVirtualMemory ... 63700992, 1048576, ) == 0x0 01547 928 NtAllocateVirtualMemory (-1, 64741376, 0, 8192, 4096, 4, ... 64741376, 8192, ) == 0x0 01548 928 NtProtectVirtualMemory (-1, (0x3dbe000), 4096, 260, ... (0x3dbe000), 4096, 4, ) == 0x0 01549 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {1972, 1804}, ) == 0x0 01550 928 NtQueryInformationThread (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1972,Tid=1804,}, 0x0, ) == 0x0 01551 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58022, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\264\7\0\0\14\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\264\7\0\0\14\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58023, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\264\7\0\0\14\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\264\7\0\0\14\7\0\0" ) ) == 0x0 01552 928 NtResumeThread (472, ... 1, ) == 0x0 01553 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
64749568, 1048576, ) == 0x0 01554 928 NtAllocateVirtualMemory (-1, 65789952, 0, 8192, 4096, 4, ... 65789952, 8192, ) == 0x0 01555 1804 NtWaitForSingleObject (92, 0, 0x0, ... 01556 928 NtProtectVirtualMemory (-1, (0x3ebe000), 4096, 260, ... (0x3ebe000), 4096, 4, ) == 0x0 01557 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {1972, 1644}, ) == 0x0 01558 928 NtQueryInformationThread (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1972,Tid=1644,}, 0x0, ) == 0x0 01559 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58023, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\264\7\0\0l\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\264\7\0\0l\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58024, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\264\7\0\0l\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\264\7\0\0l\6\0\0" ) ) == 0x0 01560 928 NtResumeThread (476, ... 1, ) == 0x0 01561 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01562 1644 NtWaitForSingleObject (92, 0, 0x0, ... 01561 928 NtAllocateVirtualMemory ... 65798144, 1048576, ) == 0x0 01563 928 NtAllocateVirtualMemory (-1, 66838528, 0, 8192, 4096, 4, ... 66838528, 8192, ) == 0x0 01564 928 NtProtectVirtualMemory (-1, (0x3fbe000), 4096, 260, ... (0x3fbe000), 4096, 4, ) == 0x0 01565 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {1972, 336}, ) == 0x0 01566 928 NtQueryInformationThread (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1972,Tid=336,}, 0x0, ) == 0x0 01567 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58024, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\264\7\0\0P\1\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\264\7\0\0P\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58025, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\264\7\0\0P\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\264\7\0\0P\1\0\0" ) ) == 0x0 01568 928 NtResumeThread (480, ... 1, ) == 0x0 01569 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 66846720, 1048576, ) == 0x0 01570 928 NtAllocateVirtualMemory (-1, 67887104, 0, 8192, 4096, 4, ... 67887104, 8192, ) == 0x0 01571 336 NtWaitForSingleObject (92, 0, 0x0, ... 01572 928 NtProtectVirtualMemory (-1, (0x40be000), 4096, 260, ... (0x40be000), 4096, 4, ) == 0x0 01573 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {1972, 800}, ) == 0x0 01574 928 NtQueryInformationThread (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1972,Tid=800,}, 0x0, ) == 0x0 01575 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58025, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\264\7\0\0 \3\0\0" ... {28, 56, reply, 0, 1972, 928, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\264\7\0\0 \3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58026, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\264\7\0\0 \3\0\0" ... {28, 56, reply, 0, 1972, 928, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\264\7\0\0 \3\0\0" ) ) == 0x0 01576 928 NtResumeThread (484, ... 1, ) == 0x0 01577 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01578 800 NtWaitForSingleObject (92, 0, 0x0, ... 01577 928 NtAllocateVirtualMemory ... 67895296, 1048576, ) == 0x0 01579 928 NtAllocateVirtualMemory (-1, 68935680, 0, 8192, 4096, 4, ... 68935680, 8192, ) == 0x0 01580 928 NtProtectVirtualMemory (-1, (0x41be000), 4096, 260, ... 
(0x41be000), 4096, 4, ) == 0x0 01581 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {1972, 504}, ) == 0x0 01582 928 NtQueryInformationThread (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1972,Tid=504,}, 0x0, ) == 0x0 01583 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58026, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\264\7\0\0\370\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\264\7\0\0\370\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58027, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\264\7\0\0\370\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\264\7\0\0\370\1\0\0" ) ) == 0x0 01584 928 NtResumeThread (488, ... 1, ) == 0x0 01585 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 68943872, 1048576, ) == 0x0 01586 928 NtAllocateVirtualMemory (-1, 69984256, 0, 8192, 4096, 4, ... 69984256, 8192, ) == 0x0 01587 504 NtWaitForSingleObject (92, 0, 0x0, ... 01588 928 NtProtectVirtualMemory (-1, (0x42be000), 4096, 260, ... (0x42be000), 4096, 4, ) == 0x0 01589 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {1972, 888}, ) == 0x0 01590 928 NtQueryInformationThread (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1972,Tid=888,}, 0x0, ) == 0x0 01591 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58027, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\264\7\0\0x\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\264\7\0\0x\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58028, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\264\7\0\0x\3\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\264\7\0\0x\3\0\0" ) ) == 0x0 01592 928 NtResumeThread (492, ... 1, ) == 0x0 01593 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01594 888 NtWaitForSingleObject (92, 0, 0x0, ... 01593 928 NtAllocateVirtualMemory ... 69992448, 1048576, ) == 0x0 01595 928 NtAllocateVirtualMemory (-1, 71032832, 0, 8192, 4096, 4, ... 71032832, 8192, ) == 0x0 01596 928 NtProtectVirtualMemory (-1, (0x43be000), 4096, 260, ... (0x43be000), 4096, 4, ) == 0x0 01597 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {1972, 1392}, ) == 0x0 01598 928 NtQueryInformationThread (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1972,Tid=1392,}, 0x0, ) == 0x0 01599 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58028, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\264\7\0\0p\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\264\7\0\0p\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58029, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\264\7\0\0p\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\264\7\0\0p\5\0\0" ) ) == 0x0 01600 928 NtResumeThread (496, ... 1, ) == 0x0 01601 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71041024, 1048576, ) == 0x0 01602 928 NtAllocateVirtualMemory (-1, 72081408, 0, 8192, 4096, 4, ... 72081408, 8192, ) == 0x0 01603 1392 NtWaitForSingleObject (92, 0, 0x0, ... 01604 928 NtProtectVirtualMemory (-1, (0x44be000), 4096, 260, ... (0x44be000), 4096, 4, ) == 0x0 01605 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 500, {1972, 2020}, ) == 0x0 01606 928 NtQueryInformationThread (500, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1972,Tid=2020,}, 0x0, ) == 0x0 01607 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58029, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\264\7\0\0\344\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\264\7\0\0\344\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58030, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\264\7\0\0\344\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\264\7\0\0\344\7\0\0" ) ) == 0x0 01608 928 NtResumeThread (500, ... 1, ) == 0x0 01609 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01610 2020 NtWaitForSingleObject (92, 0, 0x0, ... 01609 928 NtAllocateVirtualMemory ... 72089600, 1048576, ) == 0x0 01611 928 NtAllocateVirtualMemory (-1, 73129984, 0, 8192, 4096, 4, ... 73129984, 8192, ) == 0x0 01612 928 NtProtectVirtualMemory (-1, (0x45be000), 4096, 260, ... (0x45be000), 4096, 4, ) == 0x0 01613 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {1972, 740}, ) == 0x0 01614 928 NtQueryInformationThread (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1972,Tid=740,}, 0x0, ) == 0x0 01615 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58030, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\264\7\0\0\344\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\264\7\0\0\344\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58031, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\264\7\0\0\344\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\264\7\0\0\344\2\0\0" ) ) == 0x0 01616 928 NtResumeThread (504, ... 1, ) == 0x0 01617 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
73138176, 1048576, ) == 0x0 01618 928 NtAllocateVirtualMemory (-1, 74178560, 0, 8192, 4096, 4, ... 74178560, 8192, ) == 0x0 01619 740 NtWaitForSingleObject (92, 0, 0x0, ... 01620 928 NtProtectVirtualMemory (-1, (0x46be000), 4096, 260, ... (0x46be000), 4096, 4, ) == 0x0 01621 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 508, {1972, 1676}, ) == 0x0 01622 928 NtQueryInformationThread (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1972,Tid=1676,}, 0x0, ) == 0x0 01623 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58031, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\264\7\0\0\214\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\264\7\0\0\214\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58032, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\264\7\0\0\214\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\264\7\0\0\214\6\0\0" ) ) == 0x0 01624 928 NtResumeThread (508, ... 1, ) == 0x0 01625 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01626 1676 NtWaitForSingleObject (92, 0, 0x0, ... 01625 928 NtAllocateVirtualMemory ... 74186752, 1048576, ) == 0x0 01627 928 NtAllocateVirtualMemory (-1, 75227136, 0, 8192, 4096, 4, ... 75227136, 8192, ) == 0x0 01628 928 NtProtectVirtualMemory (-1, (0x47be000), 4096, 260, ... (0x47be000), 4096, 4, ) == 0x0 01629 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {1972, 496}, ) == 0x0 01630 928 NtQueryInformationThread (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1972,Tid=496,}, 0x0, ) == 0x0 01631 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58032, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\264\7\0\0\360\1\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\264\7\0\0\360\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58033, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\264\7\0\0\360\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\264\7\0\0\360\1\0\0" ) ) == 0x0 01632 928 NtResumeThread (512, ... 1, ) == 0x0 01633 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 75235328, 1048576, ) == 0x0 01634 928 NtAllocateVirtualMemory (-1, 76275712, 0, 8192, 4096, 4, ... 76275712, 8192, ) == 0x0 01635 496 NtWaitForSingleObject (92, 0, 0x0, ... 01636 928 NtProtectVirtualMemory (-1, (0x48be000), 4096, 260, ... (0x48be000), 4096, 4, ) == 0x0 01637 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 516, {1972, 1020}, ) == 0x0 01638 928 NtQueryInformationThread (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1972,Tid=1020,}, 0x0, ) == 0x0 01639 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58033, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\264\7\0\0\374\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\264\7\0\0\374\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58034, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\264\7\0\0\374\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\264\7\0\0\374\3\0\0" ) ) == 0x0 01640 928 NtResumeThread (516, ... 1, ) == 0x0 01641 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 76283904, 1048576, ) == 0x0 01642 928 NtAllocateVirtualMemory (-1, 77324288, 0, 8192, 4096, 4, ... 77324288, 8192, ) == 0x0 01643 1020 NtWaitForSingleObject (92, 0, 0x0, ... 01644 928 NtProtectVirtualMemory (-1, (0x49be000), 4096, 260, ... (0x49be000), 4096, 4, ) == 0x0 01645 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
520, {1972, 432}, ) == 0x0 01646 928 NtQueryInformationThread (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1972,Tid=432,}, 0x0, ) == 0x0 01647 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58034, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\264\7\0\0\260\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\264\7\0\0\260\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58035, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\264\7\0\0\260\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\264\7\0\0\260\1\0\0" ) ) == 0x0 01648 928 NtResumeThread (520, ... 1, ) == 0x0 01649 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01650 432 NtWaitForSingleObject (92, 0, 0x0, ... 01649 928 NtAllocateVirtualMemory ... 77332480, 1048576, ) == 0x0 01651 928 NtAllocateVirtualMemory (-1, 78372864, 0, 8192, 4096, 4, ... 78372864, 8192, ) == 0x0 01652 928 NtProtectVirtualMemory (-1, (0x4abe000), 4096, 260, ... (0x4abe000), 4096, 4, ) == 0x0 01653 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {1972, 1332}, ) == 0x0 01654 928 NtQueryInformationThread (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1972,Tid=1332,}, 0x0, ) == 0x0 01655 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58035, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\264\7\0\04\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\264\7\0\04\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58036, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\264\7\0\04\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\264\7\0\04\5\0\0" ) ) == 0x0 01656 928 NtResumeThread (524, ... 
1, ) == 0x0 01657 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78381056, 1048576, ) == 0x0 01658 928 NtAllocateVirtualMemory (-1, 79421440, 0, 8192, 4096, 4, ... 79421440, 8192, ) == 0x0 01659 1332 NtWaitForSingleObject (92, 0, 0x0, ... 01660 928 NtProtectVirtualMemory (-1, (0x4bbe000), 4096, 260, ... (0x4bbe000), 4096, 4, ) == 0x0 01661 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 528, {1972, 1328}, ) == 0x0 01662 928 NtQueryInformationThread (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1972,Tid=1328,}, 0x0, ) == 0x0 01663 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58036, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\264\7\0\00\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\264\7\0\00\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58037, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\264\7\0\00\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\264\7\0\00\5\0\0" ) ) == 0x0 01664 928 NtResumeThread (528, ... 1, ) == 0x0 01665 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01666 1328 NtWaitForSingleObject (92, 0, 0x0, ... 01665 928 NtAllocateVirtualMemory ... 79429632, 1048576, ) == 0x0 01667 928 NtAllocateVirtualMemory (-1, 80470016, 0, 8192, 4096, 4, ... 80470016, 8192, ) == 0x0 01668 928 NtProtectVirtualMemory (-1, (0x4cbe000), 4096, 260, ... (0x4cbe000), 4096, 4, ) == 0x0 01669 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1972, 752}, ) == 0x0 01670 928 NtQueryInformationThread (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1972,Tid=752,}, 0x0, ) == 0x0 01671 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58037, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\264\7\0\0\360\2\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\264\7\0\0\360\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58038, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\264\7\0\0\360\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\264\7\0\0\360\2\0\0" ) ) == 0x0 01672 928 NtResumeThread (532, ... 1, ) == 0x0 01673 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80478208, 1048576, ) == 0x0 01674 928 NtAllocateVirtualMemory (-1, 81518592, 0, 8192, 4096, 4, ... 81518592, 8192, ) == 0x0 01675 752 NtWaitForSingleObject (92, 0, 0x0, ... 01676 928 NtProtectVirtualMemory (-1, (0x4dbe000), 4096, 260, ... (0x4dbe000), 4096, 4, ) == 0x0 01677 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 536, {1972, 120}, ) == 0x0 01678 928 NtQueryInformationThread (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1972,Tid=120,}, 0x0, ) == 0x0 01679 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58038, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\264\7\0\0x\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\264\7\0\0x\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58039, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\264\7\0\0x\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\264\7\0\0x\0\0\0" ) ) == 0x0 01680 928 NtResumeThread (536, ... 1, ) == 0x0 01681 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01682 120 NtWaitForSingleObject (92, 0, 0x0, ... 01681 928 NtAllocateVirtualMemory ... 81526784, 1048576, ) == 0x0 01683 928 NtAllocateVirtualMemory (-1, 82567168, 0, 8192, 4096, 4, ... 82567168, 8192, ) == 0x0 01684 928 NtProtectVirtualMemory (-1, (0x4ebe000), 4096, 260, ... 
(0x4ebe000), 4096, 4, ) == 0x0 01685 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {1972, 1732}, ) == 0x0 01686 928 NtQueryInformationThread (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1972,Tid=1732,}, 0x0, ) == 0x0 01687 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58039, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\264\7\0\0\304\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\264\7\0\0\304\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58040, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\264\7\0\0\304\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\264\7\0\0\304\6\0\0" ) ) == 0x0 01688 928 NtResumeThread (540, ... 1, ) == 0x0 01689 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 82575360, 1048576, ) == 0x0 01690 928 NtAllocateVirtualMemory (-1, 83615744, 0, 8192, 4096, 4, ... 83615744, 8192, ) == 0x0 01691 1732 NtWaitForSingleObject (92, 0, 0x0, ... 01692 928 NtProtectVirtualMemory (-1, (0x4fbe000), 4096, 260, ... (0x4fbe000), 4096, 4, ) == 0x0 01693 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {1972, 188}, ) == 0x0 01694 928 NtQueryInformationThread (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1972,Tid=188,}, 0x0, ) == 0x0 01695 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58040, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\264\7\0\0\274\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\264\7\0\0\274\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58041, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\264\7\0\0\274\0\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\264\7\0\0\274\0\0\0" ) ) == 0x0 01696 928 NtResumeThread (544, ... 1, ) == 0x0 01697 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01698 188 NtWaitForSingleObject (92, 0, 0x0, ... 01697 928 NtAllocateVirtualMemory ... 83623936, 1048576, ) == 0x0 01699 928 NtAllocateVirtualMemory (-1, 84664320, 0, 8192, 4096, 4, ... 84664320, 8192, ) == 0x0 01700 928 NtProtectVirtualMemory (-1, (0x50be000), 4096, 260, ... (0x50be000), 4096, 4, ) == 0x0 01701 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {1972, 1636}, ) == 0x0 01702 928 NtQueryInformationThread (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1972,Tid=1636,}, 0x0, ) == 0x0 01703 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58041, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\264\7\0\0d\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\264\7\0\0d\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58042, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\264\7\0\0d\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\264\7\0\0d\6\0\0" ) ) == 0x0 01704 928 NtResumeThread (548, ... 1, ) == 0x0 01705 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 84672512, 1048576, ) == 0x0 01706 928 NtAllocateVirtualMemory (-1, 85712896, 0, 8192, 4096, 4, ... 85712896, 8192, ) == 0x0 01707 1636 NtWaitForSingleObject (92, 0, 0x0, ... 01708 928 NtProtectVirtualMemory (-1, (0x51be000), 4096, 260, ... (0x51be000), 4096, 4, ) == 0x0 01709 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {1972, 624}, ) == 0x0 01710 928 NtQueryInformationThread (552, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1972,Tid=624,}, 0x0, ) == 0x0 01711 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58042, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\264\7\0\0p\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\264\7\0\0p\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58043, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\264\7\0\0p\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\264\7\0\0p\2\0\0" ) ) == 0x0 01712 928 NtResumeThread (552, ... 1, ) == 0x0 01713 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01714 624 NtWaitForSingleObject (92, 0, 0x0, ... 01713 928 NtAllocateVirtualMemory ... 85721088, 1048576, ) == 0x0 01715 928 NtAllocateVirtualMemory (-1, 86761472, 0, 8192, 4096, 4, ... 86761472, 8192, ) == 0x0 01716 928 NtProtectVirtualMemory (-1, (0x52be000), 4096, 260, ... (0x52be000), 4096, 4, ) == 0x0 01717 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {1972, 1948}, ) == 0x0 01718 928 NtQueryInformationThread (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1972,Tid=1948,}, 0x0, ) == 0x0 01719 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58043, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\264\7\0\0\234\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\264\7\0\0\234\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58044, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\264\7\0\0\234\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\264\7\0\0\234\7\0\0" ) ) == 0x0 01720 928 NtResumeThread (556, ... 1, ) == 0x0 01721 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
86769664, 1048576, ) == 0x0 01722 928 NtAllocateVirtualMemory (-1, 87810048, 0, 8192, 4096, 4, ... 87810048, 8192, ) == 0x0 01723 1948 NtWaitForSingleObject (92, 0, 0x0, ... 01724 928 NtProtectVirtualMemory (-1, (0x53be000), 4096, 260, ... (0x53be000), 4096, 4, ) == 0x0 01725 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 560, {1972, 988}, ) == 0x0 01726 928 NtQueryInformationThread (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1972,Tid=988,}, 0x0, ) == 0x0 01727 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58044, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\264\7\0\0\334\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\264\7\0\0\334\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58045, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\264\7\0\0\334\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\264\7\0\0\334\3\0\0" ) ) == 0x0 01728 928 NtResumeThread (560, ... 1, ) == 0x0 01729 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01730 988 NtWaitForSingleObject (92, 0, 0x0, ... 01729 928 NtAllocateVirtualMemory ... 87818240, 1048576, ) == 0x0 01731 928 NtAllocateVirtualMemory (-1, 88858624, 0, 8192, 4096, 4, ... 88858624, 8192, ) == 0x0 01732 928 NtProtectVirtualMemory (-1, (0x54be000), 4096, 260, ... (0x54be000), 4096, 4, ) == 0x0 01733 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 564, {1972, 468}, ) == 0x0 01734 928 NtQueryInformationThread (564, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1972,Tid=468,}, 0x0, ) == 0x0 01735 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58045, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\264\7\0\0\324\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\264\7\0\0\324\1\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 58046, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\264\7\0\0\324\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\264\7\0\0\324\1\0\0" ) ) == 0x0 01736 928 NtResumeThread (564, ... 1, ) == 0x0 01737 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 88866816, 1048576, ) == 0x0 01738 928 NtAllocateVirtualMemory (-1, 89907200, 0, 8192, 4096, 4, ... 89907200, 8192, ) == 0x0 01739 468 NtWaitForSingleObject (92, 0, 0x0, ... 01740 928 NtProtectVirtualMemory (-1, (0x55be000), 4096, 260, ... (0x55be000), 4096, 4, ) == 0x0 01741 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1972, 380}, ) == 0x0 01742 928 NtQueryInformationThread (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1972,Tid=380,}, 0x0, ) == 0x0 01743 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58046, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\264\7\0\0|\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\264\7\0\0|\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58047, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\264\7\0\0|\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\264\7\0\0|\1\0\0" ) ) == 0x0 01744 928 NtResumeThread (568, ... 1, ) == 0x0 01745 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01746 380 NtWaitForSingleObject (92, 0, 0x0, ... 01745 928 NtAllocateVirtualMemory ... 89915392, 1048576, ) == 0x0 01747 928 NtAllocateVirtualMemory (-1, 90955776, 0, 8192, 4096, 4, ... 90955776, 8192, ) == 0x0 01748 928 NtProtectVirtualMemory (-1, (0x56be000), 4096, 260, ... (0x56be000), 4096, 4, ) == 0x0 01749 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 572, {1972, 1692}, ) == 0x0 01750 928 NtQueryInformationThread (572, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1972,Tid=1692,}, 0x0, ) == 0x0 01751 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58047, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\264\7\0\0\234\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\264\7\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58048, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\264\7\0\0\234\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\264\7\0\0\234\6\0\0" ) ) == 0x0 01752 928 NtResumeThread (572, ... 1, ) == 0x0 01753 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 90963968, 1048576, ) == 0x0 01754 928 NtAllocateVirtualMemory (-1, 92004352, 0, 8192, 4096, 4, ... 92004352, 8192, ) == 0x0 01755 1692 NtWaitForSingleObject (92, 0, 0x0, ... 01756 928 NtProtectVirtualMemory (-1, (0x57be000), 4096, 260, ... (0x57be000), 4096, 4, ) == 0x0 01757 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1972, 1792}, ) == 0x0 01758 928 NtQueryInformationThread (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1972,Tid=1792,}, 0x0, ) == 0x0 01759 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58048, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\264\7\0\0\0\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\264\7\0\0\0\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58049, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\264\7\0\0\0\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\264\7\0\0\0\7\0\0" ) ) == 0x0 01760 928 NtResumeThread (576, ... 1, ) == 0x0 01761 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01762 1792 NtWaitForSingleObject (92, 0, 0x0, ... 01761 928 NtAllocateVirtualMemory ... 
92012544, 1048576, ) == 0x0 01763 928 NtAllocateVirtualMemory (-1, 93052928, 0, 8192, 4096, 4, ... 93052928, 8192, ) == 0x0 01764 928 NtProtectVirtualMemory (-1, (0x58be000), 4096, 260, ... (0x58be000), 4096, 4, ) == 0x0 01765 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 580, {1972, 784}, ) == 0x0 01766 928 NtQueryInformationThread (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1972,Tid=784,}, 0x0, ) == 0x0 01767 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58049, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\264\7\0\0\20\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\264\7\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58050, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\264\7\0\0\20\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\264\7\0\0\20\3\0\0" ) ) == 0x0 01768 928 NtResumeThread (580, ... 1, ) == 0x0 01769 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 93061120, 1048576, ) == 0x0 01770 928 NtAllocateVirtualMemory (-1, 94101504, 0, 8192, 4096, 4, ... 94101504, 8192, ) == 0x0 01771 784 NtWaitForSingleObject (92, 0, 0x0, ... 01772 928 NtProtectVirtualMemory (-1, (0x59be000), 4096, 260, ... (0x59be000), 4096, 4, ) == 0x0 01773 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1972, 1520}, ) == 0x0 01774 928 NtQueryInformationThread (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1972,Tid=1520,}, 0x0, ) == 0x0 01775 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58050, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\264\7\0\0\360\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\264\7\0\0\360\5\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 58051, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\264\7\0\0\360\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\264\7\0\0\360\5\0\0" ) ) == 0x0 01776 928 NtResumeThread (584, ... 1, ) == 0x0 01777 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01778 1520 NtWaitForSingleObject (92, 0, 0x0, ... 01777 928 NtAllocateVirtualMemory ... 94109696, 1048576, ) == 0x0 01779 928 NtAllocateVirtualMemory (-1, 95150080, 0, 8192, 4096, 4, ... 95150080, 8192, ) == 0x0 01780 928 NtProtectVirtualMemory (-1, (0x5abe000), 4096, 260, ... (0x5abe000), 4096, 4, ) == 0x0 01781 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1972, 1696}, ) == 0x0 01782 928 NtQueryInformationThread (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1972,Tid=1696,}, 0x0, ) == 0x0 01783 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58051, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\264\7\0\0\240\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\264\7\0\0\240\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58052, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\264\7\0\0\240\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\264\7\0\0\240\6\0\0" ) ) == 0x0 01784 928 NtResumeThread (588, ... 1, ) == 0x0 01785 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01786 1696 NtWaitForSingleObject (92, 0, 0x0, ... 01785 928 NtAllocateVirtualMemory ... 95158272, 1048576, ) == 0x0 01787 928 NtAllocateVirtualMemory (-1, 96198656, 0, 8192, 4096, 4, ... 96198656, 8192, ) == 0x0 01788 928 NtProtectVirtualMemory (-1, (0x5bbe000), 4096, 260, ... (0x5bbe000), 4096, 4, ) == 0x0 01789 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
592, {1972, 1744}, ) == 0x0 01790 928 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1972,Tid=1744,}, 0x0, ) == 0x0 01791 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58052, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\264\7\0\0\320\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\264\7\0\0\320\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58053, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\264\7\0\0\320\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\264\7\0\0\320\6\0\0" ) ) == 0x0 01792 928 NtResumeThread (592, ... 1, ) == 0x0 01793 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96206848, 1048576, ) == 0x0 01794 928 NtAllocateVirtualMemory (-1, 97247232, 0, 8192, 4096, 4, ... 97247232, 8192, ) == 0x0 01795 1744 NtWaitForSingleObject (92, 0, 0x0, ... 01796 928 NtProtectVirtualMemory (-1, (0x5cbe000), 4096, 260, ... (0x5cbe000), 4096, 4, ) == 0x0 01797 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1972, 1124}, ) == 0x0 01798 928 NtQueryInformationThread (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1972,Tid=1124,}, 0x0, ) == 0x0 01799 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58053, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\264\7\0\0d\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\264\7\0\0d\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58054, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\264\7\0\0d\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\264\7\0\0d\4\0\0" ) ) == 0x0 01800 928 NtResumeThread (596, ... 1, ) == 0x0 01801 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01802 1124 NtWaitForSingleObject (92, 0, 0x0, ... 01801 928 NtAllocateVirtualMemory ... 97255424, 1048576, ) == 0x0 01803 928 NtAllocateVirtualMemory (-1, 98295808, 0, 8192, 4096, 4, ... 98295808, 8192, ) == 0x0 01804 928 NtProtectVirtualMemory (-1, (0x5dbe000), 4096, 260, ... (0x5dbe000), 4096, 4, ) == 0x0 01805 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1972, 1496}, ) == 0x0 01806 928 NtQueryInformationThread (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1972,Tid=1496,}, 0x0, ) == 0x0 01807 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58054, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\264\7\0\0\330\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\264\7\0\0\330\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58055, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\264\7\0\0\330\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\264\7\0\0\330\5\0\0" ) ) == 0x0 01808 928 NtResumeThread (600, ... 1, ) == 0x0 01809 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 98304000, 1048576, ) == 0x0 01810 928 NtAllocateVirtualMemory (-1, 99344384, 0, 8192, 4096, 4, ... 99344384, 8192, ) == 0x0 01811 1496 NtWaitForSingleObject (92, 0, 0x0, ... 01812 928 NtProtectVirtualMemory (-1, (0x5ebe000), 4096, 260, ... (0x5ebe000), 4096, 4, ) == 0x0 01813 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1972, 168}, ) == 0x0 01814 928 NtQueryInformationThread (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1972,Tid=168,}, 0x0, ) == 0x0 01815 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58055, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\264\7\0\0\250\0\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\264\7\0\0\250\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58056, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\264\7\0\0\250\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\264\7\0\0\250\0\0\0" ) ) == 0x0 01816 928 NtResumeThread (604, ... 1, ) == 0x0 01817 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01818 168 NtWaitForSingleObject (92, 0, 0x0, ... 01817 928 NtAllocateVirtualMemory ... 99352576, 1048576, ) == 0x0 01819 928 NtAllocateVirtualMemory (-1, 100392960, 0, 8192, 4096, 4, ... 100392960, 8192, ) == 0x0 01820 928 NtProtectVirtualMemory (-1, (0x5fbe000), 4096, 260, ... (0x5fbe000), 4096, 4, ) == 0x0 01821 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1972, 1284}, ) == 0x0 01822 928 NtQueryInformationThread (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1972,Tid=1284,}, 0x0, ) == 0x0 01823 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58056, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\264\7\0\0\4\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\264\7\0\0\4\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58057, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\264\7\0\0\4\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\264\7\0\0\4\5\0\0" ) ) == 0x0 01824 928 NtResumeThread (608, ... 1, ) == 0x0 01825 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 100401152, 1048576, ) == 0x0 01826 928 NtAllocateVirtualMemory (-1, 101441536, 0, 8192, 4096, 4, ... 101441536, 8192, ) == 0x0 01827 1284 NtWaitForSingleObject (92, 0, 0x0, ... 01828 928 NtProtectVirtualMemory (-1, (0x60be000), 4096, 260, ... 
(0x60be000), 4096, 4, ) == 0x0 01829 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1972, 1268}, ) == 0x0 01830 928 NtQueryInformationThread (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1972,Tid=1268,}, 0x0, ) == 0x0 01831 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58057, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\264\7\0\0\364\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\264\7\0\0\364\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58058, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\264\7\0\0\364\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\264\7\0\0\364\4\0\0" ) ) == 0x0 01832 928 NtResumeThread (612, ... 1, ) == 0x0 01833 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01834 1268 NtWaitForSingleObject (92, 0, 0x0, ... 01833 928 NtAllocateVirtualMemory ... 101449728, 1048576, ) == 0x0 01835 928 NtAllocateVirtualMemory (-1, 102490112, 0, 8192, 4096, 4, ... 102490112, 8192, ) == 0x0 01836 928 NtProtectVirtualMemory (-1, (0x61be000), 4096, 260, ... (0x61be000), 4096, 4, ) == 0x0 01837 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1972, 840}, ) == 0x0 01838 928 NtQueryInformationThread (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1972,Tid=840,}, 0x0, ) == 0x0 01839 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58058, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\264\7\0\0H\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\264\7\0\0H\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58059, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\264\7\0\0H\3\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\264\7\0\0H\3\0\0" ) ) == 0x0 01840 928 NtResumeThread (616, ... 1, ) == 0x0 01841 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 102498304, 1048576, ) == 0x0 01842 928 NtAllocateVirtualMemory (-1, 103538688, 0, 8192, 4096, 4, ... 103538688, 8192, ) == 0x0 01843 840 NtWaitForSingleObject (92, 0, 0x0, ... 01844 928 NtProtectVirtualMemory (-1, (0x62be000), 4096, 260, ... (0x62be000), 4096, 4, ) == 0x0 01845 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1972, 1336}, ) == 0x0 01846 928 NtQueryInformationThread (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1972,Tid=1336,}, 0x0, ) == 0x0 01847 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58059, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\264\7\0\08\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\264\7\0\08\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58060, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\264\7\0\08\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\264\7\0\08\5\0\0" ) ) == 0x0 01848 928 NtResumeThread (620, ... 1, ) == 0x0 01849 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01850 1336 NtWaitForSingleObject (92, 0, 0x0, ... 01849 928 NtAllocateVirtualMemory ... 103546880, 1048576, ) == 0x0 01851 928 NtAllocateVirtualMemory (-1, 104587264, 0, 8192, 4096, 4, ... 104587264, 8192, ) == 0x0 01852 928 NtProtectVirtualMemory (-1, (0x63be000), 4096, 260, ... (0x63be000), 4096, 4, ) == 0x0 01853 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1972, 1200}, ) == 0x0 01854 928 NtQueryInformationThread (624, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1972,Tid=1200,}, 0x0, ) == 0x0 01855 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58060, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\264\7\0\0\260\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\264\7\0\0\260\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58061, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\264\7\0\0\260\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\264\7\0\0\260\4\0\0" ) ) == 0x0 01856 928 NtResumeThread (624, ... 1, ) == 0x0 01857 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 104595456, 1048576, ) == 0x0 01858 928 NtAllocateVirtualMemory (-1, 105635840, 0, 8192, 4096, 4, ... 105635840, 8192, ) == 0x0 01859 1200 NtWaitForSingleObject (92, 0, 0x0, ... 01860 928 NtProtectVirtualMemory (-1, (0x64be000), 4096, 260, ... (0x64be000), 4096, 4, ) == 0x0 01861 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1972, 1920}, ) == 0x0 01862 928 NtQueryInformationThread (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1972,Tid=1920,}, 0x0, ) == 0x0 01863 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58061, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\264\7\0\0\200\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\264\7\0\0\200\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58062, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\264\7\0\0\200\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\264\7\0\0\200\7\0\0" ) ) == 0x0 01864 928 NtResumeThread (628, ... 1, ) == 0x0 01865 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01866 1920 NtWaitForSingleObject (92, 0, 0x0, ... 
01865 928 NtAllocateVirtualMemory ... 105644032, 1048576, ) == 0x0 01867 928 NtAllocateVirtualMemory (-1, 106684416, 0, 8192, 4096, 4, ... 106684416, 8192, ) == 0x0 01868 928 NtProtectVirtualMemory (-1, (0x65be000), 4096, 260, ... (0x65be000), 4096, 4, ) == 0x0 01869 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1972, 896}, ) == 0x0 01870 928 NtQueryInformationThread (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1972,Tid=896,}, 0x0, ) == 0x0 01871 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58062, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\264\7\0\0\200\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\264\7\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58063, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\264\7\0\0\200\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\264\7\0\0\200\3\0\0" ) ) == 0x0 01872 928 NtResumeThread (632, ... 1, ) == 0x0 01873 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 106692608, 1048576, ) == 0x0 01874 928 NtAllocateVirtualMemory (-1, 107732992, 0, 8192, 4096, 4, ... 107732992, 8192, ) == 0x0 01875 896 NtWaitForSingleObject (92, 0, 0x0, ... 01876 928 NtProtectVirtualMemory (-1, (0x66be000), 4096, 260, ... (0x66be000), 4096, 4, ) == 0x0 01877 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1972, 2016}, ) == 0x0 01878 928 NtQueryInformationThread (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1972,Tid=2016,}, 0x0, ) == 0x0 01879 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58063, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\264\7\0\0\340\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\264\7\0\0\340\7\0\0" ) ... 
{28, 56, reply, 0, 1972, 928, 58064, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\264\7\0\0\340\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\264\7\0\0\340\7\0\0" ) ) == 0x0 01880 928 NtResumeThread (636, ... 1, ) == 0x0 01881 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01882 2016 NtWaitForSingleObject (92, 0, 0x0, ... 01881 928 NtAllocateVirtualMemory ... 107741184, 1048576, ) == 0x0 01883 928 NtAllocateVirtualMemory (-1, 108781568, 0, 8192, 4096, 4, ... 108781568, 8192, ) == 0x0 01884 928 NtProtectVirtualMemory (-1, (0x67be000), 4096, 260, ... (0x67be000), 4096, 4, ) == 0x0 01885 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1972, 2012}, ) == 0x0 01886 928 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1972,Tid=2012,}, 0x0, ) == 0x0 01887 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58064, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\264\7\0\0\334\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\264\7\0\0\334\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58065, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\264\7\0\0\334\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\264\7\0\0\334\7\0\0" ) ) == 0x0 01888 928 NtResumeThread (640, ... 1, ) == 0x0 01889 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 108789760, 1048576, ) == 0x0 01890 928 NtAllocateVirtualMemory (-1, 109830144, 0, 8192, 4096, 4, ... 109830144, 8192, ) == 0x0 01891 2012 NtWaitForSingleObject (92, 0, 0x0, ... 01892 928 NtProtectVirtualMemory (-1, (0x68be000), 4096, 260, ... (0x68be000), 4096, 4, ) == 0x0 01893 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
644, {1972, 1604}, ) == 0x0 01894 928 NtQueryInformationThread (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1972,Tid=1604,}, 0x0, ) == 0x0 01895 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58065, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\264\7\0\0D\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\264\7\0\0D\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58066, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\264\7\0\0D\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\264\7\0\0D\6\0\0" ) ) == 0x0 01896 928 NtResumeThread (644, ... 1, ) == 0x0 01897 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01898 1604 NtWaitForSingleObject (92, 0, 0x0, ... 01897 928 NtAllocateVirtualMemory ... 109838336, 1048576, ) == 0x0 01899 928 NtAllocateVirtualMemory (-1, 110878720, 0, 8192, 4096, 4, ... 110878720, 8192, ) == 0x0 01900 928 NtProtectVirtualMemory (-1, (0x69be000), 4096, 260, ... (0x69be000), 4096, 4, ) == 0x0 01901 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1972, 1572}, ) == 0x0 01902 928 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1972,Tid=1572,}, 0x0, ) == 0x0 01903 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58066, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\264\7\0\0$\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\264\7\0\0$\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58067, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\264\7\0\0$\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\264\7\0\0$\6\0\0" ) ) == 0x0 01904 928 NtResumeThread (648, ... 
1, ) == 0x0 01905 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 110886912, 1048576, ) == 0x0 01906 928 NtAllocateVirtualMemory (-1, 111927296, 0, 8192, 4096, 4, ... 111927296, 8192, ) == 0x0 01907 1572 NtWaitForSingleObject (92, 0, 0x0, ... 01908 928 NtProtectVirtualMemory (-1, (0x6abe000), 4096, 260, ... (0x6abe000), 4096, 4, ) == 0x0 01909 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1972, 596}, ) == 0x0 01910 928 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1972,Tid=596,}, 0x0, ) == 0x0 01911 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58067, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\264\7\0\0T\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\264\7\0\0T\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58068, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\264\7\0\0T\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\264\7\0\0T\2\0\0" ) ) == 0x0 01912 928 NtResumeThread (652, ... 1, ) == 0x0 01913 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01914 596 NtWaitForSingleObject (92, 0, 0x0, ... 01913 928 NtAllocateVirtualMemory ... 111935488, 1048576, ) == 0x0 01915 928 NtAllocateVirtualMemory (-1, 112975872, 0, 8192, 4096, 4, ... 112975872, 8192, ) == 0x0 01916 928 NtProtectVirtualMemory (-1, (0x6bbe000), 4096, 260, ... (0x6bbe000), 4096, 4, ) == 0x0 01917 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1972, 376}, ) == 0x0 01918 928 NtQueryInformationThread (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1972,Tid=376,}, 0x0, ) == 0x0 01919 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58068, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\264\7\0\0x\1\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\264\7\0\0x\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58069, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\264\7\0\0x\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\264\7\0\0x\1\0\0" ) ) == 0x0 01920 928 NtResumeThread (656, ... 1, ) == 0x0 01921 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 112984064, 1048576, ) == 0x0 01922 928 NtAllocateVirtualMemory (-1, 114024448, 0, 8192, 4096, 4, ... 114024448, 8192, ) == 0x0 01923 376 NtWaitForSingleObject (92, 0, 0x0, ... 01924 928 NtProtectVirtualMemory (-1, (0x6cbe000), 4096, 260, ... (0x6cbe000), 4096, 4, ) == 0x0 01925 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1972, 1168}, ) == 0x0 01926 928 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1972,Tid=1168,}, 0x0, ) == 0x0 01927 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58069, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\264\7\0\0\220\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\264\7\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58070, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\264\7\0\0\220\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\264\7\0\0\220\4\0\0" ) ) == 0x0 01928 928 NtResumeThread (660, ... 1, ) == 0x0 01929 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01930 1168 NtWaitForSingleObject (92, 0, 0x0, ... 01929 928 NtAllocateVirtualMemory ... 114032640, 1048576, ) == 0x0 01931 928 NtAllocateVirtualMemory (-1, 115073024, 0, 8192, 4096, 4, ... 115073024, 8192, ) == 0x0 01932 928 NtProtectVirtualMemory (-1, (0x6dbe000), 4096, 260, ... 
(0x6dbe000), 4096, 4, ) == 0x0 01933 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1972, 428}, ) == 0x0 01934 928 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1972,Tid=428,}, 0x0, ) == 0x0 01935 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58070, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\264\7\0\0\254\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\264\7\0\0\254\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58071, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\264\7\0\0\254\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\264\7\0\0\254\1\0\0" ) ) == 0x0 01936 928 NtResumeThread (664, ... 1, ) == 0x0 01937 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 115081216, 1048576, ) == 0x0 01938 928 NtAllocateVirtualMemory (-1, 116121600, 0, 8192, 4096, 4, ... 116121600, 8192, ) == 0x0 01939 428 NtWaitForSingleObject (92, 0, 0x0, ... 01940 928 NtProtectVirtualMemory (-1, (0x6ebe000), 4096, 260, ... (0x6ebe000), 4096, 4, ) == 0x0 01941 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1972, 1344}, ) == 0x0 01942 928 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1972,Tid=1344,}, 0x0, ) == 0x0 01943 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58071, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\264\7\0\0@\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\264\7\0\0@\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58072, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\264\7\0\0@\5\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\264\7\0\0@\5\0\0" ) ) == 0x0 01944 928 NtResumeThread (668, ... 1, ) == 0x0 01945 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01946 1344 NtWaitForSingleObject (92, 0, 0x0, ... 01945 928 NtAllocateVirtualMemory ... 116129792, 1048576, ) == 0x0 01947 928 NtAllocateVirtualMemory (-1, 117170176, 0, 8192, 4096, 4, ... 117170176, 8192, ) == 0x0 01948 928 NtProtectVirtualMemory (-1, (0x6fbe000), 4096, 260, ... (0x6fbe000), 4096, 4, ) == 0x0 01949 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1972, 1300}, ) == 0x0 01950 928 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1972,Tid=1300,}, 0x0, ) == 0x0 01951 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58072, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\264\7\0\0\24\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\264\7\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58073, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\264\7\0\0\24\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\264\7\0\0\24\5\0\0" ) ) == 0x0 01952 928 NtResumeThread (672, ... 1, ) == 0x0 01953 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 117178368, 1048576, ) == 0x0 01954 928 NtAllocateVirtualMemory (-1, 118218752, 0, 8192, 4096, 4, ... 118218752, 8192, ) == 0x0 01955 1300 NtWaitForSingleObject (92, 0, 0x0, ... 01956 928 NtProtectVirtualMemory (-1, (0x70be000), 4096, 260, ... (0x70be000), 4096, 4, ) == 0x0 01957 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1972, 1096}, ) == 0x0 01958 928 NtQueryInformationThread (676, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1972,Tid=1096,}, 0x0, ) == 0x0 01959 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58073, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\264\7\0\0H\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\264\7\0\0H\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58074, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\264\7\0\0H\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\264\7\0\0H\4\0\0" ) ) == 0x0 01960 928 NtResumeThread (676, ... 1, ) == 0x0 01961 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01962 1096 NtWaitForSingleObject (92, 0, 0x0, ... 01961 928 NtAllocateVirtualMemory ... 118226944, 1048576, ) == 0x0 01963 928 NtAllocateVirtualMemory (-1, 119267328, 0, 8192, 4096, 4, ... 119267328, 8192, ) == 0x0 01964 928 NtProtectVirtualMemory (-1, (0x71be000), 4096, 260, ... (0x71be000), 4096, 4, ) == 0x0 01965 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1972, 252}, ) == 0x0 01966 928 NtQueryInformationThread (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1972,Tid=252,}, 0x0, ) == 0x0 01967 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58074, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\264\7\0\0\374\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\264\7\0\0\374\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58075, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\264\7\0\0\374\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\264\7\0\0\374\0\0\0" ) ) == 0x0 01968 928 NtResumeThread (680, ... 1, ) == 0x0 01969 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
119275520, 1048576, ) == 0x0 01970 928 NtAllocateVirtualMemory (-1, 120315904, 0, 8192, 4096, 4, ... 120315904, 8192, ) == 0x0 01971 252 NtWaitForSingleObject (92, 0, 0x0, ... 01972 928 NtProtectVirtualMemory (-1, (0x72be000), 4096, 260, ... (0x72be000), 4096, 4, ) == 0x0 01973 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1972, 500}, ) == 0x0 01974 928 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1972,Tid=500,}, 0x0, ) == 0x0 01975 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58075, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\264\7\0\0\364\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\264\7\0\0\364\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58076, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\264\7\0\0\364\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\264\7\0\0\364\1\0\0" ) ) == 0x0 01976 928 NtResumeThread (684, ... 1, ) == 0x0 01977 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01978 500 NtWaitForSingleObject (92, 0, 0x0, ... 01977 928 NtAllocateVirtualMemory ... 120324096, 1048576, ) == 0x0 01979 928 NtAllocateVirtualMemory (-1, 121364480, 0, 8192, 4096, 4, ... 121364480, 8192, ) == 0x0 01980 928 NtProtectVirtualMemory (-1, (0x73be000), 4096, 260, ... (0x73be000), 4096, 4, ) == 0x0 01981 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1972, 1132}, ) == 0x0 01982 928 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1972,Tid=1132,}, 0x0, ) == 0x0 01983 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58076, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\264\7\0\0l\4\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\264\7\0\0l\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58077, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\264\7\0\0l\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\264\7\0\0l\4\0\0" ) ) == 0x0 01984 928 NtResumeThread (688, ... 1, ) == 0x0 01985 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 121372672, 1048576, ) == 0x0 01986 928 NtAllocateVirtualMemory (-1, 122413056, 0, 8192, 4096, 4, ... 122413056, 8192, ) == 0x0 01987 1132 NtWaitForSingleObject (92, 0, 0x0, ... 01988 928 NtProtectVirtualMemory (-1, (0x74be000), 4096, 260, ... (0x74be000), 4096, 4, ) == 0x0 01989 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1972, 1024}, ) == 0x0 01990 928 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1972,Tid=1024,}, 0x0, ) == 0x0 01991 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58077, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\264\7\0\0\0\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\264\7\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58078, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\264\7\0\0\0\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\264\7\0\0\0\4\0\0" ) ) == 0x0 01992 928 NtResumeThread (692, ... 1, ) == 0x0 01993 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01994 1024 NtWaitForSingleObject (92, 0, 0x0, ... 01993 928 NtAllocateVirtualMemory ... 122421248, 1048576, ) == 0x0 01995 928 NtAllocateVirtualMemory (-1, 123461632, 0, 8192, 4096, 4, ... 123461632, 8192, ) == 0x0 01996 928 NtProtectVirtualMemory (-1, (0x75be000), 4096, 260, ... 
(0x75be000), 4096, 4, ) == 0x0 01997 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1972, 948}, ) == 0x0 01998 928 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1972,Tid=948,}, 0x0, ) == 0x0 01999 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58078, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\264\7\0\0\264\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\264\7\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58079, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\264\7\0\0\264\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\264\7\0\0\264\3\0\0" ) ) == 0x0 02000 928 NtResumeThread (696, ... 1, ) == 0x0 02001 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 123469824, 1048576, ) == 0x0 02002 928 NtAllocateVirtualMemory (-1, 124510208, 0, 8192, 4096, 4, ... 124510208, 8192, ) == 0x0 02003 948 NtWaitForSingleObject (92, 0, 0x0, ... 02004 928 NtProtectVirtualMemory (-1, (0x76be000), 4096, 260, ... (0x76be000), 4096, 4, ) == 0x0 02005 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1972, 1388}, ) == 0x0 02006 928 NtQueryInformationThread (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1972,Tid=1388,}, 0x0, ) == 0x0 02007 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58079, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\264\7\0\0l\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\264\7\0\0l\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58080, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\264\7\0\0l\5\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\264\7\0\0l\5\0\0" ) ) == 0x0 02008 928 NtResumeThread (700, ... 1, ) == 0x0 02009 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02010 1388 NtWaitForSingleObject (92, 0, 0x0, ... 02009 928 NtAllocateVirtualMemory ... 124518400, 1048576, ) == 0x0 02011 928 NtAllocateVirtualMemory (-1, 125558784, 0, 8192, 4096, 4, ... 125558784, 8192, ) == 0x0 02012 928 NtProtectVirtualMemory (-1, (0x77be000), 4096, 260, ... (0x77be000), 4096, 4, ) == 0x0 02013 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1972, 520}, ) == 0x0 02014 928 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1972,Tid=520,}, 0x0, ) == 0x0 02015 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58080, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\264\7\0\0\10\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\264\7\0\0\10\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58081, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\264\7\0\0\10\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\264\7\0\0\10\2\0\0" ) ) == 0x0 02016 928 NtResumeThread (704, ... 1, ) == 0x0 02017 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 125566976, 1048576, ) == 0x0 02018 928 NtAllocateVirtualMemory (-1, 126607360, 0, 8192, 4096, 4, ... 126607360, 8192, ) == 0x0 02019 520 NtWaitForSingleObject (92, 0, 0x0, ... 02020 928 NtProtectVirtualMemory (-1, (0x78be000), 4096, 260, ... (0x78be000), 4096, 4, ) == 0x0 02021 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1972, 276}, ) == 0x0 02022 928 NtQueryInformationThread (708, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1972,Tid=276,}, 0x0, ) == 0x0 02023 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58081, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\264\7\0\0\24\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\264\7\0\0\24\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58082, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\264\7\0\0\24\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\264\7\0\0\24\1\0\0" ) ) == 0x0 02024 928 NtResumeThread (708, ... 1, ) == 0x0 02025 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02026 276 NtWaitForSingleObject (92, 0, 0x0, ... 02025 928 NtAllocateVirtualMemory ... 126615552, 1048576, ) == 0x0 02027 928 NtAllocateVirtualMemory (-1, 127655936, 0, 8192, 4096, 4, ... 127655936, 8192, ) == 0x0 02028 928 NtProtectVirtualMemory (-1, (0x79be000), 4096, 260, ... (0x79be000), 4096, 4, ) == 0x0 02029 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1972, 996}, ) == 0x0 02030 928 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1972,Tid=996,}, 0x0, ) == 0x0 02031 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58082, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\264\7\0\0\344\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\264\7\0\0\344\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58083, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\264\7\0\0\344\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\264\7\0\0\344\3\0\0" ) ) == 0x0 02032 928 NtResumeThread (712, ... 1, ) == 0x0 02033 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
127664128, 1048576, ) == 0x0 02034 928 NtAllocateVirtualMemory (-1, 128704512, 0, 8192, 4096, 4, ... 128704512, 8192, ) == 0x0 02035 996 NtWaitForSingleObject (92, 0, 0x0, ... 02036 928 NtProtectVirtualMemory (-1, (0x7abe000), 4096, 260, ... (0x7abe000), 4096, 4, ) == 0x0 02037 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1972, 1064}, ) == 0x0 02038 928 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1972,Tid=1064,}, 0x0, ) == 0x0 02039 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58083, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\264\7\0\0(\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\264\7\0\0(\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58084, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\264\7\0\0(\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\264\7\0\0(\4\0\0" ) ) == 0x0 02040 928 NtResumeThread (716, ... 1, ) == 0x0 02041 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02042 1064 NtWaitForSingleObject (92, 0, 0x0, ... 02041 928 NtAllocateVirtualMemory ... 128712704, 1048576, ) == 0x0 02043 928 NtAllocateVirtualMemory (-1, 129753088, 0, 8192, 4096, 4, ... 129753088, 8192, ) == 0x0 02044 928 NtProtectVirtualMemory (-1, (0x7bbe000), 4096, 260, ... (0x7bbe000), 4096, 4, ) == 0x0 02045 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1972, 1600}, ) == 0x0 02046 928 NtQueryInformationThread (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1972,Tid=1600,}, 0x0, ) == 0x0 02047 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58084, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\264\7\0\0@\6\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\264\7\0\0@\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58085, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\264\7\0\0@\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\264\7\0\0@\6\0\0" ) ) == 0x0 02048 928 NtResumeThread (720, ... 1, ) == 0x0 02049 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 129761280, 1048576, ) == 0x0 02050 928 NtAllocateVirtualMemory (-1, 130801664, 0, 8192, 4096, 4, ... 130801664, 8192, ) == 0x0 02051 1600 NtWaitForSingleObject (92, 0, 0x0, ... 02052 928 NtProtectVirtualMemory (-1, (0x7cbe000), 4096, 260, ... (0x7cbe000), 4096, 4, ) == 0x0 02053 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1972, 1372}, ) == 0x0 02054 928 NtQueryInformationThread (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1972,Tid=1372,}, 0x0, ) == 0x0 02055 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58085, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\264\7\0\0\\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\264\7\0\0\\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58086, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\264\7\0\0\\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\264\7\0\0\\5\0\0" ) ) == 0x0 02056 928 NtResumeThread (724, ... 1, ) == 0x0 02057 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02058 1372 NtWaitForSingleObject (92, 0, 0x0, ... 02057 928 NtAllocateVirtualMemory ... 130809856, 1048576, ) == 0x0 02059 928 NtAllocateVirtualMemory (-1, 131850240, 0, 8192, 4096, 4, ... 131850240, 8192, ) == 0x0 02060 928 NtProtectVirtualMemory (-1, (0x7dbe000), 4096, 260, ... 
(0x7dbe000), 4096, 4, ) == 0x0 02061 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1972, 2040}, ) == 0x0 02062 928 NtQueryInformationThread (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1972,Tid=2040,}, 0x0, ) == 0x0 02063 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58086, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\264\7\0\0\370\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\264\7\0\0\370\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58087, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\264\7\0\0\370\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\264\7\0\0\370\7\0\0" ) ) == 0x0 02064 928 NtResumeThread (728, ... 1, ) == 0x0 02065 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 131858432, 1048576, ) == 0x0 02066 928 NtAllocateVirtualMemory (-1, 132898816, 0, 8192, 4096, 4, ... 132898816, 8192, ) == 0x0 02067 2040 NtWaitForSingleObject (92, 0, 0x0, ... 02068 928 NtProtectVirtualMemory (-1, (0x7ebe000), 4096, 260, ... (0x7ebe000), 4096, 4, ) == 0x0 02069 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1972, 216}, ) == 0x0 02070 928 NtQueryInformationThread (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1972,Tid=216,}, 0x0, ) == 0x0 02071 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58087, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\264\7\0\0\330\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\264\7\0\0\330\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58088, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\264\7\0\0\330\0\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\264\7\0\0\330\0\0\0" ) ) == 0x0 02072 928 NtResumeThread (732, ... 1, ) == 0x0 02073 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02074 216 NtWaitForSingleObject (92, 0, 0x0, ... 02073 928 NtAllocateVirtualMemory ... 132907008, 1048576, ) == 0x0 02075 928 NtAllocateVirtualMemory (-1, 133947392, 0, 8192, 4096, 4, ... 133947392, 8192, ) == 0x0 02076 928 NtProtectVirtualMemory (-1, (0x7fbe000), 4096, 260, ... (0x7fbe000), 4096, 4, ) == 0x0 02077 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1972, 152}, ) == 0x0 02078 928 NtQueryInformationThread (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1972,Tid=152,}, 0x0, ) == 0x0 02079 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58088, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\264\7\0\0\230\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\264\7\0\0\230\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58089, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\264\7\0\0\230\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\264\7\0\0\230\0\0\0" ) ) == 0x0 02080 928 NtResumeThread (736, ... 1, ) == 0x0 02081 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 133955584, 1048576, ) == 0x0 02082 928 NtAllocateVirtualMemory (-1, 134995968, 0, 8192, 4096, 4, ... 134995968, 8192, ) == 0x0 02083 152 NtWaitForSingleObject (92, 0, 0x0, ... 02084 928 NtProtectVirtualMemory (-1, (0x80be000), 4096, 260, ... (0x80be000), 4096, 4, ) == 0x0 02085 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1972, 900}, ) == 0x0 02086 928 NtQueryInformationThread (740, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1972,Tid=900,}, 0x0, ) == 0x0 02087 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58089, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\264\7\0\0\204\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\264\7\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58090, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\264\7\0\0\204\3\0\0" ... {28, 56, reply, 0, 1972, 928, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\264\7\0\0\204\3\0\0" ) ) == 0x0 02088 928 NtResumeThread (740, ... 1, ) == 0x0 02089 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02090 900 NtWaitForSingleObject (92, 0, 0x0, ... 02089 928 NtAllocateVirtualMemory ... 135004160, 1048576, ) == 0x0 02091 928 NtAllocateVirtualMemory (-1, 136044544, 0, 8192, 4096, 4, ... 136044544, 8192, ) == 0x0 02092 928 NtProtectVirtualMemory (-1, (0x81be000), 4096, 260, ... (0x81be000), 4096, 4, ) == 0x0 02093 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1972, 1272}, ) == 0x0 02094 928 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1972,Tid=1272,}, 0x0, ) == 0x0 02095 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58090, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\264\7\0\0\370\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\264\7\0\0\370\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58091, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\264\7\0\0\370\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\264\7\0\0\370\4\0\0" ) ) == 0x0 02096 928 NtResumeThread (744, ... 1, ) == 0x0 02097 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
136052736, 1048576, ) == 0x0 02098 928 NtAllocateVirtualMemory (-1, 137093120, 0, 8192, 4096, 4, ... 137093120, 8192, ) == 0x0 02099 1272 NtWaitForSingleObject (92, 0, 0x0, ... 02100 928 NtProtectVirtualMemory (-1, (0x82be000), 4096, 260, ... (0x82be000), 4096, 4, ) == 0x0 02101 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1972, 1240}, ) == 0x0 02102 928 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1972,Tid=1240,}, 0x0, ) == 0x0 02103 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58091, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\264\7\0\0\330\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\264\7\0\0\330\4\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58092, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\264\7\0\0\330\4\0\0" ... {28, 56, reply, 0, 1972, 928, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\264\7\0\0\330\4\0\0" ) ) == 0x0 02104 928 NtResumeThread (748, ... 1, ) == 0x0 02105 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02106 1240 NtWaitForSingleObject (92, 0, 0x0, ... 02105 928 NtAllocateVirtualMemory ... 137101312, 1048576, ) == 0x0 02107 928 NtAllocateVirtualMemory (-1, 138141696, 0, 8192, 4096, 4, ... 138141696, 8192, ) == 0x0 02108 928 NtProtectVirtualMemory (-1, (0x83be000), 4096, 260, ... (0x83be000), 4096, 4, ) == 0x0 02109 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1972, 1776}, ) == 0x0 02110 928 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=1972,Tid=1776,}, 0x0, ) == 0x0 02111 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58092, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\264\7\0\0\360\6\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\264\7\0\0\360\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58093, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\264\7\0\0\360\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\264\7\0\0\360\6\0\0" ) ) == 0x0 02112 928 NtResumeThread (752, ... 1, ) == 0x0 02113 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 138149888, 1048576, ) == 0x0 02114 928 NtAllocateVirtualMemory (-1, 139190272, 0, 8192, 4096, 4, ... 139190272, 8192, ) == 0x0 02115 1776 NtWaitForSingleObject (92, 0, 0x0, ... 02116 928 NtProtectVirtualMemory (-1, (0x84be000), 4096, 260, ... (0x84be000), 4096, 4, ) == 0x0 02117 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1972, 1324}, ) == 0x0 02118 928 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=1972,Tid=1324,}, 0x0, ) == 0x0 02119 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58093, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\264\7\0\0,\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\264\7\0\0,\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58094, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\264\7\0\0,\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\264\7\0\0,\5\0\0" ) ) == 0x0 02120 928 NtResumeThread (756, ... 1, ) == 0x0 02121 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02122 1324 NtWaitForSingleObject (92, 0, 0x0, ... 02121 928 NtAllocateVirtualMemory ... 139198464, 1048576, ) == 0x0 02123 928 NtAllocateVirtualMemory (-1, 140238848, 0, 8192, 4096, 4, ... 140238848, 8192, ) == 0x0 02124 928 NtProtectVirtualMemory (-1, (0x85be000), 4096, 260, ... 
(0x85be000), 4096, 4, ) == 0x0 02125 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1972, 1884}, ) == 0x0 02126 928 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=1972,Tid=1884,}, 0x0, ) == 0x0 02127 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58094, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\264\7\0\0\\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\264\7\0\0\\7\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58095, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\264\7\0\0\\7\0\0" ... {28, 56, reply, 0, 1972, 928, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\264\7\0\0\\7\0\0" ) ) == 0x0 02128 928 NtResumeThread (760, ... 1, ) == 0x0 02129 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 140247040, 1048576, ) == 0x0 02130 928 NtAllocateVirtualMemory (-1, 141287424, 0, 8192, 4096, 4, ... 141287424, 8192, ) == 0x0 02131 1884 NtWaitForSingleObject (92, 0, 0x0, ... 02132 928 NtProtectVirtualMemory (-1, (0x86be000), 4096, 260, ... (0x86be000), 4096, 4, ) == 0x0 02133 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1972, 248}, ) == 0x0 02134 928 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=1972,Tid=248,}, 0x0, ) == 0x0 02135 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58095, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\264\7\0\0\370\0\0\0" ... {28, 56, reply, 0, 1972, 928, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\264\7\0\0\370\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58096, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\264\7\0\0\370\0\0\0" ... 
{28, 56, reply, 0, 1972, 928, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\264\7\0\0\370\0\0\0" ) ) == 0x0 02136 928 NtResumeThread (764, ... 1, ) == 0x0 02137 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02138 248 NtWaitForSingleObject (92, 0, 0x0, ... 02137 928 NtAllocateVirtualMemory ... 141295616, 1048576, ) == 0x0 02139 928 NtAllocateVirtualMemory (-1, 142336000, 0, 8192, 4096, 4, ... 142336000, 8192, ) == 0x0 02140 928 NtProtectVirtualMemory (-1, (0x87be000), 4096, 260, ... (0x87be000), 4096, 4, ) == 0x0 02141 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1972, 1652}, ) == 0x0 02142 928 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=1972,Tid=1652,}, 0x0, ) == 0x0 02143 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58096, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\264\7\0\0t\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\264\7\0\0t\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58097, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\264\7\0\0t\6\0\0" ... {28, 56, reply, 0, 1972, 928, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\264\7\0\0t\6\0\0" ) ) == 0x0 02144 928 NtResumeThread (768, ... 1, ) == 0x0 02145 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 142344192, 1048576, ) == 0x0 02146 928 NtAllocateVirtualMemory (-1, 143384576, 0, 8192, 4096, 4, ... 143384576, 8192, ) == 0x0 02147 1652 NtWaitForSingleObject (92, 0, 0x0, ... 02148 928 NtProtectVirtualMemory (-1, (0x88be000), 4096, 260, ... (0x88be000), 4096, 4, ) == 0x0 02149 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 772, {1972, 588}, ) == 0x0 02150 928 NtQueryInformationThread (772, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=1972,Tid=588,}, 0x0, ) == 0x0 02151 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58097, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\264\7\0\0L\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\264\7\0\0L\2\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58098, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\264\7\0\0L\2\0\0" ... {28, 56, reply, 0, 1972, 928, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\264\7\0\0L\2\0\0" ) ) == 0x0 02152 928 NtResumeThread (772, ... 1, ) == 0x0 02153 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02154 588 NtWaitForSingleObject (92, 0, 0x0, ... 02153 928 NtAllocateVirtualMemory ... 143392768, 1048576, ) == 0x0 02155 928 NtAllocateVirtualMemory (-1, 144433152, 0, 8192, 4096, 4, ... 144433152, 8192, ) == 0x0 02156 928 NtProtectVirtualMemory (-1, (0x89be000), 4096, 260, ... (0x89be000), 4096, 4, ) == 0x0 02157 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {1972, 440}, ) == 0x0 02158 928 NtQueryInformationThread (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=1972,Tid=440,}, 0x0, ) == 0x0 02159 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58098, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\264\7\0\0\270\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\264\7\0\0\270\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58099, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\264\7\0\0\270\1\0\0" ... {28, 56, reply, 0, 1972, 928, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\264\7\0\0\270\1\0\0" ) ) == 0x0 02160 928 NtResumeThread (776, ... 1, ) == 0x0 02161 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
144441344, 1048576, ) == 0x0 02162 928 NtAllocateVirtualMemory (-1, 145481728, 0, 8192, 4096, 4, ... 145481728, 8192, ) == 0x0 02163 440 NtWaitForSingleObject (92, 0, 0x0, ... 02164 928 NtProtectVirtualMemory (-1, (0x8abe000), 4096, 260, ... (0x8abe000), 4096, 4, ) == 0x0 02165 928 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 780, {1972, 1296}, ) == 0x0 02166 928 NtQueryInformationThread (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=1972,Tid=1296,}, 0x0, ) == 0x0 02167 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1972, 928, 58099, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\264\7\0\0\20\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\264\7\0\0\20\5\0\0" ) ... {28, 56, reply, 0, 1972, 928, 58100, 0} (24, {28, 56, new_msg, 0, 1972, 928, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\264\7\0\0\20\5\0\0" ... {28, 56, reply, 0, 1972, 928, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\264\7\0\0\20\5\0\0" ) ) == 0x0 02168 928 NtResumeThread (780, ... 1, ) == 0x0 02169 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02170 1296 NtWaitForSingleObject (92, 0, 0x0, ... 02169 928 NtCreateEvent ... 784, ) == 0x0 02171 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 788, ) == 0x0 02172 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 792, ) }, ... 792, ) == 0x0 02173 928 NtOpenKey (0x20019, {24, 792, 0x40, 0, 0, (0x20019, {24, 792, 0x40, 0, 0, "ActiveComputerName"}, ... 796, ) }, ... 796, ) == 0x0 02174 928 NtQueryValueKey (796, (796, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (796, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (796, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02175 928 NtClose (796, ... ) == 0x0 02176 928 NtClose (792, ... ) == 0x0 02177 928 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 792, ) == 0x0 02178 928 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 796, ) == 0x0 02179 928 NtDuplicateObject (-1, 792, -1, 0x0, 0, 2, ... 800, ) == 0x0 02180 928 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 02181 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02182 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 804, ) == 0x0 02183 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02184 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02185 928 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243192, (0xc0100080, {24, 0, 0x40, 0, 1243192, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 808, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 808, {status=0x0, info=1}, ) == 0x0 02186 928 NtSetInformationFile (808, 1243248, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02187 928 NtSetInformationFile (808, 1243236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02188 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02189 928 NtWriteFile (808, 785, 0, 0, (808, 785, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02190 928 NtReadFile (808, 785, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (808, 785, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02191 928 NtFsControlFile (808, 785, 0x0, 0x0, 0x11c017, (808, 785, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0x\33", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=76}, (808, 785, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0x\33", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02192 928 NtWaitForSingleObject (785, 0, 0x0, ... 02193 860 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 02194 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... ) == 0x0 02195 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 812, {status=0x0, info=1}, ) }, 5, 96, ... 812, {status=0x0, info=1}, ) == 0x0 02196 860 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 812, ... 816, ) == 0x0 02197 860 NtQuerySection (816, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02198 860 NtClose (812, ... ) == 0x0 02199 860 NtMapViewOfSection (816, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 02200 860 NtClose (816, ... ) == 0x0 02201 860 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 02192 928 NtWaitForSingleObject ... ) == 0x0 02202 928 NtClose (804, ... ) == 0x0 02203 928 NtClose (808, ... 
) == 0x0 02204 860 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 02205 860 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 02206 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02207 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 808, ) == 0x0 02208 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02209 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02210 928 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243188, (0xc0100080, {24, 0, 0x40, 0, 1243188, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 804, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 804, {status=0x0, info=1}, ) == 0x0 02211 928 NtSetInformationFile (804, 1243244, 8, Pipe, ... 02212 860 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02213 860 NtSetEventBoostPriority (92, ... 01408 1864 NtWaitForSingleObject ... ) == 0x0 02214 1864 NtSetEventBoostPriority (92, ... 01415 1524 NtWaitForSingleObject ... ) == 0x0 02215 1524 NtSetEventBoostPriority (92, ... 01418 1756 NtWaitForSingleObject ... ) == 0x0 02216 1756 NtSetEventBoostPriority (92, ... 01427 2044 NtWaitForSingleObject ... ) == 0x0 02217 2044 NtSetEventBoostPriority (92, ... 01434 240 NtWaitForSingleObject ... ) == 0x0 02218 240 NtSetEventBoostPriority (92, ... 01443 968 NtWaitForSingleObject ... ) == 0x0 02219 968 NtSetEventBoostPriority (92, ... 01450 308 NtWaitForSingleObject ... ) == 0x0 02220 308 NtSetEventBoostPriority (92, ... 01459 764 NtWaitForSingleObject ... ) == 0x0 02221 764 NtSetEventBoostPriority (92, ... 01466 2000 NtWaitForSingleObject ... ) == 0x0 02222 2000 NtSetEventBoostPriority (92, ... 01475 1852 NtWaitForSingleObject ... ) == 0x0 02223 1852 NtSetEventBoostPriority (92, ... 01482 1420 NtWaitForSingleObject ... 
) == 0x0 02224 1420 NtSetEventBoostPriority (92, ... 01491 164 NtWaitForSingleObject ... ) == 0x0 02225 164 NtSetEventBoostPriority (92, ... 01498 1564 NtWaitForSingleObject ... ) == 0x0 02226 1564 NtSetEventBoostPriority (92, ... 01507 1592 NtWaitForSingleObject ... ) == 0x0 02227 1592 NtSetEventBoostPriority (92, ... 01514 2032 NtWaitForSingleObject ... ) == 0x0 02228 2032 NtSetEventBoostPriority (92, ... 01523 1500 NtWaitForSingleObject ... ) == 0x0 02229 1500 NtSetEventBoostPriority (92, ... 01530 932 NtWaitForSingleObject ... ) == 0x0 02230 932 NtSetEventBoostPriority (92, ... 01539 1528 NtWaitForSingleObject ... ) == 0x0 02231 1528 NtSetEventBoostPriority (92, ... 01546 1780 NtWaitForSingleObject ... ) == 0x0 02232 1780 NtSetEventBoostPriority (92, ... 01555 1804 NtWaitForSingleObject ... ) == 0x0 02233 1804 NtSetEventBoostPriority (92, ... 01562 1644 NtWaitForSingleObject ... ) == 0x0 02234 1644 NtAllocateVirtualMemory (-1, 8806400, 0, 4096, 4096, 4, ... 8806400, 4096, ) == 0x0 02233 1804 NtSetEventBoostPriority ... ) == 0x0 02232 1780 NtSetEventBoostPriority ... ) == 0x0 02231 1528 NtSetEventBoostPriority ... ) == 0x0 02230 932 NtSetEventBoostPriority ... ) == 0x0 02229 1500 NtSetEventBoostPriority ... ) == 0x0 02228 2032 NtSetEventBoostPriority ... ) == 0x0 02227 1592 NtSetEventBoostPriority ... ) == 0x0 02226 1564 NtSetEventBoostPriority ... ) == 0x0 02225 164 NtSetEventBoostPriority ... ) == 0x0 02224 1420 NtSetEventBoostPriority ... ) == 0x0 02223 1852 NtSetEventBoostPriority ... ) == 0x0 02222 2000 NtSetEventBoostPriority ... ) == 0x0 02221 764 NtSetEventBoostPriority ... ) == 0x0 02220 308 NtSetEventBoostPriority ... ) == 0x0 02219 968 NtSetEventBoostPriority ... ) == 0x0 02218 240 NtSetEventBoostPriority ... ) == 0x0 02217 2044 NtSetEventBoostPriority ... ) == 0x0 02215 1524 NtSetEventBoostPriority ... ) == 0x0 02214 1864 NtSetEventBoostPriority ... ) == 0x0 02213 860 NtSetEventBoostPriority ... ) == 0x0 02216 1756 NtSetEventBoostPriority ... 
) == 0x0 02211 928 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02235 1644 NtSetEventBoostPriority (92, ... 02236 1804 NtTestAlert (... 02237 1780 NtTestAlert (... 02238 1528 NtTestAlert (... 02239 932 NtTestAlert (... 02240 1500 NtTestAlert (... 02241 2032 NtTestAlert (... 02242 1592 NtTestAlert (... 02243 1564 NtTestAlert (... 02244 164 NtTestAlert (... 02245 1420 NtTestAlert (... 02246 1852 NtTestAlert (... 02247 2000 NtTestAlert (... 02248 764 NtTestAlert (... 02249 308 NtTestAlert (... 02250 968 NtTestAlert (... 02251 240 NtTestAlert (... 02252 2044 NtTestAlert (... 02253 1524 NtTestAlert (... 02254 1864 NtTestAlert (... 02255 1756 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02256 928 NtSetInformationFile (804, 1243232, 8, Completion, ... 01571 336 NtWaitForSingleObject ... ) == 0x0 02235 1644 NtSetEventBoostPriority ... ) == 0x0 02236 1804 NtTestAlert ... ) == 0x0 02237 1780 NtTestAlert ... ) == 0x0 02238 1528 NtTestAlert ... ) == 0x0 02239 932 NtTestAlert ... ) == 0x0 02240 1500 NtTestAlert ... ) == 0x0 02241 2032 NtTestAlert ... ) == 0x0 02242 1592 NtTestAlert ... ) == 0x0 02243 1564 NtTestAlert ... ) == 0x0 02244 164 NtTestAlert ... ) == 0x0 02245 1420 NtTestAlert ... ) == 0x0 02246 1852 NtTestAlert ... ) == 0x0 02247 2000 NtTestAlert ... ) == 0x0 02248 764 NtTestAlert ... ) == 0x0 02249 308 NtTestAlert ... ) == 0x0 02250 968 NtTestAlert ... ) == 0x0 02251 240 NtTestAlert ... ) == 0x0 02252 2044 NtTestAlert ... ) == 0x0 02253 1524 NtTestAlert ... ) == 0x0 02254 1864 NtTestAlert ... ) == 0x0 02257 860 NtClose (392, ... 02258 336 NtSetEventBoostPriority (92, ... 02256 928 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02259 1644 NtTestAlert (... 02260 1804 NtContinue (64748848, 1, ... 
02261 1780 NtContinue (63700272, 1, ... 02262 1528 NtContinue (62651696, 1, ... 02263 932 NtContinue (61603120, 1, ... 02264 1500 NtContinue (60554544, 1, ... 02265 2032 NtContinue (59505968, 1, ... 02266 1592 NtContinue (58457392, 1, ... 02267 1564 NtContinue (57408816, 1, ... 02268 164 NtContinue (56360240, 1, ... 02269 1420 NtContinue (55311664, 1, ... 02270 1852 NtContinue (54263088, 1, ... 02271 2000 NtContinue (53214512, 1, ... 02272 764 NtContinue (52165936, 1, ... 02273 308 NtContinue (51117360, 1, ... 02274 968 NtContinue (50068784, 1, ... 02275 240 NtContinue (49020208, 1, ... 02276 2044 NtContinue (47971632, 1, ... 02277 1524 NtContinue (46923056, 1, ... 02278 1864 NtContinue (45874480, 1, ... 01578 800 NtWaitForSingleObject ... ) == 0x0 02258 336 NtSetEventBoostPriority ... ) == 0x0 02257 860 NtClose ... ) == 0x0 02279 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02259 1644 NtTestAlert ... ) == 0x0 02280 1804 NtRegisterThreadTerminatePort (24, ... 02281 1780 NtRegisterThreadTerminatePort (24, ... 02282 1528 NtRegisterThreadTerminatePort (24, ... 02283 932 NtRegisterThreadTerminatePort (24, ... 02284 1500 NtRegisterThreadTerminatePort (24, ... 02285 2032 NtRegisterThreadTerminatePort (24, ... 02286 1592 NtRegisterThreadTerminatePort (24, ... 02287 1564 NtRegisterThreadTerminatePort (24, ... 02288 164 NtRegisterThreadTerminatePort (24, ... 02289 1420 NtRegisterThreadTerminatePort (24, ... 02290 1852 NtRegisterThreadTerminatePort (24, ... 02291 2000 NtRegisterThreadTerminatePort (24, ... 02292 764 NtRegisterThreadTerminatePort (24, ... 02293 308 NtRegisterThreadTerminatePort (24, ... 02294 968 NtRegisterThreadTerminatePort (24, ... 02295 240 NtRegisterThreadTerminatePort (24, ... 02296 2044 NtRegisterThreadTerminatePort (24, ... 02297 1524 NtRegisterThreadTerminatePort (24, ... 02298 800 NtSetEventBoostPriority (92, ... 02299 1864 NtRegisterThreadTerminatePort (24, ... 02255 1756 NtCreateKey ... 
392, 2, ) == 0x0 02300 860 NtWaitForSingleObject (92, 0, 0x0, ... 02279 928 NtSetInformationThread ... ) == 0x0 02301 1644 NtContinue (65797424, 1, ... 02280 1804 NtRegisterThreadTerminatePort ... ) == 0x0 02281 1780 NtRegisterThreadTerminatePort ... ) == 0x0 02282 1528 NtRegisterThreadTerminatePort ... ) == 0x0 02283 932 NtRegisterThreadTerminatePort ... ) == 0x0 02284 1500 NtRegisterThreadTerminatePort ... ) == 0x0 02285 2032 NtRegisterThreadTerminatePort ... ) == 0x0 02286 1592 NtRegisterThreadTerminatePort ... ) == 0x0 02287 1564 NtRegisterThreadTerminatePort ... ) == 0x0 02288 164 NtRegisterThreadTerminatePort ... ) == 0x0 02289 1420 NtRegisterThreadTerminatePort ... ) == 0x0 02290 1852 NtRegisterThreadTerminatePort ... ) == 0x0 02291 2000 NtRegisterThreadTerminatePort ... ) == 0x0 02292 764 NtRegisterThreadTerminatePort ... ) == 0x0 02293 308 NtRegisterThreadTerminatePort ... ) == 0x0 02294 968 NtRegisterThreadTerminatePort ... ) == 0x0 02295 240 NtRegisterThreadTerminatePort ... ) == 0x0 02296 2044 NtRegisterThreadTerminatePort ... ) == 0x0 01587 504 NtWaitForSingleObject ... ) == 0x0 02298 800 NtSetEventBoostPriority ... ) == 0x0 02297 1524 NtRegisterThreadTerminatePort ... ) == 0x0 02299 1864 NtRegisterThreadTerminatePort ... ) == 0x0 02302 1756 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02303 928 NtWriteFile (804, 785, 0, 0, (804, 785, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... 02304 1644 NtRegisterThreadTerminatePort (24, ... 02305 1804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02306 1780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02307 1528 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02308 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02309 1500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02310 2032 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02311 1592 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02312 1564 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02313 164 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02314 1420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02315 1852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02316 2000 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02317 764 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 02318 308 NtWaitForSingleObject (304, 0, 0x0, ... 02319 968 NtWaitForSingleObject (304, 0, 0x0, ... 02320 240 NtWaitForSingleObject (304, 0, 0x0, ... 02321 504 NtSetEventBoostPriority (92, ... 02322 2044 NtWaitForSingleObject (304, 0, 0x0, ... 02323 336 NtTestAlert (... 02324 1524 NtWaitForSingleObject (304, 0, 0x0, ... 02325 1864 NtWaitForSingleObject (304, 0, 0x0, ... 02302 1756 NtOpenKey ... 816, ) == 0x0 02326 800 NtTestAlert (... 02303 928 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 02304 1644 NtRegisterThreadTerminatePort ... ) == 0x0 02305 1804 NtDuplicateObject ... 812, ) == 0x0 02306 1780 NtDuplicateObject ... 820, ) == 0x0 02307 1528 NtDuplicateObject ... 824, ) == 0x0 02308 932 NtDuplicateObject ... 828, ) == 0x0 02309 1500 NtDuplicateObject ... 832, ) == 0x0 02310 2032 NtDuplicateObject ... 836, ) == 0x0 02311 1592 NtDuplicateObject ... 840, ) == 0x0 02312 1564 NtDuplicateObject ... 844, ) == 0x0 02313 164 NtDuplicateObject ... 848, ) == 0x0 02314 1420 NtDuplicateObject ... 852, ) == 0x0 02315 1852 NtDuplicateObject ... 856, ) == 0x0 02316 2000 NtDuplicateObject ... 860, ) == 0x0 02317 764 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01594 888 NtWaitForSingleObject ... ) == 0x0 02321 504 NtSetEventBoostPriority ... ) == 0x0 02323 336 NtTestAlert ... 
) == 0x0 02327 1756 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02326 800 NtTestAlert ... ) == 0x0 02328 928 NtReadFile (804, 785, 0, 0, 1024, {0, 0}, 0, ... 02329 1644 NtWaitForSingleObject (304, 0, 0x0, ... 02330 1804 NtWaitForSingleObject (304, 0, 0x0, ... 02331 1780 NtWaitForSingleObject (304, 0, 0x0, ... 02332 1528 NtWaitForSingleObject (304, 0, 0x0, ... 02333 932 NtWaitForSingleObject (304, 0, 0x0, ... 02334 1500 NtWaitForSingleObject (304, 0, 0x0, ... 02335 2032 NtWaitForSingleObject (304, 0, 0x0, ... 02336 1592 NtWaitForSingleObject (304, 0, 0x0, ... 02337 1564 NtWaitForSingleObject (304, 0, 0x0, ... 02338 164 NtWaitForSingleObject (304, 0, 0x0, ... 02339 1420 NtWaitForSingleObject (304, 0, 0x0, ... 02340 1852 NtWaitForSingleObject (304, 0, 0x0, ... 02341 2000 NtWaitForSingleObject (304, 0, 0x0, ... 02342 888 NtSetEventBoostPriority (92, ... 02343 764 NtSetEventBoostPriority (304, ... 02344 336 NtContinue (66846000, 1, ... 02327 1756 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02345 800 NtContinue (67894576, 1, ... 02328 928 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01603 1392 NtWaitForSingleObject ... ) == 0x0 02342 888 NtSetEventBoostPriority ... ) == 0x0 02318 308 NtWaitForSingleObject ... ) == 0x0 02343 764 NtSetEventBoostPriority ... ) == 0x0 02346 336 NtRegisterThreadTerminatePort (24, ... 02347 1756 NtQueryValueKey (392, (392, "Hostname", Partial, 144, ... , Partial, 144, ... 02348 800 NtRegisterThreadTerminatePort (24, ... 02349 504 NtTestAlert (... 02350 1392 NtSetEventBoostPriority (92, ... 02351 928 NtFsControlFile (804, 785, 0x0, 0x0, 0x11c017, (804, 785, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0x\33", 30, 1024, ... 
, 30, 1024, ... 02352 308 NtSetEventBoostPriority (304, ... 02353 764 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02346 336 NtRegisterThreadTerminatePort ... ) == 0x0 02354 888 NtTestAlert (... 02348 800 NtRegisterThreadTerminatePort ... ) == 0x0 01610 2020 NtWaitForSingleObject ... ) == 0x0 02350 1392 NtSetEventBoostPriority ... ) == 0x0 02349 504 NtTestAlert ... ) == 0x0 02319 968 NtWaitForSingleObject ... ) == 0x0 02351 928 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02353 764 NtDuplicateObject ... 864, ) == 0x0 02355 336 NtWaitForSingleObject (304, 0, 0x0, ... 02354 888 NtTestAlert ... ) == 0x0 02356 2020 NtSetEventBoostPriority (92, ... 02357 800 NtWaitForSingleObject (304, 0, 0x0, ... 02352 308 NtSetEventBoostPriority ... ) == 0x0 02347 1756 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02358 504 NtContinue (68943152, 1, ... 02359 968 NtSetEventBoostPriority (304, ... 02360 928 NtWaitForSingleObject (785, 0, 0x0, ... 02361 764 NtWaitForSingleObject (304, 0, 0x0, ... 02362 1392 NtTestAlert (... 01619 740 NtWaitForSingleObject ... ) == 0x0 02356 2020 NtSetEventBoostPriority ... ) == 0x0 02363 888 NtContinue (69991728, 1, ... 02364 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02365 1756 NtQueryValueKey (392, (392, "Hostname", Partial, 144, ... , Partial, 144, ... 02366 504 NtRegisterThreadTerminatePort (24, ... 02320 240 NtWaitForSingleObject ... ) == 0x0 02359 968 NtSetEventBoostPriority ... ) == 0x0 02367 740 NtSetEventBoostPriority (92, ... 02362 1392 NtTestAlert ... ) == 0x0 02368 888 NtRegisterThreadTerminatePort (24, ... 02364 308 NtDuplicateObject ... 868, ) == 0x0 02365 1756 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02366 504 NtRegisterThreadTerminatePort ... ) == 0x0 02369 240 NtSetEventBoostPriority (304, ... 01626 1676 NtWaitForSingleObject ... ) == 0x0 02367 740 NtSetEventBoostPriority ... ) == 0x0 02370 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02371 1392 NtContinue (71040304, 1, ... 02368 888 NtRegisterThreadTerminatePort ... ) == 0x0 02372 2020 NtTestAlert (... 02373 1756 NtWaitForSingleObject (304, 0, 0x0, ... 02374 504 NtWaitForSingleObject (304, 0, 0x0, ... 02375 1676 NtSetEventBoostPriority (92, ... 02322 2044 NtWaitForSingleObject ... ) == 0x0 02369 240 NtSetEventBoostPriority ... ) == 0x0 02376 308 NtWaitForSingleObject (304, 0, 0x0, ... 02370 968 NtDuplicateObject ... 872, ) == 0x0 02377 1392 NtRegisterThreadTerminatePort (24, ... 02378 888 NtWaitForSingleObject (304, 0, 0x0, ... 02372 2020 NtTestAlert ... ) == 0x0 02379 740 NtTestAlert (... 01635 496 NtWaitForSingleObject ... ) == 0x0 02375 1676 NtSetEventBoostPriority ... ) == 0x0 02380 2044 NtSetEventBoostPriority (304, ... 02381 240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02377 1392 NtRegisterThreadTerminatePort ... ) == 0x0 02382 968 NtWaitForSingleObject (304, 0, 0x0, ... 02383 2020 NtContinue (72088880, 1, ... 02384 496 NtSetEventBoostPriority (92, ... 02379 740 NtTestAlert ... ) == 0x0 02324 1524 NtWaitForSingleObject ... ) == 0x0 02381 240 NtDuplicateObject ... 876, ) == 0x0 02385 1392 NtWaitForSingleObject (304, 0, 0x0, ... 01643 1020 NtWaitForSingleObject ... ) == 0x0 02384 496 NtSetEventBoostPriority ... ) == 0x0 02386 2020 NtRegisterThreadTerminatePort (24, ... 02387 740 NtContinue (73137456, 1, ... 02388 1524 NtSetEventBoostPriority (304, ... 02380 2044 NtSetEventBoostPriority ... ) == 0x0 02389 1676 NtTestAlert (... 02390 240 NtWaitForSingleObject (304, 0, 0x0, ... 02391 1020 NtSetEventBoostPriority (92, ... 02386 2020 NtRegisterThreadTerminatePort ... ) == 0x0 02392 740 NtRegisterThreadTerminatePort (24, ... 
02325 1864 NtWaitForSingleObject ... ) == 0x0 02393 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02389 1676 NtTestAlert ... ) == 0x0 01650 432 NtWaitForSingleObject ... ) == 0x0 02391 1020 NtSetEventBoostPriority ... ) == 0x0 02394 2020 NtWaitForSingleObject (304, 0, 0x0, ... 02392 740 NtRegisterThreadTerminatePort ... ) == 0x0 02395 1864 NtSetEventBoostPriority (304, ... 02393 2044 NtDuplicateObject ... 880, ) == 0x0 02396 432 NtSetEventBoostPriority (92, ... 02397 1676 NtContinue (74186032, 1, ... 02388 1524 NtSetEventBoostPriority ... ) == 0x0 02398 496 NtTestAlert (... 02399 1020 NtTestAlert (... 02400 740 NtWaitForSingleObject (304, 0, 0x0, ... 02329 1644 NtWaitForSingleObject ... ) == 0x0 02395 1864 NtSetEventBoostPriority ... ) == 0x0 01659 1332 NtWaitForSingleObject ... ) == 0x0 02396 432 NtSetEventBoostPriority ... ) == 0x0 02401 1676 NtRegisterThreadTerminatePort (24, ... 02402 1524 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02398 496 NtTestAlert ... ) == 0x0 02399 1020 NtTestAlert ... ) == 0x0 02403 2044 NtWaitForSingleObject (304, 0, 0x0, ... 02404 1644 NtSetEventBoostPriority (304, ... 02405 1332 NtSetEventBoostPriority (92, ... 02406 1864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02401 1676 NtRegisterThreadTerminatePort ... ) == 0x0 02402 1524 NtDuplicateObject ... 884, ) == 0x0 02407 496 NtContinue (75234608, 1, ... 02408 1020 NtContinue (76283184, 1, ... 01666 1328 NtWaitForSingleObject ... ) == 0x0 02405 1332 NtSetEventBoostPriority ... ) == 0x0 02330 1804 NtWaitForSingleObject ... ) == 0x0 02404 1644 NtSetEventBoostPriority ... ) == 0x0 02406 1864 NtDuplicateObject ... 888, ) == 0x0 02409 1676 NtWaitForSingleObject (304, 0, 0x0, ... 02410 432 NtTestAlert (... 02411 496 NtRegisterThreadTerminatePort (24, ... 02412 1328 NtSetEventBoostPriority (92, ... 02413 1020 NtRegisterThreadTerminatePort (24, ... 02414 1524 NtWaitForSingleObject (304, 0, 0x0, ... 02415 1804 NtSetEventBoostPriority (304, ... 02416 1332 NtTestAlert (... 
02417 1644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02418 1864 NtWaitForSingleObject (304, 0, 0x0, ... 02410 432 NtTestAlert ... ) == 0x0 01675 752 NtWaitForSingleObject ... ) == 0x0 02412 1328 NtSetEventBoostPriority ... ) == 0x0 02411 496 NtRegisterThreadTerminatePort ... ) == 0x0 02413 1020 NtRegisterThreadTerminatePort ... ) == 0x0 02331 1780 NtWaitForSingleObject ... ) == 0x0 02415 1804 NtSetEventBoostPriority ... ) == 0x0 02416 1332 NtTestAlert ... ) == 0x0 02417 1644 NtDuplicateObject ... 892, ) == 0x0 02419 752 NtSetEventBoostPriority (92, ... 02420 432 NtContinue (77331760, 1, ... 02421 496 NtWaitForSingleObject (304, 0, 0x0, ... 02422 1780 NtSetEventBoostPriority (304, ... 02423 1020 NtWaitForSingleObject (304, 0, 0x0, ... 02424 1328 NtTestAlert (... 02425 1332 NtContinue (78380336, 1, ... 01682 120 NtWaitForSingleObject ... ) == 0x0 02419 752 NtSetEventBoostPriority ... ) == 0x0 02426 1644 NtWaitForSingleObject (304, 0, 0x0, ... 02427 432 NtRegisterThreadTerminatePort (24, ... 02428 1804 NtWaitForSingleObject (304, 0, 0x0, ... 02332 1528 NtWaitForSingleObject ... ) == 0x0 02422 1780 NtSetEventBoostPriority ... ) == 0x0 02424 1328 NtTestAlert ... ) == 0x0 02429 120 NtSetEventBoostPriority (92, ... 02430 1332 NtRegisterThreadTerminatePort (24, ... 02427 432 NtRegisterThreadTerminatePort ... ) == 0x0 02431 1528 NtSetEventBoostPriority (304, ... 02432 752 NtTestAlert (... 01691 1732 NtWaitForSingleObject ... ) == 0x0 02429 120 NtSetEventBoostPriority ... ) == 0x0 02433 1328 NtContinue (79428912, 1, ... 02430 1332 NtRegisterThreadTerminatePort ... ) == 0x0 02333 932 NtWaitForSingleObject ... ) == 0x0 02431 1528 NtSetEventBoostPriority ... ) == 0x0 02434 432 NtWaitForSingleObject (304, 0, 0x0, ... 02435 1732 NtSetEventBoostPriority (92, ... 02432 752 NtTestAlert ... ) == 0x0 02436 1780 NtWaitForSingleObject (304, 0, 0x0, ... 02437 1328 NtRegisterThreadTerminatePort (24, ... 02438 932 NtSetEventBoostPriority (304, ... 
02439 1332 NtWaitForSingleObject (304, 0, 0x0, ... 02440 120 NtTestAlert (... 02441 1528 NtWaitForSingleObject (304, 0, 0x0, ... 01698 188 NtWaitForSingleObject ... ) == 0x0 02435 1732 NtSetEventBoostPriority ... ) == 0x0 02442 752 NtContinue (80477488, 1, ... 02334 1500 NtWaitForSingleObject ... ) == 0x0 02438 932 NtSetEventBoostPriority ... ) == 0x0 02437 1328 NtRegisterThreadTerminatePort ... ) == 0x0 02440 120 NtTestAlert ... ) == 0x0 02443 188 NtSetEventBoostPriority (92, ... 02444 1500 NtSetEventBoostPriority (304, ... 02445 752 NtRegisterThreadTerminatePort (24, ... 02446 1732 NtTestAlert (... 02447 1328 NtWaitForSingleObject (304, 0, 0x0, ... 01707 1636 NtWaitForSingleObject ... ) == 0x0 02335 2032 NtWaitForSingleObject ... ) == 0x0 02444 1500 NtSetEventBoostPriority ... ) == 0x0 02443 188 NtSetEventBoostPriority ... ) == 0x0 02448 120 NtContinue (81526064, 1, ... 02445 752 NtRegisterThreadTerminatePort ... ) == 0x0 02446 1732 NtTestAlert ... ) == 0x0 02449 932 NtWaitForSingleObject (304, 0, 0x0, ... 02450 1636 NtSetEventBoostPriority (92, ... 02451 2032 NtSetEventBoostPriority (304, ... 02452 1500 NtWaitForSingleObject (304, 0, 0x0, ... 02453 120 NtRegisterThreadTerminatePort (24, ... 02454 752 NtWaitForSingleObject (304, 0, 0x0, ... 02455 1732 NtContinue (82574640, 1, ... 01714 624 NtWaitForSingleObject ... ) == 0x0 02336 1592 NtWaitForSingleObject ... ) == 0x0 02451 2032 NtSetEventBoostPriority ... ) == 0x0 02450 1636 NtSetEventBoostPriority ... ) == 0x0 02453 120 NtRegisterThreadTerminatePort ... ) == 0x0 02456 188 NtTestAlert (... 02457 624 NtSetEventBoostPriority (92, ... 02458 1592 NtSetEventBoostPriority (304, ... 02459 1732 NtRegisterThreadTerminatePort (24, ... 02460 2032 NtWaitForSingleObject (304, 0, 0x0, ... 02461 120 NtWaitForSingleObject (304, 0, 0x0, ... 01723 1948 NtWaitForSingleObject ... ) == 0x0 02337 1564 NtWaitForSingleObject ... ) == 0x0 02458 1592 NtSetEventBoostPriority ... ) == 0x0 02457 624 NtSetEventBoostPriority ... 
) == 0x0 02456 188 NtTestAlert ... ) == 0x0 02459 1732 NtRegisterThreadTerminatePort ... ) == 0x0 02462 1636 NtTestAlert (... 02463 1948 NtSetEventBoostPriority (92, ... 02464 1564 NtSetEventBoostPriority (304, ... 02465 1592 NtWaitForSingleObject (304, 0, 0x0, ... 02466 188 NtContinue (83623216, 1, ... 02467 1732 NtWaitForSingleObject (304, 0, 0x0, ... 01730 988 NtWaitForSingleObject ... ) == 0x0 02338 164 NtWaitForSingleObject ... ) == 0x0 02464 1564 NtSetEventBoostPriority ... ) == 0x0 02463 1948 NtSetEventBoostPriority ... ) == 0x0 02462 1636 NtTestAlert ... ) == 0x0 02468 188 NtRegisterThreadTerminatePort (24, ... 02469 624 NtTestAlert (... 02470 988 NtSetEventBoostPriority (92, ... 02471 164 NtSetEventBoostPriority (304, ... 02472 1564 NtWaitForSingleObject (304, 0, 0x0, ... 02473 1636 NtContinue (84671792, 1, ... 02468 188 NtRegisterThreadTerminatePort ... ) == 0x0 01739 468 NtWaitForSingleObject ... ) == 0x0 02339 1420 NtWaitForSingleObject ... ) == 0x0 02471 164 NtSetEventBoostPriority ... ) == 0x0 02470 988 NtSetEventBoostPriority ... ) == 0x0 02469 624 NtTestAlert ... ) == 0x0 02474 1636 NtRegisterThreadTerminatePort (24, ... 02475 468 NtSetEventBoostPriority (92, ... 02476 1420 NtSetEventBoostPriority (304, ... 02477 188 NtWaitForSingleObject (304, 0, 0x0, ... 02478 1948 NtTestAlert (... 02479 164 NtWaitForSingleObject (304, 0, 0x0, ... 02480 624 NtContinue (85720368, 1, ... 01746 380 NtWaitForSingleObject ... ) == 0x0 02340 1852 NtWaitForSingleObject ... ) == 0x0 02476 1420 NtSetEventBoostPriority ... ) == 0x0 02475 468 NtSetEventBoostPriority ... ) == 0x0 02474 1636 NtRegisterThreadTerminatePort ... ) == 0x0 02481 988 NtTestAlert (... 02478 1948 NtTestAlert ... ) == 0x0 02482 380 NtSetEventBoostPriority (92, ... 02483 1852 NtSetEventBoostPriority (304, ... 02484 624 NtRegisterThreadTerminatePort (24, ... 02485 1420 NtWaitForSingleObject (304, 0, 0x0, ... 02486 1636 NtWaitForSingleObject (304, 0, 0x0, ... 02481 988 NtTestAlert ... 
) == 0x0 01755 1692 NtWaitForSingleObject ... ) == 0x0 02341 2000 NtWaitForSingleObject ... ) == 0x0 02483 1852 NtSetEventBoostPriority ... ) == 0x0 02482 380 NtSetEventBoostPriority ... ) == 0x0 02487 1948 NtContinue (86768944, 1, ... 02484 624 NtRegisterThreadTerminatePort ... ) == 0x0 02488 468 NtTestAlert (... 02489 1692 NtSetEventBoostPriority (92, ... 02490 2000 NtSetEventBoostPriority (304, ... 02491 988 NtContinue (87817520, 1, ... 02492 1852 NtWaitForSingleObject (304, 0, 0x0, ... 02493 1948 NtRegisterThreadTerminatePort (24, ... 02494 624 NtWaitForSingleObject (304, 0, 0x0, ... 01762 1792 NtWaitForSingleObject ... ) == 0x0 02355 336 NtWaitForSingleObject ... ) == 0x0 02490 2000 NtSetEventBoostPriority ... ) == 0x0 02489 1692 NtSetEventBoostPriority ... ) == 0x0 02488 468 NtTestAlert ... ) == 0x0 02495 988 NtRegisterThreadTerminatePort (24, ... 02493 1948 NtRegisterThreadTerminatePort ... ) == 0x0 02496 380 NtTestAlert (... 02497 1792 NtSetEventBoostPriority (92, ... 02498 336 NtSetEventBoostPriority (304, ... 02499 2000 NtWaitForSingleObject (304, 0, 0x0, ... 02500 468 NtContinue (88866096, 1, ... 02495 988 NtRegisterThreadTerminatePort ... ) == 0x0 02501 1948 NtWaitForSingleObject (304, 0, 0x0, ... 01771 784 NtWaitForSingleObject ... ) == 0x0 02357 800 NtWaitForSingleObject ... ) == 0x0 02497 1792 NtSetEventBoostPriority ... ) == 0x0 02496 380 NtTestAlert ... ) == 0x0 02502 468 NtRegisterThreadTerminatePort (24, ... 02503 988 NtWaitForSingleObject (304, 0, 0x0, ... 02498 336 NtSetEventBoostPriority ... ) == 0x0 02504 1692 NtTestAlert (... 02505 784 NtSetEventBoostPriority (92, ... 02506 800 NtSetEventBoostPriority (304, ... 02507 380 NtContinue (89914672, 1, ... 02502 468 NtRegisterThreadTerminatePort ... ) == 0x0 02508 1792 NtTestAlert (... 02509 336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01778 1520 NtWaitForSingleObject ... ) == 0x0 02505 784 NtSetEventBoostPriority ... ) == 0x0 02504 1692 NtTestAlert ... 
) == 0x0 02361 764 NtWaitForSingleObject ... ) == 0x0 02510 380 NtRegisterThreadTerminatePort (24, ... 02511 468 NtWaitForSingleObject (304, 0, 0x0, ... 02508 1792 NtTestAlert ... ) == 0x0 02512 1520 NtSetEventBoostPriority (92, ... 02509 336 NtDuplicateObject ... 896, ) == 0x0 02506 800 NtSetEventBoostPriority ... ) == 0x0 02513 1692 NtContinue (90963248, 1, ... 02514 764 NtSetEventBoostPriority (304, ... 02510 380 NtRegisterThreadTerminatePort ... ) == 0x0 02515 784 NtTestAlert (... 01786 1696 NtWaitForSingleObject ... ) == 0x0 02512 1520 NtSetEventBoostPriority ... ) == 0x0 02516 1792 NtContinue (92011824, 1, ... 02517 800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02518 1692 NtRegisterThreadTerminatePort (24, ... 02373 1756 NtWaitForSingleObject ... ) == 0x0 02519 380 NtWaitForSingleObject (304, 0, 0x0, ... 02520 1696 NtSetEventBoostPriority (92, ... 02515 784 NtTestAlert ... ) == 0x0 02514 764 NtSetEventBoostPriority ... ) == 0x0 02521 336 NtWaitForSingleObject (304, 0, 0x0, ... 02522 1792 NtRegisterThreadTerminatePort (24, ... 02517 800 NtDuplicateObject ... 900, ) == 0x0 02518 1692 NtRegisterThreadTerminatePort ... ) == 0x0 02523 1756 NtSetEventBoostPriority (304, ... 02524 1520 NtTestAlert (... 01795 1744 NtWaitForSingleObject ... ) == 0x0 02520 1696 NtSetEventBoostPriority ... ) == 0x0 02525 784 NtContinue (93060400, 1, ... 02526 764 NtWaitForSingleObject (304, 0, 0x0, ... 02522 1792 NtRegisterThreadTerminatePort ... ) == 0x0 02527 1692 NtWaitForSingleObject (304, 0, 0x0, ... 02376 308 NtWaitForSingleObject ... ) == 0x0 02523 1756 NtSetEventBoostPriority ... ) == 0x0 02528 1744 NtAllocateVirtualMemory (-1, 8810496, 0, 4096, 4096, 4, ... 02524 1520 NtTestAlert ... ) == 0x0 02529 800 NtWaitForSingleObject (304, 0, 0x0, ... 02530 784 NtRegisterThreadTerminatePort (24, ... 02531 1792 NtWaitForSingleObject (304, 0, 0x0, ... 02532 1696 NtTestAlert (... 02533 308 NtSetEventBoostPriority (304, ... 02528 1744 NtAllocateVirtualMemory ... 
8810496, 4096, ) == 0x0 02534 1520 NtContinue (94108976, 1, ... 02530 784 NtRegisterThreadTerminatePort ... ) == 0x0 02535 1756 NtClose (392, ... 02374 504 NtWaitForSingleObject ... ) == 0x0 02533 308 NtSetEventBoostPriority ... ) == 0x0 02532 1696 NtTestAlert ... ) == 0x0 02536 1520 NtRegisterThreadTerminatePort (24, ... 02537 784 NtWaitForSingleObject (304, 0, 0x0, ... 02538 504 NtSetEventBoostPriority (304, ... 02535 1756 NtClose ... ) == 0x0 02539 308 NtWaitForSingleObject (304, 0, 0x0, ... 02540 1696 NtContinue (95157552, 1, ... 02536 1520 NtRegisterThreadTerminatePort ... ) == 0x0 02541 1744 NtSetEventBoostPriority (92, ... 02378 888 NtWaitForSingleObject ... ) == 0x0 02542 1756 NtClose (816, ... 02538 504 NtSetEventBoostPriority ... ) == 0x0 02543 1696 NtRegisterThreadTerminatePort (24, ... 02544 1520 NtWaitForSingleObject (304, 0, 0x0, ... 01802 1124 NtWaitForSingleObject ... ) == 0x0 02541 1744 NtSetEventBoostPriority ... ) == 0x0 02545 888 NtSetEventBoostPriority (304, ... 02542 1756 NtClose ... ) == 0x0 02546 504 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02543 1696 NtRegisterThreadTerminatePort ... ) == 0x0 02547 1124 NtSetEventBoostPriority (92, ... 02548 1744 NtTestAlert (... 02382 968 NtWaitForSingleObject ... ) == 0x0 02549 1756 NtWaitForSingleObject (92, 0, 0x0, ... 02546 504 NtDuplicateObject ... 816, ) == 0x0 01811 1496 NtWaitForSingleObject ... ) == 0x0 02547 1124 NtSetEventBoostPriority ... ) == 0x0 02550 1696 NtWaitForSingleObject (304, 0, 0x0, ... 02548 1744 NtTestAlert ... ) == 0x0 02551 968 NtSetEventBoostPriority (304, ... 02545 888 NtSetEventBoostPriority ... ) == 0x0 02552 1496 NtSetEventBoostPriority (92, ... 02553 504 NtWaitForSingleObject (304, 0, 0x0, ... 02554 1124 NtTestAlert (... 02555 1744 NtContinue (96206128, 1, ... 02385 1392 NtWaitForSingleObject ... ) == 0x0 02551 968 NtSetEventBoostPriority ... ) == 0x0 01818 168 NtWaitForSingleObject ... ) == 0x0 02552 1496 NtSetEventBoostPriority ... 
) == 0x0 02556 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02554 1124 NtTestAlert ... ) == 0x0 02557 1392 NtSetEventBoostPriority (304, ... 02558 1744 NtRegisterThreadTerminatePort (24, ... 02559 168 NtSetEventBoostPriority (92, ... 02560 968 NtWaitForSingleObject (304, 0, 0x0, ... 02556 888 NtDuplicateObject ... 392, ) == 0x0 02390 240 NtWaitForSingleObject ... ) == 0x0 02561 1124 NtContinue (97254704, 1, ... 02557 1392 NtSetEventBoostPriority ... ) == 0x0 02562 1496 NtTestAlert (... 01827 1284 NtWaitForSingleObject ... ) == 0x0 02559 168 NtSetEventBoostPriority ... ) == 0x0 02558 1744 NtRegisterThreadTerminatePort ... ) == 0x0 02563 240 NtSetEventBoostPriority (304, ... 02564 1124 NtRegisterThreadTerminatePort (24, ... 02565 1392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02566 1284 NtSetEventBoostPriority (92, ... 02562 1496 NtTestAlert ... ) == 0x0 02567 888 NtWaitForSingleObject (304, 0, 0x0, ... 02568 1744 NtWaitForSingleObject (304, 0, 0x0, ... 02394 2020 NtWaitForSingleObject ... ) == 0x0 02563 240 NtSetEventBoostPriority ... ) == 0x0 02564 1124 NtRegisterThreadTerminatePort ... ) == 0x0 01834 1268 NtWaitForSingleObject ... ) == 0x0 02566 1284 NtSetEventBoostPriority ... ) == 0x0 02565 1392 NtDuplicateObject ... 904, ) == 0x0 02569 1496 NtContinue (98303280, 1, ... 02570 2020 NtSetEventBoostPriority (304, ... 02571 240 NtWaitForSingleObject (304, 0, 0x0, ... 02572 1268 NtSetEventBoostPriority (92, ... 02573 1124 NtWaitForSingleObject (304, 0, 0x0, ... 02574 168 NtTestAlert (... 02575 1284 NtTestAlert (... 02400 740 NtWaitForSingleObject ... ) == 0x0 02576 1496 NtRegisterThreadTerminatePort (24, ... 02570 2020 NtSetEventBoostPriority ... ) == 0x0 02577 1392 NtWaitForSingleObject (304, 0, 0x0, ... 01843 840 NtWaitForSingleObject ... ) == 0x0 02572 1268 NtSetEventBoostPriority ... ) == 0x0 02574 168 NtTestAlert ... ) == 0x0 02575 1284 NtTestAlert ... ) == 0x0 02578 740 NtSetEventBoostPriority (304, ... 02576 1496 NtRegisterThreadTerminatePort ... 
) == 0x0 02579 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02580 840 NtSetEventBoostPriority (92, ... 02581 168 NtContinue (99351856, 1, ... 02582 1284 NtContinue (100400432, 1, ... 02403 2044 NtWaitForSingleObject ... ) == 0x0 02583 1496 NtWaitForSingleObject (304, 0, 0x0, ... 01850 1336 NtWaitForSingleObject ... ) == 0x0 02580 840 NtSetEventBoostPriority ... ) == 0x0 02579 2020 NtDuplicateObject ... 908, ) == 0x0 02584 168 NtRegisterThreadTerminatePort (24, ... 02585 1284 NtRegisterThreadTerminatePort (24, ... 02586 2044 NtSetEventBoostPriority (304, ... 02578 740 NtSetEventBoostPriority ... ) == 0x0 02587 1268 NtTestAlert (... 02588 1336 NtSetEventBoostPriority (92, ... 02589 840 NtTestAlert (... 02584 168 NtRegisterThreadTerminatePort ... ) == 0x0 02585 1284 NtRegisterThreadTerminatePort ... ) == 0x0 02414 1524 NtWaitForSingleObject ... ) == 0x0 02586 2044 NtSetEventBoostPriority ... ) == 0x0 02590 740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01859 1200 NtWaitForSingleObject ... ) == 0x0 02588 1336 NtSetEventBoostPriority ... ) == 0x0 02587 1268 NtTestAlert ... ) == 0x0 02589 840 NtTestAlert ... ) == 0x0 02591 168 NtWaitForSingleObject (304, 0, 0x0, ... 02592 1524 NtSetEventBoostPriority (304, ... 02593 1284 NtWaitForSingleObject (304, 0, 0x0, ... 02594 2044 NtWaitForSingleObject (304, 0, 0x0, ... 02595 1200 NtSetEventBoostPriority (92, ... 02590 740 NtDuplicateObject ... 912, ) == 0x0 02596 2020 NtWaitForSingleObject (304, 0, 0x0, ... 02597 1268 NtContinue (101449008, 1, ... 02598 840 NtContinue (102497584, 1, ... 02599 1336 NtTestAlert (... 02418 1864 NtWaitForSingleObject ... ) == 0x0 02592 1524 NtSetEventBoostPriority ... ) == 0x0 01866 1920 NtWaitForSingleObject ... ) == 0x0 02595 1200 NtSetEventBoostPriority ... ) == 0x0 02600 1268 NtRegisterThreadTerminatePort (24, ... 02601 840 NtRegisterThreadTerminatePort (24, ... 02602 1864 NtSetEventBoostPriority (304, ... 02599 1336 NtTestAlert ... ) == 0x0 02603 1920 NtSetEventBoostPriority (92, ... 
02604 1524 NtWaitForSingleObject (304, 0, 0x0, ... 02605 740 NtWaitForSingleObject (304, 0, 0x0, ... 02600 1268 NtRegisterThreadTerminatePort ... ) == 0x0 02409 1676 NtWaitForSingleObject ... ) == 0x0 02602 1864 NtSetEventBoostPriority ... ) == 0x0 02601 840 NtRegisterThreadTerminatePort ... ) == 0x0 01875 896 NtWaitForSingleObject ... ) == 0x0 02603 1920 NtSetEventBoostPriority ... ) == 0x0 02606 1336 NtContinue (103546160, 1, ... 02607 1200 NtTestAlert (... 02608 1676 NtSetEventBoostPriority (304, ... 02609 1268 NtWaitForSingleObject (304, 0, 0x0, ... 02610 1864 NtWaitForSingleObject (304, 0, 0x0, ... 02611 896 NtSetEventBoostPriority (92, ... 02612 840 NtWaitForSingleObject (304, 0, 0x0, ... 02613 1336 NtRegisterThreadTerminatePort (24, ... 02421 496 NtWaitForSingleObject ... ) == 0x0 02607 1200 NtTestAlert ... ) == 0x0 02608 1676 NtSetEventBoostPriority ... ) == 0x0 02614 1920 NtTestAlert (... 01882 2016 NtWaitForSingleObject ... ) == 0x0 02611 896 NtSetEventBoostPriority ... ) == 0x0 02613 1336 NtRegisterThreadTerminatePort ... ) == 0x0 02615 496 NtSetEventBoostPriority (304, ... 02616 1200 NtContinue (104594736, 1, ... 02617 1676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02618 2016 NtSetEventBoostPriority (92, ... 02614 1920 NtTestAlert ... ) == 0x0 02619 1336 NtWaitForSingleObject (304, 0, 0x0, ... 02423 1020 NtWaitForSingleObject ... ) == 0x0 02620 1200 NtRegisterThreadTerminatePort (24, ... 01891 2012 NtWaitForSingleObject ... ) == 0x0 02618 2016 NtSetEventBoostPriority ... ) == 0x0 02617 1676 NtDuplicateObject ... 916, ) == 0x0 02621 1920 NtContinue (105643312, 1, ... 02615 496 NtSetEventBoostPriority ... ) == 0x0 02622 896 NtTestAlert (... 02623 1020 NtSetEventBoostPriority (304, ... 02624 2012 NtSetEventBoostPriority (92, ... 02620 1200 NtRegisterThreadTerminatePort ... ) == 0x0 02625 2016 NtTestAlert (... 02626 1920 NtRegisterThreadTerminatePort (24, ... 02627 496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02622 896 NtTestAlert ... 
) == 0x0 01898 1604 NtWaitForSingleObject ... ) == 0x0 02624 2012 NtSetEventBoostPriority ... ) == 0x0 02426 1644 NtWaitForSingleObject ... ) == 0x0 02628 1200 NtWaitForSingleObject (304, 0, 0x0, ... 02625 2016 NtTestAlert ... ) == 0x0 02626 1920 NtRegisterThreadTerminatePort ... ) == 0x0 02627 496 NtDuplicateObject ... 920, ) == 0x0 02629 1604 NtSetEventBoostPriority (92, ... 02630 896 NtContinue (106691888, 1, ... 02623 1020 NtSetEventBoostPriority ... ) == 0x0 02631 1676 NtWaitForSingleObject (304, 0, 0x0, ... 02632 1644 NtSetEventBoostPriority (304, ... 02633 2012 NtTestAlert (... 02634 2016 NtContinue (107740464, 1, ... 02635 1920 NtWaitForSingleObject (304, 0, 0x0, ... 01907 1572 NtWaitForSingleObject ... ) == 0x0 02629 1604 NtSetEventBoostPriority ... ) == 0x0 02636 896 NtRegisterThreadTerminatePort (24, ... 02637 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02428 1804 NtWaitForSingleObject ... ) == 0x0 02632 1644 NtSetEventBoostPriority ... ) == 0x0 02633 2012 NtTestAlert ... ) == 0x0 02638 2016 NtRegisterThreadTerminatePort (24, ... 02639 496 NtWaitForSingleObject (304, 0, 0x0, ... 02640 1572 NtSetEventBoostPriority (92, ... 02636 896 NtRegisterThreadTerminatePort ... ) == 0x0 02641 1804 NtSetEventBoostPriority (304, ... 02637 1020 NtDuplicateObject ... 924, ) == 0x0 02642 1604 NtTestAlert (... 02643 2012 NtContinue (108789040, 1, ... 02638 2016 NtRegisterThreadTerminatePort ... ) == 0x0 01914 596 NtWaitForSingleObject ... ) == 0x0 02640 1572 NtSetEventBoostPriority ... ) == 0x0 02436 1780 NtWaitForSingleObject ... ) == 0x0 02641 1804 NtSetEventBoostPriority ... ) == 0x0 02644 896 NtWaitForSingleObject (304, 0, 0x0, ... 02645 1644 NtWaitForSingleObject (304, 0, 0x0, ... 02642 1604 NtTestAlert ... ) == 0x0 02646 2012 NtRegisterThreadTerminatePort (24, ... 02647 596 NtSetEventBoostPriority (92, ... 02648 2016 NtWaitForSingleObject (304, 0, 0x0, ... 02649 1020 NtWaitForSingleObject (304, 0, 0x0, ... 02650 1780 NtSetEventBoostPriority (304, ... 
02651 1804 NtWaitForSingleObject (304, 0, 0x0, ... 02652 1572 NtTestAlert (... 02653 1604 NtContinue (109837616, 1, ... 01923 376 NtWaitForSingleObject ... ) == 0x0 02647 596 NtSetEventBoostPriority ... ) == 0x0 02646 2012 NtRegisterThreadTerminatePort ... ) == 0x0 02434 432 NtWaitForSingleObject ... ) == 0x0 02650 1780 NtSetEventBoostPriority ... ) == 0x0 02652 1572 NtTestAlert ... ) == 0x0 02654 376 NtSetEventBoostPriority (92, ... 02655 1604 NtRegisterThreadTerminatePort (24, ... 02656 432 NtSetEventBoostPriority (304, ... 02657 2012 NtWaitForSingleObject (304, 0, 0x0, ... 02658 1780 NtWaitForSingleObject (304, 0, 0x0, ... 01930 1168 NtWaitForSingleObject ... ) == 0x0 02654 376 NtSetEventBoostPriority ... ) == 0x0 02659 1572 NtContinue (110886192, 1, ... 02441 1528 NtWaitForSingleObject ... ) == 0x0 02655 1604 NtRegisterThreadTerminatePort ... ) == 0x0 02656 432 NtSetEventBoostPriority ... ) == 0x0 02660 596 NtTestAlert (... 02661 1168 NtSetEventBoostPriority (92, ... 02662 1572 NtRegisterThreadTerminatePort (24, ... 02663 1528 NtSetEventBoostPriority (304, ... 02664 1604 NtWaitForSingleObject (304, 0, 0x0, ... 02665 432 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01939 428 NtWaitForSingleObject ... ) == 0x0 02661 1168 NtSetEventBoostPriority ... ) == 0x0 02660 596 NtTestAlert ... ) == 0x0 02662 1572 NtRegisterThreadTerminatePort ... ) == 0x0 02439 1332 NtWaitForSingleObject ... ) == 0x0 02663 1528 NtSetEventBoostPriority ... ) == 0x0 02666 376 NtTestAlert (... 02667 428 NtSetEventBoostPriority (92, ... 02665 432 NtDuplicateObject ... 928, ) == 0x0 02668 596 NtContinue (111934768, 1, ... 02669 1332 NtSetEventBoostPriority (304, ... 02670 1572 NtWaitForSingleObject (304, 0, 0x0, ... 02671 1528 NtWaitForSingleObject (304, 0, 0x0, ... 01946 1344 NtWaitForSingleObject ... ) == 0x0 02667 428 NtSetEventBoostPriority ... ) == 0x0 02666 376 NtTestAlert ... ) == 0x0 02672 1168 NtTestAlert (... 02447 1328 NtWaitForSingleObject ... 
) == 0x0 02673 596 NtRegisterThreadTerminatePort (24, ... 02669 1332 NtSetEventBoostPriority ... ) == 0x0 02674 432 NtWaitForSingleObject (304, 0, 0x0, ... 02675 1344 NtSetEventBoostPriority (92, ... 02676 376 NtContinue (112983344, 1, ... 02672 1168 NtTestAlert ... ) == 0x0 02677 1328 NtSetEventBoostPriority (304, ... 02673 596 NtRegisterThreadTerminatePort ... ) == 0x0 02678 1332 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01955 1300 NtWaitForSingleObject ... ) == 0x0 02675 1344 NtSetEventBoostPriority ... ) == 0x0 02679 376 NtRegisterThreadTerminatePort (24, ... 02680 1168 NtContinue (114031920, 1, ... 02449 932 NtWaitForSingleObject ... ) == 0x0 02681 596 NtWaitForSingleObject (304, 0, 0x0, ... 02682 1300 NtSetEventBoostPriority (92, ... 02678 1332 NtDuplicateObject ... 932, ) == 0x0 02677 1328 NtSetEventBoostPriority ... ) == 0x0 02683 428 NtTestAlert (... 02679 376 NtRegisterThreadTerminatePort ... ) == 0x0 02684 1168 NtRegisterThreadTerminatePort (24, ... 02685 932 NtSetEventBoostPriority (304, ... 02686 1344 NtTestAlert (... 01962 1096 NtWaitForSingleObject ... ) == 0x0 02682 1300 NtSetEventBoostPriority ... ) == 0x0 02687 1328 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02683 428 NtTestAlert ... ) == 0x0 02688 376 NtWaitForSingleObject (304, 0, 0x0, ... 02684 1168 NtRegisterThreadTerminatePort ... ) == 0x0 02452 1500 NtWaitForSingleObject ... ) == 0x0 02685 932 NtSetEventBoostPriority ... ) == 0x0 02689 1096 NtSetEventBoostPriority (92, ... 02686 1344 NtTestAlert ... ) == 0x0 02690 1332 NtWaitForSingleObject (304, 0, 0x0, ... 02687 1328 NtDuplicateObject ... 936, ) == 0x0 02691 428 NtContinue (115080496, 1, ... 02692 1300 NtTestAlert (... 02693 1500 NtSetEventBoostPriority (304, ... 02694 1168 NtWaitForSingleObject (304, 0, 0x0, ... 01971 252 NtWaitForSingleObject ... ) == 0x0 02689 1096 NtSetEventBoostPriority ... ) == 0x0 02695 932 NtWaitForSingleObject (304, 0, 0x0, ... 02696 1344 NtContinue (116129072, 1, ... 
02697 428 NtRegisterThreadTerminatePort (24, ... 02454 752 NtWaitForSingleObject ... ) == 0x0 02693 1500 NtSetEventBoostPriority ... ) == 0x0 02692 1300 NtTestAlert ... ) == 0x0 02698 1328 NtWaitForSingleObject (304, 0, 0x0, ... 02699 252 NtSetEventBoostPriority (92, ... 02700 1096 NtTestAlert (... 02701 1344 NtRegisterThreadTerminatePort (24, ... 02702 752 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 02697 428 NtRegisterThreadTerminatePort ... ) == 0x0 02703 1500 NtWaitForSingleObject (304, 0, 0x0, ... 02704 1300 NtContinue (117177648, 1, ... 01978 500 NtWaitForSingleObject ... ) == 0x0 02699 252 NtSetEventBoostPriority ... ) == 0x0 02700 1096 NtTestAlert ... ) == 0x0 02702 752 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 02701 1344 NtRegisterThreadTerminatePort ... ) == 0x0 02705 428 NtWaitForSingleObject (304, 0, 0x0, ... 02706 500 NtSetEventBoostPriority (92, ... 02707 1300 NtRegisterThreadTerminatePort (24, ... 02708 752 NtSetEventBoostPriority (304, ... 02709 1096 NtContinue (118226224, 1, ... 02710 1344 NtWaitForSingleObject (304, 0, 0x0, ... 02711 252 NtTestAlert (... 01987 1132 NtWaitForSingleObject ... ) == 0x0 02706 500 NtSetEventBoostPriority ... ) == 0x0 02460 2032 NtWaitForSingleObject ... ) == 0x0 02707 1300 NtRegisterThreadTerminatePort ... ) == 0x0 02712 1096 NtRegisterThreadTerminatePort (24, ... 02708 752 NtSetEventBoostPriority ... ) == 0x0 02713 1132 NtSetEventBoostPriority (92, ... 02711 252 NtTestAlert ... ) == 0x0 02714 2032 NtSetEventBoostPriority (304, ... 02715 1300 NtWaitForSingleObject (304, 0, 0x0, ... 02712 1096 NtRegisterThreadTerminatePort ... ) == 0x0 02716 500 NtTestAlert (... 01994 1024 NtWaitForSingleObject ... ) == 0x0 02713 1132 NtSetEventBoostPriority ... ) == 0x0 02717 252 NtContinue (119274800, 1, ... 02461 120 NtWaitForSingleObject ... ) == 0x0 02714 2032 NtSetEventBoostPriority ... ) == 0x0 02718 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02719 1096 NtWaitForSingleObject (304, 0, 0x0, ... 
02720 1024 NtSetEventBoostPriority (92, ... 02716 500 NtTestAlert ... ) == 0x0 02721 120 NtSetEventBoostPriority (304, ... 02722 252 NtRegisterThreadTerminatePort (24, ... 02723 2032 NtWaitForSingleObject (304, 0, 0x0, ... 02718 752 NtDuplicateObject ... 940, ) == 0x0 02724 1132 NtTestAlert (... 02003 948 NtWaitForSingleObject ... ) == 0x0 02720 1024 NtSetEventBoostPriority ... ) == 0x0 02465 1592 NtWaitForSingleObject ... ) == 0x0 02725 500 NtContinue (120323376, 1, ... 02722 252 NtRegisterThreadTerminatePort ... ) == 0x0 02721 120 NtSetEventBoostPriority ... ) == 0x0 02726 752 NtWaitForSingleObject (304, 0, 0x0, ... 02727 948 NtSetEventBoostPriority (92, ... 02724 1132 NtTestAlert ... ) == 0x0 02728 1592 NtSetEventBoostPriority (304, ... 02729 500 NtRegisterThreadTerminatePort (24, ... 02730 252 NtWaitForSingleObject (304, 0, 0x0, ... 02731 120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02010 1388 NtWaitForSingleObject ... ) == 0x0 02727 948 NtSetEventBoostPriority ... ) == 0x0 02732 1132 NtContinue (121371952, 1, ... 02467 1732 NtWaitForSingleObject ... ) == 0x0 02728 1592 NtSetEventBoostPriority ... ) == 0x0 02729 500 NtRegisterThreadTerminatePort ... ) == 0x0 02733 1024 NtTestAlert (... 02734 1388 NtSetEventBoostPriority (92, ... 02731 120 NtDuplicateObject ... 944, ) == 0x0 02735 1732 NtSetEventBoostPriority (304, ... 02736 1132 NtRegisterThreadTerminatePort (24, ... 02737 1592 NtWaitForSingleObject (304, 0, 0x0, ... 02738 500 NtWaitForSingleObject (304, 0, 0x0, ... 02019 520 NtWaitForSingleObject ... ) == 0x0 02734 1388 NtSetEventBoostPriority ... ) == 0x0 02733 1024 NtTestAlert ... ) == 0x0 02739 948 NtTestAlert (... 02472 1564 NtWaitForSingleObject ... ) == 0x0 02736 1132 NtRegisterThreadTerminatePort ... ) == 0x0 02735 1732 NtSetEventBoostPriority ... ) == 0x0 02740 120 NtWaitForSingleObject (304, 0, 0x0, ... 02741 520 NtAllocateVirtualMemory (-1, 8814592, 0, 4096, 4096, 4, ... 02742 1024 NtContinue (122420528, 1, ... 02739 948 NtTestAlert ... 
) == 0x0 02743 1564 NtSetEventBoostPriority (304, ... 02744 1132 NtWaitForSingleObject (304, 0, 0x0, ... 02745 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02741 520 NtAllocateVirtualMemory ... 8814592, 4096, ) == 0x0 02746 1024 NtRegisterThreadTerminatePort (24, ... 02747 948 NtContinue (123469104, 1, ... 02479 164 NtWaitForSingleObject ... ) == 0x0 02743 1564 NtSetEventBoostPriority ... ) == 0x0 02748 1388 NtTestAlert (... 02745 1732 NtDuplicateObject ... 948, ) == 0x0 02746 1024 NtRegisterThreadTerminatePort ... ) == 0x0 02749 164 NtSetEventBoostPriority (304, ... 02750 948 NtRegisterThreadTerminatePort (24, ... 02751 1564 NtWaitForSingleObject (304, 0, 0x0, ... 02748 1388 NtTestAlert ... ) == 0x0 02752 520 NtSetEventBoostPriority (92, ... 02477 188 NtWaitForSingleObject ... ) == 0x0 02749 164 NtSetEventBoostPriority ... ) == 0x0 02753 1024 NtWaitForSingleObject (304, 0, 0x0, ... 02750 948 NtRegisterThreadTerminatePort ... ) == 0x0 02754 1732 NtWaitForSingleObject (304, 0, 0x0, ... 02755 1388 NtContinue (124517680, 1, ... 02756 188 NtSetEventBoostPriority (304, ... 02026 276 NtWaitForSingleObject ... ) == 0x0 02752 520 NtSetEventBoostPriority ... ) == 0x0 02757 164 NtWaitForSingleObject (304, 0, 0x0, ... 02758 948 NtWaitForSingleObject (304, 0, 0x0, ... 02485 1420 NtWaitForSingleObject ... ) == 0x0 02759 276 NtSetEventBoostPriority (92, ... 02760 1388 NtRegisterThreadTerminatePort (24, ... 02761 520 NtTestAlert (... 02756 188 NtSetEventBoostPriority ... ) == 0x0 02035 996 NtWaitForSingleObject ... ) == 0x0 02759 276 NtSetEventBoostPriority ... ) == 0x0 02762 1420 NtSetEventBoostPriority (304, ... 02760 1388 NtRegisterThreadTerminatePort ... ) == 0x0 02761 520 NtTestAlert ... ) == 0x0 02763 996 NtSetEventBoostPriority (92, ... 02764 188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02486 1636 NtWaitForSingleObject ... ) == 0x0 02762 1420 NtSetEventBoostPriority ... ) == 0x0 02765 1388 NtWaitForSingleObject (304, 0, 0x0, ... 
02042 1064 NtWaitForSingleObject ... ) == 0x0 02763 996 NtSetEventBoostPriority ... ) == 0x0 02766 520 NtContinue (125566256, 1, ... 02767 1636 NtSetEventBoostPriority (304, ... 02764 188 NtDuplicateObject ... 952, ) == 0x0 02768 1420 NtWaitForSingleObject (304, 0, 0x0, ... 02769 276 NtTestAlert (... 02770 1064 NtSetEventBoostPriority (92, ... 02492 1852 NtWaitForSingleObject ... ) == 0x0 02771 520 NtRegisterThreadTerminatePort (24, ... 02767 1636 NtSetEventBoostPriority ... ) == 0x0 02772 996 NtTestAlert (... 02773 188 NtWaitForSingleObject (304, 0, 0x0, ... 02051 1600 NtWaitForSingleObject ... ) == 0x0 02770 1064 NtSetEventBoostPriority ... ) == 0x0 02769 276 NtTestAlert ... ) == 0x0 02774 1852 NtSetEventBoostPriority (304, ... 02775 1636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02772 996 NtTestAlert ... ) == 0x0 02776 1600 NtSetEventBoostPriority (92, ... 02771 520 NtRegisterThreadTerminatePort ... ) == 0x0 02777 276 NtContinue (126614832, 1, ... 02494 624 NtWaitForSingleObject ... ) == 0x0 02774 1852 NtSetEventBoostPriority ... ) == 0x0 02775 1636 NtDuplicateObject ... 956, ) == 0x0 02058 1372 NtWaitForSingleObject ... ) == 0x0 02776 1600 NtSetEventBoostPriority ... ) == 0x0 02778 996 NtContinue (127663408, 1, ... 02779 520 NtWaitForSingleObject (304, 0, 0x0, ... 02780 624 NtSetEventBoostPriority (304, ... 02781 276 NtRegisterThreadTerminatePort (24, ... 02782 1852 NtWaitForSingleObject (304, 0, 0x0, ... 02783 1064 NtTestAlert (... 02784 1372 NtSetEventBoostPriority (92, ... 02785 1636 NtWaitForSingleObject (304, 0, 0x0, ... 02786 996 NtRegisterThreadTerminatePort (24, ... 02499 2000 NtWaitForSingleObject ... ) == 0x0 02781 276 NtRegisterThreadTerminatePort ... ) == 0x0 02780 624 NtSetEventBoostPriority ... ) == 0x0 02787 1600 NtTestAlert (... 02067 2040 NtWaitForSingleObject ... ) == 0x0 02784 1372 NtSetEventBoostPriority ... ) == 0x0 02783 1064 NtTestAlert ... ) == 0x0 02786 996 NtRegisterThreadTerminatePort ... 
) == 0x0 02788 2000 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 02789 276 NtWaitForSingleObject (304, 0, 0x0, ... 02790 624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02791 2040 NtSetEventBoostPriority (92, ... 02787 1600 NtTestAlert ... ) == 0x0 02792 1064 NtContinue (128711984, 1, ... 02793 996 NtWaitForSingleObject (304, 0, 0x0, ... 02788 2000 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 02794 1372 NtTestAlert (... 02074 216 NtWaitForSingleObject ... ) == 0x0 02791 2040 NtSetEventBoostPriority ... ) == 0x0 02790 624 NtDuplicateObject ... 960, ) == 0x0 02795 1600 NtContinue (129760560, 1, ... 02796 1064 NtRegisterThreadTerminatePort (24, ... 02797 2000 NtSetEventBoostPriority (304, ... 02798 216 NtSetEventBoostPriority (92, ... 02794 1372 NtTestAlert ... ) == 0x0 02799 2040 NtTestAlert (... 02800 1600 NtRegisterThreadTerminatePort (24, ... 02796 1064 NtRegisterThreadTerminatePort ... ) == 0x0 02801 624 NtWaitForSingleObject (304, 0, 0x0, ... 02083 152 NtWaitForSingleObject ... ) == 0x0 02798 216 NtSetEventBoostPriority ... ) == 0x0 02802 1372 NtContinue (130809136, 1, ... 02799 2040 NtTestAlert ... ) == 0x0 02800 1600 NtRegisterThreadTerminatePort ... ) == 0x0 02803 1064 NtWaitForSingleObject (304, 0, 0x0, ... 02804 152 NtSetEventBoostPriority (92, ... 02501 1948 NtWaitForSingleObject ... ) == 0x0 02797 2000 NtSetEventBoostPriority ... ) == 0x0 02805 1372 NtRegisterThreadTerminatePort (24, ... 02806 2040 NtContinue (131857712, 1, ... 02807 1600 NtWaitForSingleObject (304, 0, 0x0, ... 02808 216 NtTestAlert (... 02090 900 NtWaitForSingleObject ... ) == 0x0 02804 152 NtSetEventBoostPriority ... ) == 0x0 02809 1948 NtSetEventBoostPriority (304, ... 02810 2000 NtWaitForSingleObject (304, 0, 0x0, ... 02805 1372 NtRegisterThreadTerminatePort ... ) == 0x0 02811 2040 NtRegisterThreadTerminatePort (24, ... 02812 900 NtSetEventBoostPriority (92, ... 02808 216 NtTestAlert ... ) == 0x0 02503 988 NtWaitForSingleObject ... 
) == 0x0 02813 1372 NtWaitForSingleObject (304, 0, 0x0, ... 02099 1272 NtWaitForSingleObject ... ) == 0x0 02812 900 NtSetEventBoostPriority ... ) == 0x0 02811 2040 NtRegisterThreadTerminatePort ... ) == 0x0 02814 216 NtContinue (132906288, 1, ... 02815 988 NtSetEventBoostPriority (304, ... 02809 1948 NtSetEventBoostPriority ... ) == 0x0 02816 152 NtTestAlert (... 02817 1272 NtSetEventBoostPriority (92, ... 02818 2040 NtWaitForSingleObject (304, 0, 0x0, ... 02819 216 NtRegisterThreadTerminatePort (24, ... 02511 468 NtWaitForSingleObject ... ) == 0x0 02820 1948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02106 1240 NtWaitForSingleObject ... ) == 0x0 02817 1272 NtSetEventBoostPriority ... ) == 0x0 02816 152 NtTestAlert ... ) == 0x0 02815 988 NtSetEventBoostPriority ... ) == 0x0 02821 900 NtTestAlert (... 02819 216 NtRegisterThreadTerminatePort ... ) == 0x0 02822 468 NtSetEventBoostPriority (304, ... 02823 1240 NtSetEventBoostPriority (92, ... 02820 1948 NtDuplicateObject ... 964, ) == 0x0 02824 152 NtContinue (133954864, 1, ... 02825 988 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02821 900 NtTestAlert ... ) == 0x0 02826 216 NtWaitForSingleObject (304, 0, 0x0, ... 02115 1776 NtWaitForSingleObject ... ) == 0x0 02823 1240 NtSetEventBoostPriority ... ) == 0x0 02521 336 NtWaitForSingleObject ... ) == 0x0 02822 468 NtSetEventBoostPriority ... ) == 0x0 02827 1272 NtTestAlert (... 02828 152 NtRegisterThreadTerminatePort (24, ... 02825 988 NtDuplicateObject ... 968, ) == 0x0 02829 900 NtContinue (135003440, 1, ... 02830 1948 NtWaitForSingleObject (304, 0, 0x0, ... 02831 1776 NtSetEventBoostPriority (92, ... 02832 336 NtSetEventBoostPriority (304, ... 02833 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02827 1272 NtTestAlert ... ) == 0x0 02828 152 NtRegisterThreadTerminatePort ... ) == 0x0 02834 1240 NtTestAlert (... 02835 900 NtRegisterThreadTerminatePort (24, ... 02122 1324 NtWaitForSingleObject ... ) == 0x0 02831 1776 NtSetEventBoostPriority ... 
) == 0x0 02519 380 NtWaitForSingleObject ... ) == 0x0 02832 336 NtSetEventBoostPriority ... ) == 0x0 02833 468 NtDuplicateObject ... 972, ) == 0x0 02836 1272 NtContinue (136052016, 1, ... 02837 152 NtWaitForSingleObject (304, 0, 0x0, ... 02834 1240 NtTestAlert ... ) == 0x0 02838 1324 NtSetEventBoostPriority (92, ... 02835 900 NtRegisterThreadTerminatePort ... ) == 0x0 02839 988 NtWaitForSingleObject (304, 0, 0x0, ... 02840 380 NtSetEventBoostPriority (304, ... 02841 336 NtWaitForSingleObject (304, 0, 0x0, ... 02842 1776 NtTestAlert (... 02843 1272 NtRegisterThreadTerminatePort (24, ... 02844 468 NtWaitForSingleObject (304, 0, 0x0, ... 02131 1884 NtWaitForSingleObject ... ) == 0x0 02838 1324 NtSetEventBoostPriority ... ) == 0x0 02845 1240 NtContinue (137100592, 1, ... 02846 900 NtWaitForSingleObject (304, 0, 0x0, ... 02526 764 NtWaitForSingleObject ... ) == 0x0 02840 380 NtSetEventBoostPriority ... ) == 0x0 02842 1776 NtTestAlert ... ) == 0x0 02843 1272 NtRegisterThreadTerminatePort ... ) == 0x0 02847 1884 NtSetEventBoostPriority (92, ... 02848 1240 NtRegisterThreadTerminatePort (24, ... 02849 1324 NtTestAlert (... 02850 764 NtSetEventBoostPriority (304, ... 02851 380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02852 1776 NtContinue (138149168, 1, ... 02138 248 NtWaitForSingleObject ... ) == 0x0 02847 1884 NtSetEventBoostPriority ... ) == 0x0 02853 1272 NtWaitForSingleObject (304, 0, 0x0, ... 02848 1240 NtRegisterThreadTerminatePort ... ) == 0x0 02849 1324 NtTestAlert ... ) == 0x0 02527 1692 NtWaitForSingleObject ... ) == 0x0 02850 764 NtSetEventBoostPriority ... ) == 0x0 02851 380 NtDuplicateObject ... 976, ) == 0x0 02854 248 NtSetEventBoostPriority (92, ... 02855 1776 NtRegisterThreadTerminatePort (24, ... 02856 1884 NtTestAlert (... 02857 1240 NtWaitForSingleObject (304, 0, 0x0, ... 02858 1692 NtSetEventBoostPriority (304, ... 02859 1324 NtContinue (139197744, 1, ... 02860 764 NtWaitForSingleObject (304, 0, 0x0, ... 02147 1652 NtWaitForSingleObject ... 
) == 0x0 02854 248 NtSetEventBoostPriority ... ) == 0x0 02855 1776 NtRegisterThreadTerminatePort ... ) == 0x0 02856 1884 NtTestAlert ... ) == 0x0 02861 380 NtWaitForSingleObject (304, 0, 0x0, ... 02529 800 NtWaitForSingleObject ... ) == 0x0 02862 1324 NtRegisterThreadTerminatePort (24, ... 02863 1652 NtSetEventBoostPriority (92, ... 02858 1692 NtSetEventBoostPriority ... ) == 0x0 02864 1776 NtWaitForSingleObject (304, 0, 0x0, ... 02865 1884 NtContinue (140246320, 1, ... 02866 800 NtSetEventBoostPriority (304, ... 02154 588 NtWaitForSingleObject ... ) == 0x0 02863 1652 NtSetEventBoostPriority ... ) == 0x0 02862 1324 NtRegisterThreadTerminatePort ... ) == 0x0 02867 1692 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02868 248 NtTestAlert (... 02869 1884 NtRegisterThreadTerminatePort (24, ... 02870 588 NtSetEventBoostPriority (92, ... 02531 1792 NtWaitForSingleObject ... ) == 0x0 02866 800 NtSetEventBoostPriority ... ) == 0x0 02871 1324 NtWaitForSingleObject (304, 0, 0x0, ... 02867 1692 NtDuplicateObject ... 980, ) == 0x0 02868 248 NtTestAlert ... ) == 0x0 02163 440 NtWaitForSingleObject ... ) == 0x0 02872 1792 NtSetEventBoostPriority (304, ... 02870 588 NtSetEventBoostPriority ... ) == 0x0 02869 1884 NtRegisterThreadTerminatePort ... ) == 0x0 02873 800 NtWaitForSingleObject (304, 0, 0x0, ... 02874 1652 NtTestAlert (... 02875 440 NtSetEventBoostPriority (92, ... 02537 784 NtWaitForSingleObject ... ) == 0x0 02876 248 NtContinue (141294896, 1, ... 02872 1792 NtSetEventBoostPriority ... ) == 0x0 02877 1692 NtWaitForSingleObject (304, 0, 0x0, ... 02878 1884 NtWaitForSingleObject (304, 0, 0x0, ... 02879 588 NtTestAlert (... 02170 1296 NtWaitForSingleObject ... ) == 0x0 02875 440 NtSetEventBoostPriority ... ) == 0x0 02874 1652 NtTestAlert ... ) == 0x0 02880 784 NtSetEventBoostPriority (304, ... 02881 248 NtRegisterThreadTerminatePort (24, ... 02882 1792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02883 1296 NtSetEventBoostPriority (92, ... 02879 588 NtTestAlert ... 
) == 0x0 02884 1652 NtContinue (142343472, 1, ... 02539 308 NtWaitForSingleObject ... ) == 0x0 02881 248 NtRegisterThreadTerminatePort ... ) == 0x0 02300 860 NtWaitForSingleObject ... ) == 0x0 02883 1296 NtSetEventBoostPriority ... ) == 0x0 02882 1792 NtDuplicateObject ... 984, ) == 0x0 02885 588 NtContinue (143392048, 1, ... 02886 1652 NtRegisterThreadTerminatePort (24, ... 02887 308 NtSetEventBoostPriority (304, ... 02888 860 NtSetEventBoostPriority (92, ... 02889 248 NtWaitForSingleObject (304, 0, 0x0, ... 02880 784 NtSetEventBoostPriority ... ) == 0x0 02890 440 NtTestAlert (... 02891 1296 NtTestAlert (... 02892 588 NtRegisterThreadTerminatePort (24, ... 02886 1652 NtRegisterThreadTerminatePort ... ) == 0x0 02549 1756 NtWaitForSingleObject ... ) == 0x0 02888 860 NtSetEventBoostPriority ... ) == 0x0 02544 1520 NtWaitForSingleObject ... ) == 0x0 02887 308 NtSetEventBoostPriority ... ) == 0x0 02893 1792 NtWaitForSingleObject (304, 0, 0x0, ... 02894 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02890 440 NtTestAlert ... ) == 0x0 02891 1296 NtTestAlert ... ) == 0x0 02892 588 NtRegisterThreadTerminatePort ... ) == 0x0 02895 1756 NtWaitForSingleObject (304, 0, 0x0, ... 02896 1652 NtWaitForSingleObject (304, 0, 0x0, ... 02897 1520 NtSetEventBoostPriority (304, ... 02898 308 NtWaitForSingleObject (304, 0, 0x0, ... 02894 784 NtDuplicateObject ... 988, ) == 0x0 02899 440 NtContinue (144440624, 1, ... 02900 1296 NtContinue (145489200, 1, ... 02901 588 NtWaitForSingleObject (304, 0, 0x0, ... 02902 860 NtWaitForSingleObject (304, 0, 0x0, ... 02553 504 NtWaitForSingleObject ... ) == 0x0 02897 1520 NtSetEventBoostPriority ... ) == 0x0 02903 440 NtRegisterThreadTerminatePort (24, ... 02904 1296 NtRegisterThreadTerminatePort (24, ... 02905 784 NtWaitForSingleObject (304, 0, 0x0, ... 02906 504 NtSetEventBoostPriority (304, ... 02907 1520 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02903 440 NtRegisterThreadTerminatePort ... 
) == 0x0 02904 1296 NtRegisterThreadTerminatePort ... ) == 0x0 02550 1696 NtWaitForSingleObject ... ) == 0x0 02906 504 NtSetEventBoostPriority ... ) == 0x0 02907 1520 NtDuplicateObject ... 992, ) == 0x0 02908 440 NtWaitForSingleObject (304, 0, 0x0, ... 02909 1696 NtSetEventBoostPriority (304, ... 02910 1296 NtWaitForSingleObject (304, 0, 0x0, ... 02911 504 NtWaitForSingleObject (304, 0, 0x0, ... 02912 1520 NtWaitForSingleObject (304, 0, 0x0, ... 02560 968 NtWaitForSingleObject ... ) == 0x0 02909 1696 NtSetEventBoostPriority ... ) == 0x0 02913 968 NtSetEventBoostPriority (304, ... 02914 1696 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02567 888 NtWaitForSingleObject ... ) == 0x0 02914 1696 NtDuplicateObject ... 996, ) == 0x0 02915 888 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 02913 968 NtSetEventBoostPriority ... ) == 0x0 02915 888 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 02916 968 NtWaitForSingleObject (304, 0, 0x0, ... 02917 888 NtSetEventBoostPriority (304, ... 02918 1696 NtWaitForSingleObject (304, 0, 0x0, ... 02568 1744 NtWaitForSingleObject ... ) == 0x0 02919 1744 NtSetEventBoostPriority (304, ... 02571 240 NtWaitForSingleObject ... ) == 0x0 02920 240 NtSetEventBoostPriority (304, ... 02577 1392 NtWaitForSingleObject ... ) == 0x0 02921 1392 NtSetEventBoostPriority (304, ... 02573 1124 NtWaitForSingleObject ... ) == 0x0 02922 1124 NtSetEventBoostPriority (304, ... 02583 1496 NtWaitForSingleObject ... ) == 0x0 02923 1496 NtSetEventBoostPriority (304, ... 02591 168 NtWaitForSingleObject ... ) == 0x0 02924 168 NtSetEventBoostPriority (304, ... 02593 1284 NtWaitForSingleObject ... ) == 0x0 02925 1284 NtSetEventBoostPriority (304, ... 02594 2044 NtWaitForSingleObject ... ) == 0x0 02926 2044 NtSetEventBoostPriority (304, ... 02596 2020 NtWaitForSingleObject ... ) == 0x0 02927 2020 NtSetEventBoostPriority (304, ... 02605 740 NtWaitForSingleObject ... ) == 0x0 02928 740 NtSetEventBoostPriority (304, ... 
02604 1524 NtWaitForSingleObject ... ) == 0x0 02929 1524 NtSetEventBoostPriority (304, ... 02609 1268 NtWaitForSingleObject ... ) == 0x0 02930 1268 NtSetEventBoostPriority (304, ... 02610 1864 NtWaitForSingleObject ... ) == 0x0 02931 1864 NtSetEventBoostPriority (304, ... 02612 840 NtWaitForSingleObject ... ) == 0x0 02932 840 NtSetEventBoostPriority (304, ... 02619 1336 NtWaitForSingleObject ... ) == 0x0 02933 1336 NtSetEventBoostPriority (304, ... 02628 1200 NtWaitForSingleObject ... ) == 0x0 02934 1200 NtSetEventBoostPriority (304, ... 02631 1676 NtWaitForSingleObject ... ) == 0x0 02935 1676 NtSetEventBoostPriority (304, ... 02635 1920 NtWaitForSingleObject ... ) == 0x0 02936 1920 NtSetEventBoostPriority (304, ... 02639 496 NtWaitForSingleObject ... ) == 0x0 02937 496 NtSetEventBoostPriority (304, ... 02645 1644 NtWaitForSingleObject ... ) == 0x0 02938 1644 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 02939 1644 NtSetEventBoostPriority (304, ... 02937 496 NtSetEventBoostPriority ... ) == 0x0 02935 1676 NtSetEventBoostPriority ... ) == 0x0 02928 740 NtSetEventBoostPriority ... ) == 0x0 02927 2020 NtSetEventBoostPriority ... ) == 0x0 02921 1392 NtSetEventBoostPriority ... ) == 0x0 02919 1744 NtSetEventBoostPriority ... ) == 0x0 02936 1920 NtSetEventBoostPriority ... ) == 0x0 02934 1200 NtSetEventBoostPriority ... ) == 0x0 02933 1336 NtSetEventBoostPriority ... ) == 0x0 02932 840 NtSetEventBoostPriority ... ) == 0x0 02931 1864 NtSetEventBoostPriority ... ) == 0x0 02930 1268 NtSetEventBoostPriority ... ) == 0x0 02929 1524 NtSetEventBoostPriority ... ) == 0x0 02926 2044 NtSetEventBoostPriority ... ) == 0x0 02925 1284 NtSetEventBoostPriority ... ) == 0x0 02924 168 NtSetEventBoostPriority ... ) == 0x0 02923 1496 NtSetEventBoostPriority ... ) == 0x0 02922 1124 NtSetEventBoostPriority ... ) == 0x0 02920 240 NtSetEventBoostPriority ... ) == 0x0 02917 888 NtSetEventBoostPriority ... 
) == 0x0 02940 496 NtWaitForSingleObject (304, 0, 0x0, ... 02941 1676 NtWaitForSingleObject (304, 0, 0x0, ... 02942 740 NtWaitForSingleObject (304, 0, 0x0, ... 02943 2020 NtWaitForSingleObject (304, 0, 0x0, ... 02944 1392 NtWaitForSingleObject (304, 0, 0x0, ... 02644 896 NtWaitForSingleObject ... ) == 0x0 02939 1644 NtSetEventBoostPriority ... ) == 0x0 02945 1920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02946 1200 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02947 1336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02948 840 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02949 1864 NtWaitForSingleObject (304, 0, 0x0, ... 02950 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02951 1524 NtWaitForSingleObject (304, 0, 0x0, ... 02952 2044 NtWaitForSingleObject (304, 0, 0x0, ... 02953 1284 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02954 168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02955 1496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02956 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02957 240 NtWaitForSingleObject (304, 0, 0x0, ... 02958 888 NtWaitForSingleObject (304, 0, 0x0, ... 02959 1744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02960 896 NtSetEventBoostPriority (304, ... 02961 1644 NtWaitForSingleObject (304, 0, 0x0, ... 02945 1920 NtDuplicateObject ... 1000, ) == 0x0 02946 1200 NtDuplicateObject ... 1004, ) == 0x0 02947 1336 NtDuplicateObject ... 1008, ) == 0x0 02948 840 NtDuplicateObject ... 1012, ) == 0x0 02950 1268 NtDuplicateObject ... 1016, ) == 0x0 02953 1284 NtDuplicateObject ... 1020, ) == 0x0 02954 168 NtDuplicateObject ... 1024, ) == 0x0 02955 1496 NtDuplicateObject ... 1028, ) == 0x0 02956 1124 NtDuplicateObject ... 1032, ) == 0x0 02959 1744 NtDuplicateObject ... 1036, ) == 0x0 02649 1020 NtWaitForSingleObject ... ) == 0x0 02960 896 NtSetEventBoostPriority ... ) == 0x0 02962 1920 NtWaitForSingleObject (304, 0, 0x0, ... 02963 1200 NtWaitForSingleObject (304, 0, 0x0, ... 02964 1336 NtWaitForSingleObject (304, 0, 0x0, ... 
02965 840 NtWaitForSingleObject (304, 0, 0x0, ... 02966 1268 NtWaitForSingleObject (304, 0, 0x0, ... 02967 1284 NtWaitForSingleObject (304, 0, 0x0, ... 02968 168 NtWaitForSingleObject (304, 0, 0x0, ... 02969 1496 NtWaitForSingleObject (304, 0, 0x0, ... 02970 1744 NtWaitForSingleObject (304, 0, 0x0, ... 02971 1020 NtSetEventBoostPriority (304, ... 02972 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02648 2016 NtWaitForSingleObject ... ) == 0x0 02971 1020 NtSetEventBoostPriority ... ) == 0x0 02973 2016 NtSetEventBoostPriority (304, ... 02972 896 NtDuplicateObject ... 1040, ) == 0x0 02651 1804 NtWaitForSingleObject ... ) == 0x0 02974 1020 NtWaitForSingleObject (304, 0, 0x0, ... 02973 2016 NtSetEventBoostPriority ... ) == 0x0 02975 1124 NtWaitForSingleObject (304, 0, 0x0, ... 02976 1804 NtSetEventBoostPriority (304, ... 02977 896 NtWaitForSingleObject (304, 0, 0x0, ... 02978 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02657 2012 NtWaitForSingleObject ... ) == 0x0 02978 2016 NtDuplicateObject ... 1044, ) == 0x0 02979 2012 NtSetEventBoostPriority (304, ... 02976 1804 NtSetEventBoostPriority ... ) == 0x0 02658 1780 NtWaitForSingleObject ... ) == 0x0 02980 1804 NtWaitForSingleObject (304, 0, 0x0, ... 02981 1780 NtSetEventBoostPriority (304, ... 02664 1604 NtWaitForSingleObject ... ) == 0x0 02982 1604 NtSetEventBoostPriority (304, ... 02670 1572 NtWaitForSingleObject ... ) == 0x0 02983 1572 NtSetEventBoostPriority (304, ... 02671 1528 NtWaitForSingleObject ... ) == 0x0 02984 1528 NtSetEventBoostPriority (304, ... 02674 432 NtWaitForSingleObject ... ) == 0x0 02985 432 NtSetEventBoostPriority (304, ... 02681 596 NtWaitForSingleObject ... ) == 0x0 02986 596 NtSetEventBoostPriority (304, ... 02690 1332 NtWaitForSingleObject ... ) == 0x0 02987 1332 NtSetEventBoostPriority (304, ... 02688 376 NtWaitForSingleObject ... ) == 0x0 02988 376 NtSetEventBoostPriority (304, ... 02694 1168 NtWaitForSingleObject ... ) == 0x0 02989 1168 NtSetEventBoostPriority (304, ... 
02698 1328 NtWaitForSingleObject ... ) == 0x0 02990 1328 NtSetEventBoostPriority (304, ... 02695 932 NtWaitForSingleObject ... ) == 0x0 02991 932 NtSetEventBoostPriority (304, ... 02703 1500 NtWaitForSingleObject ... ) == 0x0 02992 1500 NtSetEventBoostPriority (304, ... 02705 428 NtWaitForSingleObject ... ) == 0x0 02993 428 NtSetEventBoostPriority (304, ... 02710 1344 NtWaitForSingleObject ... ) == 0x0 02994 1344 NtSetEventBoostPriority (304, ... 02715 1300 NtWaitForSingleObject ... ) == 0x0 02995 1300 NtSetEventBoostPriority (304, ... 02719 1096 NtWaitForSingleObject ... ) == 0x0 02996 1096 NtSetEventBoostPriority (304, ... 02723 2032 NtWaitForSingleObject ... ) == 0x0 02997 2032 NtSetEventBoostPriority (304, ... 02726 752 NtWaitForSingleObject ... ) == 0x0 02998 752 NtSetEventBoostPriority (304, ... 02730 252 NtWaitForSingleObject ... ) == 0x0 02999 252 NtSetEventBoostPriority (304, ... 02737 1592 NtWaitForSingleObject ... ) == 0x0 03000 1592 NtSetEventBoostPriority (304, ... 02738 500 NtWaitForSingleObject ... ) == 0x0 03001 500 NtSetEventBoostPriority (304, ... 02740 120 NtWaitForSingleObject ... ) == 0x0 03002 120 NtSetEventBoostPriority (304, ... 02744 1132 NtWaitForSingleObject ... ) == 0x0 03003 1132 NtSetEventBoostPriority (304, ... 02751 1564 NtWaitForSingleObject ... ) == 0x0 03004 1564 NtSetEventBoostPriority (304, ... 02754 1732 NtWaitForSingleObject ... ) == 0x0 03005 1732 NtSetEventBoostPriority (304, ... 02753 1024 NtWaitForSingleObject ... ) == 0x0 03006 1024 NtSetEventBoostPriority (304, ... 02757 164 NtWaitForSingleObject ... ) == 0x0 03007 164 NtSetEventBoostPriority (304, ... 02758 948 NtWaitForSingleObject ... ) == 0x0 03008 948 NtSetEventBoostPriority (304, ... 02765 1388 NtWaitForSingleObject ... ) == 0x0 03009 1388 NtSetEventBoostPriority (304, ... 02768 1420 NtWaitForSingleObject ... ) == 0x0 03010 1420 NtSetEventBoostPriority (304, ... 02773 188 NtWaitForSingleObject ... ) == 0x0 03011 188 NtSetEventBoostPriority (304, ... 
02779 520 NtWaitForSingleObject ... ) == 0x0 03012 520 NtSetEventBoostPriority (304, ... 02785 1636 NtWaitForSingleObject ... ) == 0x0 03013 1636 NtSetEventBoostPriority (304, ... 02782 1852 NtWaitForSingleObject ... ) == 0x0 03014 1852 NtSetEventBoostPriority (304, ... 02789 276 NtWaitForSingleObject ... ) == 0x0 03015 276 NtSetEventBoostPriority (304, ... 02793 996 NtWaitForSingleObject ... ) == 0x0 03016 996 NtSetEventBoostPriority (304, ... 02801 624 NtWaitForSingleObject ... ) == 0x0 03017 624 NtSetEventBoostPriority (304, ... 02803 1064 NtWaitForSingleObject ... ) == 0x0 03018 1064 NtSetEventBoostPriority (304, ... 02807 1600 NtWaitForSingleObject ... ) == 0x0 03019 1600 NtSetEventBoostPriority (304, ... 02810 2000 NtWaitForSingleObject ... ) == 0x0 03020 2000 NtSetEventBoostPriority (304, ... 02813 1372 NtWaitForSingleObject ... ) == 0x0 03021 1372 NtSetEventBoostPriority (304, ... 02818 2040 NtWaitForSingleObject ... ) == 0x0 03022 2040 NtSetEventBoostPriority (304, ... 02826 216 NtWaitForSingleObject ... ) == 0x0 03023 216 NtSetEventBoostPriority (304, ... 02830 1948 NtWaitForSingleObject ... ) == 0x0 03024 1948 NtSetEventBoostPriority (304, ... 02839 988 NtWaitForSingleObject ... ) == 0x0 03025 988 NtSetEventBoostPriority (304, ... 02837 152 NtWaitForSingleObject ... ) == 0x0 03026 152 NtSetEventBoostPriority (304, ... 02844 468 NtWaitForSingleObject ... ) == 0x0 03027 468 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 03028 468 NtSetEventBoostPriority (304, ... 03025 988 NtSetEventBoostPriority ... ) == 0x0 03024 1948 NtSetEventBoostPriority ... ) == 0x0 03020 2000 NtSetEventBoostPriority ... ) == 0x0 03017 624 NtSetEventBoostPriority ... ) == 0x0 03013 1636 NtSetEventBoostPriority ... ) == 0x0 03012 520 NtSetEventBoostPriority ... ) == 0x0 03011 188 NtSetEventBoostPriority ... ) == 0x0 03005 1732 NtSetEventBoostPriority ... ) == 0x0 03002 120 NtSetEventBoostPriority ... ) == 0x0 02998 752 NtSetEventBoostPriority ... 
) == 0x0 02990 1328 NtSetEventBoostPriority ... ) == 0x0 02987 1332 NtSetEventBoostPriority ... ) == 0x0 02985 432 NtSetEventBoostPriority ... ) == 0x0 03026 152 NtSetEventBoostPriority ... ) == 0x0 03023 216 NtSetEventBoostPriority ... ) == 0x0 03022 2040 NtSetEventBoostPriority ... ) == 0x0 03021 1372 NtSetEventBoostPriority ... ) == 0x0 03019 1600 NtSetEventBoostPriority ... ) == 0x0 03018 1064 NtSetEventBoostPriority ... ) == 0x0 03016 996 NtSetEventBoostPriority ... ) == 0x0 03015 276 NtSetEventBoostPriority ... ) == 0x0 03014 1852 NtSetEventBoostPriority ... ) == 0x0 03010 1420 NtSetEventBoostPriority ... ) == 0x0 03009 1388 NtSetEventBoostPriority ... ) == 0x0 03008 948 NtSetEventBoostPriority ... ) == 0x0 03007 164 NtSetEventBoostPriority ... ) == 0x0 03006 1024 NtSetEventBoostPriority ... ) == 0x0 03004 1564 NtSetEventBoostPriority ... ) == 0x0 03003 1132 NtSetEventBoostPriority ... ) == 0x0 03001 500 NtSetEventBoostPriority ... ) == 0x0 03000 1592 NtSetEventBoostPriority ... ) == 0x0 02999 252 NtSetEventBoostPriority ... ) == 0x0 02997 2032 NtSetEventBoostPriority ... ) == 0x0 02996 1096 NtSetEventBoostPriority ... ) == 0x0 02995 1300 NtSetEventBoostPriority ... ) == 0x0 02994 1344 NtSetEventBoostPriority ... ) == 0x0 02993 428 NtSetEventBoostPriority ... ) == 0x0 02992 1500 NtSetEventBoostPriority ... ) == 0x0 02991 932 NtSetEventBoostPriority ... ) == 0x0 02989 1168 NtSetEventBoostPriority ... ) == 0x0 02988 376 NtSetEventBoostPriority ... ) == 0x0 02986 596 NtSetEventBoostPriority ... ) == 0x0 02984 1528 NtSetEventBoostPriority ... ) == 0x0 02983 1572 NtSetEventBoostPriority ... ) == 0x0 02982 1604 NtSetEventBoostPriority ... ) == 0x0 02981 1780 NtSetEventBoostPriority ... ) == 0x0 02979 2012 NtSetEventBoostPriority ... ) == 0x0 03029 2016 NtWaitForSingleObject (304, 0, 0x0, ... 03030 988 NtWaitForSingleObject (304, 0, 0x0, ... 03031 1948 NtWaitForSingleObject (304, 0, 0x0, ... 02841 336 NtWaitForSingleObject ... 
) == 0x0 03028 468 NtSetEventBoostPriority ... ) == 0x0 03032 624 NtWaitForSingleObject (304, 0, 0x0, ... 03033 1636 NtWaitForSingleObject (304, 0, 0x0, ... 03034 2000 NtWaitForSingleObject (304, 0, 0x0, ... 03035 188 NtWaitForSingleObject (304, 0, 0x0, ... 03036 1732 NtWaitForSingleObject (304, 0, 0x0, ... 03037 120 NtWaitForSingleObject (304, 0, 0x0, ... 03038 520 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03039 1328 NtWaitForSingleObject (304, 0, 0x0, ... 03040 1332 NtWaitForSingleObject (304, 0, 0x0, ... 03041 432 NtWaitForSingleObject (304, 0, 0x0, ... 03042 152 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03043 216 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03044 2040 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03045 1372 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03046 1600 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03047 1064 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03048 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03049 276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03050 1852 NtWaitForSingleObject (304, 0, 0x0, ... 03051 1420 NtWaitForSingleObject (304, 0, 0x0, ... 03052 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03053 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03054 164 NtWaitForSingleObject (304, 0, 0x0, ... 03055 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03056 1564 NtWaitForSingleObject (304, 0, 0x0, ... 03057 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03058 500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03059 1592 NtWaitForSingleObject (304, 0, 0x0, ... 03060 252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03061 2032 NtWaitForSingleObject (304, 0, 0x0, ... 03062 1096 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03063 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03064 1344 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03065 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03066 1500 NtWaitForSingleObject (304, 0, 0x0, ... 03067 932 NtWaitForSingleObject (304, 0, 0x0, ... 
03068 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03069 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03070 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03071 1528 NtWaitForSingleObject (304, 0, 0x0, ... 03072 1572 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03073 1604 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03074 1780 NtWaitForSingleObject (304, 0, 0x0, ... 03075 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03076 752 NtWaitForSingleObject (304, 0, 0x0, ... 03077 336 NtSetEventBoostPriority (304, ... 03078 468 NtWaitForSingleObject (304, 0, 0x0, ... 03038 520 NtDuplicateObject ... 1048, ) == 0x0 03042 152 NtDuplicateObject ... 1052, ) == 0x0 03043 216 NtDuplicateObject ... 1056, ) == 0x0 03044 2040 NtDuplicateObject ... 1060, ) == 0x0 03045 1372 NtDuplicateObject ... 1064, ) == 0x0 03046 1600 NtDuplicateObject ... 1068, ) == 0x0 03047 1064 NtDuplicateObject ... 1072, ) == 0x0 03048 996 NtDuplicateObject ... 1076, ) == 0x0 03049 276 NtDuplicateObject ... 1080, ) == 0x0 03052 1388 NtDuplicateObject ... 1084, ) == 0x0 03053 948 NtDuplicateObject ... 1088, ) == 0x0 03055 1024 NtDuplicateObject ... 1092, ) == 0x0 03057 1132 NtDuplicateObject ... 1096, ) == 0x0 03058 500 NtDuplicateObject ... 1100, ) == 0x0 03060 252 NtDuplicateObject ... 1104, ) == 0x0 03062 1096 NtDuplicateObject ... 1108, ) == 0x0 03063 1300 NtDuplicateObject ... 1112, ) == 0x0 03064 1344 NtDuplicateObject ... 1116, ) == 0x0 03065 428 NtDuplicateObject ... 1120, ) == 0x0 03068 1168 NtDuplicateObject ... 1124, ) == 0x0 03069 376 NtDuplicateObject ... 1128, ) == 0x0 03070 596 NtDuplicateObject ... 1132, ) == 0x0 03072 1572 NtDuplicateObject ... 1136, ) == 0x0 03073 1604 NtDuplicateObject ... 1140, ) == 0x0 03075 2012 NtDuplicateObject ... 1144, ) == 0x0 02846 900 NtWaitForSingleObject ... ) == 0x0 03079 520 NtWaitForSingleObject (304, 0, 0x0, ... 03077 336 NtSetEventBoostPriority ... ) == 0x0 03080 152 NtWaitForSingleObject (304, 0, 0x0, ... 
03081 216 NtWaitForSingleObject (304, 0, 0x0, ... 03082 2040 NtWaitForSingleObject (304, 0, 0x0, ... 03083 1372 NtWaitForSingleObject (304, 0, 0x0, ... 03084 1600 NtWaitForSingleObject (304, 0, 0x0, ... 03085 1064 NtWaitForSingleObject (304, 0, 0x0, ... 03086 996 NtWaitForSingleObject (304, 0, 0x0, ... 03087 276 NtWaitForSingleObject (304, 0, 0x0, ... 03088 1388 NtWaitForSingleObject (304, 0, 0x0, ... 03089 948 NtWaitForSingleObject (304, 0, 0x0, ... 03090 1024 NtWaitForSingleObject (304, 0, 0x0, ... 03091 1132 NtWaitForSingleObject (304, 0, 0x0, ... 03092 500 NtWaitForSingleObject (304, 0, 0x0, ... 03093 252 NtWaitForSingleObject (304, 0, 0x0, ... 03094 1096 NtWaitForSingleObject (304, 0, 0x0, ... 03095 1300 NtWaitForSingleObject (304, 0, 0x0, ... 03096 1344 NtWaitForSingleObject (304, 0, 0x0, ... 03097 428 NtWaitForSingleObject (304, 0, 0x0, ... 03098 1168 NtWaitForSingleObject (304, 0, 0x0, ... 03099 376 NtWaitForSingleObject (304, 0, 0x0, ... 03100 596 NtWaitForSingleObject (304, 0, 0x0, ... 03101 1572 NtWaitForSingleObject (304, 0, 0x0, ... 03102 1604 NtWaitForSingleObject (304, 0, 0x0, ... 03103 900 NtSetEventBoostPriority (304, ... 03104 336 NtWaitForSingleObject (304, 0, 0x0, ... 02853 1272 NtWaitForSingleObject ... ) == 0x0 03105 1272 NtSetEventBoostPriority (304, ... 02860 764 NtWaitForSingleObject ... ) == 0x0 03106 764 NtSetEventBoostPriority (304, ... 02857 1240 NtWaitForSingleObject ... ) == 0x0 03107 1240 NtSetEventBoostPriority (304, ... 02861 380 NtWaitForSingleObject ... ) == 0x0 03108 380 NtSetEventBoostPriority (304, ... 02864 1776 NtWaitForSingleObject ... ) == 0x0 03109 1776 NtSetEventBoostPriority (304, ... 02871 1324 NtWaitForSingleObject ... ) == 0x0 03110 1324 NtSetEventBoostPriority (304, ... 02877 1692 NtWaitForSingleObject ... ) == 0x0 03111 1692 NtSetEventBoostPriority (304, ... 02873 800 NtWaitForSingleObject ... ) == 0x0 03112 800 NtSetEventBoostPriority (304, ... 02878 1884 NtWaitForSingleObject ... 
) == 0x0 03113 1884 NtSetEventBoostPriority (304, ... 02889 248 NtWaitForSingleObject ... ) == 0x0 03114 248 NtSetEventBoostPriority (304, ... 02893 1792 NtWaitForSingleObject ... ) == 0x0 03115 1792 NtSetEventBoostPriority (304, ... 02895 1756 NtWaitForSingleObject ... ) == 0x0 03116 1756 NtSetEventBoostPriority (304, ... 02898 308 NtWaitForSingleObject ... ) == 0x0 03117 308 NtSetEventBoostPriority (304, ... 02896 1652 NtWaitForSingleObject ... ) == 0x0 03118 1652 NtSetEventBoostPriority (304, ... 02902 860 NtWaitForSingleObject ... ) == 0x0 03119 860 NtSetEventBoostPriority (304, ... 02905 784 NtWaitForSingleObject ... ) == 0x0 03120 784 NtSetEventBoostPriority (304, ... 02901 588 NtWaitForSingleObject ... ) == 0x0 03121 588 NtSetEventBoostPriority (304, ... 02908 440 NtWaitForSingleObject ... ) == 0x0 03122 440 NtSetEventBoostPriority (304, ... 02910 1296 NtWaitForSingleObject ... ) == 0x0 03123 1296 NtSetEventBoostPriority (304, ... 02912 1520 NtWaitForSingleObject ... ) == 0x0 03124 1520 NtSetEventBoostPriority (304, ... 02911 504 NtWaitForSingleObject ... ) == 0x0 03125 504 NtSetEventBoostPriority (304, ... 02916 968 NtWaitForSingleObject ... ) == 0x0 03126 968 NtSetEventBoostPriority (304, ... 02918 1696 NtWaitForSingleObject ... ) == 0x0 03127 1696 NtSetEventBoostPriority (304, ... 02940 496 NtWaitForSingleObject ... ) == 0x0 03128 496 NtSetEventBoostPriority (304, ... 02941 1676 NtWaitForSingleObject ... ) == 0x0 03129 1676 NtSetEventBoostPriority (304, ... 02942 740 NtWaitForSingleObject ... ) == 0x0 03130 740 NtSetEventBoostPriority (304, ... 02943 2020 NtWaitForSingleObject ... ) == 0x0 03131 2020 NtSetEventBoostPriority (304, ... 02949 1864 NtWaitForSingleObject ... ) == 0x0 03132 1864 NtSetEventBoostPriority (304, ... 02951 1524 NtWaitForSingleObject ... ) == 0x0 03133 1524 NtSetEventBoostPriority (304, ... 02952 2044 NtWaitForSingleObject ... ) == 0x0 03134 2044 NtSetEventBoostPriority (304, ... 02957 240 NtWaitForSingleObject ... 
) == 0x0 03135 240 NtSetEventBoostPriority (304, ... 02958 888 NtWaitForSingleObject ... ) == 0x0 03136 888 NtSetEventBoostPriority (304, ... 02961 1644 NtWaitForSingleObject ... ) == 0x0 03137 1644 NtSetEventBoostPriority (304, ... 02944 1392 NtWaitForSingleObject ... ) == 0x0 03138 1392 NtSetEventBoostPriority (304, ... 02962 1920 NtWaitForSingleObject ... ) == 0x0 03139 1920 NtSetEventBoostPriority (304, ... 02963 1200 NtWaitForSingleObject ... ) == 0x0 03140 1200 NtSetEventBoostPriority (304, ... 02964 1336 NtWaitForSingleObject ... ) == 0x0 03141 1336 NtSetEventBoostPriority (304, ... 02965 840 NtWaitForSingleObject ... ) == 0x0 03142 840 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0 03143 840 NtSetEventBoostPriority (304, ... 03141 1336 NtSetEventBoostPriority ... ) == 0x0 03140 1200 NtSetEventBoostPriority ... ) == 0x0 03139 1920 NtSetEventBoostPriority ... ) == 0x0 03137 1644 NtSetEventBoostPriority ... ) == 0x0 03136 888 NtSetEventBoostPriority ... ) == 0x0 03135 240 NtSetEventBoostPriority ... ) == 0x0 03134 2044 NtSetEventBoostPriority ... ) == 0x0 03133 1524 NtSetEventBoostPriority ... ) == 0x0 03132 1864 NtSetEventBoostPriority ... ) == 0x0 03127 1696 NtSetEventBoostPriority ... ) == 0x0 03126 968 NtSetEventBoostPriority ... ) == 0x0 03124 1520 NtSetEventBoostPriority ... ) == 0x0 03120 784 NtSetEventBoostPriority ... ) == 0x0 03119 860 NtSetEventBoostPriority ... ) == 0x0 03117 308 NtSetEventBoostPriority ... ) == 0x0 03116 1756 NtSetEventBoostPriority ... ) == 0x0 03115 1792 NtSetEventBoostPriority ... ) == 0x0 03111 1692 NtSetEventBoostPriority ... ) == 0x0 03108 380 NtSetEventBoostPriority ... ) == 0x0 03106 764 NtSetEventBoostPriority ... ) == 0x0 03138 1392 NtSetEventBoostPriority ... ) == 0x0 03131 2020 NtSetEventBoostPriority ... ) == 0x0 03130 740 NtSetEventBoostPriority ... ) == 0x0 03129 1676 NtSetEventBoostPriority ... ) == 0x0 03128 496 NtSetEventBoostPriority ... 
) == 0x0 03125 504 NtSetEventBoostPriority ... ) == 0x0 03123 1296 NtSetEventBoostPriority ... ) == 0x0 03122 440 NtSetEventBoostPriority ... ) == 0x0 03121 588 NtSetEventBoostPriority ... ) == 0x0 03118 1652 NtSetEventBoostPriority ... ) == 0x0 03114 248 NtSetEventBoostPriority ... ) == 0x0 03113 1884 NtSetEventBoostPriority ... ) == 0x0 03112 800 NtSetEventBoostPriority ... ) == 0x0 03110 1324 NtSetEventBoostPriority ... ) == 0x0 03109 1776 NtSetEventBoostPriority ... ) == 0x0 03107 1240 NtSetEventBoostPriority ... ) == 0x0 03105 1272 NtSetEventBoostPriority ... ) == 0x0 03103 900 NtSetEventBoostPriority ... ) == 0x0 03144 2012 NtWaitForSingleObject (304, 0, 0x0, ... 03145 1336 NtWaitForSingleObject (304, 0, 0x0, ... 03146 1200 NtWaitForSingleObject (304, 0, 0x0, ... 03147 1920 NtWaitForSingleObject (304, 0, 0x0, ... 02966 1268 NtWaitForSingleObject ... ) == 0x0 03143 840 NtSetEventBoostPriority ... ) == 0x0 03148 1644 NtWaitForSingleObject (304, 0, 0x0, ... 03149 888 NtWaitForSingleObject (304, 0, 0x0, ... 03150 240 NtWaitForSingleObject (304, 0, 0x0, ... 03151 2044 NtWaitForSingleObject (304, 0, 0x0, ... 03152 1524 NtWaitForSingleObject (304, 0, 0x0, ... 03153 1696 NtWaitForSingleObject (304, 0, 0x0, ... 03154 1864 NtWaitForSingleObject (304, 0, 0x0, ... 03155 1520 NtWaitForSingleObject (304, 0, 0x0, ... 03156 784 NtWaitForSingleObject (304, 0, 0x0, ... 03157 860 NtWaitForSingleObject (304, 0, 0x0, ... 03158 968 NtWaitForSingleObject (304, 0, 0x0, ... 03159 308 NtWaitForSingleObject (304, 0, 0x0, ... 03160 1792 NtWaitForSingleObject (304, 0, 0x0, ... 03161 1692 NtWaitForSingleObject (304, 0, 0x0, ... 03162 380 NtWaitForSingleObject (304, 0, 0x0, ... 03163 764 NtWaitForSingleObject (304, 0, 0x0, ... 03164 1392 NtWaitForSingleObject (304, 0, 0x0, ... 03165 2020 NtWaitForSingleObject (304, 0, 0x0, ... 03166 740 NtWaitForSingleObject (304, 0, 0x0, ... 03167 1676 NtWaitForSingleObject (304, 0, 0x0, ... 03168 496 NtWaitForSingleObject (304, 0, 0x0, ... 
03169 504 NtWaitForSingleObject (304, 0, 0x0, ... 03170 1296 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03171 440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03172 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03173 1652 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03174 248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03175 1884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03176 800 NtWaitForSingleObject (304, 0, 0x0, ... 03177 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03178 1776 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03179 1240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03180 1272 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03181 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03182 1756 NtWaitForSingleObject (320, 0, 0x0, ... 03183 1268 NtSetEventBoostPriority (304, ... 03184 840 NtWaitForSingleObject (304, 0, 0x0, ... 03170 1296 NtDuplicateObject ... 1148, ) == 0x0 03171 440 NtDuplicateObject ... 1152, ) == 0x0 03172 588 NtDuplicateObject ... 1156, ) == 0x0 03173 1652 NtDuplicateObject ... 1160, ) == 0x0 03174 248 NtDuplicateObject ... 1164, ) == 0x0 03175 1884 NtDuplicateObject ... 1168, ) == 0x0 03177 1324 NtDuplicateObject ... 1172, ) == 0x0 03178 1776 NtDuplicateObject ... 1176, ) == 0x0 03179 1240 NtDuplicateObject ... 1180, ) == 0x0 03180 1272 NtDuplicateObject ... 1184, ) == 0x0 03181 900 NtDuplicateObject ... 1188, ) == 0x0 02967 1284 NtWaitForSingleObject ... ) == 0x0 03183 1268 NtSetEventBoostPriority ... ) == 0x0 03185 1296 NtWaitForSingleObject (304, 0, 0x0, ... 03186 440 NtWaitForSingleObject (304, 0, 0x0, ... 03187 588 NtWaitForSingleObject (304, 0, 0x0, ... 03188 1652 NtWaitForSingleObject (304, 0, 0x0, ... 03189 248 NtWaitForSingleObject (304, 0, 0x0, ... 03190 1884 NtWaitForSingleObject (304, 0, 0x0, ... 03191 1324 NtWaitForSingleObject (304, 0, 0x0, ... 03192 1776 NtWaitForSingleObject (304, 0, 0x0, ... 03193 1240 NtWaitForSingleObject (304, 0, 0x0, ... 03194 1272 NtWaitForSingleObject (304, 0, 0x0, ... 
03195 1284 NtSetEventBoostPriority (304, ... 03196 1268 NtWaitForSingleObject (304, 0, 0x0, ... 02968 168 NtWaitForSingleObject ... ) == 0x0 03195 1284 NtSetEventBoostPriority ... ) == 0x0 03197 900 NtWaitForSingleObject (304, 0, 0x0, ... 03198 168 NtSetEventBoostPriority (304, ... 03199 1284 NtWaitForSingleObject (304, 0, 0x0, ... 02969 1496 NtWaitForSingleObject ... ) == 0x0 03198 168 NtSetEventBoostPriority ... ) == 0x0 03200 1496 NtSetEventBoostPriority (304, ... 02970 1744 NtWaitForSingleObject ... ) == 0x0 03201 1744 NtSetEventBoostPriority (304, ... 02975 1124 NtWaitForSingleObject ... ) == 0x0 03202 1124 NtSetEventBoostPriority (304, ... 02977 896 NtWaitForSingleObject ... ) == 0x0 03203 896 NtSetEventBoostPriority (304, ... 02974 1020 NtWaitForSingleObject ... ) == 0x0 03204 1020 NtSetEventBoostPriority (304, ... 02980 1804 NtWaitForSingleObject ... ) == 0x0 03205 1804 NtSetEventBoostPriority (304, ... 03029 2016 NtWaitForSingleObject ... ) == 0x0 03206 2016 NtSetEventBoostPriority (304, ... 03030 988 NtWaitForSingleObject ... ) == 0x0 03207 988 NtSetEventBoostPriority (304, ... 03031 1948 NtWaitForSingleObject ... ) == 0x0 03208 1948 NtSetEventBoostPriority (304, ... 03032 624 NtWaitForSingleObject ... ) == 0x0 03209 624 NtSetEventBoostPriority (304, ... 03034 2000 NtWaitForSingleObject ... ) == 0x0 03210 2000 NtSetEventBoostPriority (304, ... 03033 1636 NtWaitForSingleObject ... ) == 0x0 03211 1636 NtSetEventBoostPriority (304, ... 03035 188 NtWaitForSingleObject ... ) == 0x0 03212 188 NtSetEventBoostPriority (304, ... 03036 1732 NtWaitForSingleObject ... ) == 0x0 03213 1732 NtSetEventBoostPriority (304, ... 03037 120 NtWaitForSingleObject ... ) == 0x0 03214 120 NtSetEventBoostPriority (304, ... 03039 1328 NtWaitForSingleObject ... ) == 0x0 03215 1328 NtSetEventBoostPriority (304, ... 03040 1332 NtWaitForSingleObject ... ) == 0x0 03216 1332 NtSetEventBoostPriority (304, ... 03050 1852 NtWaitForSingleObject ... 
) == 0x0 03217 1852 NtSetEventBoostPriority (304, ... 03051 1420 NtWaitForSingleObject ... ) == 0x0 03218 1420 NtSetEventBoostPriority (304, ... 03054 164 NtWaitForSingleObject ... ) == 0x0 03219 164 NtSetEventBoostPriority (304, ... 03056 1564 NtWaitForSingleObject ... ) == 0x0 03220 1564 NtSetEventBoostPriority (304, ... 03059 1592 NtWaitForSingleObject ... ) == 0x0 03221 1592 NtSetEventBoostPriority (304, ... 03061 2032 NtWaitForSingleObject ... ) == 0x0 03222 2032 NtSetEventBoostPriority (304, ... 03066 1500 NtWaitForSingleObject ... ) == 0x0 03223 1500 NtSetEventBoostPriority (304, ... 03067 932 NtWaitForSingleObject ... ) == 0x0 03224 932 NtSetEventBoostPriority (304, ... 03071 1528 NtWaitForSingleObject ... ) == 0x0 03225 1528 NtSetEventBoostPriority (304, ... 03074 1780 NtWaitForSingleObject ... ) == 0x0 03226 1780 NtSetEventBoostPriority (304, ... 03076 752 NtWaitForSingleObject ... ) == 0x0 03227 752 NtSetEventBoostPriority (304, ... 03078 468 NtWaitForSingleObject ... ) == 0x0 03228 468 NtSetEventBoostPriority (304, ... 03041 432 NtWaitForSingleObject ... ) == 0x0 03229 432 NtSetEventBoostPriority (304, ... 03079 520 NtWaitForSingleObject ... ) == 0x0 03230 520 NtSetEventBoostPriority (304, ... 03080 152 NtWaitForSingleObject ... ) == 0x0 03231 152 NtSetEventBoostPriority (304, ... 03081 216 NtWaitForSingleObject ... ) == 0x0 03232 216 NtSetEventBoostPriority (304, ... 03082 2040 NtWaitForSingleObject ... ) == 0x0 03233 2040 NtSetEventBoostPriority (304, ... 03083 1372 NtWaitForSingleObject ... ) == 0x0 03234 1372 NtSetEventBoostPriority (304, ... 03084 1600 NtWaitForSingleObject ... ) == 0x0 03235 1600 NtSetEventBoostPriority (304, ... 03085 1064 NtWaitForSingleObject ... ) == 0x0 03236 1064 NtSetEventBoostPriority (304, ... 03086 996 NtWaitForSingleObject ... ) == 0x0 03237 996 NtSetEventBoostPriority (304, ... 03087 276 NtWaitForSingleObject ... ) == 0x0 03238 276 NtSetEventBoostPriority (304, ... 03088 1388 NtWaitForSingleObject ... 
) == 0x0 03239 1388 NtSetEventBoostPriority (304, ... 03089 948 NtWaitForSingleObject ... ) == 0x0 03240 948 NtSetEventBoostPriority (304, ... 03090 1024 NtWaitForSingleObject ... ) == 0x0 03241 1024 NtSetEventBoostPriority (304, ... 03091 1132 NtWaitForSingleObject ... ) == 0x0 03242 1132 NtSetEventBoostPriority (304, ... 03092 500 NtWaitForSingleObject ... ) == 0x0 03243 500 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0 03244 500 NtSetEventBoostPriority (304, ... 03242 1132 NtSetEventBoostPriority ... ) == 0x0 03241 1024 NtSetEventBoostPriority ... ) == 0x0 03240 948 NtSetEventBoostPriority ... ) == 0x0 03239 1388 NtSetEventBoostPriority ... ) == 0x0 03238 276 NtSetEventBoostPriority ... ) == 0x0 03237 996 NtSetEventBoostPriority ... ) == 0x0 03236 1064 NtSetEventBoostPriority ... ) == 0x0 03235 1600 NtSetEventBoostPriority ... ) == 0x0 03234 1372 NtSetEventBoostPriority ... ) == 0x0 03233 2040 NtSetEventBoostPriority ... ) == 0x0 03232 216 NtSetEventBoostPriority ... ) == 0x0 03231 152 NtSetEventBoostPriority ... ) == 0x0 03230 520 NtSetEventBoostPriority ... ) == 0x0 03228 468 NtSetEventBoostPriority ... ) == 0x0 03227 752 NtSetEventBoostPriority ... ) == 0x0 03226 1780 NtSetEventBoostPriority ... ) == 0x0 03225 1528 NtSetEventBoostPriority ... ) == 0x0 03224 932 NtSetEventBoostPriority ... ) == 0x0 03223 1500 NtSetEventBoostPriority ... ) == 0x0 03222 2032 NtSetEventBoostPriority ... ) == 0x0 03221 1592 NtSetEventBoostPriority ... ) == 0x0 03220 1564 NtSetEventBoostPriority ... ) == 0x0 03219 164 NtSetEventBoostPriority ... ) == 0x0 03218 1420 NtSetEventBoostPriority ... ) == 0x0 03217 1852 NtSetEventBoostPriority ... ) == 0x0 03210 2000 NtSetEventBoostPriority ... ) == 0x0 03206 2016 NtSetEventBoostPriority ... ) == 0x0 03205 1804 NtSetEventBoostPriority ... ) == 0x0 03203 896 NtSetEventBoostPriority ... ) == 0x0 03202 1124 NtSetEventBoostPriority ... ) == 0x0 03201 1744 NtSetEventBoostPriority ... 
) == 0x0 03200 1496 NtSetEventBoostPriority ... ) == 0x0 03245 168 NtWaitForSingleObject (304, 0, 0x0, ... 03229 432 NtSetEventBoostPriority ... ) == 0x0 03216 1332 NtSetEventBoostPriority ... ) == 0x0 03215 1328 NtSetEventBoostPriority ... ) == 0x0 03214 120 NtSetEventBoostPriority ... ) == 0x0 03213 1732 NtSetEventBoostPriority ... ) == 0x0 03212 188 NtSetEventBoostPriority ... ) == 0x0 03211 1636 NtSetEventBoostPriority ... ) == 0x0 03209 624 NtSetEventBoostPriority ... ) == 0x0 03208 1948 NtSetEventBoostPriority ... ) == 0x0 03207 988 NtSetEventBoostPriority ... ) == 0x0 03204 1020 NtSetEventBoostPriority ... ) == 0x0 03246 1132 NtWaitForSingleObject (304, 0, 0x0, ... 03247 1024 NtWaitForSingleObject (304, 0, 0x0, ... 03248 948 NtWaitForSingleObject (304, 0, 0x0, ... 03249 1388 NtWaitForSingleObject (304, 0, 0x0, ... 03250 276 NtWaitForSingleObject (304, 0, 0x0, ... 03251 996 NtWaitForSingleObject (304, 0, 0x0, ... 03252 1064 NtWaitForSingleObject (304, 0, 0x0, ... 03253 1600 NtWaitForSingleObject (304, 0, 0x0, ... 03254 1372 NtWaitForSingleObject (304, 0, 0x0, ... 03255 2040 NtWaitForSingleObject (304, 0, 0x0, ... 03256 216 NtWaitForSingleObject (304, 0, 0x0, ... 03257 152 NtWaitForSingleObject (320, 0, 0x0, ... 03093 252 NtWaitForSingleObject ... ) == 0x0 03244 500 NtSetEventBoostPriority ... ) == 0x0 03258 520 NtWaitForSingleObject (320, 0, 0x0, ... 03259 752 NtWaitForSingleObject (320, 0, 0x0, ... 03260 468 NtWaitForSingleObject (320, 0, 0x0, ... 03261 1780 NtWaitForSingleObject (320, 0, 0x0, ... 03262 1528 NtWaitForSingleObject (320, 0, 0x0, ... 03263 932 NtWaitForSingleObject (320, 0, 0x0, ... 03264 1500 NtWaitForSingleObject (304, 0, 0x0, ... 03265 2032 NtWaitForSingleObject (304, 0, 0x0, ... 03266 1592 NtWaitForSingleObject (304, 0, 0x0, ... 03267 1564 NtWaitForSingleObject (304, 0, 0x0, ... 03268 164 NtWaitForSingleObject (304, 0, 0x0, ... 03269 1420 NtWaitForSingleObject (304, 0, 0x0, ... 03270 2000 NtWaitForSingleObject (304, 0, 0x0, ... 
03271 2016 NtWaitForSingleObject (304, 0, 0x0, ... 03272 1852 NtWaitForSingleObject (304, 0, 0x0, ... 03273 896 NtWaitForSingleObject (304, 0, 0x0, ... 03274 1124 NtWaitForSingleObject (304, 0, 0x0, ... 03275 1804 NtSetEventBoostPriority (320, ... 03276 1496 NtWaitForSingleObject (304, 0, 0x0, ... 03277 1744 NtWaitForSingleObject (304, 0, 0x0, ... 03278 432 NtWaitForSingleObject (304, 0, 0x0, ... 03279 1332 NtWaitForSingleObject (304, 0, 0x0, ... 03280 1328 NtWaitForSingleObject (304, 0, 0x0, ... 03281 120 NtWaitForSingleObject (304, 0, 0x0, ... 03282 1732 NtWaitForSingleObject (304, 0, 0x0, ... 03283 188 NtWaitForSingleObject (304, 0, 0x0, ... 03284 1636 NtWaitForSingleObject (320, 0, 0x0, ... 03285 624 NtWaitForSingleObject (320, 0, 0x0, ... 03286 1948 NtWaitForSingleObject (320, 0, 0x0, ... 03287 988 NtWaitForSingleObject (320, 0, 0x0, ... 03288 1020 NtWaitForSingleObject (304, 0, 0x0, ... 03289 252 NtSetEventBoostPriority (304, ... 03290 500 NtWaitForSingleObject (304, 0, 0x0, ... 03182 1756 NtWaitForSingleObject ... ) == 0x0 03275 1804 NtSetEventBoostPriority ... ) == 0x0 03094 1096 NtWaitForSingleObject ... ) == 0x0 03289 252 NtSetEventBoostPriority ... ) == 0x0 03291 1756 NtWaitForSingleObject (304, 0, 0x0, ... 03292 1096 NtSetEventBoostPriority (304, ... 03293 1804 NtWaitForSingleObject (64, 0, {0, 0}, ... 03095 1300 NtWaitForSingleObject ... ) == 0x0 03292 1096 NtSetEventBoostPriority ... ) == 0x0 03294 252 NtWaitForSingleObject (304, 0, 0x0, ... 03295 1300 NtSetEventBoostPriority (304, ... 03293 1804 NtWaitForSingleObject ... ) == 0x102 03296 1096 NtWaitForSingleObject (304, 0, 0x0, ... 03096 1344 NtWaitForSingleObject ... ) == 0x0 03295 1300 NtSetEventBoostPriority ... ) == 0x0 03297 1804 NtWaitForSingleObject (120, 0, 0x0, ... 03298 1344 NtSetEventBoostPriority (304, ... 03299 1300 NtWaitForSingleObject (304, 0, 0x0, ... 03097 428 NtWaitForSingleObject ... ) == 0x0 03298 1344 NtSetEventBoostPriority ... 
) == 0x0 03300 428 NtSetEventBoostPriority (304, ... 03098 1168 NtWaitForSingleObject ... ) == 0x0 03301 1168 NtSetEventBoostPriority (304, ... 03099 376 NtWaitForSingleObject ... ) == 0x0 03302 376 NtSetEventBoostPriority (304, ... 03100 596 NtWaitForSingleObject ... ) == 0x0 03303 596 NtSetEventBoostPriority (304, ... 03101 1572 NtWaitForSingleObject ... ) == 0x0 03304 1572 NtSetEventBoostPriority (304, ... 03102 1604 NtWaitForSingleObject ... ) == 0x0 03305 1604 NtSetEventBoostPriority (304, ... 03104 336 NtWaitForSingleObject ... ) == 0x0 03306 336 NtSetEventBoostPriority (304, ... 03144 2012 NtWaitForSingleObject ... ) == 0x0 03307 2012 NtSetEventBoostPriority (304, ... 03145 1336 NtWaitForSingleObject ... ) == 0x0 03308 1336 NtSetEventBoostPriority (304, ... 03146 1200 NtWaitForSingleObject ... ) == 0x0 03309 1200 NtSetEventBoostPriority (304, ... 03148 1644 NtWaitForSingleObject ... ) == 0x0 03310 1644 NtSetEventBoostPriority (304, ... 03149 888 NtWaitForSingleObject ... ) == 0x0 03311 888 NtSetEventBoostPriority (304, ... 03150 240 NtWaitForSingleObject ... ) == 0x0 03312 240 NtSetEventBoostPriority (304, ... 03151 2044 NtWaitForSingleObject ... ) == 0x0 03313 2044 NtSetEventBoostPriority (304, ... 03152 1524 NtWaitForSingleObject ... ) == 0x0 03314 1524 NtSetEventBoostPriority (304, ... 03147 1920 NtWaitForSingleObject ... ) == 0x0 03315 1920 NtSetEventBoostPriority (304, ... 03154 1864 NtWaitForSingleObject ... ) == 0x0 03316 1864 NtSetEventBoostPriority (304, ... 03153 1696 NtWaitForSingleObject ... ) == 0x0 03317 1696 NtSetEventBoostPriority (304, ... 03155 1520 NtWaitForSingleObject ... ) == 0x0 03318 1520 NtSetEventBoostPriority (304, ... 03156 784 NtWaitForSingleObject ... ) == 0x0 03319 784 NtSetEventBoostPriority (304, ... 03158 968 NtWaitForSingleObject ... ) == 0x0 03320 968 NtSetEventBoostPriority (304, ... 03159 308 NtWaitForSingleObject ... ) == 0x0 03321 308 NtSetEventBoostPriority (304, ... 03157 860 NtWaitForSingleObject ... 
) == 0x0 03322 860 NtSetEventBoostPriority (304, ... 03160 1792 NtWaitForSingleObject ... ) == 0x0 03323 1792 NtSetEventBoostPriority (304, ... 03161 1692 NtWaitForSingleObject ... ) == 0x0 03324 1692 NtSetEventBoostPriority (304, ... 03162 380 NtWaitForSingleObject ... ) == 0x0 03325 380 NtSetEventBoostPriority (304, ... 03164 1392 NtWaitForSingleObject ... ) == 0x0 03326 1392 NtSetEventBoostPriority (304, ... 03165 2020 NtWaitForSingleObject ... ) == 0x0 03327 2020 NtSetEventBoostPriority (304, ... 03166 740 NtWaitForSingleObject ... ) == 0x0 03328 740 NtSetEventBoostPriority (304, ... 03167 1676 NtWaitForSingleObject ... ) == 0x0 03329 1676 NtSetEventBoostPriority (304, ... 03168 496 NtWaitForSingleObject ... ) == 0x0 03330 496 NtSetEventBoostPriority (304, ... 03169 504 NtWaitForSingleObject ... ) == 0x0 03331 504 NtSetEventBoostPriority (304, ... 03176 800 NtWaitForSingleObject ... ) == 0x0 03332 800 NtSetEventBoostPriority (304, ... 03184 840 NtWaitForSingleObject ... ) == 0x0 03333 840 NtSetEventBoostPriority (304, ... 03163 764 NtWaitForSingleObject ... ) == 0x0 03334 764 NtSetEventBoostPriority (304, ... 03185 1296 NtWaitForSingleObject ... ) == 0x0 03335 1296 NtSetEventBoostPriority (304, ... 03186 440 NtWaitForSingleObject ... ) == 0x0 03336 440 NtSetEventBoostPriority (304, ... 03187 588 NtWaitForSingleObject ... ) == 0x0 03337 588 NtSetEventBoostPriority (304, ... 03188 1652 NtWaitForSingleObject ... ) == 0x0 03338 1652 NtSetEventBoostPriority (304, ... 03189 248 NtWaitForSingleObject ... ) == 0x0 03339 248 NtSetEventBoostPriority (304, ... 03190 1884 NtWaitForSingleObject ... ) == 0x0 03340 1884 NtSetEventBoostPriority (304, ... 03191 1324 NtWaitForSingleObject ... ) == 0x0 03341 1324 NtSetEventBoostPriority (304, ... 03192 1776 NtWaitForSingleObject ... ) == 0x0 03342 1776 NtSetEventBoostPriority (304, ... 03193 1240 NtWaitForSingleObject ... ) == 0x0 03343 1240 NtSetEventBoostPriority (304, ... 03194 1272 NtWaitForSingleObject ... 
) == 0x0 03344 1272 NtSetEventBoostPriority (304, ... 03197 900 NtWaitForSingleObject ... ) == 0x0 03345 900 NtSetEventBoostPriority (304, ... 03196 1268 NtWaitForSingleObject ... ) == 0x0 03346 1268 NtSetEventBoostPriority (304, ... 03199 1284 NtWaitForSingleObject ... ) == 0x0 03347 1284 NtSetEventBoostPriority (304, ... 03245 168 NtWaitForSingleObject ... ) == 0x0 03348 168 NtSetEventBoostPriority (304, ... 03246 1132 NtWaitForSingleObject ... ) == 0x0 03349 1132 NtSetEventBoostPriority (304, ... 03247 1024 NtWaitForSingleObject ... ) == 0x0 03350 1024 NtSetEventBoostPriority (304, ... 03248 948 NtWaitForSingleObject ... ) == 0x0 03351 948 NtSetEventBoostPriority (304, ... 03249 1388 NtWaitForSingleObject ... ) == 0x0 03352 1388 NtSetEventBoostPriority (304, ... 03250 276 NtWaitForSingleObject ... ) == 0x0 03353 276 NtSetEventBoostPriority (304, ... 03251 996 NtWaitForSingleObject ... ) == 0x0 03354 996 NtSetEventBoostPriority (304, ... 03252 1064 NtWaitForSingleObject ... ) == 0x0 03355 1064 NtSetEventBoostPriority (304, ... 03253 1600 NtWaitForSingleObject ... ) == 0x0 03356 1600 NtSetEventBoostPriority (304, ... 03254 1372 NtWaitForSingleObject ... ) == 0x0 03357 1372 NtSetEventBoostPriority (304, ... 03255 2040 NtWaitForSingleObject ... ) == 0x0 03358 2040 NtSetEventBoostPriority (304, ... 03256 216 NtWaitForSingleObject ... ) == 0x0 03359 216 NtSetEventBoostPriority (304, ... 03264 1500 NtWaitForSingleObject ... ) == 0x0 03360 1500 NtSetEventBoostPriority (304, ... 03265 2032 NtWaitForSingleObject ... ) == 0x0 03361 2032 NtSetEventBoostPriority (304, ... 03266 1592 NtWaitForSingleObject ... ) == 0x0 03362 1592 NtSetEventBoostPriority (304, ... 03267 1564 NtWaitForSingleObject ... ) == 0x0 03363 1564 NtSetEventBoostPriority (304, ... 03268 164 NtWaitForSingleObject ... ) == 0x0 03364 164 NtSetEventBoostPriority (304, ... 03269 1420 NtWaitForSingleObject ... ) == 0x0 03365 1420 NtSetEventBoostPriority (304, ... 03270 2000 NtWaitForSingleObject ... 
) == 0x0 03366 2000 NtSetEventBoostPriority (304, ... 03272 1852 NtWaitForSingleObject ... ) == 0x0 03367 1852 NtSetEventBoostPriority (304, ... 03271 2016 NtWaitForSingleObject ... ) == 0x0 03368 2016 NtSetEventBoostPriority (304, ... 03273 896 NtWaitForSingleObject ... ) == 0x0 03369 896 NtSetEventBoostPriority (304, ... 03274 1124 NtWaitForSingleObject ... ) == 0x0 03370 1124 NtSetEventBoostPriority (304, ... 03277 1744 NtWaitForSingleObject ... ) == 0x0 03371 1744 NtSetEventBoostPriority (304, ...