Summary:


NtAddAtom(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultLocale(>)  8 
NtOpenSection(>)  40 

NtEnumerateValueKey(>)  1 
NtNotifyChangeKey(>)  2 
NtReleaseMutant(>)  8 
NtOpenFile(>)  48 

NtGdiCreateBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiCreateCompatibleDC(>)  9 
NtUserFindExistingCursorIcon(>)  57 

NtGdiInit(>)  1 
NtQuerySystemTime(>)  2 
NtQueryDebugFilterState(>)  9 
NtContinue(>)  65 

NtGdiQueryFontAssocInfo(>)  1 
NtUserGetObjectInformation(>)  2 
NtSetInformationProcess(>)  9 
NtUserRegisterClassExWOW(>)  67 

NtGdiSelectBitmap(>)  1 
NtUserGetThreadDesktop(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtQueryAttributesFile(>)  74 

NtOpenKeyedEvent(>)  1 
NtUserMessageCall(>)  2 
NtQueryVirtualMemory(>)  11 
NtMapViewOfSection(>)  78 

NtOpenProcess(>)  1 
NtUserSetWindowFNID(>)  2 
NtQueryInformationFile(>)  13 
NtCreateSection(>)  97 

NtOpenSymbolicLinkObject(>)  1 
NtUserSetWindowLong(>)  2 
NtCreateKey(>)  14 
NtCreateThread(>)  102 

NtQueryEvent(>)  1 
NtAccessCheck(>)  3 
NtCreateMutant(>)  14 
NtResumeThread(>)  105 

NtQueryInstallUILanguage(>)  1 
NtCreateSemaphore(>)  3 
NtOpenProcessTokenEx(>)  14 
NtQueryInformationThread(>)  112 

NtQueryObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtQueryDirectoryFile(>)  14 
NtRegisterThreadTerminatePort(>)  124 

NtQuerySymbolicLinkObject(>)  1 
NtOpenEvent(>)  3 
NtUserSystemParametersInfo(>)  14 
NtQuerySystemInformation(>)  125 

NtReadFile(>)  1 
NtQueryPerformanceCounter(>)  3 
NtDeviceIoControlFile(>)  15 
NtTestAlert(>)  125 

NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtOpenThreadTokenEx(>)  15 
NtDuplicateObject(>)  126 

NtSetEvent(>)  1 
NtSetInformationThread(>)  3 
NtSetValueKey(>)  15 
NtFlushInstructionCache(>)  130 

NtUserCreateWindowEx(>)  1 
NtUserGetDC(>)  3 
NtCreateFile(>)  17 
NtRequestWaitReplyPort(>)  131 

NtUserGetGUIThreadInfo(>)  1 
NtOpenThreadToken(>)  4 
NtUserGetWindowDC(>)  17 
NtOpenKey(>)  162 

NtUserGetProcessWindowStation(>)  1 
NtUserGetClassInfo(>)  4 
NtQueryInformationProcess(>)  19 
NtOpenMutant(>)  190 

NtUserGetThreadState(>)  1 
NtOpenProcessToken(>)  6 
NtQueryInformationToken(>)  20 
NtQueryValueKey(>)  242 

NtCallbackReturn(>)  2 
NtWriteFile(>)  6 
NtUserCallOneParam(>)  20 
NtAllocateVirtualMemory(>)  295 

NtConnectPort(>)  2 
NtGdiGetStockObject(>)  7 
NtQuerySection(>)  22 
NtClose(>)  360 

NtFsControlFile(>)  2 
NtQueryVolumeInformationFile(>)  7 
NtUnmapViewOfSection(>)  26 
NtProtectVirtualMemory(>)  366 

NtGdiCreatePatternBrushInternal(>)  2 
NtSetInformationFile(>)  7 
NtCreateEvent(>)  36 
NtSetEventBoostPriority(>)  529 

NtGdiCreateSolidBrush(>)  2 
NtUserCallNoParam(>)  7 
NtUserRegisterWindowMessage(>)  36 
NtWaitForSingleObject(>)  725 


Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482748, {status=0x0, info=1}, ) }, 0, 32, ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482748, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482748, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482748, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482748, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482748, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482748, 0, 0x0, 0x0, 0x90120,  (-2147482748, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147481484, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147481484, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147481484, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147481484, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147481484, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00037   896   NtClose  (-2147482104, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147481628, ) == 0x0
 00053   896   NtClose  (-2147481628, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147482760, ) == 0x0
 00055   896   NtClose  (-2147482760, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147482764, ) == 0x0
 00057   896   NtClose  (-2147482764, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00059   896   NtClose  (-2147482688, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482136, ) == 0x0
 00061   896   NtClose  (-2147482136, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147481480, ) == 0x0
 00063   896   NtClose  (-2147481480, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147481484, ... ) == 0x0
 00093   896   NtClose  (-2147482104, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147481628, ... ) == 0x0
 00102   896   NtClose  (-2147482760, ... ) == 0x0
 00103   896   NtClose  (-2147482764, ... ) == 0x0
 00104   896   NtClose  (-2147482688, ... ) == 0x0
 00105   896   NtClose  (-2147482136, ... ) == 0x0
 00106   896   NtClose  (-2147481480, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481480, ) == 0x0
 00145   896   NtClose  (-2147481480, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147482136, ) == 0x0
 00147   896   NtClose  (-2147482136, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147482688, ) == 0x0
 00149   896   NtClose  (-2147482688, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482688, ... -2147482764, ) == 0x0
 00151   896   NtClose  (-2147482764, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482764, ... -2147482760, ) == 0x0
 00153   896   NtClose  (-2147482760, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147481628, ) == 0x0
 00155   896   NtClose  (-2147481628, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481480, ... ) == 0x0
 00178   896   NtClose  (-2147482136, ... ) == 0x0
 00179   896   NtClose  (-2147482688, ... ) == 0x0
 00180   896   NtClose  (-2147482764, ... ) == 0x0
 00181   896   NtClose  (-2147482760, ... ) == 0x0
 00182   896   NtClose  (-2147481628, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482748, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 5636096, 2097152, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 5636096, 0, 4096, 4096, 4, ... 5636096, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 5640192, 0, 8192, 4096, 4, ... 5640192, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 2292428, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292380, ... ) }, 2292380, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 5645112, {12, 0, 0}, 2290520, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 5645112, {12, 0, 0}, 2290520, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2290836, 2291036, 2089900544, 2290760}  (24, {28, 56, new_msg, 0, 2290836, 2291036, 2089900544, 2290760} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81841, 0}  (24, {28, 56, new_msg, 0, 2290836, 2291036, 2089900544, 2290760} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81842, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81843, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4231168, 65552, ... ) == 0x0
 00249   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00251   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00252   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00253   896   NtClose  (16, ... ) == 0x0
 00254   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00255   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   896   NtClose  (16, ... ) == 0x0
 00257   896   NtTestAlert  (... ) == 0x0
 00258   896   NtContinue  (2293040, 1, ...
 00259   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0
 00260   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00261   896   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   896   NtClose  (16, ... ) == 0x0
 00263   896   NtAllocateVirtualMemory  (-1, 5648384, 0, 4096, 4096, 4, ... 5648384, 4096, ) == 0x0
 00264   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00265   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291232, ... ) }, 2291232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00267   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crtdll.dll"}, 2291232, ... ) }, 2291232, ... ) == 0x0
 00268   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crtdll.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00269   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00270   896   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00271   896   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00272   896   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00273   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00275   896   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00276   896   NtClose  (36, ... ) == 0x0
 00277   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00278   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00279   896   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00280   896   NtClose  (36, ... ) == 0x0
 00281   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282   896   NtClose  (32, ... ) == 0x0
 00283   896   NtClose  (16, ... ) == 0x0
 00284   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0
 00285   896   NtClose  (28, ... ) == 0x0
 00286   896   NtProtectVirtualMemory  (-1, (0x73d9103c), 400, 4, ... (0x73d91000), 4096, 32, ) == 0x0
 00287   896   NtProtectVirtualMemory  (-1, (0x73d91000), 4096, 32, ... (0x73d91000), 4096, 4, ) == 0x0
 00288   896   NtFlushInstructionCache  (-1, 1943605248, 400, ... ) == 0x0
 00289   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crtdll.dll"}, 2288836, ... ) }, 2288836, ... ) == 0x0
 00291   896   NtAllocateVirtualMemory  (-1, 5652480, 0, 8192, 4096, 4, ... 5652480, 8192, ) == 0x0
 00292   896   NtAllocateVirtualMemory  (-1, 5660672, 0, 4096, 4096, 4, ... 5660672, 4096, ) == 0x0
 00293   896   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00294   896   NtRequestWaitReplyPort  (24, {40, 68, new_msg, 0, 6553714, 5505056, 7143529, 101}  (24, {40, 68, new_msg, 0, 6553714, 5505056, 7143529, 101} "\0\0\0\0\0\2\2\0l\20\201|\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1252, 896, 81844, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" )  ... {40, 68, reply, 0, 1252, 896, 81844, 0}  (24, {40, 68, new_msg, 0, 6553714, 5505056, 7143529, 101} "\0\0\0\0\0\2\2\0l\20\201|\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1252, 896, 81844, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" )  ) == 0x0
 00295   896   NtRequestWaitReplyPort  (24, {40, 68, new_msg, 0, 1252, 896, 81844, 0}  (24, {40, 68, new_msg, 0, 1252, 896, 81844, 0} "\0\0\0\0\0\2\2\0\\20\201|\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1252, 896, 81845, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" )  ... {40, 68, reply, 0, 1252, 896, 81845, 0}  (24, {40, 68, new_msg, 0, 1252, 896, 81844, 0} "\0\0\0\0\0\2\2\0\\20\201|\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 1252, 896, 81845, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" )  ) == 0x0
 00296   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00297   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 28, ) }, ... 28, ) == 0x0
 00299   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00300   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx10"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00305   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx13"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00317   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00319   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00322   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00323   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00326   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00327   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00328   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00331   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00332   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00333   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00337   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00341   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00342   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00343   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00344   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00345   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00346   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx53"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00347   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00349   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00350   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00352   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00353   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00354   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00355   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00356   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00357   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00358   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00359   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00360   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx68"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00362   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx69"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx70"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00364   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx71"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00365   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx72"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx73"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00367   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx74"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00369   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00372   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx80"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00374   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx81"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00375   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx82"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00376   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx83"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx84"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx85"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx87"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00381   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx88"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx89"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx90"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx91"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx92"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00386   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx93"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00387   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx94"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00388   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx95"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00389   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx96"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00390   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx97"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00391   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx98"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   896   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx99"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 7733248, 2097152, ) == 0x0
 00394   896   NtAllocateVirtualMemory  (-1, 9822208, 0, 8192, 4096, 4, ... 9822208, 8192, ) == 0x0
 00395   896   NtProtectVirtualMemory  (-1, (0x95e000), 4096, 260, ... (0x95e000), 4096, 4, ) == 0x0
 00396   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292332, 2292276, 1, ... 16, {1252, 2016}, ) == 0x0
 00397   896   NtQueryInformationThread  (16, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1252,Tid=2016,}, 0x0, ) == 0x0
 00398   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2088770935, 4231184, 5580752, 0}  (24, {28, 56, new_msg, 0, 2088770935, 4231184, 5580752, 0} "\0\0\0\0\1\0\1\0mtx99\0sr\20\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\09\0sr\20\0\0\0\344\4\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81846, 0}  (24, {28, 56, new_msg, 0, 2088770935, 4231184, 5580752, 0} "\0\0\0\0\1\0\1\0mtx99\0sr\20\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\09\0sr\20\0\0\0\344\4\0\0\340\7\0\0" )  ) == 0x0
 00399   896   NtResumeThread  (16, ... 1, ) == 0x0
 00400  2016   NtTestAlert  (... ) == 0x0
 00401  2016   NtContinue  (9829680, 1, ...
 00402  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00403   896   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00404   896   NtContinue  (2292976, 0, ...
 00405   896   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00406   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00407   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00408  2016   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 36, ) == 0x0
 00409  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 00410   896   NtClose  (32, ... ) == 0x0
 00411   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00412   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00413   896   NtClose  (32, ... ) == 0x0
 00414   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00415   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00416   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00417   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00418   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00419   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00420   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00421   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00422   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00423   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00424   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00425   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00426   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00427   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00428   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00429   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00430   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00431   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00432   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00433   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00434   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00435   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 2290184}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 2290184} "\210\6!\1\0\0\0\0\344\0#\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81847, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81847, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 2290184} "\210\6!\1\0\0\0\0\344\0#\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81847, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00436   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 2287576, ... ) }, 2287576, ... ) == 0x0
 00437   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00438   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 40, ) == 0x0
 00439   896   NtClose  (32, ... ) == 0x0
 00440   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 110592, ) == 0x0
 00441   896   NtClose  (40, ... ) == 0x0
 00442   896   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00443   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 2287484, ... ) }, 2287484, ... ) == 0x0
 00444   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00445   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 32, ) == 0x0
 00446   896   NtClose  (40, ... ) == 0x0
 00447   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 110592, ) == 0x0
 00448   896   NtClose  (32, ... ) == 0x0
 00449   896   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00450   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 2287792, ... ) }, 2287792, ... ) == 0x0
 00451   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00452   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 40, ) == 0x0
 00453   896   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00454   896   NtClose  (32, ... ) == 0x0
 00455   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00456   896   NtClose  (40, ... ) == 0x0
 00457   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00458   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00459   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00460   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00461   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00462   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00463   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00464   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00465   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00466   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 40, ) }, ... 40, ) == 0x0
 00467   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00468   896   NtClose  (40, ... ) == 0x0
 00469   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00470   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00471   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00472   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 40, ) }, ... 40, ) == 0x0
 00473   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00474   896   NtClose  (40, ... ) == 0x0
 00475   896   NtAllocateVirtualMemory  (-1, 2277376, 0, 4096, 4096, 260, ... 2277376, 4096, ) == 0x0
 00476   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00477   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00478   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00479   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00480   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00481   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00482   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00483   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00484   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00485   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00486   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00487   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00488   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00489   896   NtAllocateVirtualMemory  (-1, 5664768, 0, 4096, 4096, 4, ... 5664768, 4096, ) == 0x0
 00490   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00491   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 40, ) }, ... 40, ) == 0x0
 00492   896   NtQueryValueKey  (40,  (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00493   896   NtQueryValueKey  (40,  (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00494   896   NtClose  (40, ... ) == 0x0
 00495   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) }, ... 40, ) == 0x0
 00496   896   NtQueryValueKey  (40,  (40, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497   896   NtClose  (40, ... ) == 0x0
 00498   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) }, ... 40, ) == 0x0
 00499   896   NtSetInformationObject  (40, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00500   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00501   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00502   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00503   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 2284708, ... ) }, 2284708, ... ) == 0x0
 00504   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 2288112, ... ) }, 2288112, ... ) == 0x0
 00505   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00507   896   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00508   896   NtClose  (32, ... ) == 0x0
 00509   896   NtMapViewOfSection  (-2147482748, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x960000), 0x0, 1060864, ) == 0x0
 00510   896   NtClose  (-2147482748, ... ) == 0x0
 00511   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00512   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00513   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482748, ) == 0x0
 00514   896   NtQueryInformationToken  (-2147482748, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00515   896   NtQueryInformationToken  (-2147482748, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00516   896   NtClose  (-2147482748, ... ) == 0x0
 00517   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 10944512, 4096, ) == 0x0
 00518   896   NtFreeVirtualMemory  (-1, (0xa70000), 4096, 32768, ... (0xa70000), 4096, ) == 0x0
 00519   896   NtDuplicateObject  (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00520   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00521   896   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00522   896   NtClose  (-2147482748, ... ) == 0x0
 00523   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00524   896   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00525   896   NtClose  (-2147482748, ... ) == 0x0
 00526   896   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00527   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00528   896   NtUserCallNoParam  (24, ... ) == 0x0
 00529   896   NtGdiCreateCompatibleDC  (0, ...
 00530   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10944512, 4096, ) == 0x0
 00529   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00531   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00532   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00533   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00534   896   NtGdiCreateSolidBrush  (0, 0, ...
 00535   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 14155776, 4096, ) == 0x0
 00534   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00536   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00537   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00538   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00539   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x30
 00540   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0
 00541   896   NtQueryValueKey  (56,  (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00542   896   NtClose  (56, ... ) == 0x0
 00543   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00544   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 673, 128, 0, ... ) == 0x8177c017
 00545   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00546   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 674, 128, 0, ... ) == 0x8177c01c
 00547   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00548   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 675, 128, 0, ... ) == 0x8177c01e
 00549   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00550   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 676, 128, 0, ... ) == 0x81778002
 00551   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10013
 00552   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 677, 128, 0, ... ) == 0x8177c018
 00553   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00554   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 678, 128, 0, ... ) == 0x8177c01a
 00555   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00556   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 679, 128, 0, ... ) == 0x8177c01d
 00557   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00558   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 681, 128, 0, ... ) == 0x8177c026
 00559   896   NtUserFindExistingCursorIcon  (2289288, 2289304, 2289352, ... ) == 0x10011
 00560   896   NtUserRegisterClassExWOW  (2289300, 2289368, 2289384, 2289400, 680, 128, 0, ... ) == 0x8177c019
 00561   896   NtUserRegisterClassExWOW  (2289252, 2289320, 2289336, 2289352, 0, 128, 0, ... ) == 0x8177c020
 00562   896   NtUserRegisterClassExWOW  (2289508, 2289604, 2289588, 2289576, 0, 130, 0, ... ) == 0x8177c022
 00563   896   NtUserRegisterClassExWOW  (2289252, 2289320, 2289336, 2289352, 0, 128, 0, ... ) == 0x8177c023
 00564   896   NtUserRegisterClassExWOW  (2289508, 2289604, 2289588, 2289576, 0, 130, 0, ... ) == 0x8177c024
 00565   896   NtUserRegisterClassExWOW  (2289252, 2289320, 2289336, 2289352, 0, 128, 0, ... ) == 0x8177c025
 00566   896   NtCallbackReturn  (0, 0, 0, ...
 00567   896   NtGdiInit  (... ) == 0x1
 00568   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00569   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00570   896   NtSetEventBoostPriority  (36, ...
 00409  2016   NtWaitForSingleObject  ... ) == 0x0
 00571  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 9827864, ... }, 9827864, ...
 00570   896   NtSetEventBoostPriority  ... ) == 0x0
 00573   896   NtWaitForSingleObject  (36, 0, 0x0, ...
 00572  2016   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\pstorec.dll"}, 9827864, ... ) }, 9827864, ... ) == 0x0
 00575  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\pstorec.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00576  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0
 00577  2016   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00578  2016   NtClose  (56, ... ) == 0x0
 00579  2016   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 53248, ) == 0x0
 00580  2016   NtClose  (60, ... ) == 0x0
 00581  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00582  2016   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00583  2016   NtClose  (60, ... ) == 0x0
 00584  2016   NtAllocateVirtualMemory  (-1, 9818112, 0, 4096, 4096, 260, ... 9818112, 4096, ) == 0x0
 00585  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00586  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00587  2016   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00588  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 00589  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 00590  2016   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 00591  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 9827048, ... ) }, 9827048, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ATL.DLL"}, 9827048, ... ) }, 9827048, ... ) == 0x0
 00594  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ATL.DLL"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00595  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00596  2016   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00597  2016   NtClose  (60, ... ) == 0x0
 00598  2016   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 69632, ) == 0x0
 00599  2016   NtClose  (56, ... ) == 0x0
 00600  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 00601  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 00602  2016   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 00603  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 00604  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 00605  2016   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 00606  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 00607  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 00608  2016   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 00609  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 00610  2016   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 00611  2016   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 00612  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 00613  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 00614  2016   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 00615  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 00616  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 00617  2016   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 00618  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00619  2016   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00620  2016   NtClose  (56, ... ) == 0x0
 00621  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00622  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00623  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00624  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00625  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00626  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00627  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00628  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00629  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00630  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00631  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00632  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00633  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00634  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00635  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00636  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00637  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00638  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00639  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00640  2016   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00641  2016   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00642  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 00643  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 00644  2016   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 00645  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 00646  2016   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 00647  2016   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 00648  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00650  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 14221312, 65536, ) == 0x0
 00651  2016   NtAllocateVirtualMemory  (-1, 14221312, 0, 4096, 4096, 4, ... 14221312, 4096, ) == 0x0
 00652  2016   NtAllocateVirtualMemory  (-1, 14225408, 0, 8192, 4096, 4, ... 14225408, 8192, ) == 0x0
 00653  2016   NtAllocateVirtualMemory  (-1, 14233600, 0, 4096, 4096, 4, ... 14233600, 4096, ) == 0x0
 00654  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 56, ) }, ... 56, ) == 0x0
 00655  2016   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xda0000), 0x0, 12288, ) == 0x0
 00656  2016   NtClose  (56, ... ) == 0x0
 00657  2016   NtAllocateVirtualMemory  (-1, 14237696, 0, 4096, 4096, 4, ... 14237696, 4096, ) == 0x0
 00658  2016   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00659  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00660  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00661  2016   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00662  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663  2016   NtQueryPerformanceCounter  (... {-1439969459, 16}, {3579545, 0}, ) == 0x0
 00664  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665  2016   NtAllocateVirtualMemory  (-1, 5668864, 0, 4096, 4096, 4, ... 5668864, 4096, ) == 0x0
 00666  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 56, {status=0x0, info=0}, ) }, 7, 16, ... 56, {status=0x0, info=0}, ) == 0x0
 00667  2016   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\320\1\307\240\363\357\312j\225\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00668  2016   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00669  2016   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00670  2016   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00671  2016   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00672  2016   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00673  2016   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00674  2016   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00675  2016   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482748, 2, ) }, 0, 0x0, 0, ... -2147482748, 2, ) == 0x0
 00676  2016   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "?YL\\332\271\230l\232OO\322+\17\374\256)\355d\367@(\257B\225\323\316\264\240A\15B\234\345h\206eF\3\331\353\346\322O2\353F\350\24006\330\205~\262\274\245e\246~\245\307d\150\371\11\3558\350~}&)P5\375o\303A", 80, ... ) , 0, 3,  (-2147482748, "Seed", 0, 3, "?YL\\332\271\230l\232OO\322+\17\374\256)\355d\367@(\257B\225\323\316\264\240A\15B\234\345h\206eF\3\331\353\346\322O2\353F\350\24006\330\205~\262\274\245e\246~\245\307d\150\371\11\3558\350~}&)P5\375o\303A", 80, ... ) , 80, ... ) == 0x0
 00677  2016   NtClose  (-2147482748, ... ) == 0x0
 00667  2016   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\253\36\241\323\257\370 \340\265\267u\1\273{\363m~\240\3G\365;\340c\26\335B:\11$\223\211\346yY\334\16s\4\254\322\11\274\243\203\361\5*W\261d\306\315*\2307\214\322\247\244\274\364\314_\345i2\327\370\374\356/\267\256&\206\373\341\332F'\202`\254\306!\351\352\3\356F\327<\225\2515\252f5q\233;V\34\20\221\247\317g\336\313\266?\304\236\217&\302\336%[\246\300\0Y\371\26\264\245\272\270\302\335+\220z\347\25\245u(\10\2NP|@\357\301\261\231j\301L{K_=\20\3520\351\252T(\6\\327\314\307;\263\306\375\220\227\234Q\306\327, ) , ) == 0x0
 00678  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00679  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00680  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00681  2016   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00682  2016   NtClose  (60, ... ) == 0x0
 00683  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 60, ) }, ... 60, ) == 0x0
 00684  2016   NtQueryValueKey  (60,  (60, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00685  2016   NtClose  (60, ... ) == 0x0
 00686  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00687  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00688  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00689  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00690  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00691  2016   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00692  2016   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693  2016   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00694  2016   NtClose  (60, ... ) == 0x0
 00695  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00696  2016   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00697  2016   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698  2016   NtClose  (60, ... ) == 0x0
 00699  2016   NtOpenEvent  (0x1f0003, {24, 28, 0x0, 0, 0,  (0x1f0003, {24, 28, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00700  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00701  2016   NtSetEventBoostPriority  (36, ...
 00573   896   NtWaitForSingleObject  ... ) == 0x0
 00702   896   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 14352384, 28672, ) == 0x0
 00703   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00704   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291484, ... }, 2291484, ...
 00701  2016   NtSetEventBoostPriority  ... ) == 0x0
 00705  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 00704   896   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00706   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 2291484, ... ) }, 2291484, ... ) == 0x0
 00707   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00708   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 64, ) == 0x0
 00709   896   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00710   896   NtClose  (60, ... ) == 0x0
 00711   896   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00712   896   NtClose  (64, ... ) == 0x0
 00713   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00714   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00715   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00716   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00717   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290668, ... ) }, 2290668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 2290668, ... ) }, 2290668, ... ) == 0x0
 00719   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00720   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 60, ) == 0x0
 00721   896   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00722   896   NtClose  (64, ... ) == 0x0
 00723   896   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00724   896   NtClose  (60, ... ) == 0x0
 00725   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00726   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00727   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00728   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00729   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00730   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00731   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00732   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00734   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00735   896   NtSetEventBoostPriority  (36, ...
 00705  2016   NtWaitForSingleObject  ... ) == 0x0
 00736  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00737  2016   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 00738  2016   NtClose  (60, ... ) == 0x0
 00739  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00740  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ...
 00735   896   NtSetEventBoostPriority  ... ) == 0x0
 00741   896   NtWaitForSingleObject  (36, 0, 0x0, ...
 00740  2016   NtProtectVirtualMemory  ... (0x7c9c1000), 8192, 4, ) == 0x0
 00742  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00743  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00744  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00745  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00746  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00747  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00748  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00749  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00750  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00751  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00752  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00753  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00754  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00755  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00756  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00757  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00758  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00759  2016   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00760  2016   NtClose  (60, ... ) == 0x0
 00761  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00762  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00763  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00764  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00765  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00766  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00767  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00768  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00769  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00770  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00771  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00772  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00773  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00774  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00775  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00776  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00777  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00778  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00779  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00780  2016   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00781  2016   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00782  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00783  2016   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784  2016   NtCreateSemaphore  (0x1f0003, {24, 28, 0x80, 5672464, 0,  (0x1f0003, {24, 28, 0x80, 5672464, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 60, ) }, 0, 2147483647, ... 60, ) == STATUS_OBJECT_NAME_EXISTS
 00785  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shell32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00786  2016   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00787  2016   NtQueryValueKey  (64,  (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00788  2016   NtClose  (64, ... ) == 0x0
 00789  2016   NtQueryDefaultUILanguage  (9826196, ...
 00790  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00791  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 00792  2016   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00793  2016   NtClose  (-2147482748, ... ) == 0x0
 00794  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00795  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00796  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00797  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00798  2016   NtClose  (-2147481452, ... ) == 0x0
 00799  2016   NtClose  (-2147482748, ... ) == 0x0
 00789  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 00800  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00801  2016   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 68, ) == 0x0
 00802  2016   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xdc0000), 0x0, 8462336, ) == 0x0
 00803  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804  2016   NtQueryDefaultUILanguage  (2090319928, ...
 00805  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00806  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 00807  2016   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00808  2016   NtClose  (-2147482748, ... ) == 0x0
 00809  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00810  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00811  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00812  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813  2016   NtClose  (-2147481452, ... ) == 0x0
 00814  2016   NtClose  (-2147482748, ... ) == 0x0
 00804  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 00815  2016   NtAllocateVirtualMemory  (-1, 9814016, 0, 4096, 4096, 260, ... 9814016, 4096, ) == 0x0
 00816  2016   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00817  2016   NtQueryDefaultLocale  (1, 9824292, ... ) == 0x0
 00818  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819  2016   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 9825328, 1179817, 9825052}  (24, {128, 156, new_msg, 0, 2088850039, 9825328, 1179817, 9825052} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0@ \377\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0$\360\225\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 2016, 81848, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0@ \377\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0$\360\225\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 2016, 81848, 0}  (24, {128, 156, new_msg, 0, 2088850039, 9825328, 1179817, 9825052} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0@ \377\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0$\360\225\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 2016, 81848, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0@ \377\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0$\360\225\0\0\0\0\0" )  ) == 0x0
 00820  2016   NtClose  (64, ... ) == 0x0
 00821  2016   NtClose  (68, ... ) == 0x0
 00822  2016   NtUnmapViewOfSection  (-1, 0xdc0000, ... ) == 0x0
 00823  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00824  2016   NtAllocateVirtualMemory  (-1, 5672960, 0, 4096, 4096, 4, ... 5672960, 4096, ) == 0x0
 00825  2016   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00827  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00828  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 9823484, ... ) }, 9823484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00829  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00830  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00831  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00832  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 9823548, ... ) }, 9823548, ... ) == 0x0
 00833  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 68, {status=0x0, info=1}, ) }, 3, 33, ... 68, {status=0x0, info=1}, ) == 0x0
 00834  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00835  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00836  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 72, ) == 0x0
 00837  2016   NtClose  (64, ... ) == 0x0
 00838  2016   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdc0000), 0x0, 1056768, ) == 0x0
 00839  2016   NtClose  (72, ... ) == 0x0
 00840  2016   NtUnmapViewOfSection  (-1, 0xdc0000, ... ) == 0x0
 00841  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00842  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 64, ) == 0x0
 00843  2016   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00844  2016   NtClose  (72, ... ) == 0x0
 00845  2016   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00846  2016   NtClose  (64, ... ) == 0x0
 00847  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00848  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00849  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00850  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00851  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00852  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00853  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00854  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00855  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00856  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00857  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00858  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00859  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00860  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00861  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00862  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00863  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00864  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00865  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00866  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00867  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00868  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869  2016   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 9825028, ... ) , 42, 9825028, ... ) == 0x0
 00870  2016   NtQueryDefaultUILanguage  (9823712, ...
 00871  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00872  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 00873  2016   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00874  2016   NtClose  (-2147482748, ... ) == 0x0
 00875  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00876  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00878  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00879  2016   NtClose  (-2147481452, ... ) == 0x0
 00880  2016   NtClose  (-2147482748, ... ) == 0x0
 00870  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 00881  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 9822552, ... ) }, 9822552, ... ) == 0x0
 00882  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00883  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 72, ) == 0x0
 00884  2016   NtClose  (64, ... ) == 0x0
 00885  2016   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdc0000), 0x0, 4096, ) == 0x0
 00886  2016   NtClose  (72, ... ) == 0x0
 00887  2016   NtUnmapViewOfSection  (-1, 0xdc0000, ... ) == 0x0
 00888  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 9822148, ... ) }, 9822148, ... ) == 0x0
 00889  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 9822892,  (0x80100080, {24, 0, 0x40, 0, 9822892, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00890  2016   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 72, ... 64, ) == 0x0
 00891  2016   NtClose  (72, ... ) == 0x0
 00892  2016   NtMapViewOfSection  (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xdc0000), {0, 0}, 4096, ) == 0x0
 00893  2016   NtClose  (64, ... ) == 0x0
 00894  2016   NtUnmapViewOfSection  (-1, 0xdc0000, ... ) == 0x0
 00895  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00896  2016   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 72, ) == 0x0
 00897  2016   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xdc0000), 0x0, 4096, ) == 0x0
 00898  2016   NtQueryInformationFile  (64, 9822544, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00899  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900  2016   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 9822844, 1179817, 9822568}  (24, {128, 156, new_msg, 0, 2088850039, 9822844, 1179817, 9822568} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1@\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\346\225\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 2016, 81851, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1@\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\346\225\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 2016, 81851, 0}  (24, {128, 156, new_msg, 0, 2088850039, 9822844, 1179817, 9822568} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1@\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\346\225\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 2016, 81851, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1@\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\346\225\0\0\0\0\0" )  ) == 0x0
 00901  2016   NtClose  (64, ... ) == 0x0
 00902  2016   NtClose  (72, ... ) == 0x0
 00903  2016   NtUnmapViewOfSection  (-1, 0xdc0000, ... ) == 0x0
 00904  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00905  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0
 00906  2016   NtCallbackReturn  (0, 0, 0, ...
 00907  2016   NtUserGetThreadState  (18, ... ) == 0x1
 00908  2016   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00909  2016   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00910  2016   NtUserGetDC  (0, ... ) == 0x1010052
 00911  2016   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00912  2016   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00913  2016   NtUserSystemParametersInfo  (66, 12, 9824544, 0, ... ) == 0x1
 00914  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00915  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00916  2016   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00917  2016   NtClose  (64, ... ) == 0x0
 00918  2016   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00919  2016   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00920  2016   NtAccessCheck  (5675136, 76, 0x1, 9824376, 9824428, 56, 9824408, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00921  2016   NtClose  (76, ... ) == 0x0
 00922  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00923  2016   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924  2016   NtClose  (76, ... ) == 0x0
 00925  2016   NtUserSystemParametersInfo  (41, 500, 9824572, 0, ... ) == 0x1
 00926  2016   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00927  2016   NtAccessCheck  (5675136, 76, 0x1, 9824376, 9824428, 56, 9824408, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00928  2016   NtClose  (76, ... ) == 0x0
 00929  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00930  2016   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931  2016   NtClose  (76, ... ) == 0x0
 00932  2016   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 00933  2016   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 00934  2016   NtClose  (64, ... ) == 0x0
 00935  2016   NtUserSystemParametersInfo  (4130, 0, 9825076, 0, ... ) == 0x1
 00936  2016   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0
 00937  2016   NtEnumerateValueKey  (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00938  2016   NtClose  (64, ... ) == 0x0
 00939  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00940  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c03b
 00941  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c03d
 00942  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00943  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c03f
 00944  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00945  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c041
 00946  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00947  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c043
 00948  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c045
 00949  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00950  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c047
 00951  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00952  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c049
 00953  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00954  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c04b
 00955  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00956  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c04d
 00957  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00958  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c04f
 00959  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c051
 00960  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00961  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c053
 00962  2016   NtUserFindExistingCursorIcon  (9824320, 9824336, 9824384, ... ) == 0x10011
 00963  2016   NtUserRegisterClassExWOW  (9824264, 9824332, 9824348, 9824364, 0, 384, 0, ... ) == 0x8169c055
 00964  2016   NtUserFindExistingCursorIcon  (9824320, 9824336, 9824384, ... ) == 0x10011
 00965  2016   NtUserRegisterClassExWOW  (9824264, 9824332, 9824348, 9824364, 0, 384, 0, ... ) == 0x8169c057
 00966  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00967  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c059
 00968  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10013
 00969  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c05b
 00970  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00971  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c05d
 00972  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00973  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c05f
 00974  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00975  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c017
 00976  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00977  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c019
 00978  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10013
 00979  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c018
 00980  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00981  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c01a
 00982  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00983  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c01c
 00984  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00985  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c01e
 00986  2016   NtUserFindExistingCursorIcon  (9824316, 9824332, 9824380, ... ) == 0x10011
 00987  2016   NtUserRegisterClassExWOW  (9824316, 9824384, 9824400, 9824416, 0, 384, 0, ... ) == 0x8169c01b
 00988  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00989  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c068
 00990  2016   NtUserFindExistingCursorIcon  (9824324, 9824340, 9824388, ... ) == 0x10011
 00991  2016   NtUserRegisterClassExWOW  (9824268, 9824336, 9824352, 9824368, 0, 384, 0, ... ) == 0x8169c06a
 00992  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00993  2016   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00994  2016   NtClose  (64, ... ) == 0x0
 00995  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00996  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00997  2016   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00998  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00999  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01000  2016   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01001  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01002  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01003  2016   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01004  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01005  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01006  2016   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01007  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01008  2016   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01009  2016   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01010  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01012  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 14417920, 65536, ) == 0x0
 01013  2016   NtAllocateVirtualMemory  (-1, 14417920, 0, 4096, 4096, 4, ... 14417920, 4096, ) == 0x0
 01014  2016   NtAllocateVirtualMemory  (-1, 14422016, 0, 8192, 4096, 4, ... 14422016, 8192, ) == 0x0
 01015  2016   NtAllocateVirtualMemory  (-1, 14430208, 0, 4096, 4096, 4, ... 14430208, 4096, ) == 0x0
 01016  2016   NtAllocateVirtualMemory  (-1, 14434304, 0, 4096, 4096, 4, ... 14434304, 4096, ) == 0x0
 01017  2016   NtQueryDefaultUILanguage  (9824324, ...
 01018  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01019  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 01020  2016   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01021  2016   NtClose  (-2147482748, ... ) == 0x0
 01022  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01023  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01025  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026  2016   NtClose  (-2147481452, ... ) == 0x0
 01027  2016   NtClose  (-2147482748, ... ) == 0x0
 01017  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 01028  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 01029  2016   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 76, ) == 0x0
 01030  2016   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xde0000), 0x0, 618496, ) == 0x0
 01031  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01032  2016   NtQueryDefaultLocale  (1, 9822420, ... ) == 0x0
 01033  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01034  2016   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 9823456, 1179817, 9823180}  (24, {128, 156, new_msg, 0, 2088850039, 9823456, 1179817, 9823180} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0\340q\345\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\324\350\225\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 2016, 81852, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0\340q\345\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\324\350\225\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 2016, 81852, 0}  (24, {128, 156, new_msg, 0, 2088850039, 9823456, 1179817, 9823180} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0\340q\345\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\324\350\225\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 2016, 81852, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1@\0\0\0\377\377\377\377\0\0\0\0\340q\345\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\324\350\225\0\0\0\0\0" )  ) == 0x0
 01035  2016   NtClose  (64, ... ) == 0x0
 01036  2016   NtClose  (76, ... ) == 0x0
 01037  2016   NtUnmapViewOfSection  (-1, 0xde0000, ... ) == 0x0
 01038  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01039  2016   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 76, ) == 0x0
 01040  2016   NtQueryInformationProcess  (76, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01041  2016   NtClose  (76, ... ) == 0x0
 01042  2016   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01043  2016   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 01044  2016   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 01045  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01046  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 01047  2016   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01048  2016   NtClose  (76, ... ) == 0x0
 01049  2016   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 76, ) }, ... 76, ) == 0x0
 01050  2016   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 01051  2016   NtAccessCheck  (5675136, 64, 0x1, 9825516, 9825568, 56, 9825548, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01052  2016   NtClose  (64, ... ) == 0x0
 01053  2016   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 01054  2016   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055  2016   NtClose  (64, ... ) == 0x0
 01056  2016   NtUserSystemParametersInfo  (41, 500, 9825696, 0, ... ) == 0x1
 01057  2016   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 01058  2016   NtClose  (76, ... ) == 0x0
 01059  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01060  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c03b
 01061  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c03d
 01062  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01063  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c03f
 01064  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01065  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c041
 01066  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01067  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c043
 01068  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c045
 01069  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01070  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c047
 01071  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01072  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c049
 01073  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01074  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c04b
 01075  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01076  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c04d
 01077  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01078  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c04f
 01079  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c051
 01080  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01081  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c053
 01082  2016   NtUserFindExistingCursorIcon  (9825444, 9825460, 9825508, ... ) == 0x10011
 01083  2016   NtUserRegisterClassExWOW  (9825388, 9825456, 9825472, 9825488, 0, 384, 0, ... ) == 0x8169c055
 01084  2016   NtUserFindExistingCursorIcon  (9825444, 9825460, 9825508, ... ) == 0x10011
 01085  2016   NtUserRegisterClassExWOW  (9825388, 9825456, 9825472, 9825488, 0, 384, 0, ... ) == 0x8169c057
 01086  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01087  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c059
 01088  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10013
 01089  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c05b
 01090  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01091  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c05d
 01092  2016   NtUserFindExistingCursorIcon  (9825448, 9825464, 9825512, ... ) == 0x10011
 01093  2016   NtUserRegisterClassExWOW  (9825392, 9825460, 9825476, 9825492, 0, 384, 0, ... ) == 0x8169c05f
 01094  2016   NtSetEventBoostPriority  (36, ...
 00741   896   NtWaitForSingleObject  ... ) == 0x0
 01095   896   NtFreeVirtualMemory  (-1, (0xdb0000), 0, 32768, ... (0xdb0000), 28672, ) == 0x0
 01096   896   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 01097   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01098   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 01094  2016   NtSetEventBoostPriority  ... ) == 0x0
 01099  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 01100  2016   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 01101  2016   NtClose  (76, ... ) == 0x0
 01102  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01103   896   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 01104   896   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 01105   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15269888, 1048576, ) == 0x0
 01106   896   NtAllocateVirtualMemory  (-1, 15269888, 0, 32768, 4096, 4, ... 15269888, 32768, ) == 0x0
 01107   896   NtWaitForSingleObject  (36, 0, 0x0, ...
 01108  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01109  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01110  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01111  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01112  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01113  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01114  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01115  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01116  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01117  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01118  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01119  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01120  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01121  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01122  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01123  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01124  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01125  2016   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01126  2016   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01127  2016   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01128  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129  2016   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 01130  2016   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01131  2016   NtOpenKey  (0x9, {24, 40, 0x40, 0, 0,  (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132  2016   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133  2016   NtSetEventBoostPriority  (36, ...
 01107   896   NtWaitForSingleObject  ... ) == 0x0
 01134   896   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "Jobaka3"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 01135   896   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 01136   896   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01137   896   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01133  2016   NtSetEventBoostPriority  ... ) == 0x0
 01138  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139  2016   NtAllocateVirtualMemory  (-1, 5677056, 0, 4096, 4096, 4, ... 5677056, 4096, ) == 0x0
 01140  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 9827864, ... }, 9827864, ...
 01141   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0
 01142   896   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Protocol_Catalog9"}, ... 84, ) }, ... 84, ) == 0x0
 01143   896   NtQueryValueKey  (84,  (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01144   896   NtNotifyChangeKey  (84, 80, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01145   896   NtQueryValueKey  (84,  (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01146   896   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   896   NtQueryValueKey  (84,  (84, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 01148   896   NtQueryValueKey  (84,  (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 01149   896   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Catalog_Entries"}, ... 88, ) }, ... 88, ) == 0x0
 01150   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000001"}, ... 92, ) }, ... 92, ) == 0x0
 01151   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01152   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01153   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\202\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\202\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\203\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0t\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\204\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\0\0\1\0\0\0\0\0t\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0d\366\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\0\32\2\240 V\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0\30\366\225\0\204\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\202\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\202\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\203\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0t\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\204\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\0\0\1\0\0\0\0\0t\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0d\366\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\0\32\2\240 V\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0\30\366\225\0\204\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\203\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0t\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\204\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\0\0\1\0\0\0\0\0t\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0d\366\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\0\32\2\240 V\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\0\30\366\225\0\204\4\0\0\344\4\0\0\340\7\0\0c\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) == 0x0
 01154   896   NtClose  (92, ... ) == 0x0
 01155   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000002"}, ... 92, ) }, ... 92, ) == 0x0
 01140  2016   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc_os.dll"}, 9827864, ... ) }, 9827864, ... ) == 0x0
 01157  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc_os.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 01158  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0
 01159  2016   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01160  2016   NtClose  (96, ... ) == 0x0
 01161  2016   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01162   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01163   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01164   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\215\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\215\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\4\0\0\344\4\0\0\340\7\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\306v\377\377\377\377\0\0\0\0\0\0\0\0\0\240\2\0\220\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\215\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\215\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\4\0\0\344\4\0\0\340\7\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\306v\377\377\377\377\0\0\0\0\0\0\0\0\0\240\2\0\220\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0 (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\215\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\215\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\216\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\217\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\4\0\0\344\4\0\0\340\7\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\306v\377\377\377\377\0\0\0\0\0\0\0\0\0\240\2\0\220\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0
 01165   896   NtClose  (92, ... ) == 0x0
 01166   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000003"}, ... 92, ) }, ... 92, ) == 0x0
 01167   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01161  2016   NtMapViewOfSection  ... (0x76c60000), 0x0, 172032, ) == 0x0
 01168  2016   NtClose  (100, ... ) == 0x0
 01169  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0
 01170   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01171   896   NtAllocateVirtualMemory  (-1, 5681152, 0, 4096, 4096, 4, ... 5681152, 4096, ) == 0x0
 01172   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\225\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\225\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0\230\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\225\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\225\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0\230\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0 (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\225\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\225\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\226\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\227\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\306v\0\0\0\0\0\20\0\0 \0\0\0\230\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0
 01173   896   NtClose  (92, ... ) == 0x0
 01174   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000004"}, ... 92, ) }, ... 92, ) == 0x0
 01175   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01176  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0
 01177  2016   NtFlushInstructionCache  (-1, 1992691712, 816, ... ) == 0x0
 01178  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0
 01179  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0
 01180  2016   NtFlushInstructionCache  (-1, 1992691712, 816, ... ) == 0x0
 01181  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 816, 4, ...
 01182   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01183   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\240\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\240\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\240\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\240\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0 (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\240\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\240\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\242\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01184   896   NtClose  (92, ... ) == 0x0
 01185   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000005"}, ... 92, ) }, ... 92, ) == 0x0
 01186   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01187   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01181  2016   NtProtectVirtualMemory  ... (0x76c61000), 4096, 32, ) == 0x0
 01188  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0
 01189  2016   NtFlushInstructionCache  (-1, 1992691712, 816, ... ) == 0x0
 01190  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... 100, ) }, ... 100, ) == 0x0
 01191  2016   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 188416, ) == 0x0
 01192  2016   NtClose  (100, ... ) == 0x0
 01193  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 1204, 4, ...
 01194   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\253\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\253\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\253\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\253\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0 (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\253\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\253\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\254\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\255\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01195   896   NtClose  (92, ... ) == 0x0
 01196   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000006"}, ... 92, ) }, ... 92, ) == 0x0
 01197   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01198   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01199   896   NtQueryValueKey  (92,  (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\251\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\260\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\260\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\262\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\262\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\263\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\263\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\4\0\0\344\4\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (92, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\251\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\260\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\260\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\262\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\262\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\263\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\263\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\4\0\0\344\4\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\262\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\262\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\263\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\303v\264\4\0\0\263\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\4\0\0\344\4\0\0"}, 900, ) == 0x0
 01193  2016   NtProtectVirtualMemory  ... (0x76c31000), 4096, 32, ) == 0x0
 01200   896   NtClose  (92, ... ) == 0x0
 01201   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000007"}, ... }, ...
 01202  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0
 01203  2016   NtFlushInstructionCache  (-1, 1992495104, 1204, ... ) == 0x0
 01204  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01205  2016   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77a80000), 0x0, 606208, ) == 0x0
 01206  2016   NtClose  (92, ...
 01201   896   NtOpenKey  ... 100, ) == 0x0
 01207   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01208   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01209   896   NtAllocateVirtualMemory  (-1, 5685248, 0, 4096, 4096, 4, ... 5685248, 4096, ) == 0x0
 01210   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\266\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\273\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\274\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\274\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\276\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\266\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\273\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\274\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\274\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\276\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\276\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\266\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\273\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\274\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\274\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\275\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\276\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0"}, 900, ) }, 900, ) == 0x0
 01206  2016   NtClose  ... ) == 0x0
 01211  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0
 01212   896   NtClose  (100, ... ) == 0x0
 01213   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000008"}, ... 100, ) }, ... 100, ) == 0x0
 01214   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01215   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01216   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\301\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\301\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\303\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0 \0\0\0\303\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\304\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\250w<\5\0\0\304\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\305\4\0\0\344\4\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\301\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\301\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\303\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0 \0\0\0\303\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\304\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\250w<\5\0\0\304\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\305\4\0\0\344\4\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\303\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0 \0\0\0\303\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\304\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\250w<\5\0\0\304\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\305\4\0\0\344\4\0\0"}, 900, ) == 0x0
 01217   896   NtClose  (100, ... ) == 0x0
 01218   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000009"}, ... }, ...
 01219  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0
 01220  2016   NtFlushInstructionCache  (-1, 2007502848, 1340, ... ) == 0x0
 01221  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0
 01222  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 4096, 32, ...
 01218   896   NtOpenKey  ... 100, ) == 0x0
 01223   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01224   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01225   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\312\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\312\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\313\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\306\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\314\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\250w<\5\0\0\314\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\315\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\312\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\312\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\313\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\306\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\314\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\250w<\5\0\0\314\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\315\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\313\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\306\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\250w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\314\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\250w<\5\0\0\314\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\315\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0"}, 900, ) == 0x0
 01226   896   NtClose  (100, ... ) == 0x0
 01227   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000010"}, ... 100, ) }, ... 100, ) == 0x0
 01222  2016   NtProtectVirtualMemory  ... (0x77a81000), 4096, 4, ) == 0x0
 01228  2016   NtFlushInstructionCache  (-1, 2007502848, 1340, ... ) == 0x0
 01229  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0
 01230  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0
 01231  2016   NtFlushInstructionCache  (-1, 2007502848, 1340, ... ) == 0x0
 01232  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01233  2016   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01234   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01235   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01236   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\325\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\325\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\4\0\0\344\4\0\0\340\7\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\262w\377\377\377\377\0\0\0\0\0\0\0\0\0 \1\0\330\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\325\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\325\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\4\0\0\344\4\0\0\340\7\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\262w\377\377\377\377\0\0\0\0\0\0\0\0\0 \1\0\330\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\325\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\325\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\326\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\327\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\4\0\0\344\4\0\0\340\7\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\262w\377\377\377\377\0\0\0\0\0\0\0\0\0 \1\0\330\4\0\0\344\4\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0
 01237   896   NtClose  (100, ... ) == 0x0
 01238   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000011"}, ... 100, ) }, ... 100, ) == 0x0
 01239   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01233  2016   NtMapViewOfSection  ... (0x77b20000), 0x0, 73728, ) == 0x0
 01240  2016   NtClose  (92, ... ) == 0x0
 01241  2016   NtProtectVirtualMemory  (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0
 01242   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01243   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\334\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\334\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0 \0\0\0\335\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\336\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\262w\240\0\0\0\336\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\240\0\0\0\4\0\0\0\337\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\340\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0 \0\0\0\340\4\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\334\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\334\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0 \0\0\0\335\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\336\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\262w\240\0\0\0\336\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\240\0\0\0\4\0\0\0\337\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\340\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0 \0\0\0\340\4\0\0"}, 900, ) }, 900, ) == 0x0
 01244   896   NtClose  (100, ... ) == 0x0
 01245  2016   NtProtectVirtualMemory  (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0
 01246  2016   NtFlushInstructionCache  (-1, 2008158208, 160, ... ) == 0x0
 01247  2016   NtProtectVirtualMemory  (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0
 01248  2016   NtProtectVirtualMemory  (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0
 01249  2016   NtFlushInstructionCache  (-1, 2008158208, 160, ... ) == 0x0
 01250   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000012"}, ... 100, ) }, ... 100, ) == 0x0
 01251   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01252   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01253   896   NtAllocateVirtualMemory  (-1, 5689344, 0, 4096, 4096, 4, ... 5689344, 4096, ) == 0x0
 01254   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\347\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\347\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\240\0\0\0\4\0\0\0\350\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\351\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0 \0\0\0\351\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\352\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\262w\240\0\0\0\352\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\353\4\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\347\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\347\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\240\0\0\0\4\0\0\0\350\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\351\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0 \0\0\0\351\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\262w\0\0\0\0\0\20\0\0\0\0\0\0\4\0\0\0\352\4\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\262w\240\0\0\0\352\4\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\250w\0\0\0\0<\5\0\0\4\0\0\0\353\4\0\0"}, 900, ) }, 900, ) == 0x0
 01255   896   NtClose  (100, ... ) == 0x0
 01256  2016   NtProtectVirtualMemory  (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0
 01257  2016   NtProtectVirtualMemory  (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0
 01258  2016   NtFlushInstructionCache  (-1, 2008158208, 160, ... ) == 0x0
 01259  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0
 01260  2016   NtProtectVirtualMemory  (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0
 01261  2016   NtFlushInstructionCache  (-1, 2007502848, 1340, ... ) == 0x0
 01262   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000013"}, ... 100, ) }, ... 100, ) == 0x0
 01263   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01264   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01265   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\362\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\362\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\363\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\364\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\264\4\0\0\4\0\0\0\364\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\365\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\365\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\362\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\362\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\363\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\364\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\264\4\0\0\4\0\0\0\364\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\365\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\365\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\363\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\364\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\264\4\0\0\4\0\0\0\364\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0\0\0\0\0 \0\0\0\365\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0\0\20\303v\0\0\0\0\0\20\0\0 \0\0\0\365\4\0\0\344\4\0\0\340\7\0\0`\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\20\303v\0\0\0\0"}, 900, ) == 0x0
 01266   896   NtClose  (100, ... ) == 0x0
 01267   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000014"}, ... 100, ) }, ... 100, ) == 0x0
 01268  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0
 01269  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0
 01270  2016   NtFlushInstructionCache  (-1, 1992495104, 1204, ... ) == 0x0
 01271  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0
 01272  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0
 01273  2016   NtFlushInstructionCache  (-1, 1992495104, 1204, ... ) == 0x0
 01274   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01275   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01276   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\375\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\375\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\5\0\0\344\4\0\0\340\7\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\354\360\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\375\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\375\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\5\0\0\344\4\0\0\340\7\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\354\360\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\375\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\375\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\376\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\377\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\5\0\0\344\4\0\0\340\7\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\354\360\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) }, 900, ) == 0x0
 01277   896   NtClose  (100, ... ) == 0x0
 01278   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000015"}, ... 100, ) }, ... 100, ) == 0x0
 01279   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01280  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01281  2016   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 163840, ) == 0x0
 01282  2016   NtClose  (92, ... ) == 0x0
 01283  2016   NtProtectVirtualMemory  (-1, (0x76c91000), 504, 4, ... (0x76c91000), 4096, 32, ) == 0x0
 01284   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01285   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\6\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\6\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\6\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\6\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\6\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\6\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\7\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\10\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01286   896   NtClose  (100, ... ) == 0x0
 01287   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000016"}, ... 100, ) }, ... 100, ) == 0x0
 01288   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01289   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01290  2016   NtProtectVirtualMemory  (-1, (0x76c91000), 4096, 32, ... (0x76c91000), 4096, 4, ) == 0x0
 01291  2016   NtFlushInstructionCache  (-1, 1992888320, 504, ... ) == 0x0
 01292  2016   NtProtectVirtualMemory  (-1, (0x76c91000), 504, 4, ... (0x76c91000), 4096, 32, ) == 0x0
 01293  2016   NtProtectVirtualMemory  (-1, (0x76c91000), 4096, 32, ... (0x76c91000), 4096, 4, ) == 0x0
 01294   896   NtAllocateVirtualMemory  (-1, 5693440, 0, 4096, 4096, 4, ... 5693440, 4096, ) == 0x0
 01295   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\20\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\20\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\20\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\20\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\20\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\20\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\21\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\22\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01296   896   NtClose  (100, ... ) == 0x0
 01297   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000017"}, ... 100, ) }, ... 100, ) == 0x0
 01298   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01299   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01300  2016   NtFlushInstructionCache  (-1, 1992888320, 504, ... ) == 0x0
 01301  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0
 01302  2016   NtProtectVirtualMemory  (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0
 01303  2016   NtFlushInstructionCache  (-1, 1992495104, 1204, ... ) == 0x0
 01304  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 816, 4, ... (0x76c61000), 4096, 32, ) == 0x0
 01305  2016   NtProtectVirtualMemory  (-1, (0x76c61000), 4096, 32, ... (0x76c61000), 4096, 4, ) == 0x0
 01306   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\33\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\33\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\33\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\33\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\33\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\33\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\34\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0\35\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01307   896   NtClose  (100, ... ) == 0x0
 01308   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000018"}, ... 100, ) }, ... 100, ) == 0x0
 01309   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01310   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01311   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\5\0\0\344\4\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\5\0\0\344\4\0\0"}, 900, ) \5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\5\0\0\344\4\0\0"}, 900, ) \5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\377\377\377\377\0\20\306v0\3\0\0 \5\0\0\344\4\0\0\340\7\0\06\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0!\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0"\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0#\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\5\0\0\344\4\0\0"}, 900, ) }, 900, ) == 0x0
 01312  2016   NtFlushInstructionCache  (-1, 1992691712, 816, ... ) == 0x0
 01313   896   NtClose  (100, ... ) == 0x0
 01314   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000019"}, ... 100, ) }, ... 100, ) == 0x0
 01315   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01316   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01317   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0&\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0&\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0&\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0&\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0&\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0&\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0'\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0(\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01318   896   NtClose  (100, ... ) == 0x0
 01319   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000020"}, ... 100, ) }, ... 100, ) == 0x0
 01320   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01321   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01322  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01323   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0,\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0,\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0-\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0.\5\0\0\344\4\0\0\340\7\0\0v\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0.\5\0\0\344\4\0\0\340\7\0\0v\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0W\340;\252\20\0\0\0\0\0\0\0\231\2366\0\0\0\0\0/\5\0\0\344\4\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0\0\1\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\374\361\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\0\306\2\14\362\225\0\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0o\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0,\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0,\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0-\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0.\5\0\0\344\4\0\0\340\7\0\0v\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0.\5\0\0\344\4\0\0\340\7\0\0v\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0W\340;\252\20\0\0\0\0\0\0\0\231\2366\0\0\0\0\0/\5\0\0\344\4\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0\0\1\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\374\361\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\0\306\2\14\362\225\0\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0o\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0-\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0.\5\0\0\344\4\0\0\340\7\0\0v\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0.\5\0\0\344\4\0\0\340\7\0\0v\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0W\340;\252\20\0\0\0\0\0\0\0\231\2366\0\0\0\0\0/\5\0\0\344\4\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0\0\1\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\374\361\225\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\0\306\2\14\362\225\0\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0o\0"}, 900, ) == 0x0
 01324   896   NtClose  (100, ... ) == 0x0
 01325   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000021"}, ... 100, ) }, ... 100, ) == 0x0
 01326  2016   NtQueryPerformanceCounter  (... {-1438916521, 16}, {3579545, 0}, ) == 0x0
 01327  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01329  2016   NtAllocateVirtualMemory  (-1, 5697536, 0, 4096, 4096, 4, ... 5697536, 4096, ) == 0x0
 01330  2016   NtAllocateVirtualMemory  (-1, 5701632, 0, 4096, 4096, 4, ... 5701632, 4096, ) == 0x0
 01331   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01332   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01333   896   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 92, ) == 0x0
 01334   896   NtWaitForSingleObject  (92, 0, 0x0, ...
 01335  2016   NtSetEventBoostPriority  (92, ...
 01334   896   NtWaitForSingleObject  ... ) == 0x0
 01336   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\09\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\09\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\09\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\09\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\09\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\09\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0X\0\0\0`\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\222V\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0:\5\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0V\0\2\0\0\0\220\0\0\0;\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\5\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01337   896   NtClose  (100, ... ) == 0x0
 01338   896   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000022"}, ... 100, ) }, ... 100, ) == 0x0
 01339   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01340   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 01335  2016   NtSetEventBoostPriority  ... ) == 0x0
 01341  2016   NtAllocateVirtualMemory  (-1, 5705728, 0, 4096, 4096, 4, ... 5705728, 4096, ) == 0x0
 01342  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01343  2016   NtAllocateVirtualMemory  (-1, 5709824, 0, 4096, 4096, 4, ... 5709824, 4096, ) == 0x0
 01344  2016   NtCreateEvent  (0x1f0003, {24, 28, 0x80, 9827988, 0,  (0x1f0003, {24, 28, 0x80, 9827988, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01345  2016   NtOpenEvent  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 96, ) }, ... 96, ) == 0x0
 01340   896   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01346   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0C\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0C\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0D\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0X\0\0\0D\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\5\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\5\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0F\5\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0F\5\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0X\0\0\0G\5\0\0\344\4\0\0\340\7\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\00W\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0G\5\0\0\344\4\0\0\340\7\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\00W\0\0\0\0\0\0\20\0\0H\5\0\0\344\4\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0C\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0C\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0D\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0X\0\0\0D\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\5\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\5\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0F\5\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0F\5\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0X\0\0\0G\5\0\0\344\4\0\0\340\7\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\00W\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0G\5\0\0\344\4\0\0\340\7\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\00W\0\0\0\0\0\0\20\0\0H\5\0\0\344\4\0\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0C\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0C\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0D\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0X\0\0\0D\5\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\5\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\5\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0F\5\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0F\5\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0X\0\0\0G\5\0\0\344\4\0\0\340\7\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\00W\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0G\5\0\0\344\4\0\0\340\7\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\00W\0\0\0\0\0\0\20\0\0H\5\0\0\344\4\0\0"}, 900, ) == 0x0
 01347   896   NtClose  (100, ... ) == 0x0
 01348   896   NtClose  (88, ... ) == 0x0
 01349   896   NtWaitForSingleObject  (80, 0, {0, 0}, ... ) == 0x102
 01350   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 01351  2016   NtAllocateVirtualMemory  (-1, 5713920, 0, 4096, 4096, 4, ... 5713920, 4096, ) == 0x0
 01352  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMAGEHLP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01354  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01355  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01356  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16318464, 1048576, ) == 0x0
 01357   896   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 100, ) }, ... 100, ) == 0x0
 01358   896   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01359   896   NtNotifyChangeKey  (100, 88, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01360   896   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01361   896   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01362   896   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01363  2016   NtAllocateVirtualMemory  (-1, 16318464, 0, 1048576, 4096, 4, ... 16318464, 1048576, ) == 0x0
 01364  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01365  2016   NtCreateMutant  (0x1f0001, 0x0, 0, ... 104, ) == 0x0
 01366  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 108, ) == 0x0
 01367  2016   NtCreateMutant  (0x1f0001, 0x0, 0, ... 112, ) == 0x0
 01368  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 116, ) == 0x0
 01369   896   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 120, ) }, ... 120, ) == 0x0
 01370   896   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000001"}, ... 124, ) }, ... 124, ) == 0x0
 01371   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01372   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01373   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01374   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01375  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0
 01376  2016   NtSetEvent  (128, ... 0x0, ) == 0x0
 01377  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 9827864, ... }, 9827864, ...
 01380   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01381   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01382   896   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01383   896   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01384   896   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01385   896   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01386   896   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01387   896   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01388   896   NtClose  (124, ... ) == 0x0
 01389   896   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000002"}, ... 124, ) }, ... 124, ) == 0x0
 01390   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01391   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01392   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01393   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01394   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01395   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01396   896   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01397   896   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   896   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01399   896   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01400   896   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01401   896   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01402   896   NtClose  (124, ... ) == 0x0
 01403   896   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000003"}, ... 124, ) }, ... 124, ) == 0x0
 01404   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01405   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01406   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01379  2016   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01407  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc.dll"}, 9827864, ... ) }, 9827864, ... ) == 0x0
 01408  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\sfc.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01409  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 136, ) == 0x0
 01410  2016   NtQuerySection  (136, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01411  2016   NtClose  (132, ... ) == 0x0
 01412  2016   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01413   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01414   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01415   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01416   896   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01417   896   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   896   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01412  2016   NtMapViewOfSection  ... (0x76bb0000), 0x0, 20480, ) == 0x0
 01419  2016   NtClose  (136, ... ) == 0x0
 01420   896   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01421   896   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01422   896   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01423  2016   NtProtectVirtualMemory  (-1, (0x76bb1000), 76, 4, ... (0x76bb1000), 4096, 32, ) == 0x0
 01424  2016   NtProtectVirtualMemory  (-1, (0x76bb1000), 4096, 32, ... (0x76bb1000), 4096, 4, ) == 0x0
 01425  2016   NtFlushInstructionCache  (-1, 1991970816, 76, ... ) == 0x0
 01426  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.dll"}, ... }, ...
 01427   896   NtClose  (124, ... ) == 0x0
 01428   896   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000004"}, ... 124, ) }, ... 124, ) == 0x0
 01429   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01430   896   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01431   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01432   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01426  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433  2016   NtQueryPerformanceCounter  (... {-1438894231, 16}, {3579545, 0}, ) == 0x0
 01434  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435  2016   NtAllocateVirtualMemory  (-1, 5718016, 0, 4096, 4096, 4, ... 5718016, 4096, ) == 0x0
 01436  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 9827220, ... }, 9827220, ...
 01437   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01438   896   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01439   896   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01440   896   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   896   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01442   896   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01443   896   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01444   896   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01445   896   NtClose  (124, ... ) == 0x0
 01446   896   NtClose  (120, ... ) == 0x0
 01447   896   NtWaitForSingleObject  (88, 0, {0, 0}, ... ) == 0x102
 01448   896   NtClose  (64, ... ) == 0x0
 01449   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01450   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01451   896   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 01452   896   NtQueryValueKey  (64,  (64, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   896   NtClose  (64, ... ) == 0x0
 01454   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 64, ) == 0x0
 01455   896   NtWaitForSingleObject  (36, 0, 0x0, ...
 01436  2016   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01456  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 9827220, ... ) }, 9827220, ... ) == 0x0
 01457  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 01458  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 120, ... 124, ) == 0x0
 01459  2016   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01460  2016   NtClose  (120, ... ) == 0x0
 01461  2016   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0
 01462  2016   NtClose  (124, ... ) == 0x0
 01463  2016   NtProtectVirtualMemory  (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0
 01464  2016   NtProtectVirtualMemory  (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0
 01465  2016   NtFlushInstructionCache  (-1, 2013138944, 388, ... ) == 0x0
 01466  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01467  2016   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0
 01468  2016   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0
 01469  2016   NtSetEventBoostPriority  (36, ...
 01455   896   NtWaitForSingleObject  ... ) == 0x0
 01470   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 2290224,  (0x80100080, {24, 0, 0x40, 0, 2290224, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ...
 01469  2016   NtSetEventBoostPriority  ... ) == 0x0
 01471  2016   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 136, ) }, ... 136, ) == 0x0
 01472  2016   NtQueryEvent  (136, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 01473  2016   NtClose  (136, ... ) == 0x0
 01474  2016   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 9828792, 140, ... 136, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 9828792, 140, ... 136, 0x0, 0x0, 256, 140, ) == 0x0
 01475  2016   NtRequestWaitReplyPort  (136, {28, 52, new_msg, 0, 0, 0, 0, 0}  (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\376\1\330\230V\0" ... {188, 212, reply, 0, 1252, 2016, 81854, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\376\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ... {188, 212, reply, 0, 1252, 2016, 81854, 0}  (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\376\1\330\230V\0" ... {188, 212, reply, 0, 1252, 2016, 81854, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\376\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ) == 0x0
 01476  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 01477  2016   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01478  2016   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01479  2016   NtClose  (140, ... ) == 0x0
 01480  2016   NtClose  (132, ... ) == 0x0
 01481  2016   NtAllocateVirtualMemory  (-1, 5722112, 0, 8192, 4096, 4, ... 5722112, 8192, ) == 0x0
 01482  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01486  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx10"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01488  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx13"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01492  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01498  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01500  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01501  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01502  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01512  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01513  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01516  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01520  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01521  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01522  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01523  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01525  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01528  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01529  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx53"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01530  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01537  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01540  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01541  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01542  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx68"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx69"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx70"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx71"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx72"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01549  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx73"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx74"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx80"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx81"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx82"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01559  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx83"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx84"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx85"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx87"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx88"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx89"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx90"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx91"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx92"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx93"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx94"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx95"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx96"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx97"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx98"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575  2016   NtOpenMutant  (0x100000, {24, 28, 0x0, 0, 0,  (0x100000, {24, 28, 0x0, 0, 0, "kkq-vx_mtx99"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... 132, ) }, 0, ... 132, ) == 0x0
 01577  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "kkq-vx_mtx6"}, 1, ... 140, ) }, 1, ... 140, ) == 0x0
 01578  2016   NtWaitForSingleObject  (140, 0, 0x0, ... ) == 0x0
 01579  2016   NtUserRegisterClassExWOW  (9829496, 9829592, 9829576, 9829564, 0, 386, 0, ... ) == 0x8169c191
 01580  2016   NtUserCreateWindowEx  (-2147483648, 9829800, 9828564, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ...
 01470   896   NtCreateFile  ... 144, {status=0x0, info=1}, ) == 0x0
 01581   896   NtQueryInformationFile  (144, 2290660, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01582   896   NtQueryInformationFile  (144, 2290576, 24, Standard, ...
 01583  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 9825984, ... ) }, 9825984, ... ) == 0x0
 01584  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01585  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 148, ... 152, ) == 0x0
 01582   896   NtQueryInformationFile  ... {status=0x0, info=24}, ) == 0x0
 01586   896   NtQueryInformationFile  (144, 2290392, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01587   896   NtQueryInformationFile  (144, 5721960, 4094, Stream, ...
 01588  2016   NtClose  (148, ... ) == 0x0
 01589  2016   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xde0000), 0x0, 221184, ) == 0x0
 01590  2016   NtClose  (152, ... ) == 0x0
 01591  2016   NtUnmapViewOfSection  (-1, 0xde0000, ... ) == 0x0
 01592  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 9826292, ... ) }, 9826292, ... ) == 0x0
 01593  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01587   896   NtQueryInformationFile  ... {status=0x0, info=38}, ) == 0x0
 01594   896   NtQueryInformationFile  (144, 2288840, 40, Basic, ...
 01595  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 152, ... 148, ) == 0x0
 01594   896   NtQueryInformationFile  ... {status=0x0, info=40}, ) == 0x0
 01596   896   NtQueryInformationFile  (144, 2289116, 4, Ea, ...
 01597  2016   NtQuerySection  (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01598  2016   NtClose  (152, ... ) == 0x0
 01599  2016   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 01600  2016   NtClose  (148, ... ) == 0x0
 01601  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01596   896   NtQueryInformationFile  ... {status=0x0, info=4}, ) == 0x0
 01602   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 2288992,  (0x40110080, {24, 0, 0x40, 0, 2288992, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01603   896   NtClose  (-2147482748, ... ) == 0x0
 01604  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01605  2016   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01606  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01602   896   NtCreateFile  ... 148, {status=0x0, info=2}, ) == 0x0
 01607   896   NtQueryVolumeInformationFile  (148, 2289144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01608   896   NtQueryInformationFile  (148, 2288728, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01609   896   NtQueryVolumeInformationFile  (144, 2289144, 536, Attribute, ...
 01610  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01611  2016   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01612  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01613  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01614  2016   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01615  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01609   896   NtQueryVolumeInformationFile  ... {status=0x0, info=20}, ) == 0x0
 01616   896   NtQueryVolumeInformationFile  (144, 2288488, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01617   896   NtSetInformationFile  (148, 2289044, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01618   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 144, ...
 01619  2016   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01620  2016   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01621  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01622  2016   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01623  2016   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01624  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01618   896   NtCreateSection  ... 152, ) == 0x0
 01625   896   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xde0000), {0, 0}, 151552, ) == 0x0
 01626   896   NtClose  (152, ... ) == 0x0
 01628  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 152, ) == 0x0
 01629  2016   NtQueryInformationToken  (152, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01630  2016   NtClose  (152, ... ) == 0x0
 01631  2016   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 152, ) }, ... 152, ) == 0x0
 01632  2016   NtOpenKey  (0x1, {24, 152, 0x40, 0, 0,  (0x1, {24, 152, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 156, ) }, ... 156, ) == 0x0
 01633  2016   NtQueryValueKey  (156,  (156, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01627   896   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\6\0\4\0\0\0\0\0\0\0\00\25\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\6\0\4\0\0\0\0\0\0\0\00\25\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ...
 01634  2016   NtClose  (156, ... ) == 0x0
 01635  2016   NtClose  (152, ... ) == 0x0
 01636  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01627   896   NtWriteFile  ... {status=0x0, info=61440}, ) == 0x0
 01637   896   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\247ZX\323\335\350\251\244\247\321\335`\251\241\247W\347]\234\331IH[]\254\331IH\323M\4\331IH\333\262\\320\314]\14\251\242\247\325\335\30\251\241\247\10\325\355h\251\241\247\333\264H\321\277\341\XXX\253\375\325\355h\251\241\247\333\264H\321\277\341\XXX\253\375\323\345\364\251\244\247\17\323g\247\17t\321\233W\347]\234\330IH\333\260^a\233W\335\215PXX0\36\337IH\260\333$\247\247\247\355\350\251\244\247\10\325\345\231\251\244\247\17\247Mp\1UH\325\335\231\251\244\247\10\325\335\230\252\244\247\10\247Mt\250XH\333\234@W\347]\224\330IH[]\274\331IH\333\260]\321\335t\251\241\247\325\335t\251\241\247\100\20\302IH\323\335\30\251\241\247\10\323`\247LeXXXX\321\233\371t\332IH[]|\332IH\333\260Pa\233W\335\357\XX\325\335p\251\241\247\10\323\335t\251\241\247\10\323`\247\317\250XXX\321\233\371\14\331IH[],\331IH\333\260Wa\233W\335%\XX\325\3359\251\241\247\10\247\355p\251\241\247\260\215\324\247\247\333\234P\321\237\37\321\345\20\251\241\247\247\355p\251\241\247\247Ml7IH\371\20\332IH\333\260\\321\335<\251\243\247\263\22\323\335<\251\243\247W\346\334]9\251\241\247\323M\364\331IH\333\232Sa\210,K\323Ml\331IH\333\232\[M(\331IHa\210-N\323\335<\251\243\247\323M\4\331IH\333\262\\320\314]9\251\241\247\247\335<\251\243\247\323\335\20\251\241\247a\335<\251\243\247*\360\325\3359\251\241\247\10\325\335=\251\242\247\10\260@~XXW\347]\304\330IH[]|\331IH\333\260P\321\335<\251\243\247\323\335<\251\243\247\325\324]9\251\241\247\333\220\247\30\330dYX", 61440, 0x0, 0, ... , 61440, 0x0, 0, ...
 01638  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 152, ) == 0x0
 01639  2016   NtQueryInformationToken  (152, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01640  2016   NtClose  (152, ... ) == 0x0
 01641  2016   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 152, ) }, ... 152, ) == 0x0
 01642  2016   NtOpenKey  (0x1, {24, 152, 0x40, 0, 0,  (0x1, {24, 152, 0x40, 0, 0, "Control Panel\Desktop"}, ... 156, ) }, ... 156, ) == 0x0
 01643  2016   NtQueryValueKey  (156,  (156, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   896   NtWriteFile  ... {status=0x0, info=61440}, ) == 0x0
 01644   896   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\34\213U\3709\24\275 \220D\0u\20\212\24=\260\261D\0:U\30\17\2040\1\0\0G\241\14\22U\0\5\344\3\0\09\307r\275\241\210\21U\0\5\273\3\0\09E\364\17\206\270\0\0\0\241 \21U\0@\3\5\274\21U\0P\215E\265P\350\244\307\377\377\203\304\10\241\274\21U\0\5\262\3\0\0\17\277\25\304\21U\0\1\320\211E\354\241,\22U\0\203\350\7\211E\350\213E\354\212\4\3\210E\347\213E\354\17\277\25\304\21U\0\3\25\364\21U\0\203\352\21\210\24\3h\340\237D\0\377u\364\377u\350\215E\265P\213E\24\3770\377u\10S\377u\20\17\277\5\10\22U\0H%\377\0\0\0P\350\274\4\0\0\203\304$\213E\354\211E\350\212U\347\210\24\3\2410\22U\0\5\277\3\0\0\1E\354\213E\3649E\354v\3\211E\354\213E\3649E\350sS\353\202h\247\34U\0\350\366\243\377\377h\340\237D\0\377u\364\17\277\25\244\21U\0\17\277\15\230\21U\0\1\312\203\352\7RP\213U\24\3772\377u\10S\377u\20\213\25\240\20U\0\3\25\24\21U\0\203\352\4\201\342\377\0\0\0R\350=\4\0\0\203\304(\213E\24\377\0\213E\364\215\34\3C\213E\24\213\25(\22U\0\203\302\149\20\17\206$\376\377\377h\243\34U\0\350\205\243\377\377h\340\237D\0\213\25\330\21U\0\17\277\15\320\20U\0\1\312\203\352\12R\17\277\25<\21U\0\203\352\11RPR\17\277\25\244\21U\0\203\352\6R\17\277\25\30\21U\0\203\352\10R\377u\20\213\25\340\21U\0\3\25\344\21U\0\203\352\7\201\342\377\0\0\0R\350\267\3\0\0\203\304(_^[\311\303Wh\226\34U\0\350\31\243\377\377YP\377\25\230\265D\0\243d\22U\0\241\270\21U\0\3\5\4\22", 28160, 0x0, 0, ... , 28160, 0x0, 0, ...
 01645  2016   NtClose  (156, ... ) == 0x0
 01646  2016   NtClose  (152, ... ) == 0x0
 01647  2016   NtUserGetProcessWindowStation  (... ) == 0x2c
 01644   896   NtWriteFile  ... {status=0x0, info=28160}, ) == 0x0
 01648   896   NtUnmapViewOfSection  (-1, 0xde0000, ... ) == 0x0
 01649   896   NtSetInformationFile  (148, 2290392, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01650   896   NtClose  (144, ...
 01651  2016   NtUserGetObjectInformation  (44, 2, 9828080, 64, 9828076, ... ) == 0x1
 01652  2016   NtUserGetGUIThreadInfo  (2016, 9828100, ... ) == 0x1
 01653  2016   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 9827944, 64, ... 144, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 9827944, 64, ... 144, 0x0, 0x0, 0x0, 64, ) == 0x0
 01654  2016   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 2016, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 2016, 81856, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 2016, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01655  2016   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01650   896   NtClose  ... ) == 0x0
 01656   896   NtClose  (148, ... ) == 0x0
 01657   896   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 148, ) }, ... 148, ) == 0x0
 01658   896   NtSetValueKey  (148,  (148, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (148, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 01659   896   NtSetInformationFile  (-2147482448, -135747792, 8, EndOfFile, ...
 01655  2016   NtRequestWaitReplyPort  ... {32, 56, reply, 0, 1252, 2016, 81857, 0}  ... {32, 56, reply, 0, 1252, 2016, 81857, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01660  2016   NtUserCallNoParam  (29, ...
 01661  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 9825340, ... ) }, 9825340, ... ) == 0x0
 01660  2016   NtUserCallNoParam  ... ) == 0x0
 01662  2016   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 01663  2016   NtGdiHfontCreate  (9827468, 356, 0, 0, 5719792, ... ) == 0x640a0596
 01659   896   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01664   896   NtSetInformationFile  (-2147482448, -135747884, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01665   896   NtSetInformationFile  (-2147482448, -135748192, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01666   896   NtSetInformationFile  (-2147482448, -135748288, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01658   896   NtSetValueKey  ... ) == 0x0
 01667   896   NtClose  (148, ...
 01668  2016   NtGdiHfontCreate  (9827468, 356, 0, 0, 5719784, ... ) == 0x740a05de
 01669  2016   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01667   896   NtClose  ... ) == 0x0
 01670   896   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 148, ) }, 0, ... 148, ) == 0x0
 01671   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 17367040, 2097152, ) == 0x0
 01672   896   NtAllocateVirtualMemory  (-1, 19456000, 0, 8192, 4096, 4, ...
 01669  2016   NtRequestWaitReplyPort  ... {32, 56, reply, 0, 1252, 2016, 81858, 0}  ... {32, 56, reply, 0, 1252, 2016, 81858, 0} "\0\0\0\0\0\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01673  2016   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xde0000), {0, 0}, 327680, ) == 0x0
 01674  2016   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01675  2016   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01676  2016   NtUserGetWindowDC  (0, ...
 01672   896   NtAllocateVirtualMemory  ... 19456000, 8192, ) == 0x0
 01677   896   NtProtectVirtualMemory  (-1, (0x128e000), 4096, 260, ... (0x128e000), 4096, 4, ) == 0x0
 01678   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 156, {1252, 596}, ) == 0x0
 01679   896   NtQueryInformationThread  (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=596,}, 0x0, ) == 0x0
 01680   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2293460, 2089878865, 5640936, 2089878893}  (24, {28, 56, new_msg, 0, 2293460, 2089878865, 5640936, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\344\4\0\0T\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\344\4\0\0T\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81859, 0}  (24, {28, 56, new_msg, 0, 2293460, 2089878865, 5640936, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\344\4\0\0T\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\344\4\0\0T\2\0\0" )  ) == 0x0
 01681   896   NtResumeThread  (156, ... 1, ) == 0x0
 01676  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01682   596   NtTestAlert  (...
 01683  2016   NtUserCallOneParam  (16842836, 57, ...
 01682   596   NtTestAlert  ... ) == 0x0
 01683  2016   NtUserCallOneParam  ... ) == 0x1
 01684   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 01685  2016   NtUserGetWindowDC  (0, ...
 01684   896   NtAllocateVirtualMemory  ... 19464192, 2097152, ) == 0x0
 01685  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01686   896   NtAllocateVirtualMemory  (-1, 21553152, 0, 8192, 4096, 4, ...
 01687  2016   NtUserCallOneParam  (16842836, 57, ...
 01686   896   NtAllocateVirtualMemory  ... 21553152, 8192, ) == 0x0
 01688   596   NtContinue  (19463472, 1, ...
 01689   896   NtProtectVirtualMemory  (-1, (0x148e000), 4096, 260, ...
 01690   596   NtRegisterThreadTerminatePort  (24, ...
 01689   896   NtProtectVirtualMemory  ... (0x148e000), 4096, 4, ) == 0x0
 01690   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01687  2016   NtUserCallOneParam  ... ) == 0x1
 01691   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01692  2016   NtUserGetWindowDC  (0, ...
 01691   596   NtDuplicateObject  ... 160, ) == 0x0
 01692  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01693   596   NtWaitForSingleObject  (80, 0, {0, 0}, ...
 01694  2016   NtUserCallOneParam  (16842836, 57, ...
 01695   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 01694  2016   NtUserCallOneParam  ... ) == 0x1
 01695   896   NtCreateThread  ... 164, {1252, 376}, ) == 0x0
 01696  2016   NtUserGetWindowDC  (0, ...
 01697   896   NtQueryInformationThread  (164, Basic, 28, ...
 01693   596   NtWaitForSingleObject  ... ) == 0x102
 01697   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=376,}, 0x0, ) == 0x0
 01698   596   NtAllocateVirtualMemory  (-1, 19451904, 0, 4096, 4096, 260, ...
 01699   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\344\4\0\0x\1\0\0" ...  ...
 01698   596   NtAllocateVirtualMemory  ... 19451904, 4096, ) == 0x0
 01700   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 19460596, ... ) }, 19460596, ... ) == 0x0
 01701   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01702   596   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 172, ) == 0x0
 01703   596   NtClose  (168, ... ) == 0x0
 01696  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01699   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81860, 0}  ... {28, 56, reply, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\344\4\0\0x\1\0\0" )  ) == 0x0
 01704  2016   NtUserCallOneParam  (16842836, 57, ...
 01705   896   NtResumeThread  (164, ...
 01704  2016   NtUserCallOneParam  ... ) == 0x1
 01705   896   NtResumeThread  ... 1, ) == 0x0
 01706  2016   NtUserGetWindowDC  (0, ...
 01707   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 01706  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01707   896   NtAllocateVirtualMemory  ... 23003136, 2097152, ) == 0x0
 01708  2016   NtUserCallOneParam  (16842836, 57, ...
 01709   896   NtAllocateVirtualMemory  (-1, 25092096, 0, 8192, 4096, 4, ...
 01710   596   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01711   376   NtWaitForSingleObject  (36, 0, 0x0, ...
 01708  2016   NtUserCallOneParam  ... ) == 0x1
 01710   596   NtMapViewOfSection  ... (0xe30000), 0x0, 245760, ) == 0x0
 01712  2016   NtUserGetWindowDC  (0, ...
 01713   596   NtClose  (172, ...
 01712  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01713   596   NtClose  ... ) == 0x0
 01714  2016   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01715  2016   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01716  2016   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01717   596   NtUnmapViewOfSection  (-1, 0xe30000, ... ) == 0x0
 01718   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 19460904, ... ) }, 19460904, ... ) == 0x0
 01719   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01720   596   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 168, ) == 0x0
 01721   596   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01722   596   NtClose  (172, ...
 01723  2016   NtUserGetWindowDC  (0, ...
 01709   896   NtAllocateVirtualMemory  ... 25092096, 8192, ) == 0x0
 01723  2016   NtUserGetWindowDC  ... ) == 0x1010054
 01724   896   NtProtectVirtualMemory  (-1, (0x17ee000), 4096, 260, ...
 01725  2016   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ...
 01724   896   NtProtectVirtualMemory  ... (0x17ee000), 4096, 4, ) == 0x0
 01722   596   NtClose  ... ) == 0x0
 01726   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 01727   596   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01726   896   NtCreateThread  ... 172, {1252, 420}, ) == 0x0
 01727   596   NtMapViewOfSection  ... (0x71a50000), 0x0, 258048, ) == 0x0
 01728   896   NtQueryInformationThread  (172, Basic, 28, ...
 01729   596   NtClose  (168, ...
 01725  2016   NtGdiCreatePatternBrushInternal  ... ) == 0xb91006e8
 01729   596   NtClose  ... ) == 0x0
 01730  2016   NtUserCallOneParam  (16842836, 57, ...
 01731   596   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01730  2016   NtUserCallOneParam  ... ) == 0x1
 01728   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=420,}, 0x0, ) == 0x0
 01732  2016   NtUserCallNoParam  (29, ...
 01733   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\4\0\0\244\1\0\0" ...  ...
 01734  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 01733   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81861, 0}  ... {28, 56, reply, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\4\0\0\244\1\0\0" )  ) == 0x0
 01735   896   NtResumeThread  (172, ... 1, ) == 0x0
 01736   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 25100288, 2097152, ) == 0x0
 01737   896   NtAllocateVirtualMemory  (-1, 27189248, 0, 8192, 4096, 4, ... 27189248, 8192, ) == 0x0
 01738   896   NtProtectVirtualMemory  (-1, (0x19ee000), 4096, 260, ... (0x19ee000), 4096, 4, ) == 0x0
 01731   596   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01739   420   NtWaitForSingleObject  (36, 0, 0x0, ...
 01740   596   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01741   596   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01742   596   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01743   596   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01744   596   NtFlushInstructionCache  (-1, 1906642944, 1060, ...
 01745   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 168, {1252, 384}, ) == 0x0
 01746   896   NtQueryInformationThread  (168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=384,}, 0x0, ) == 0x0
 01747   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\4\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81862, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\4\0\0\200\1\0\0" )  ) == 0x0
 01748   896   NtResumeThread  (168, ... 1, ) == 0x0
 01749   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 27197440, 2097152, ) == 0x0
 01750   896   NtAllocateVirtualMemory  (-1, 29286400, 0, 8192, 4096, 4, ...
 01744   596   NtFlushInstructionCache  ... ) == 0x0
 01751   384   NtWaitForSingleObject  (36, 0, 0x0, ...
 01752   596   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01753   596   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01754   596   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01750   896   NtAllocateVirtualMemory  ... 29286400, 8192, ) == 0x0
 01755   896   NtProtectVirtualMemory  (-1, (0x1bee000), 4096, 260, ... (0x1bee000), 4096, 4, ) == 0x0
 01756   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 176, {1252, 1028}, ) == 0x0
 01757   896   NtQueryInformationThread  (176, Basic, 28, ...
 01758   596   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01759   596   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01760   596   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01761   596   NtSetEventBoostPriority  (36, ...
 01711   376   NtWaitForSingleObject  ... ) == 0x0
 01762   376   NtSetEventBoostPriority  (36, ...
 01734  2016   NtWaitForSingleObject  ... ) == 0x0
 01763  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 9824780, ... ) }, 9824780, ... ) == 0x0
 01762   376   NtSetEventBoostPriority  ... ) == 0x0
 01761   596   NtSetEventBoostPriority  ... ) == 0x0
 01757   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0
 01764  2016   NtSetEventBoostPriority  (36, ...
 01765   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 01766   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\4\0\0\4\4\0\0" ...  ...
 01739   420   NtWaitForSingleObject  ... ) == 0x0
 01764  2016   NtSetEventBoostPriority  ... ) == 0x0
 01767   376   NtTestAlert  (...
 01768   420   NtSetEventBoostPriority  (36, ...
 01766   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81863, 0}  ... {28, 56, reply, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\344\4\0\0\4\4\0\0" )  ) == 0x0
 01769  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 01751   384   NtWaitForSingleObject  ... ) == 0x0
 01768   420   NtSetEventBoostPriority  ... ) == 0x0
 01767   376   NtTestAlert  ... ) == 0x0
 01770   896   NtResumeThread  (176, ...
 01771   384   NtSetEventBoostPriority  (36, ...
 01772   376   NtContinue  (21560624, 1, ...
 01769  2016   NtWaitForSingleObject  ... ) == 0x0
 01771   384   NtSetEventBoostPriority  ... ) == 0x0
 01770   896   NtResumeThread  ... 1, ) == 0x0
 01773  2016   NtSetEventBoostPriority  (36, ...
 01774   376   NtRegisterThreadTerminatePort  (24, ...
 01775   420   NtTestAlert  (...
 01776  1028   NtWaitForSingleObject  (36, 0, 0x0, ...
 01777   384   NtTestAlert  (...
 01765   596   NtWaitForSingleObject  ... ) == 0x0
 01773  2016   NtSetEventBoostPriority  ... ) == 0x0
 01774   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01775   420   NtTestAlert  ... ) == 0x0
 01778   596   NtSetEventBoostPriority  (36, ...
 01777   384   NtTestAlert  ... ) == 0x0
 01779   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 01780   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01776  1028   NtWaitForSingleObject  ... ) == 0x0
 01781   420   NtContinue  (25099568, 1, ...
 01782   384   NtContinue  (27196720, 1, ...
 01779   896   NtAllocateVirtualMemory  ... 29294592, 2097152, ) == 0x0
 01778   596   NtSetEventBoostPriority  ... ) == 0x0
 01732  2016   NtUserCallNoParam  ... ) == 0x0
 01783  1028   NtAllocateVirtualMemory  (-1, 14241792, 0, 4096, 4096, 4, ...
 01784   420   NtRegisterThreadTerminatePort  (24, ...
 01785   384   NtRegisterThreadTerminatePort  (24, ...
 01786   896   NtAllocateVirtualMemory  (-1, 31383552, 0, 8192, 4096, 4, ...
 01787   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01788  2016   NtUserCallNoParam  (29, ...
 01783  1028   NtAllocateVirtualMemory  ... 14241792, 4096, ) == 0x0
 01784   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01785   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 01786   896   NtAllocateVirtualMemory  ... 31383552, 8192, ) == 0x0
 01787   596   NtCreateEvent  ... 180, ) == 0x0
 01789  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 01780   376   NtDuplicateObject  ... 184, ) == 0x0
 01790   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01791   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01792   896   NtProtectVirtualMemory  (-1, (0x1dee000), 4096, 260, ...
 01793  1028   NtSetEventBoostPriority  (36, ...
 01794   376   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 01795   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 01790   420   NtDuplicateObject  ... 188, ) == 0x0
 01792   896   NtProtectVirtualMemory  ... (0x1dee000), 4096, 4, ) == 0x0
 01789  2016   NtWaitForSingleObject  ... ) == 0x0
 01793  1028   NtSetEventBoostPriority  ... ) == 0x0
 01794   376   NtWaitForSingleObject  ... ) == 0x102
 01796   420   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 01791   384   NtDuplicateObject  ... 192, ) == 0x0
 01797  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 9824776, ... }, 9824776, ...
 01798  1028   NtTestAlert  (...
 01799   376   NtAllocateVirtualMemory  (-1, 21549056, 0, 4096, 4096, 260, ...
 01796   420   NtWaitForSingleObject  ... ) == 0x102
 01797  2016   NtQueryAttributesFile  ... ) == 0x0
 01800   384   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 01798  1028   NtTestAlert  ... ) == 0x0
 01799   376   NtAllocateVirtualMemory  ... 21549056, 4096, ) == 0x0
 01801   420   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01802   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 01800   384   NtWaitForSingleObject  ... ) == 0x102
 01803  1028   NtContinue  (29293872, 1, ...
 01804  2016   NtSetEventBoostPriority  (36, ...
 01801   420   NtCreateEvent  ... 196, ) == 0x0
 01802   896   NtCreateThread  ... 200, {1252, 2012}, ) == 0x0
 01805   384   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01806  1028   NtRegisterThreadTerminatePort  (24, ...
 01795   596   NtWaitForSingleObject  ... ) == 0x0
 01804  2016   NtSetEventBoostPriority  ... ) == 0x0
 01807   376   NtWaitForSingleObject  (36, 0, 0x0, ...
 01808   896   NtQueryInformationThread  (200, Basic, 28, ...
 01805   384   NtCreateEvent  ... 204, ) == 0x0
 01809   420   NtWaitForSingleObject  (196, 0, 0x0, ...
 01810   596   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01811  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 01808   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0
 01806  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 01810   596   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01812   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0\334\7\0\0" ...  ...
 01813   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 19460516, ... }, 19460516, ...
 01814  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01812   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81864, 0}  ... {28, 56, reply, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0\334\7\0\0" )  ) == 0x0
 01815   384   NtClose  (204, ...
 01814  1028   NtDuplicateObject  ... 208, ) == 0x0
 01816   896   NtResumeThread  (200, ...
 01815   384   NtClose  ... ) == 0x0
 01817  1028   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 01816   896   NtResumeThread  ... 1, ) == 0x0
 01818   384   NtWaitForSingleObject  (196, 0, 0x0, ...
 01817  1028   NtWaitForSingleObject  ... ) == 0x102
 01819   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 01820  2012   NtWaitForSingleObject  (36, 0, 0x0, ...
 01819   896   NtAllocateVirtualMemory  ... 31391744, 2097152, ) == 0x0
 01821   896   NtAllocateVirtualMemory  (-1, 33480704, 0, 8192, 4096, 4, ... 33480704, 8192, ) == 0x0
 01822   896   NtProtectVirtualMemory  (-1, (0x1fee000), 4096, 260, ... (0x1fee000), 4096, 4, ) == 0x0
 01823   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 204, {1252, 1168}, ) == 0x0
 01824   896   NtQueryInformationThread  (204, Basic, 28, ...
 01825  1028   NtWaitForSingleObject  (196, 0, 0x0, ...
 01824   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=1168,}, 0x0, ) == 0x0
 01826   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81865, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\220\4\0\0" )  ) == 0x0
 01827   896   NtResumeThread  (204, ... 1, ) == 0x0
 01828  1168   NtWaitForSingleObject  (36, 0, 0x0, ...
 01829   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 33488896, 2097152, ) == 0x0
 01830   896   NtAllocateVirtualMemory  (-1, 35577856, 0, 8192, 4096, 4, ... 35577856, 8192, ) == 0x0
 01831   896   NtProtectVirtualMemory  (-1, (0x21ee000), 4096, 260, ... (0x21ee000), 4096, 4, ) == 0x0
 01832   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 212, {1252, 1180}, ) == 0x0
 01833   896   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1252,Tid=1180,}, 0x0, ) == 0x0
 01834   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81866, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\234\4\0\0" )  ) == 0x0
 01835   896   NtResumeThread  (212, ... 1, ) == 0x0
 01836   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 35586048, 2097152, ) == 0x0
 01837   896   NtAllocateVirtualMemory  (-1, 37675008, 0, 8192, 4096, 4, ...
 01838  1180   NtWaitForSingleObject  (36, 0, 0x0, ...
 01837   896   NtAllocateVirtualMemory  ... 37675008, 8192, ) == 0x0
 01839   896   NtProtectVirtualMemory  (-1, (0x23ee000), 4096, 260, ... (0x23ee000), 4096, 4, ) == 0x0
 01840   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 216, {1252, 928}, ) == 0x0
 01841   896   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1252,Tid=928,}, 0x0, ) == 0x0
 01842   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81867, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\240\3\0\0" )  ) == 0x0
 01843   896   NtResumeThread  (216, ... 1, ) == 0x0
 01844   928   NtWaitForSingleObject  (36, 0, 0x0, ...
 01845   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 37683200, 2097152, ) == 0x0
 01846   896   NtAllocateVirtualMemory  (-1, 39772160, 0, 8192, 4096, 4, ... 39772160, 8192, ) == 0x0
 01847   896   NtProtectVirtualMemory  (-1, (0x25ee000), 4096, 260, ... (0x25ee000), 4096, 4, ) == 0x0
 01848   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 220, {1252, 428}, ) == 0x0
 01849   896   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=428,}, 0x0, ) == 0x0
 01850   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81868, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0\254\1\0\0" )  ) == 0x0
 01851   896   NtResumeThread  (220, ... 1, ) == 0x0
 01852   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 39780352, 2097152, ) == 0x0
 01853   896   NtAllocateVirtualMemory  (-1, 41869312, 0, 8192, 4096, 4, ...
 01854   428   NtWaitForSingleObject  (36, 0, 0x0, ...
 01853   896   NtAllocateVirtualMemory  ... 41869312, 8192, ) == 0x0
 01855   896   NtProtectVirtualMemory  (-1, (0x27ee000), 4096, 260, ... (0x27ee000), 4096, 4, ) == 0x0
 01856   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 224, {1252, 1732}, ) == 0x0
 01857   896   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=1732,}, 0x0, ) == 0x0
 01858   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\304\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81869, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\304\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\304\6\0\0" )  ) == 0x0
 01859   896   NtResumeThread  (224, ... 1, ) == 0x0
 01860  1732   NtWaitForSingleObject  (36, 0, 0x0, ...
 01861   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 41877504, 2097152, ) == 0x0
 01862   896   NtAllocateVirtualMemory  (-1, 43966464, 0, 8192, 4096, 4, ... 43966464, 8192, ) == 0x0
 01863   896   NtProtectVirtualMemory  (-1, (0x29ee000), 4096, 260, ... (0x29ee000), 4096, 4, ) == 0x0
 01864   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 228, {1252, 748}, ) == 0x0
 01865   896   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=748,}, 0x0, ) == 0x0
 01866   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81870, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\354\2\0\0" )  ) == 0x0
 01867   896   NtResumeThread  (228, ... 1, ) == 0x0
 01868   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 43974656, 2097152, ) == 0x0
 01869   896   NtAllocateVirtualMemory  (-1, 46063616, 0, 8192, 4096, 4, ...
 01870   748   NtWaitForSingleObject  (36, 0, 0x0, ...
 01869   896   NtAllocateVirtualMemory  ... 46063616, 8192, ) == 0x0
 01871   896   NtProtectVirtualMemory  (-1, (0x2bee000), 4096, 260, ... (0x2bee000), 4096, 4, ) == 0x0
 01872   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 232, {1252, 900}, ) == 0x0
 01873   896   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=900,}, 0x0, ) == 0x0
 01874   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\204\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81871, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\204\3\0\0" )  ) == 0x0
 01875   896   NtResumeThread  (232, ... 1, ) == 0x0
 01876   900   NtWaitForSingleObject  (36, 0, 0x0, ...
 01877   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 46071808, 2097152, ) == 0x0
 01878   896   NtAllocateVirtualMemory  (-1, 48160768, 0, 8192, 4096, 4, ... 48160768, 8192, ) == 0x0
 01879   896   NtProtectVirtualMemory  (-1, (0x2dee000), 4096, 260, ... (0x2dee000), 4096, 4, ) == 0x0
 01813   596   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 19460516, ... ) }, 19460516, ... ) == 0x0
 01881   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 01882   596   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 236, ... 240, ) == 0x0
 01883   596   NtQuerySection  (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01884   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 244, {1252, 1388}, ) == 0x0
 01885   896   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0
 01886   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81872, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0l\5\0\0" )  ) == 0x0
 01887   896   NtResumeThread  (244, ... 1, ) == 0x0
 01888   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 48168960, 2097152, ) == 0x0
 01889   896   NtAllocateVirtualMemory  (-1, 50257920, 0, 8192, 4096, 4, ...
 01890   596   NtClose  (236, ...
 01891  1388   NtWaitForSingleObject  (36, 0, 0x0, ...
 01890   596   NtClose  ... ) == 0x0
 01892   596   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 01893   596   NtClose  (240, ... ) == 0x0
 01894   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01895   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01896   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01889   896   NtAllocateVirtualMemory  ... 50257920, 8192, ) == 0x0
 01897   896   NtProtectVirtualMemory  (-1, (0x2fee000), 4096, 260, ... (0x2fee000), 4096, 4, ) == 0x0
 01898   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 240, {1252, 2036}, ) == 0x0
 01899   896   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=2036,}, 0x0, ) == 0x0
 01900   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81873, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\364\7\0\0" )  ) == 0x0
 01901   896   NtResumeThread  (240, ... 1, ) == 0x0
 01902   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01903  2036   NtWaitForSingleObject  (36, 0, 0x0, ...
 01902   596   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01904   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01905   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01906   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01907   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01908   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01909   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 50266112, 2097152, ) == 0x0
 01910   896   NtAllocateVirtualMemory  (-1, 52355072, 0, 8192, 4096, 4, ... 52355072, 8192, ) == 0x0
 01911   896   NtProtectVirtualMemory  (-1, (0x31ee000), 4096, 260, ... (0x31ee000), 4096, 4, ) == 0x0
 01912   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 236, {1252, 1372}, ) == 0x0
 01913   896   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0
 01914   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\\5\0\0" ...  ...
 01915   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01916   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01917   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01914   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81874, 0}  ... {28, 56, reply, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\\5\0\0" )  ) == 0x0
 01918   896   NtResumeThread  (236, ... 1, ) == 0x0
 01919   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 52363264, 2097152, ) == 0x0
 01920   896   NtAllocateVirtualMemory  (-1, 54452224, 0, 8192, 4096, 4, ... 54452224, 8192, ) == 0x0
 01921   896   NtProtectVirtualMemory  (-1, (0x33ee000), 4096, 260, ... (0x33ee000), 4096, 4, ) == 0x0
 01922   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 248, {1252, 1600}, ) == 0x0
 01923   896   NtQueryInformationThread  (248, Basic, 28, ...
 01924   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01925  1372   NtWaitForSingleObject  (36, 0, 0x0, ...
 01924   596   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01926   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01927   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01928   596   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929   596   NtSetEventBoostPriority  (36, ...
 01807   376   NtWaitForSingleObject  ... ) == 0x0
 01930   376   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 21556176, ... ) }, 21556176, ... ) == 0x0
 01931   376   NtSetEventBoostPriority  (36, ...
 01811  2016   NtWaitForSingleObject  ... ) == 0x0
 01932  2016   NtSetEventBoostPriority  (36, ...
 01820  2012   NtWaitForSingleObject  ... ) == 0x0
 01933  2012   NtSetEventBoostPriority  (36, ...
 01828  1168   NtWaitForSingleObject  ... ) == 0x0
 01934  1168   NtSetEventBoostPriority  (36, ...
 01838  1180   NtWaitForSingleObject  ... ) == 0x0
 01935  1180   NtSetEventBoostPriority  (36, ...
 01844   928   NtWaitForSingleObject  ... ) == 0x0
 01936   928   NtSetEventBoostPriority  (36, ...
 01854   428   NtWaitForSingleObject  ... ) == 0x0
 01937   428   NtSetEventBoostPriority  (36, ...
 01860  1732   NtWaitForSingleObject  ... ) == 0x0
 01938  1732   NtSetEventBoostPriority  (36, ...
 01870   748   NtWaitForSingleObject  ... ) == 0x0
 01939   748   NtSetEventBoostPriority  (36, ...
 01876   900   NtWaitForSingleObject  ... ) == 0x0
 01940   900   NtSetEventBoostPriority  (36, ...
 01891  1388   NtWaitForSingleObject  ... ) == 0x0
 01941  1388   NtSetEventBoostPriority  (36, ...
 01903  2036   NtWaitForSingleObject  ... ) == 0x0
 01942  2036   NtSetEventBoostPriority  (36, ...
 01925  1372   NtWaitForSingleObject  ... ) == 0x0
 01943  1372   NtTestAlert  (... ) == 0x0
 01942  2036   NtSetEventBoostPriority  ... ) == 0x0
 01941  1388   NtSetEventBoostPriority  ... ) == 0x0
 01940   900   NtSetEventBoostPriority  ... ) == 0x0
 01939   748   NtSetEventBoostPriority  ... ) == 0x0
 01938  1732   NtSetEventBoostPriority  ... ) == 0x0
 01937   428   NtSetEventBoostPriority  ... ) == 0x0
 01936   928   NtSetEventBoostPriority  ... ) == 0x0
 01935  1180   NtSetEventBoostPriority  ... ) == 0x0
 01934  1168   NtSetEventBoostPriority  ... ) == 0x0
 01933  2012   NtSetEventBoostPriority  ... ) == 0x0
 01932  2016   NtSetEventBoostPriority  ... ) == 0x0
 01931   376   NtSetEventBoostPriority  ... ) == 0x0
 01929   596   NtSetEventBoostPriority  ... ) == 0x0
 01923   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0
 01944  1372   NtContinue  (52362544, 1, ...
 01945  2036   NtTestAlert  (...
 01946  1388   NtTestAlert  (...
 01947   900   NtTestAlert  (...
 01948   748   NtTestAlert  (...
 01949  1732   NtTestAlert  (...
 01950   428   NtTestAlert  (...
 01951   928   NtTestAlert  (...
 01952  1180   NtTestAlert  (...
 01953  1168   NtTestAlert  (...
 01954  2012   NtTestAlert  (...
 01955   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01956   596   NtQuerySystemInformation  (Basic, 44, ...
 01957   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81874, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0@\6\0\0" ...  ...
 01958  1372   NtRegisterThreadTerminatePort  (24, ...
 01945  2036   NtTestAlert  ... ) == 0x0
 01946  1388   NtTestAlert  ... ) == 0x0
 01947   900   NtTestAlert  ... ) == 0x0
 01948   748   NtTestAlert  ... ) == 0x0
 01949  1732   NtTestAlert  ... ) == 0x0
 01950   428   NtTestAlert  ... ) == 0x0
 01951   928   NtTestAlert  ... ) == 0x0
 01952  1180   NtTestAlert  ... ) == 0x0
 01953  1168   NtTestAlert  ... ) == 0x0
 01954  2012   NtTestAlert  ... ) == 0x0
 01955   376   NtCreateEvent  ... 252, ) == 0x0
 01956   596   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01957   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81875, 0}  ... {28, 56, reply, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0@\6\0\0" )  ) == 0x0
 01958  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01959  2036   NtContinue  (50265392, 1, ...
 01960  1388   NtContinue  (48168240, 1, ...
 01961   900   NtContinue  (46071088, 1, ...
 01962   748   NtContinue  (43973936, 1, ...
 01963  1732   NtContinue  (41876784, 1, ...
 01964   428   NtContinue  (39779632, 1, ...
 01965   928   NtContinue  (37682480, 1, ...
 01966  1180   NtContinue  (35585328, 1, ...
 01967  1168   NtContinue  (33488176, 1, ...
 01968  2012   NtContinue  (31391024, 1, ...
 01969   376   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01788  2016   NtUserCallNoParam  ... ) == 0x0
 01970   896   NtResumeThread  (248, ...
 01971  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01972  2036   NtRegisterThreadTerminatePort  (24, ...
 01973  1388   NtRegisterThreadTerminatePort  (24, ...
 01974   900   NtRegisterThreadTerminatePort  (24, ...
 01975   748   NtRegisterThreadTerminatePort  (24, ...
 01976  1732   NtRegisterThreadTerminatePort  (24, ...
 01977   428   NtRegisterThreadTerminatePort  (24, ...
 01978   928   NtRegisterThreadTerminatePort  (24, ...
 01979  1180   NtRegisterThreadTerminatePort  (24, ...
 01980  1168   NtRegisterThreadTerminatePort  (24, ...
 01981  2012   NtRegisterThreadTerminatePort  (24, ...
 01969   376   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01982  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 01970   896   NtResumeThread  ... 1, ) == 0x0
 01971  1372   NtDuplicateObject  ... 256, ) == 0x0
 01972  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01973  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01974   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 01975   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01976  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01977   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 01978   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01979  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 01980  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 01981  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 01983   376   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 21556280, ... }, 21556280, ...
 01984   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 01985  1600   NtWaitForSingleObject  (36, 0, 0x0, ...
 01986  1372   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 01987  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01988  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01989   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01990   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01991  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01992   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01993   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01994  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01995  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01996  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01997   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 01984   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01986  1372   NtWaitForSingleObject  ... ) == 0x102
 01987  2036   NtDuplicateObject  ... 260, ) == 0x0
 01988  1388   NtDuplicateObject  ... 264, ) == 0x0
 01989   900   NtDuplicateObject  ... 268, ) == 0x0
 01990   748   NtDuplicateObject  ... 272, ) == 0x0
 01991  1732   NtDuplicateObject  ... 276, ) == 0x0
 01992   428   NtDuplicateObject  ... 280, ) == 0x0
 01993   928   NtDuplicateObject  ... 284, ) == 0x0
 01994  1180   NtDuplicateObject  ... 288, ) == 0x0
 01995  1168   NtDuplicateObject  ... 292, ) == 0x0
 01997   896   NtAllocateVirtualMemory  ... 54460416, 2097152, ) == 0x0
 01998   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 01999  1372   NtWaitForSingleObject  (196, 0, 0x0, ...
 02000  2036   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02001  1388   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02002   900   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02003   748   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02004  1732   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02005   428   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02006   928   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02007  1180   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02008  1168   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02009   896   NtAllocateVirtualMemory  (-1, 56549376, 0, 8192, 4096, 4, ...
 01998   596   NtOpenKey  ... 296, ) == 0x0
 02000  2036   NtWaitForSingleObject  ... ) == 0x102
 02001  1388   NtWaitForSingleObject  ... ) == 0x102
 02002   900   NtWaitForSingleObject  ... ) == 0x102
 02003   748   NtWaitForSingleObject  ... ) == 0x102
 02004  1732   NtWaitForSingleObject  ... ) == 0x102
 02005   428   NtWaitForSingleObject  ... ) == 0x102
 02006   928   NtWaitForSingleObject  ... ) == 0x102
 02007  1180   NtWaitForSingleObject  ... ) == 0x102
 02008  1168   NtWaitForSingleObject  ... ) == 0x102
 02009   896   NtAllocateVirtualMemory  ... 56549376, 8192, ) == 0x0
 02010   596   NtQueryValueKey  (296,  (296, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 02011  2036   NtWaitForSingleObject  (196, 0, 0x0, ...
 02012  1388   NtWaitForSingleObject  (196, 0, 0x0, ...
 02013   900   NtWaitForSingleObject  (196, 0, 0x0, ...
 02014   748   NtAllocateVirtualMemory  (-1, 5730304, 0, 4096, 4096, 4, ...
 02015  1732   NtWaitForSingleObject  (92, 0, 0x0, ...
 02016   428   NtWaitForSingleObject  (92, 0, 0x0, ...
 02017   928   NtWaitForSingleObject  (92, 0, 0x0, ...
 02018  1180   NtWaitForSingleObject  (92, 0, 0x0, ...
 02019  1168   NtWaitForSingleObject  (92, 0, 0x0, ...
 02020   896   NtProtectVirtualMemory  (-1, (0x35ee000), 4096, 260, ...
 02010   596   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02014   748   NtAllocateVirtualMemory  ... 5730304, 4096, ) == 0x0
 02020   896   NtProtectVirtualMemory  ... (0x35ee000), 4096, 4, ) == 0x0
 01996  2012   NtDuplicateObject  ... 300, ) == 0x0
 02021   596   NtClose  (296, ...
 02022   748   NtSetEventBoostPriority  (92, ...
 01983   376   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02023  2012   NtWaitForSingleObject  (92, 0, 0x0, ...
 02021   596   NtClose  ... ) == 0x0
 02015  1732   NtWaitForSingleObject  ... ) == 0x0
 02022   748   NtSetEventBoostPriority  ... ) == 0x0
 02024   376   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 21556280, ... }, 21556280, ...
 02025  1732   NtSetEventBoostPriority  (92, ...
 02026   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 02027   748   NtWaitForSingleObject  (196, 0, 0x0, ...
 02016   428   NtWaitForSingleObject  ... ) == 0x0
 02025  1732   NtSetEventBoostPriority  ... ) == 0x0
 02024   376   NtQueryAttributesFile  ... ) == 0x0
 02026   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02028   428   NtSetEventBoostPriority  (92, ...
 02029   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02030  1732   NtWaitForSingleObject  (196, 0, 0x0, ...
 02017   928   NtWaitForSingleObject  ... ) == 0x0
 02028   428   NtSetEventBoostPriority  ... ) == 0x0
 02031   596   NtWaitForSingleObject  (92, 0, 0x0, ...
 02029   896   NtCreateThread  ... 296, {1252, 1948}, ) == 0x0
 02032   928   NtSetEventBoostPriority  (92, ...
 02033   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02018  1180   NtWaitForSingleObject  ... ) == 0x0
 02032   928   NtSetEventBoostPriority  ... ) == 0x0
 02034   896   NtQueryInformationThread  (296, Basic, 28, ...
 02035  1180   NtSetEventBoostPriority  (92, ...
 02036   428   NtWaitForSingleObject  (196, 0, 0x0, ...
 02019  1168   NtWaitForSingleObject  ... ) == 0x0
 02035  1180   NtSetEventBoostPriority  ... ) == 0x0
 02034   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0
 02037  1168   NtSetEventBoostPriority  (92, ...
 02038   928   NtWaitForSingleObject  (196, 0, 0x0, ...
 02023  2012   NtWaitForSingleObject  ... ) == 0x0
 02037  1168   NtSetEventBoostPriority  ... ) == 0x0
 02039   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\344\4\0\0\234\7\0\0" ...  ...
 02040  2012   NtSetEventBoostPriority  (92, ...
 02041  1180   NtWaitForSingleObject  (196, 0, 0x0, ...
 02031   596   NtWaitForSingleObject  ... ) == 0x0
 02040  2012   NtSetEventBoostPriority  ... ) == 0x0
 02042   596   NtSetEventBoostPriority  (92, ...
 02043  1168   NtWaitForSingleObject  (196, 0, 0x0, ...
 02039   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81876, 0}  ... {28, 56, reply, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\344\4\0\0\234\7\0\0" )  ) == 0x0
 02033   376   NtWaitForSingleObject  ... ) == 0x0
 02042   596   NtSetEventBoostPriority  ... ) == 0x0
 02044   376   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 02045   896   NtResumeThread  (296, ...
 02046  2012   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02044   376   NtOpenFile  ... 304, {status=0x0, info=1}, ) == 0x0
 02045   896   NtResumeThread  ... 1, ) == 0x0
 02047   376   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 304, ...
 02046  2012   NtWaitForSingleObject  ... ) == 0x102
 02048   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02049   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02050  1948   NtWaitForSingleObject  (36, 0, 0x0, ...
 02051  2012   NtWaitForSingleObject  (196, 0, 0x0, ...
 02048   896   NtAllocateVirtualMemory  ... 56557568, 2097152, ) == 0x0
 02049   596   NtCreateEvent  ... 308, ) == 0x0
 02052   896   NtAllocateVirtualMemory  (-1, 58646528, 0, 8192, 4096, 4, ...
 02053   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02047   376   NtCreateSection  ... 312, ) == 0x0
 02053   596   NtCreateEvent  ... 316, ) == 0x0
 02054   376   NtQuerySection  (312, Image, 48, ...
 02055   596   NtQuerySystemTime  (...
 02054   376   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02055   596   NtQuerySystemTime  ... {1449297914, 29929616}, ) == 0x0
 02056   376   NtClose  (304, ...
 02052   896   NtAllocateVirtualMemory  ... 58646528, 8192, ) == 0x0
 02056   376   NtClose  ... ) == 0x0
 02057   896   NtProtectVirtualMemory  (-1, (0x37ee000), 4096, 260, ...
 02058   376   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02057   896   NtProtectVirtualMemory  ... (0x37ee000), 4096, 4, ) == 0x0
 02059   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02060   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02059   596   NtCreateEvent  ... 304, ) == 0x0
 02060   896   NtCreateThread  ... 320, {1252, 252}, ) == 0x0
 02061   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 02062   896   NtQueryInformationThread  (320, Basic, 28, ...
 02061   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02058   376   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 02063   596   NtQuerySystemInformation  (Performance, 312, ...
 02064   376   NtClose  (312, ...
 02063   596   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 02064   376   NtClose  ... ) == 0x0
 02062   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1252,Tid=252,}, 0x0, ) == 0x0
 02065   376   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 02066   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81876, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\344\4\0\0\374\0\0\0" ...  ...
 02065   376   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 02066   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81877, 0}  ... {28, 56, reply, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\344\4\0\0\374\0\0\0" )  ) == 0x0
 02067   376   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 02068   896   NtResumeThread  (320, ...
 02069   596   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 02068   896   NtResumeThread  ... 1, ) == 0x0
 02069   596   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 02067   376   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 02070   252   NtWaitForSingleObject  (36, 0, 0x0, ...
 02071   596   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 02072   376   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 02071   596   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 02072   376   NtFlushInstructionCache  ... ) == 0x0
 02073   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 02074   376   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02075   376   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02076   376   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02077   376   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02078   376   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 02079   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 58654720, 2097152, ) == 0x0
 02080   896   NtAllocateVirtualMemory  (-1, 60743680, 0, 8192, 4096, 4, ... 60743680, 8192, ) == 0x0
 02081   896   NtProtectVirtualMemory  (-1, (0x39ee000), 4096, 260, ... (0x39ee000), 4096, 4, ) == 0x0
 02082   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 312, {1252, 1300}, ) == 0x0
 02083   896   NtQueryInformationThread  (312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1252,Tid=1300,}, 0x0, ) == 0x0
 02084   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\344\4\0\0\24\5\0\0" ...  ...
 02078   376   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 02085   376   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02086   376   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02087   376   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 02084   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81878, 0}  ... {28, 56, reply, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\344\4\0\0\24\5\0\0" )  ) == 0x0
 02088   896   NtResumeThread  (312, ... 1, ) == 0x0
 02089   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 60751872, 2097152, ) == 0x0
 02090   896   NtAllocateVirtualMemory  (-1, 62840832, 0, 8192, 4096, 4, ... 62840832, 8192, ) == 0x0
 02091   896   NtProtectVirtualMemory  (-1, (0x3bee000), 4096, 260, ... (0x3bee000), 4096, 4, ) == 0x0
 02092   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 324, {1252, 1096}, ) == 0x0
 02093   896   NtQueryInformationThread  (324, Basic, 28, ...
 02087   376   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 02094  1300   NtWaitForSingleObject  (36, 0, 0x0, ...
 02095   376   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02096   376   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02097   376   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02098   376   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02099   376   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02100   376   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 02093   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0
 02101   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81879, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0H\4\0\0" )  ) == 0x0
 02102   896   NtResumeThread  (324, ... 1, ) == 0x0
 02103   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 62849024, 2097152, ) == 0x0
 02104   896   NtAllocateVirtualMemory  (-1, 64937984, 0, 8192, 4096, 4, ... 64937984, 8192, ) == 0x0
 02105   896   NtProtectVirtualMemory  (-1, (0x3dee000), 4096, 260, ... (0x3dee000), 4096, 4, ) == 0x0
 02100   376   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 02106  1096   NtWaitForSingleObject  (36, 0, 0x0, ...
 02107   376   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02108   376   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02109   376   NtCreateKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 328, 2, ) }, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 328, 2, ) , 0, ... 328, 2, ) == 0x0
 02110   376   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 332, ) }, ... 332, ) == 0x0
 02111   376   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02112   376   NtQueryValueKey  (332,  (332, "QueryAdapterName", Partial, 144, ... , Partial, 144, ...
 02113   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 336, {1252, 1708}, ) == 0x0
 02114   896   NtQueryInformationThread  (336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0
 02115   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81880, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\254\6\0\0" )  ) == 0x0
 02116   896   NtResumeThread  (336, ... 1, ) == 0x0
 02117   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 64946176, 2097152, ) == 0x0
 02118   896   NtAllocateVirtualMemory  (-1, 67035136, 0, 8192, 4096, 4, ...
 02112   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02119  1708   NtWaitForSingleObject  (36, 0, 0x0, ...
 02120   376   NtQueryValueKey  (328,  (328, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02121   376   NtQueryValueKey  (332,  (332, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02122   376   NtQueryValueKey  (328,  (328, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (328, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02123   376   NtQueryValueKey  (332,  (332, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124   376   NtQueryValueKey  (328,  (328, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   376   NtQueryValueKey  (332,  (332, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ...
 02118   896   NtAllocateVirtualMemory  ... 67035136, 8192, ) == 0x0
 02126   896   NtProtectVirtualMemory  (-1, (0x3fee000), 4096, 260, ... (0x3fee000), 4096, 4, ) == 0x0
 02127   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 340, {1252, 1024}, ) == 0x0
 02128   896   NtQueryInformationThread  (340, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0
 02129   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81881, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\0\4\0\0" )  ) == 0x0
 02130   896   NtResumeThread  (340, ... 1, ) == 0x0
 02125   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02131  1024   NtWaitForSingleObject  (36, 0, 0x0, ...
 02132   376   NtQueryValueKey  (328,  (328, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02133   376   NtQueryValueKey  (332,  (332, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02134   376   NtQueryValueKey  (332,  (332, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   376   NtQueryValueKey  (332,  (332, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02136   376   NtQueryValueKey  (332,  (332, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02137   376   NtQueryValueKey  (332,  (332, "WaitForNameErrorOnAll", Partial, 144, ... , Partial, 144, ...
 02138   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 67043328, 2097152, ) == 0x0
 02139   896   NtAllocateVirtualMemory  (-1, 69132288, 0, 8192, 4096, 4, ... 69132288, 8192, ) == 0x0
 02140   896   NtProtectVirtualMemory  (-1, (0x41ee000), 4096, 260, ... (0x41ee000), 4096, 4, ) == 0x0
 02141   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 344, {1252, 1324}, ) == 0x0
 02142   896   NtQueryInformationThread  (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0
 02143   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\344\4\0\0,\5\0\0" ...  ...
 02137   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02144   376   NtQueryValueKey  (332,  (332, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02145   376   NtQueryValueKey  (332,  (332, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02146   376   NtQueryValueKey  (332,  (332, "UseHostsFile", Partial, 144, ... , Partial, 144, ...
 02143   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81882, 0}  ... {28, 56, reply, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\344\4\0\0,\5\0\0" )  ) == 0x0
 02147   896   NtResumeThread  (344, ... 1, ) == 0x0
 02148   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 69140480, 2097152, ) == 0x0
 02149   896   NtAllocateVirtualMemory  (-1, 71229440, 0, 8192, 4096, 4, ... 71229440, 8192, ) == 0x0
 02150   896   NtProtectVirtualMemory  (-1, (0x43ee000), 4096, 260, ... (0x43ee000), 4096, 4, ) == 0x0
 02151   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 348, {1252, 1776}, ) == 0x0
 02152   896   NtQueryInformationThread  (348, Basic, 28, ...
 02146   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02153  1324   NtWaitForSingleObject  (36, 0, 0x0, ...
 02154   376   NtQueryValueKey  (332,  (332, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02155   376   NtQueryValueKey  (328,  (328, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   376   NtQueryValueKey  (332,  (332, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   376   NtQueryValueKey  (332,  (332, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02158   376   NtQueryValueKey  (328,  (328, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02159   376   NtQueryValueKey  (332,  (332, "RegisterReverseLookup", Partial, 144, ... , Partial, 144, ...
 02152   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1252,Tid=1776,}, 0x0, ) == 0x0
 02160   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81883, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\360\6\0\0" )  ) == 0x0
 02161   896   NtResumeThread  (348, ... 1, ) == 0x0
 02162   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 71237632, 2097152, ) == 0x0
 02163   896   NtAllocateVirtualMemory  (-1, 73326592, 0, 8192, 4096, 4, ... 73326592, 8192, ) == 0x0
 02164   896   NtProtectVirtualMemory  (-1, (0x45ee000), 4096, 260, ... (0x45ee000), 4096, 4, ) == 0x0
 02159   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02165  1776   NtWaitForSingleObject  (36, 0, 0x0, ...
 02166   376   NtQueryValueKey  (328,  (328, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02167   376   NtQueryValueKey  (332,  (332, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   376   NtQueryValueKey  (328,  (328, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02169   376   NtQueryValueKey  (332,  (332, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02170   376   NtQueryValueKey  (328,  (328, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02171   376   NtQueryValueKey  (332,  (332, "RegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ...
 02172   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 352, {1252, 500}, ) == 0x0
 02173   896   NtQueryInformationThread  (352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=500,}, 0x0, ) == 0x0
 02174   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81884, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\0\364\1\0\0" )  ) == 0x0
 02175   896   NtResumeThread  (352, ... 1, ) == 0x0
 02176   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 73334784, 2097152, ) == 0x0
 02177   896   NtAllocateVirtualMemory  (-1, 75423744, 0, 8192, 4096, 4, ...
 02171   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02178   500   NtWaitForSingleObject  (36, 0, 0x0, ...
 02179   376   NtQueryValueKey  (328,  (328, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   376   NtQueryValueKey  (332,  (332, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02181   376   NtQueryValueKey  (328,  (328, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02182   376   NtQueryValueKey  (332,  (332, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02183   376   NtQueryValueKey  (328,  (328, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02184   376   NtQueryValueKey  (332,  (332, "UpdateZoneExcludeFile", Partial, 144, ... , Partial, 144, ...
 02177   896   NtAllocateVirtualMemory  ... 75423744, 8192, ) == 0x0
 02185   896   NtProtectVirtualMemory  (-1, (0x47ee000), 4096, 260, ... (0x47ee000), 4096, 4, ) == 0x0
 02186   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 356, {1252, 248}, ) == 0x0
 02187   896   NtQueryInformationThread  (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=248,}, 0x0, ) == 0x0
 02188   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\370\0\0\0" )  ) == 0x0
 02189   896   NtResumeThread  (356, ... 1, ) == 0x0
 02184   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02190   248   NtWaitForSingleObject  (36, 0, 0x0, ...
 02191   376   NtQueryValueKey  (332,  (332, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   376   NtQueryValueKey  (332,  (332, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02193   376   NtQueryValueKey  (332,  (332, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   376   NtQueryValueKey  (332,  (332, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02195   376   NtQueryValueKey  (332,  (332, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02196   376   NtQueryValueKey  (332,  (332, "AdapterTimeoutLimit", Partial, 144, ... , Partial, 144, ...
 02197   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 75431936, 2097152, ) == 0x0
 02198   896   NtAllocateVirtualMemory  (-1, 77520896, 0, 8192, 4096, 4, ... 77520896, 8192, ) == 0x0
 02199   896   NtProtectVirtualMemory  (-1, (0x49ee000), 4096, 260, ... (0x49ee000), 4096, 4, ) == 0x0
 02200   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 360, {1252, 1884}, ) == 0x0
 02201   896   NtQueryInformationThread  (360, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0
 02202   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\\7\0\0" ...  ...
 02196   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   376   NtQueryValueKey  (332,  (332, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   376   NtQueryValueKey  (332,  (332, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02205   376   NtQueryValueKey  (332,  (332, "MulticastListenLevel", Partial, 144, ... , Partial, 144, ...
 02202   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81886, 0}  ... {28, 56, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\\7\0\0" )  ) == 0x0
 02206   896   NtResumeThread  (360, ... 1, ) == 0x0
 02207   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 77529088, 2097152, ) == 0x0
 02208   896   NtAllocateVirtualMemory  (-1, 79618048, 0, 8192, 4096, 4, ... 79618048, 8192, ) == 0x0
 02209   896   NtProtectVirtualMemory  (-1, (0x4bee000), 4096, 260, ... (0x4bee000), 4096, 4, ) == 0x0
 02210   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 364, {1252, 1308}, ) == 0x0
 02211   896   NtQueryInformationThread  (364, Basic, 28, ...
 02205   376   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212  1884   NtWaitForSingleObject  (36, 0, 0x0, ...
 02213   376   NtQueryValueKey  (332,  (332, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   376   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "System\Setup"}, ... 368, ) }, ... 368, ) == 0x0
 02215   376   NtQueryValueKey  (368,  (368, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02216   376   NtClose  (368, ... ) == 0x0
 02217   376   NtClose  (328, ...
 02211   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=1308,}, 0x0, ) == 0x0
 02218   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\34\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\34\5\0\0" )  ) == 0x0
 02219   896   NtResumeThread  (364, ... 1, ) == 0x0
 02220   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 79626240, 2097152, ) == 0x0
 02221   896   NtAllocateVirtualMemory  (-1, 81715200, 0, 8192, 4096, 4, ... 81715200, 8192, ) == 0x0
 02222   896   NtProtectVirtualMemory  (-1, (0x4dee000), 4096, 260, ... (0x4dee000), 4096, 4, ) == 0x0
 02217   376   NtClose  ... ) == 0x0
 02223  1308   NtWaitForSingleObject  (36, 0, 0x0, ...
 02224   376   NtClose  (332, ... ) == 0x0
 02225   376   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 332, ) }, ... 332, ) == 0x0
 02226   376   NtQueryValueKey  (332,  (332, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   376   NtQueryValueKey  (332,  (332, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   376   NtQueryValueKey  (332,  (332, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   376   NtClose  (332, ...
 02230   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 328, {1252, 1676}, ) == 0x0
 02231   896   NtQueryInformationThread  (328, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0
 02232   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0\214\6\0\0" )  ) == 0x0
 02233   896   NtResumeThread  (328, ... 1, ) == 0x0
 02234   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 81723392, 2097152, ) == 0x0
 02235   896   NtAllocateVirtualMemory  (-1, 83812352, 0, 8192, 4096, 4, ...
 02229   376   NtClose  ... ) == 0x0
 02236  1676   NtWaitForSingleObject  (36, 0, 0x0, ...
 02237   376   NtSetEventBoostPriority  (36, ...
 01982  2016   NtWaitForSingleObject  ... ) == 0x0
 02238  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 9825988, ... ) }, 9825988, ... ) == 0x0
 02237   376   NtSetEventBoostPriority  ... ) == 0x0
 02235   896   NtAllocateVirtualMemory  ... 83812352, 8192, ) == 0x0
 02239   376   NtWaitForSingleObject  (36, 0, 0x0, ...
 02240   896   NtProtectVirtualMemory  (-1, (0x4fee000), 4096, 260, ... (0x4fee000), 4096, 4, ) == 0x0
 02241   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 332, {1252, 1620}, ) == 0x0
 02242   896   NtQueryInformationThread  (332, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0
 02243   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0T\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81889, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0T\6\0\0" )  ) == 0x0
 02244   896   NtResumeThread  (332, ... 1, ) == 0x0
 02245  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... }, 5, 96, ...
 02246  1620   NtWaitForSingleObject  (36, 0, 0x0, ...
 02245  2016   NtOpenFile  ... 368, {status=0x0, info=1}, ) == 0x0
 02247  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 368, ... 372, ) == 0x0
 02248  2016   NtClose  (368, ... ) == 0x0
 02249  2016   NtMapViewOfSection  (372, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe30000), 0x0, 294912, ) == 0x0
 02250  2016   NtClose  (372, ... ) == 0x0
 02251  2016   NtUnmapViewOfSection  (-1, 0xe30000, ... ) == 0x0
 02252   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 83820544, 2097152, ) == 0x0
 02253   896   NtAllocateVirtualMemory  (-1, 85909504, 0, 8192, 4096, 4, ... 85909504, 8192, ) == 0x0
 02254   896   NtProtectVirtualMemory  (-1, (0x51ee000), 4096, 260, ... (0x51ee000), 4096, 4, ) == 0x0
 02255   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 372, {1252, 1296}, ) == 0x0
 02256   896   NtQueryInformationThread  (372, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0
 02257   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\20\5\0\0" ...  ...
 02258  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 9826296, ... ) }, 9826296, ... ) == 0x0
 02259  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02260  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 376, ) == 0x0
 02257   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81890, 0}  ... {28, 56, reply, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\20\5\0\0" )  ) == 0x0
 02261   896   NtResumeThread  (372, ... 1, ) == 0x0
 02262   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 85917696, 2097152, ) == 0x0
 02263   896   NtAllocateVirtualMemory  (-1, 88006656, 0, 8192, 4096, 4, ... 88006656, 8192, ) == 0x0
 02264   896   NtProtectVirtualMemory  (-1, (0x53ee000), 4096, 260, ... (0x53ee000), 4096, 4, ) == 0x0
 02265   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 380, {1252, 440}, ) == 0x0
 02266   896   NtQueryInformationThread  (380, Basic, 28, ...
 02267  2016   NtQuerySection  (376, Image, 48, ...
 02268  1296   NtWaitForSingleObject  (36, 0, 0x0, ...
 02267  2016   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02269  2016   NtClose  (368, ... ) == 0x0
 02270  2016   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0
 02271  2016   NtClose  (376, ... ) == 0x0
 02272  2016   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 02273  2016   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 02266   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=440,}, 0x0, ) == 0x0
 02274   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81891, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\270\1\0\0" )  ) == 0x0
 02275   896   NtResumeThread  (380, ... 1, ) == 0x0
 02276   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 88014848, 2097152, ) == 0x0
 02277   896   NtAllocateVirtualMemory  (-1, 90103808, 0, 8192, 4096, 4, ... 90103808, 8192, ) == 0x0
 02278   896   NtProtectVirtualMemory  (-1, (0x55ee000), 4096, 260, ... (0x55ee000), 4096, 4, ) == 0x0
 02279  2016   NtFlushInstructionCache  (-1, 1953632256, 928, ...
 02280   440   NtWaitForSingleObject  (36, 0, 0x0, ...
 02279  2016   NtFlushInstructionCache  ... ) == 0x0
 02281  2016   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 02282  2016   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 02283  2016   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 02284  2016   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 02285  2016   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 02286   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 376, {1252, 1588}, ) == 0x0
 02287   896   NtQueryInformationThread  (376, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0
 02288   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\04\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\04\6\0\0" )  ) == 0x0
 02289   896   NtResumeThread  (376, ... 1, ) == 0x0
 02290   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 90112000, 2097152, ) == 0x0
 02291   896   NtAllocateVirtualMemory  (-1, 92200960, 0, 8192, 4096, 4, ...
 02292  2016   NtFlushInstructionCache  (-1, 1953632256, 928, ...
 02293  1588   NtWaitForSingleObject  (36, 0, 0x0, ...
 02292  2016   NtFlushInstructionCache  ... ) == 0x0
 02294  2016   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 02295  2016   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 02296  2016   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 02297  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 9823652, ... ) }, 9823652, ... ) == 0x0
 02291   896   NtAllocateVirtualMemory  ... 92200960, 8192, ) == 0x0
 02299   896   NtProtectVirtualMemory  (-1, (0x57ee000), 4096, 260, ... (0x57ee000), 4096, 4, ) == 0x0
 02300   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 368, {1252, 2044}, ) == 0x0
 02301   896   NtQueryInformationThread  (368, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0
 02302   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0\374\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0\374\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81893, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0\374\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0\374\7\0\0" )  ) == 0x0
 02303   896   NtResumeThread  (368, ... 1, ) == 0x0
 02304  2016   NtQueryInformationProcess  (-1, Wow64, 4, ...
 02305  2044   NtWaitForSingleObject  (36, 0, 0x0, ...
 02304  2016   NtQueryInformationProcess  ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02306  2016   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 02307  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1
 02308  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2
 02309  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3
 02310  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadItemChange", ... ) , ... ) == 0xc0a4
 02311   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 92209152, 2097152, ) == 0x0
 02312   896   NtAllocateVirtualMemory  (-1, 94298112, 0, 8192, 4096, 4, ... 94298112, 8192, ) == 0x0
 02313   896   NtProtectVirtualMemory  (-1, (0x59ee000), 4096, 260, ... (0x59ee000), 4096, 4, ) == 0x0
 02314   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 384, {1252, 588}, ) == 0x0
 02315   896   NtQueryInformationThread  (384, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=588,}, 0x0, ) == 0x0
 02316   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0L\2\0\0" ...  ...
 02317  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5
 02318  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6
 02319  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7
 02316   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81894, 0}  ... {28, 56, reply, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0L\2\0\0" )  ) == 0x0
 02320   896   NtResumeThread  (384, ... 1, ) == 0x0
 02321   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 94306304, 2097152, ) == 0x0
 02322   896   NtAllocateVirtualMemory  (-1, 96395264, 0, 8192, 4096, 4, ... 96395264, 8192, ) == 0x0
 02323   896   NtProtectVirtualMemory  (-1, (0x5bee000), 4096, 260, ... (0x5bee000), 4096, 4, ) == 0x0
 02324   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 388, {1252, 1652}, ) == 0x0
 02325   896   NtQueryInformationThread  (388, Basic, 28, ...
 02326  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.CheckThreadInputIdel", ... , ...
 02327   588   NtWaitForSingleObject  (36, 0, 0x0, ...
 02326  2016   NtUserRegisterWindowMessage  ... ) == 0xc0a8
 02328  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9
 02329  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ShowFloating", ... ) , ... ) == 0xc0aa
 02330  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab
 02331  2016   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac
 02332  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 9823660, ... ) }, 9823660, ... ) == 0x0
 02325   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=1652,}, 0x0, ) == 0x0
 02333   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81895, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0t\6\0\0" )  ) == 0x0
 02334   896   NtResumeThread  (388, ... 1, ) == 0x0
 02335   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 96403456, 2097152, ) == 0x0
 02336   896   NtAllocateVirtualMemory  (-1, 98492416, 0, 8192, 4096, 4, ... 98492416, 8192, ) == 0x0
 02337   896   NtProtectVirtualMemory  (-1, (0x5dee000), 4096, 260, ... (0x5dee000), 4096, 4, ) == 0x0
 02338  2016   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 3998, 9826052, 0, 0}  (24, {24, 52, new_msg, 0, 3998, 9826052, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\340\7\0\0\0\0\0\0" ...  ...
 02339  1652   NtWaitForSingleObject  (36, 0, 0x0, ...
 02338  2016   NtRequestWaitReplyPort  ... {24, 52, reply, 0, 1252, 2016, 81896, 0}  ... {24, 52, reply, 0, 1252, 2016, 81896, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\340\7\0\0\0\0\0\0" )  ) == 0x0
 02340  2016   NtUserGetThreadDesktop  (2016, 0, ... ) == 0x30
 02341  2016   NtUserGetObjectInformation  (48, 2, 5643920, 520, 9825960, ... ) == 0x1
 02342  2016   NtOpenProcessToken  (-1, 0x8, ... 392, ) == 0x0
 02343  2016   NtQueryInformationToken  (392, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02344  2016   NtQueryInformationToken  (392, User, 36, ...
 02345   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 396, {1252, 1376}, ) == 0x0
 02346   896   NtQueryInformationThread  (396, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=1376,}, 0x0, ) == 0x0
 02347   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0`\5\0\0" )  ) == 0x0
 02348   896   NtResumeThread  (396, ... 1, ) == 0x0
 02349   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 98500608, 2097152, ) == 0x0
 02350   896   NtAllocateVirtualMemory  (-1, 100589568, 0, 8192, 4096, 4, ...
 02344  2016   NtQueryInformationToken  ... {token info, class 1, size 36}, 36, ) == 0x0
 02351  1376   NtWaitForSingleObject  (36, 0, 0x0, ...
 02352  2016   NtClose  (392, ... ) == 0x0
 02353  2016   NtCreateSection  (0xf0007, {24, 28, 0x80, 0, 0,  (0xf0007, {24, 28, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 392, ) }, {3240, 0}, 4, 134217728, 0, ... 392, ) == STATUS_OBJECT_NAME_EXISTS
 02354  2016   NtMapViewOfSection  (392, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xdb0000), {0, 0}, 4096, ) == 0x0
 02355  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02356  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 400, ) }, ... 400, ) == 0x0
 02357  2016   NtQueryValueKey  (400,  (400, "CUAS", Partial, 144, ... , Partial, 144, ...
 02350   896   NtAllocateVirtualMemory  ... 100589568, 8192, ) == 0x0
 02358   896   NtProtectVirtualMemory  (-1, (0x5fee000), 4096, 260, ... (0x5fee000), 4096, 4, ) == 0x0
 02359   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 404, {1252, 1436}, ) == 0x0
 02360   896   NtQueryInformationThread  (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0
 02361   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\234\5\0\0" )  ) == 0x0
 02362   896   NtResumeThread  (404, ... 1, ) == 0x0
 02357  2016   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02363  1436   NtWaitForSingleObject  (36, 0, 0x0, ...
 02364  2016   NtClose  (400, ... ) == 0x0
 02365  2016   NtUserFindExistingCursorIcon  (9825492, 9825508, 9825556, ... ) == 0x10011
 02366  2016   NtUserRegisterClassExWOW  (9825764, 9825860, 9825844, 9825832, 0, 386, 0, ... ) == 0x8169c0ad
 02367  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 400, ) }, 0, ... 400, ) == STATUS_OBJECT_NAME_EXISTS
 02368  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 408, ) }, 0, ... 408, ) == STATUS_OBJECT_NAME_EXISTS
 02369  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... }, 0, ...
 02370   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 100597760, 2097152, ) == 0x0
 02371   896   NtAllocateVirtualMemory  (-1, 102686720, 0, 8192, 4096, 4, ... 102686720, 8192, ) == 0x0
 02372   896   NtProtectVirtualMemory  (-1, (0x61ee000), 4096, 260, ... (0x61ee000), 4096, 4, ) == 0x0
 02373   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 412, {1252, 1368}, ) == 0x0
 02374   896   NtQueryInformationThread  (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=1368,}, 0x0, ) == 0x0
 02375   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0X\5\0\0" ...  ...
 02369  2016   NtCreateMutant  ... 416, ) == STATUS_OBJECT_NAME_EXISTS
 02376  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 420, ) }, 0, ... 420, ) == STATUS_OBJECT_NAME_EXISTS
 02377  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 424, ) }, 0, ... 424, ) == STATUS_OBJECT_NAME_EXISTS
 02378  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ...
 02375   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81899, 0}  ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0X\5\0\0" )  ) == 0x0
 02379   896   NtResumeThread  (412, ... 1, ) == 0x0
 02380   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 102694912, 2097152, ) == 0x0
 02381   896   NtAllocateVirtualMemory  (-1, 104783872, 0, 8192, 4096, 4, ... 104783872, 8192, ) == 0x0
 02382   896   NtProtectVirtualMemory  (-1, (0x63ee000), 4096, 260, ... (0x63ee000), 4096, 4, ) == 0x0
 02383   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 428, {1252, 724}, ) == 0x0
 02384   896   NtQueryInformationThread  (428, Basic, 28, ...
 02378  2016   NtOpenThreadTokenEx  ... ) == STATUS_NO_TOKEN
 02385  1368   NtWaitForSingleObject  (36, 0, 0x0, ...
 02386  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 02387  2016   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02388  2016   NtClose  (432, ... ) == 0x0
 02389  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 432, ) }, ... 432, ) == 0x0
 02390  2016   NtSetInformationObject  (432, Handle, {Inherit=0,ProtectFromClose=1,}, 9765120, ... ) == 0x0
 02391  2016   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... }, ...
 02384   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=724,}, 0x0, ) == 0x0
 02392   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81900, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\324\2\0\0" )  ) == 0x0
 02393   896   NtResumeThread  (428, ... 1, ) == 0x0
 02394   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 104792064, 2097152, ) == 0x0
 02395   896   NtAllocateVirtualMemory  (-1, 106881024, 0, 8192, 4096, 4, ... 106881024, 8192, ) == 0x0
 02396   896   NtProtectVirtualMemory  (-1, (0x65ee000), 4096, 260, ... (0x65ee000), 4096, 4, ) == 0x0
 02391  2016   NtOpenKey  ... 436, ) == 0x0
 02397   724   NtWaitForSingleObject  (36, 0, 0x0, ...
 02398  2016   NtQueryValueKey  (436,  (436, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02399  2016   NtQueryValueKey  (436,  (436, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02400  2016   NtQueryValueKey  (436,  (436, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401  2016   NtClose  (436, ... ) == 0x0
 02402  2016   NtAllocateVirtualMemory  (-1, 5734400, 0, 4096, 4096, 4, ... 5734400, 4096, ) == 0x0
 02403  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 9823480, ... }, 9823480, ...
 02404   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 436, {1252, 1276}, ) == 0x0
 02405   896   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=1276,}, 0x0, ) == 0x0
 02406   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\374\4\0\0" )  ) == 0x0
 02407   896   NtResumeThread  (436, ... 1, ) == 0x0
 02408   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 106889216, 2097152, ) == 0x0
 02409   896   NtAllocateVirtualMemory  (-1, 108978176, 0, 8192, 4096, 4, ...
 02403  2016   NtQueryAttributesFile  ... ) == 0x0
 02410  1276   NtWaitForSingleObject  (36, 0, 0x0, ...
 02411  2016   NtQueryDefaultUILanguage  (9826040, ...
 02412  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02413  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 02414  2016   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02415  2016   NtClose  (-2147482748, ... ) == 0x0
 02416  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 02409   896   NtAllocateVirtualMemory  ... 108978176, 8192, ) == 0x0
 02417   896   NtProtectVirtualMemory  (-1, (0x67ee000), 4096, 260, ... (0x67ee000), 4096, 4, ) == 0x0
 02418   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 440, {1252, 220}, ) == 0x0
 02419   896   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=220,}, 0x0, ) == 0x0
 02420   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\334\0\0\0" )  ) == 0x0
 02421   896   NtResumeThread  (440, ... 1, ) == 0x0
 02422  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... }, ...
 02423   220   NtWaitForSingleObject  (36, 0, 0x0, ...
 02422  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02424  2016   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 02425  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02426  2016   NtClose  (-2147481452, ... ) == 0x0
 02427  2016   NtClose  (-2147482748, ... ) == 0x0
 02411  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 02428  2016   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... }, ...
 02429   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 108986368, 2097152, ) == 0x0
 02430   896   NtAllocateVirtualMemory  (-1, 111075328, 0, 8192, 4096, 4, ... 111075328, 8192, ) == 0x0
 02431   896   NtProtectVirtualMemory  (-1, (0x69ee000), 4096, 260, ... (0x69ee000), 4096, 4, ) == 0x0
 02432   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 444, {1252, 1328}, ) == 0x0
 02433   896   NtQueryInformationThread  (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=1328,}, 0x0, ) == 0x0
 02434   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\00\5\0\0" ...  ...
 02428  2016   NtOpenKey  ... 448, ) == 0x0
 02435  2016   NtQueryValueKey  (448,  (448, "EnableAnchorContext", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436  2016   NtClose  (448, ... ) == 0x0
 02437  2016   NtSetEventBoostPriority  (36, ...
 02434   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81903, 0}  ... {28, 56, reply, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\00\5\0\0" )  ) == 0x0
 02438   896   NtResumeThread  (444, ... 1, ) == 0x0
 02439   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 111083520, 2097152, ) == 0x0
 02440   896   NtAllocateVirtualMemory  (-1, 113172480, 0, 8192, 4096, 4, ... 113172480, 8192, ) == 0x0
 02441   896   NtProtectVirtualMemory  (-1, (0x6bee000), 4096, 260, ... (0x6bee000), 4096, 4, ) == 0x0
 02442   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 448, {1252, 1636}, ) == 0x0
 02443   896   NtQueryInformationThread  (448, Basic, 28, ...
 01985  1600   NtWaitForSingleObject  ... ) == 0x0
 02437  2016   NtSetEventBoostPriority  ... ) == 0x0
 02444  1328   NtWaitForSingleObject  (36, 0, 0x0, ...
 02445  1600   NtSetEventBoostPriority  (36, ...
 02446  2016   NtCreateMutant  (0x1f0001, {24, 28, 0x80, 0, 0,  (0x1f0001, {24, 28, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... }, 0, ...
 02050  1948   NtWaitForSingleObject  ... ) == 0x0
 02445  1600   NtSetEventBoostPriority  ... ) == 0x0
 02447  1948   NtSetEventBoostPriority  (36, ...
 02446  2016   NtCreateMutant  ... 452, ) == STATUS_OBJECT_NAME_EXISTS
 02443   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=1636,}, 0x0, ) == 0x0
 02070   252   NtWaitForSingleObject  ... ) == 0x0
 02447  1948   NtSetEventBoostPriority  ... ) == 0x0
 02448  2016   NtOpenSection  (0xf001f, {24, 28, 0x0, 0, 0,  (0xf001f, {24, 28, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... }, ...
 02449   252   NtSetEventBoostPriority  (36, ...
 02450   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0d\6\0\0" ...  ...
 02451  1600   NtTestAlert  (...
 02073   596   NtWaitForSingleObject  ... ) == 0x0
 02449   252   NtSetEventBoostPriority  ... ) == 0x0
 02448  2016   NtOpenSection  ... 456, ) == 0x0
 02450   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81904, 0}  ... {28, 56, reply, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0d\6\0\0" )  ) == 0x0
 02452   596   NtSetEventBoostPriority  (36, ...
 02451  1600   NtTestAlert  ... ) == 0x0
 02453  1948   NtTestAlert  (...
 02454  2016   NtMapViewOfSection  (456, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ...
 02094  1300   NtWaitForSingleObject  ... ) == 0x0
 02452   596   NtSetEventBoostPriority  ... ) == 0x0
 02455   896   NtResumeThread  (448, ...
 02456  1600   NtContinue  (54459696, 1, ...
 02453  1948   NtTestAlert  ... ) == 0x0
 02457   252   NtTestAlert  (...
 02458  1300   NtSetEventBoostPriority  (36, ...
 02454  2016   NtMapViewOfSection  ... (0xe30000), {0, 0}, 262144, ) == 0x0
 02455   896   NtResumeThread  ... 1, ) == 0x0
 02459  1600   NtRegisterThreadTerminatePort  (24, ...
 02460  1948   NtContinue  (56556848, 1, ...
 02106  1096   NtWaitForSingleObject  ... ) == 0x0
 02458  1300   NtSetEventBoostPriority  ... ) == 0x0
 02457   252   NtTestAlert  ... ) == 0x0
 02461  2016   NtWaitForSingleObject  (452, 0, {-50000000, -1}, ...
 02462   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02463  1636   NtWaitForSingleObject  (36, 0, 0x0, ...
 02459  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 02464  1096   NtSetEventBoostPriority  (36, ...
 02465  1948   NtRegisterThreadTerminatePort  (24, ...
 02466   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02467   252   NtContinue  (58654000, 1, ...
 02461  2016   NtWaitForSingleObject  ... ) == 0x0
 02462   596   NtCreateEvent  ... 460, ) == 0x0
 02119  1708   NtWaitForSingleObject  ... ) == 0x0
 02464  1096   NtSetEventBoostPriority  ... ) == 0x0
 02468  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02465  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 02466   896   NtAllocateVirtualMemory  ... 113180672, 2097152, ) == 0x0
 02469   252   NtRegisterThreadTerminatePort  (24, ...
 02470  2016   NtReleaseMutant  (452, ...
 02471  1708   NtSetEventBoostPriority  (36, ...
 02472   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02473  1300   NtTestAlert  (...
 02474  1096   NtTestAlert  (...
 02475  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02476   896   NtAllocateVirtualMemory  (-1, 115269632, 0, 8192, 4096, 4, ...
 02469   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 02131  1024   NtWaitForSingleObject  ... ) == 0x0
 02471  1708   NtSetEventBoostPriority  ... ) == 0x0
 02472   596   NtDuplicateObject  ... 464, ) == 0x0
 02473  1300   NtTestAlert  ... ) == 0x0
 02474  1096   NtTestAlert  ... ) == 0x0
 02468  1600   NtDuplicateObject  ... 468, ) == 0x0
 02470  2016   NtReleaseMutant  ... 0x0, ) == 0x0
 02476   896   NtAllocateVirtualMemory  ... 115269632, 8192, ) == 0x0
 02477  1024   NtSetEventBoostPriority  (36, ...
 02478   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02475  1948   NtDuplicateObject  ... 472, ) == 0x0
 02479   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 02480  1300   NtContinue  (60751152, 1, ...
 02481  1096   NtContinue  (62848304, 1, ...
 02482  1600   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02483  2016   NtWaitForSingleObject  (452, 0, {-50000000, -1}, ...
 02153  1324   NtWaitForSingleObject  ... ) == 0x0
 02477  1024   NtSetEventBoostPriority  ... ) == 0x0
 02484   896   NtProtectVirtualMemory  (-1, (0x6dee000), 4096, 260, ...
 02485  1708   NtTestAlert  (...
 02486  1948   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02479   596   NtOpenKey  ... 476, ) == 0x0
 02487  1300   NtRegisterThreadTerminatePort  (24, ...
 02488  1096   NtRegisterThreadTerminatePort  (24, ...
 02482  1600   NtWaitForSingleObject  ... ) == 0x102
 02489  1324   NtSetEventBoostPriority  (36, ...
 02483  2016   NtWaitForSingleObject  ... ) == 0x0
 02478   252   NtDuplicateObject  ... 480, ) == 0x0
 02484   896   NtProtectVirtualMemory  ... (0x6dee000), 4096, 4, ) == 0x0
 02485  1708   NtTestAlert  ... ) == 0x0
 02486  1948   NtWaitForSingleObject  ... ) == 0x102
 02490  1024   NtTestAlert  (...
 02487  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 02488  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 02165  1776   NtWaitForSingleObject  ... ) == 0x0
 02489  1324   NtSetEventBoostPriority  ... ) == 0x0
 02491  1600   NtWaitForSingleObject  (196, 0, 0x0, ...
 02492  2016   NtReleaseMutant  (452, ...
 02493   252   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02494   596   NtQueryValueKey  (476,  (476, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 02495  1708   NtContinue  (64945456, 1, ...
 02496  1948   NtWaitForSingleObject  (196, 0, 0x0, ...
 02490  1024   NtTestAlert  ... ) == 0x0
 02497  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02498  1776   NtSetEventBoostPriority  (36, ...
 02499  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02500   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02492  2016   NtReleaseMutant  ... 0x0, ) == 0x0
 02493   252   NtWaitForSingleObject  ... ) == 0x102
 02494   596   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02501  1708   NtRegisterThreadTerminatePort  (24, ...
 02502  1024   NtContinue  (67042608, 1, ...
 02503  1324   NtTestAlert  (...
 02178   500   NtWaitForSingleObject  ... ) == 0x0
 02498  1776   NtSetEventBoostPriority  ... ) == 0x0
 02497  1300   NtDuplicateObject  ... 484, ) == 0x0
 02500   896   NtCreateThread  ... 488, {1252, 704}, ) == 0x0
 02499  1096   NtDuplicateObject  ... 492, ) == 0x0
 02504   252   NtWaitForSingleObject  (196, 0, 0x0, ...
 02505   596   NtClose  (476, ...
 02501  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 02506  1024   NtRegisterThreadTerminatePort  (24, ...
 02507   500   NtSetEventBoostPriority  (36, ...
 02503  1324   NtTestAlert  ... ) == 0x0
 02508  2016   NtWaitForSingleObject  (452, 0, {-50000000, -1}, ...
 02509  1300   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02510   896   NtQueryInformationThread  (488, Basic, 28, ...
 02511  1096   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02505   596   NtClose  ... ) == 0x0
 02512  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02190   248   NtWaitForSingleObject  ... ) == 0x0
 02507   500   NtSetEventBoostPriority  ... ) == 0x0
 02506  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 02513  1324   NtContinue  (69139760, 1, ...
 02508  2016   NtWaitForSingleObject  ... ) == 0x0
 02509  1300   NtWaitForSingleObject  ... ) == 0x102
 02510   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=704,}, 0x0, ) == 0x0
 02511  1096   NtWaitForSingleObject  ... ) == 0x102
 02514   596   NtOpenThreadToken  (-2, 0xc, 1, ...
 02515  1776   NtTestAlert  (...
 02516   248   NtSetEventBoostPriority  (36, ...
 02512  1708   NtDuplicateObject  ... 476, ) == 0x0
 02517  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02518  1324   NtRegisterThreadTerminatePort  (24, ...
 02519  2016   NtReleaseMutant  (452, ...
 02520  1300   NtWaitForSingleObject  (196, 0, 0x0, ...
 02521   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\300\2\0\0" ...  ...
 02522  1096   NtWaitForSingleObject  (196, 0, 0x0, ...
 02514   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02212  1884   NtWaitForSingleObject  ... ) == 0x0
 02516   248   NtSetEventBoostPriority  ... ) == 0x0
 02515  1776   NtTestAlert  ... ) == 0x0
 02523  1708   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02524   500   NtTestAlert  (...
 02518  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 02519  2016   NtReleaseMutant  ... 0x0, ) == 0x0
 02517  1024   NtDuplicateObject  ... 496, ) == 0x0
 02521   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81905, 0}  ... {28, 56, reply, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\300\2\0\0" )  ) == 0x0
 02525  1884   NtSetEventBoostPriority  (36, ...
 02526   596   NtOpenThreadToken  (-2, 0x20008, 1, ...
 02527  1776   NtContinue  (71236912, 1, ...
 02523  1708   NtWaitForSingleObject  ... ) == 0x102
 02524   500   NtTestAlert  ... ) == 0x0
 02528  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02529  2016   NtUserMessageCall  (0x90130, WM_NCCREATE, 0x0, 0x95f840, 0, 670, 1, ...
 02530  1024   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02223  1308   NtWaitForSingleObject  ... ) == 0x0
 02525  1884   NtSetEventBoostPriority  ... ) == 0x0
 02531   896   NtResumeThread  (488, ...
 02526   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02532  1776   NtRegisterThreadTerminatePort  (24, ...
 02533  1708   NtWaitForSingleObject  (196, 0, 0x0, ...
 02534   500   NtContinue  (73334064, 1, ...
 02535   248   NtTestAlert  (...
 02528  1324   NtDuplicateObject  ... 500, ) == 0x0
 02536  1308   NtSetEventBoostPriority  (36, ...
 02530  1024   NtWaitForSingleObject  ... ) == 0x102
 02529  2016   NtUserMessageCall  ... ) == 0x1
 02531   896   NtResumeThread  ... 1, ) == 0x0
 02537   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 02532  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 02538   500   NtRegisterThreadTerminatePort  (24, ...
 02535   248   NtTestAlert  ... ) == 0x0
 02236  1676   NtWaitForSingleObject  ... ) == 0x0
 02536  1308   NtSetEventBoostPriority  ... ) == 0x0
 02539  1324   NtAllocateVirtualMemory  (-1, 5738496, 0, 4096, 4096, 4, ...
 02540  1024   NtWaitForSingleObject  (92, 0, 0x0, ...
 02541  2016   NtUserSetWindowFNID  (1507596, 681, ...
 02542   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02543  1776   NtWaitForSingleObject  (92, 0, 0x0, ...
 02538   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 02544  1676   NtAllocateVirtualMemory  (-1, 14245888, 0, 4096, 4096, 4, ...
 02545   248   NtContinue  (75431216, 1, ...
 02546  1884   NtTestAlert  (...
 02547   704   NtWaitForSingleObject  (36, 0, 0x0, ...
 02539  1324   NtAllocateVirtualMemory  ... 5738496, 4096, ) == 0x0
 02541  2016   NtUserSetWindowFNID  ... ) == 0x1
 02542   896   NtAllocateVirtualMemory  ... 115277824, 2097152, ) == 0x0
 02548  1308   NtTestAlert  (...
 02544  1676   NtAllocateVirtualMemory  ... 14245888, 4096, ) == 0x0
 02549   500   NtWaitForSingleObject  (92, 0, 0x0, ...
 02550   248   NtRegisterThreadTerminatePort  (24, ...
 02546  1884   NtTestAlert  ... ) == 0x0
 02551  1324   NtSetEventBoostPriority  (92, ...
 02552  2016   NtWaitForSingleObject  (92, 0, 0x0, ...
 02553   896   NtAllocateVirtualMemory  (-1, 117366784, 0, 8192, 4096, 4, ...
 02548  1308   NtTestAlert  ... ) == 0x0
 02554  1676   NtSetEventBoostPriority  (36, ...
 02550   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 02555  1884   NtContinue  (77528368, 1, ...
 02540  1024   NtWaitForSingleObject  ... ) == 0x0
 02551  1324   NtSetEventBoostPriority  ... ) == 0x0
 02556  1308   NtContinue  (79625520, 1, ...
 02239   376   NtWaitForSingleObject  ... ) == 0x0
 02554  1676   NtSetEventBoostPriority  ... ) == 0x0
 02557   248   NtWaitForSingleObject  (92, 0, 0x0, ...
 02558  1024   NtSetEventBoostPriority  (92, ...
 02559  1884   NtRegisterThreadTerminatePort  (24, ...
 02560  1324   NtWaitForSingleObject  (92, 0, 0x0, ...
 02561   376   NtSetEventBoostPriority  (36, ...
 02562  1308   NtRegisterThreadTerminatePort  (24, ...
 02563  1676   NtTestAlert  (...
 02553   896   NtAllocateVirtualMemory  ... 117366784, 8192, ) == 0x0
 02543  1776   NtWaitForSingleObject  ... ) == 0x0
 02558  1024   NtSetEventBoostPriority  ... ) == 0x0
 02559  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 02246  1620   NtWaitForSingleObject  ... ) == 0x0
 02561   376   NtSetEventBoostPriority  ... ) == 0x0
 02562  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 02563  1676   NtTestAlert  ... ) == 0x0
 02564  1776   NtSetEventBoostPriority  (92, ...
 02565   896   NtProtectVirtualMemory  (-1, (0x6fee000), 4096, 260, ...
 02566  1620   NtSetEventBoostPriority  (36, ...
 02567  1884   NtWaitForSingleObject  (92, 0, 0x0, ...
 02568  1024   NtWaitForSingleObject  (196, 0, 0x0, ...
 02569  1308   NtWaitForSingleObject  (92, 0, 0x0, ...
 02552  2016   NtWaitForSingleObject  ... ) == 0x0
 02570  1676   NtContinue  (81722672, 1, ...
 02268  1296   NtWaitForSingleObject  ... ) == 0x0
 02566  1620   NtSetEventBoostPriority  ... ) == 0x0
 02565   896   NtProtectVirtualMemory  ... (0x6fee000), 4096, 4, ) == 0x0
 02564  1776   NtSetEventBoostPriority  ... ) == 0x0
 02571   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02572  2016   NtSetEventBoostPriority  (92, ...
 02573  1296   NtSetEventBoostPriority  (36, ...
 02574  1676   NtRegisterThreadTerminatePort  (24, ...
 02575   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02576  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02280   440   NtWaitForSingleObject  ... ) == 0x0
 02573  1296   NtSetEventBoostPriority  ... ) == 0x0
 02549   500   NtWaitForSingleObject  ... ) == 0x0
 02572  2016   NtSetEventBoostPriority  ... ) == 0x0
 02577  1620   NtTestAlert  (...
 02575   896   NtCreateThread  ... 504, {1252, 1152}, ) == 0x0
 02578   440   NtSetEventBoostPriority  (36, ...
 02576  1776   NtDuplicateObject  ... 508, ) == 0x0
 02574  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 02579   500   NtSetEventBoostPriority  (92, ...
 02580  1296   NtTestAlert  (...
 02577  1620   NtTestAlert  ... ) == 0x0
 02293  1588   NtWaitForSingleObject  ... ) == 0x0
 02578   440   NtSetEventBoostPriority  ... ) == 0x0
 02581   896   NtQueryInformationThread  (504, Basic, 28, ...
 02582  2016   NtUserSetWindowLong  (1507596, 0, 5738968, 0, ...
 02557   248   NtWaitForSingleObject  ... ) == 0x0
 02583  1676   NtWaitForSingleObject  (92, 0, 0x0, ...
 02580  1296   NtTestAlert  ... ) == 0x0
 02584  1588   NtSetEventBoostPriority  (36, ...
 02585  1620   NtContinue  (83819824, 1, ...
 02579   500   NtSetEventBoostPriority  ... ) == 0x0
 02586  1776   NtWaitForSingleObject  (92, 0, 0x0, ...
 02587   440   NtTestAlert  (...
 02582  2016   NtUserSetWindowLong  ... ) == 0x0
 02588   248   NtSetEventBoostPriority  (92, ...
 02305  2044   NtWaitForSingleObject  ... ) == 0x0
 02584  1588   NtSetEventBoostPriority  ... ) == 0x0
 02589  1296   NtContinue  (85916976, 1, ...
 02590  1620   NtRegisterThreadTerminatePort  (24, ...
 02591   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02587   440   NtTestAlert  ... ) == 0x0
 02592  2016   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... }, ...
 02593  2044   NtSetEventBoostPriority  (36, ...
 02560  1324   NtWaitForSingleObject  ... ) == 0x0
 02588   248   NtSetEventBoostPriority  ... ) == 0x0
 02581   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=1152,}, 0x0, ) == 0x0
 02594  1296   NtRegisterThreadTerminatePort  (24, ...
 02590  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 02591   500   NtDuplicateObject  ... 512, ) == 0x0
 02595   440   NtContinue  (88014128, 1, ...
 02327   588   NtWaitForSingleObject  ... ) == 0x0
 02593  2044   NtSetEventBoostPriority  ... ) == 0x0
 02592  2016   NtOpenKey  ... 516, ) == 0x0
 02596  1324   NtSetEventBoostPriority  (92, ...
 02597   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02598   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\200\4\0\0" ...  ...
 02594  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 02599  1620   NtWaitForSingleObject  (92, 0, 0x0, ...
 02600  1588   NtTestAlert  (...
 02601   588   NtSetEventBoostPriority  (36, ...
 02602   440   NtRegisterThreadTerminatePort  (24, ...
 02603   500   NtWaitForSingleObject  (92, 0, 0x0, ...
 02604  2016   NtQueryValueKey  (516,  (516, "Ime File", Partial, 144, ... , Partial, 144, ...
 02567  1884   NtWaitForSingleObject  ... ) == 0x0
 02597   248   NtDuplicateObject  ... 520, ) == 0x0
 02598   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81906, 0}  ... {28, 56, reply, 0, 1252, 896, 81906, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\200\4\0\0" )  ) == 0x0
 02605  1296   NtWaitForSingleObject  (92, 0, 0x0, ...
 02596  1324   NtSetEventBoostPriority  ... ) == 0x0
 02606  2044   NtTestAlert  (...
 02339  1652   NtWaitForSingleObject  ... ) == 0x0
 02601   588   NtSetEventBoostPriority  ... ) == 0x0
 02600  1588   NtTestAlert  ... ) == 0x0
 02602   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 02604  2016   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 02607  1884   NtSetEventBoostPriority  (92, ...
 02608   896   NtResumeThread  (504, ...
 02609   248   NtWaitForSingleObject  (92, 0, 0x0, ...
 02610  1324   NtWaitForSingleObject  (92, 0, 0x0, ...
 02611  1652   NtSetEventBoostPriority  (36, ...
 02606  2044   NtTestAlert  ... ) == 0x0
 02612  1588   NtContinue  (90111280, 1, ...
 02613   440   NtWaitForSingleObject  (92, 0, 0x0, ...
 02614   588   NtTestAlert  (...
 02569  1308   NtWaitForSingleObject  ... ) == 0x0
 02608   896   NtResumeThread  ... 1, ) == 0x0
 02351  1376   NtWaitForSingleObject  ... ) == 0x0
 02611  1652   NtSetEventBoostPriority  ... ) == 0x0
 02615  2044   NtContinue  (92208432, 1, ...
 02616  1588   NtRegisterThreadTerminatePort  (24, ...
 02607  1884   NtSetEventBoostPriority  ... ) == 0x0
 02617  2016   NtClose  (516, ...
 02618  1152   NtWaitForSingleObject  (36, 0, 0x0, ...
 02614   588   NtTestAlert  ... ) == 0x0
 02619  1308   NtSetEventBoostPriority  (92, ...
 02620  1376   NtSetEventBoostPriority  (36, ...
 02621   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02622  2044   NtRegisterThreadTerminatePort  (24, ...
 02616  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 02623  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02617  2016   NtClose  ... ) == 0x0
 02624   588   NtContinue  (94305584, 1, ...
 02363  1436   NtWaitForSingleObject  ... ) == 0x0
 02620  1376   NtSetEventBoostPriority  ... ) == 0x0
 02571   376   NtWaitForSingleObject  ... ) == 0x0
 02621   896   NtAllocateVirtualMemory  ... 117374976, 2097152, ) == 0x0
 02622  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 02625  1588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02623  1884   NtDuplicateObject  ... 516, ) == 0x0
 02626  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 02627  1436   NtSetEventBoostPriority  (36, ...
 02628   588   NtRegisterThreadTerminatePort  (24, ...
 02619  1308   NtSetEventBoostPriority  ... ) == 0x0
 02629  1652   NtTestAlert  (...
 02630   376   NtSetEventBoostPriority  (92, ...
 02631   896   NtAllocateVirtualMemory  (-1, 119463936, 0, 8192, 4096, 4, ...
 02632  2044   NtWaitForSingleObject  (92, 0, 0x0, ...
 02633  1376   NtTestAlert  (...
 02385  1368   NtWaitForSingleObject  ... ) == 0x0
 02627  1436   NtSetEventBoostPriority  ... ) == 0x0
 02628   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 02634  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02629  1652   NtTestAlert  ... ) == 0x0
 02583  1676   NtWaitForSingleObject  ... ) == 0x0
 02630   376   NtSetEventBoostPriority  ... ) == 0x0
 02631   896   NtAllocateVirtualMemory  ... 119463936, 8192, ) == 0x0
 02635  1884   NtWaitForSingleObject  (92, 0, 0x0, ...
 02636  1368   NtSetEventBoostPriority  (36, ...
 02633  1376   NtTestAlert  ... ) == 0x0
 02637   588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02634  1308   NtDuplicateObject  ... 524, ) == 0x0
 02638  1676   NtSetEventBoostPriority  (92, ...
 02639  1652   NtContinue  (96402736, 1, ...
 02640   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02641   896   NtProtectVirtualMemory  (-1, (0x71ee000), 4096, 260, ...
 02397   724   NtWaitForSingleObject  ... ) == 0x0
 02636  1368   NtSetEventBoostPriority  ... ) == 0x0
 02642  1376   NtContinue  (98499888, 1, ...
 02643  1436   NtTestAlert  (...
 02586  1776   NtWaitForSingleObject  ... ) == 0x0
 02638  1676   NtSetEventBoostPriority  ... ) == 0x0
 02644  1652   NtRegisterThreadTerminatePort  (24, ...
 02645  1308   NtWaitForSingleObject  (92, 0, 0x0, ...
 02646   724   NtSetEventBoostPriority  (36, ...
 02641   896   NtProtectVirtualMemory  ... (0x71ee000), 4096, 4, ) == 0x0
 02647  1376   NtRegisterThreadTerminatePort  (24, ...
 02648  1776   NtSetEventBoostPriority  (92, ...
 02643  1436   NtTestAlert  ... ) == 0x0
 02649  1368   NtTestAlert  (...
 02644  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 02410  1276   NtWaitForSingleObject  ... ) == 0x0
 02646   724   NtSetEventBoostPriority  ... ) == 0x0
 02650  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02603   500   NtWaitForSingleObject  ... ) == 0x0
 02648  1776   NtSetEventBoostPriority  ... ) == 0x0
 02647  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 02651  1436   NtContinue  (100597040, 1, ...
 02649  1368   NtTestAlert  ... ) == 0x0
 02652  1276   NtSetEventBoostPriority  (36, ...
 02653  1652   NtWaitForSingleObject  (92, 0, 0x0, ...
 02654   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02655   500   NtSetEventBoostPriority  (92, ...
 02650  1676   NtDuplicateObject  ... 528, ) == 0x0
 02656  1776   NtWaitForSingleObject  (92, 0, 0x0, ...
 02657  1376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02658  1436   NtRegisterThreadTerminatePort  (24, ...
 02423   220   NtWaitForSingleObject  ... ) == 0x0
 02652  1276   NtSetEventBoostPriority  ... ) == 0x0
 02659  1368   NtContinue  (102694192, 1, ...
 02660   724   NtTestAlert  (...
 02599  1620   NtWaitForSingleObject  ... ) == 0x0
 02655   500   NtSetEventBoostPriority  ... ) == 0x0
 02654   896   NtCreateThread  ... 532, {1252, 1228}, ) == 0x0
 02661  1676   NtWaitForSingleObject  (92, 0, 0x0, ...
 02662   220   NtSetEventBoostPriority  (36, ...
 02658  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 02663  1368   NtRegisterThreadTerminatePort  (24, ...
 02664  1620   NtSetEventBoostPriority  (92, ...
 02660   724   NtTestAlert  ... ) == 0x0
 02665   500   NtWaitForSingleObject  (92, 0, 0x0, ...
 02666   896   NtQueryInformationThread  (532, Basic, 28, ...
 02444  1328   NtWaitForSingleObject  ... ) == 0x0
 02662   220   NtSetEventBoostPriority  ... ) == 0x0
 02667  1436   NtWaitForSingleObject  (92, 0, 0x0, ...
 02605  1296   NtWaitForSingleObject  ... ) == 0x0
 02663  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 02668   724   NtContinue  (104791344, 1, ...
 02664  1620   NtSetEventBoostPriority  ... ) == 0x0
 02669  1276   NtTestAlert  (...
 02670  1328   NtSetEventBoostPriority  (36, ...
 02666   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1228,}, 0x0, ) == 0x0
 02671   220   NtTestAlert  (...
 02672  1296   NtSetEventBoostPriority  (92, ...
 02673  1368   NtWaitForSingleObject  (92, 0, 0x0, ...
 02674   724   NtRegisterThreadTerminatePort  (24, ...
 02675  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02463  1636   NtWaitForSingleObject  ... ) == 0x0
 02670  1328   NtSetEventBoostPriority  ... ) == 0x0
 02669  1276   NtTestAlert  ... ) == 0x0
 02676   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81906, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81906, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\314\4\0\0" ...  ...
 02671   220   NtTestAlert  ... ) == 0x0
 02609   248   NtWaitForSingleObject  ... ) == 0x0
 02672  1296   NtSetEventBoostPriority  ... ) == 0x0
 02674   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 02677  1636   NtSetEventBoostPriority  (36, ...
 02675  1620   NtDuplicateObject  ... 536, ) == 0x0
 02678  1276   NtContinue  (106888496, 1, ...
 02679   220   NtContinue  (108985648, 1, ...
 02680   248   NtSetEventBoostPriority  (92, ...
 02681  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02537   596   NtWaitForSingleObject  ... ) == 0x0
 02677  1636   NtSetEventBoostPriority  ... ) == 0x0
 02682   724   NtWaitForSingleObject  (92, 0, 0x0, ...
 02683  1328   NtTestAlert  (...
 02676   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81907, 0}  ... {28, 56, reply, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\314\4\0\0" )  ) == 0x0
 02684  1276   NtRegisterThreadTerminatePort  (24, ...
 02685   220   NtRegisterThreadTerminatePort  (24, ...
 02610  1324   NtWaitForSingleObject  ... ) == 0x0
 02680   248   NtSetEventBoostPriority  ... ) == 0x0
 02686   596   NtSetEventBoostPriority  (36, ...
 02681  1296   NtDuplicateObject  ... 540, ) == 0x0
 02687  1620   NtWaitForSingleObject  (92, 0, 0x0, ...
 02688  1636   NtTestAlert  (...
 02683  1328   NtTestAlert  ... ) == 0x0
 02689   896   NtResumeThread  (532, ...
 02684  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 02690  1324   NtSetEventBoostPriority  (92, ...
 02685   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 02547   704   NtWaitForSingleObject  ... ) == 0x0
 02686   596   NtSetEventBoostPriority  ... ) == 0x0
 02691   248   NtWaitForSingleObject  (92, 0, 0x0, ...
 02688  1636   NtTestAlert  ... ) == 0x0
 02692  1328   NtContinue  (111082800, 1, ...
 02689   896   NtResumeThread  ... 1, ) == 0x0
 02613   440   NtWaitForSingleObject  ... ) == 0x0
 02690  1324   NtSetEventBoostPriority  ... ) == 0x0
 02693  1276   NtWaitForSingleObject  (92, 0, 0x0, ...
 02694   704   NtSetEventBoostPriority  (36, ...
 02695   220   NtWaitForSingleObject  (92, 0, 0x0, ...
 02696  1296   NtWaitForSingleObject  (92, 0, 0x0, ...
 02697  1228   NtWaitForSingleObject  (36, 0, 0x0, ...
 02698   596   NtWaitForSingleObject  (92, 0, 0x0, ...
 02699  1636   NtContinue  (113179952, 1, ...
 02700  1328   NtRegisterThreadTerminatePort  (24, ...
 02701   440   NtSetEventBoostPriority  (92, ...
 02702   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02703  1324   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02618  1152   NtWaitForSingleObject  ... ) == 0x0
 02694   704   NtSetEventBoostPriority  ... ) == 0x0
 02704  1636   NtRegisterThreadTerminatePort  (24, ...
 02625  1588   NtWaitForSingleObject  ... ) == 0x0
 02700  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 02702   896   NtAllocateVirtualMemory  ... 119472128, 2097152, ) == 0x0
 02705  1152   NtSetEventBoostPriority  (36, ...
 02703  1324   NtWaitForSingleObject  ... ) == 0x102
 02701   440   NtSetEventBoostPriority  ... ) == 0x0
 02704  1636   NtRegisterThreadTerminatePort  ... ) == 0x0
 02706  1588   NtSetEventBoostPriority  (92, ...
 02707  1328   NtWaitForSingleObject  (92, 0, 0x0, ...
 02626  2016   NtWaitForSingleObject  ... ) == 0x0
 02705  1152   NtSetEventBoostPriority  ... ) == 0x0
 02708   896   NtAllocateVirtualMemory  (-1, 121561088, 0, 8192, 4096, 4, ...
 02709  1324   NtWaitForSingleObject  (92, 0, 0x0, ...
 02710   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02711  1636   NtWaitForSingleObject  (92, 0, 0x0, ...
 02632  2044   NtWaitForSingleObject  ... ) == 0x0
 02706  1588   NtSetEventBoostPriority  ... ) == 0x0
 02712   704   NtTestAlert  (...
 02713  2016   NtSetEventBoostPriority  (36, ...
 02714  1152   NtTestAlert  (...
 02710   440   NtDuplicateObject  ... 544, ) == 0x0
 02708   896   NtAllocateVirtualMemory  ... 121561088, 8192, ) == 0x0
 02715  2044   NtSetEventBoostPriority  (92, ...
 02716  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02697  1228   NtWaitForSingleObject  ... ) == 0x0
 02713  2016   NtSetEventBoostPriority  ... ) == 0x0
 02712   704   NtTestAlert  ... ) == 0x0
 02714  1152   NtTestAlert  ... ) == 0x0
 02717   896   NtProtectVirtualMemory  (-1, (0x73ee000), 4096, 260, ...
 02635  1884   NtWaitForSingleObject  ... ) == 0x0
 02718  1228   NtTestAlert  (...
 02716  1588   NtDuplicateObject  ... 548, ) == 0x0
 02715  2044   NtSetEventBoostPriority  ... ) == 0x0
 02719   440   NtWaitForSingleObject  (92, 0, 0x0, ...
 02720   704   NtContinue  (115277104, 1, ...
 02721  1152   NtContinue  (117374256, 1, ...
 02717   896   NtProtectVirtualMemory  ... (0x73ee000), 4096, 4, ) == 0x0
 02718  1228   NtTestAlert  ... ) == 0x0
 02722  1884   NtSetEventBoostPriority  (92, ...
 02723  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... }, ...
 02724  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02725   704   NtRegisterThreadTerminatePort  (24, ...
 02726  1152   NtRegisterThreadTerminatePort  (24, ...
 02727   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02728  1588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02637   588   NtWaitForSingleObject  ... ) == 0x0
 02722  1884   NtSetEventBoostPriority  ... ) == 0x0
 02723  2016   NtOpenSection  ... 552, ) == 0x0
 02724  2044   NtDuplicateObject  ... 556, ) == 0x0
 02725   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 02726  1152   NtRegisterThreadTerminatePort  ... ) == 0x0
 02727   896   NtCreateThread  ... 560, {1252, 792}, ) == 0x0
 02729   588   NtSetEventBoostPriority  (92, ...
 02730  1884   NtWaitForSingleObject  (92, 0, 0x0, ...
 02731  2016   NtMapViewOfSection  (552, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02732  1228   NtContinue  (119471408, 1, ...
 02733   704   NtWaitForSingleObject  (92, 0, 0x0, ...
 02734  1152   NtWaitForSingleObject  (92, 0, 0x0, ...
 02640   376   NtWaitForSingleObject  ... ) == 0x0
 02735   896   NtQueryInformationThread  (560, Basic, 28, ...
 02729   588   NtSetEventBoostPriority  ... ) == 0x0
 02736  2044   NtWaitForSingleObject  (92, 0, 0x0, ...
 02731  2016   NtMapViewOfSection  ... (0x77c00000), 0x0, 32768, ) == 0x0
 02737  1228   NtRegisterThreadTerminatePort  (24, ...
 02738   376   NtSetEventBoostPriority  (92, ...
 02739   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02740  2016   NtClose  (552, ...
 02737  1228   NtRegisterThreadTerminatePort  ... ) == 0x0
 02645  1308   NtWaitForSingleObject  ... ) == 0x0
 02739   588   NtDuplicateObject  ... 564, ) == 0x0
 02740  2016   NtClose  ... ) == 0x0
 02741  1228   NtWaitForSingleObject  (92, 0, 0x0, ...
 02742  1308   NtSetEventBoostPriority  (92, ...
 02738   376   NtSetEventBoostPriority  ... ) == 0x0
 02735   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=792,}, 0x0, ) == 0x0
 02743   588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02653  1652   NtWaitForSingleObject  ... ) == 0x0
 02742  1308   NtSetEventBoostPriority  ... ) == 0x0
 02744   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02745   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\30\3\0\0" ...  ...
 02746  1652   NtSetEventBoostPriority  (92, ...
 02747  1308   NtWaitForSingleObject  (92, 0, 0x0, ...
 02656  1776   NtWaitForSingleObject  ... ) == 0x0
 02745   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81908, 0}  ... {28, 56, reply, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\30\3\0\0" )  ) == 0x0
 02746  1652   NtSetEventBoostPriority  ... ) == 0x0
 02748  2016   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ...
 02749  1776   NtSetEventBoostPriority  (92, ...
 02750   896   NtResumeThread  (560, ...
 02751  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02748  2016   NtProtectVirtualMemory  ... (0x77c01000), 4096, 32, ) == 0x0
 02657  1376   NtWaitForSingleObject  ... ) == 0x0
 02750   896   NtResumeThread  ... 1, ) == 0x0
 02751  1652   NtDuplicateObject  ... 552, ) == 0x0
 02752  2016   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ...
 02753  1376   NtSetEventBoostPriority  (92, ...
 02749  1776   NtSetEventBoostPriority  ... ) == 0x0
 02754   792   NtWaitForSingleObject  (36, 0, 0x0, ...
 02755   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02752  2016   NtProtectVirtualMemory  ... (0x77c01000), 4096, 4, ) == 0x0
 02661  1676   NtWaitForSingleObject  ... ) == 0x0
 02756  1776   NtWaitForSingleObject  (92, 0, 0x0, ...
 02755   896   NtAllocateVirtualMemory  ... 121569280, 2097152, ) == 0x0
 02757  2016   NtFlushInstructionCache  (-1, 2009075712, 304, ...
 02758  1676   NtSetEventBoostPriority  (92, ...
 02759   896   NtAllocateVirtualMemory  (-1, 123658240, 0, 8192, 4096, 4, ...
 02757  2016   NtFlushInstructionCache  ... ) == 0x0
 02665   500   NtWaitForSingleObject  ... ) == 0x0
 02758  1676   NtSetEventBoostPriority  ... ) == 0x0
 02759   896   NtAllocateVirtualMemory  ... 123658240, 8192, ) == 0x0
 02753  1376   NtSetEventBoostPriority  ... ) == 0x0
 02760  1652   NtWaitForSingleObject  (92, 0, 0x0, ...
 02761   500   NtSetEventBoostPriority  (92, ...
 02762  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... }, ...
 02763   896   NtProtectVirtualMemory  (-1, (0x75ee000), 4096, 260, ...
 02764  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02667  1436   NtWaitForSingleObject  ... ) == 0x0
 02762  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02763   896   NtProtectVirtualMemory  ... (0x75ee000), 4096, 4, ) == 0x0
 02764  1376   NtDuplicateObject  ... 568, ) == 0x0
 02765  1436   NtSetEventBoostPriority  (92, ...
 02766  2016   NtSetEventBoostPriority  (36, ...
 02761   500   NtSetEventBoostPriority  ... ) == 0x0
 02767  1676   NtWaitForSingleObject  (92, 0, 0x0, ...
 02768   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02673  1368   NtWaitForSingleObject  ... ) == 0x0
 02754   792   NtWaitForSingleObject  ... ) == 0x0
 02766  2016   NtSetEventBoostPriority  ... ) == 0x0
 02769   500   NtWaitForSingleObject  (92, 0, 0x0, ...
 02768   896   NtCreateThread  ... 572, {1252, 1484}, ) == 0x0
 02770   792   NtTestAlert  (...
 02771  1368   NtSetEventBoostPriority  (92, ...
 02772  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ...
 02770   792   NtTestAlert  ... ) == 0x0
 02773   896   NtQueryInformationThread  (572, Basic, 28, ...
 02682   724   NtWaitForSingleObject  ... ) == 0x0
 02772  2016   NtQueryInformationProcess  ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02771  1368   NtSetEventBoostPriority  ... ) == 0x0
 02765  1436   NtSetEventBoostPriority  ... ) == 0x0
 02774  1376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02773   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0
 02775   724   NtSetEventBoostPriority  (92, ...
 02776   792   NtContinue  (121568560, 1, ...
 02777  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02778  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02779   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\314\5\0\0" ...  ...
 02687  1620   NtWaitForSingleObject  ... ) == 0x0
 02780   792   NtRegisterThreadTerminatePort  (24, ...
 02777  1368   NtDuplicateObject  ... 576, ) == 0x0
 02778  1436   NtDuplicateObject  ... 580, ) == 0x0
 02781  1620   NtSetEventBoostPriority  (92, ...
 02780   792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02775   724   NtSetEventBoostPriority  ... ) == 0x0
 02782  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ...
 02779   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81909, 0}  ... {28, 56, reply, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\314\5\0\0" )  ) == 0x0
 02783  1368   NtWaitForSingleObject  (92, 0, 0x0, ...
 02691   248   NtWaitForSingleObject  ... ) == 0x0
 02781  1620   NtSetEventBoostPriority  ... ) == 0x0
 02784   792   NtWaitForSingleObject  (92, 0, 0x0, ...
 02785   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02782  2016   NtSetInformationProcess  ... ) == 0x0
 02786   896   NtResumeThread  (572, ...
 02787   248   NtSetEventBoostPriority  (92, ...
 02788  1620   NtWaitForSingleObject  (92, 0, 0x0, ...
 02785   724   NtDuplicateObject  ... 584, ) == 0x0
 02789  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 9824780, ... }, 9824780, ...
 02693  1276   NtWaitForSingleObject  ... ) == 0x0
 02786   896   NtResumeThread  ... 1, ) == 0x0
 02787   248   NtSetEventBoostPriority  ... ) == 0x0
 02790  1436   NtWaitForSingleObject  (92, 0, 0x0, ...
 02791  1484   NtWaitForSingleObject  (36, 0, 0x0, ...
 02789  2016   NtQueryAttributesFile  ... ) == 0x0
 02792  1276   NtSetEventBoostPriority  (92, ...
 02793   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02794   248   NtWaitForSingleObject  (92, 0, 0x0, ...
 02795  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... }, 5, 96, ...
 02696  1296   NtWaitForSingleObject  ... ) == 0x0
 02793   896   NtAllocateVirtualMemory  ... 123666432, 2097152, ) == 0x0
 02795  2016   NtOpenFile  ... 588, {status=0x0, info=1}, ) == 0x0
 02796  1296   NtSetEventBoostPriority  (92, ...
 02797   896   NtAllocateVirtualMemory  (-1, 125755392, 0, 8192, 4096, 4, ...
 02792  1276   NtSetEventBoostPriority  ... ) == 0x0
 02798   724   NtWaitForSingleObject  (92, 0, 0x0, ...
 02698   596   NtWaitForSingleObject  ... ) == 0x0
 02796  1296   NtSetEventBoostPriority  ... ) == 0x0
 02799  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 588, ...
 02800  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02801   596   NtSetEventBoostPriority  (92, ...
 02802  1296   NtWaitForSingleObject  (92, 0, 0x0, ...
 02799  2016   NtCreateSection  ... 592, ) == 0x0
 02695   220   NtWaitForSingleObject  ... ) == 0x0
 02801   596   NtSetEventBoostPriority  ... ) == 0x0
 02800  1276   NtDuplicateObject  ... 596, ) == 0x0
 02797   896   NtAllocateVirtualMemory  ... 125755392, 8192, ) == 0x0
 02803   220   NtSetEventBoostPriority  (92, ...
 02804  2016   NtClose  (588, ...
 02805   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 02707  1328   NtWaitForSingleObject  ... ) == 0x0
 02806   896   NtProtectVirtualMemory  (-1, (0x77ee000), 4096, 260, ...
 02804  2016   NtClose  ... ) == 0x0
 02803   220   NtSetEventBoostPriority  ... ) == 0x0
 02807  1276   NtWaitForSingleObject  (92, 0, 0x0, ...
 02808  1328   NtSetEventBoostPriority  (92, ...
 02806   896   NtProtectVirtualMemory  ... (0x77ee000), 4096, 4, ) == 0x0
 02809  2016   NtMapViewOfSection  (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02810   220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02709  1324   NtWaitForSingleObject  ... ) == 0x0
 02811   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02809  2016   NtMapViewOfSection  ... (0x1490000), 0x0, 180224, ) == 0x0
 02810   220   NtDuplicateObject  ... 588, ) == 0x0
 02812  1324   NtSetEventBoostPriority  (92, ...
 02811   896   NtCreateThread  ... 600, {1252, 888}, ) == 0x0
 02808  1328   NtSetEventBoostPriority  ... ) == 0x0
 02813  2016   NtClose  (592, ...
 02711  1636   NtWaitForSingleObject  ... ) == 0x0
 02812  1324   NtSetEventBoostPriority  ... ) == 0x0
 02814   896   NtQueryInformationThread  (600, Basic, 28, ...
 02815  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02816  1636   NtSetEventBoostPriority  (92, ...
 02813  2016   NtClose  ... ) == 0x0
 02817   220   NtWaitForSingleObject  (92, 0, 0x0, ...
 02818  1324   NtWaitForSingleObject  (196, 0, 0x0, ...
 02719   440   NtWaitForSingleObject  ... ) == 0x0
 02815  1328   NtDuplicateObject  ... 592, ) == 0x0
 02819  2016   NtUnmapViewOfSection  (-1, 0x1490000, ...
 02820   440   NtSetEventBoostPriority  (92, ...
 02816  1636   NtSetEventBoostPriority  ... ) == 0x0
 02814   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=888,}, 0x0, ) == 0x0
 02819  2016   NtUnmapViewOfSection  ... ) == 0x0
 02728  1588   NtWaitForSingleObject  ... ) == 0x0
 02820   440   NtSetEventBoostPriority  ... ) == 0x0
 02821  1636   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02822   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0x\3\0\0" ...  ...
 02823  1588   NtSetEventBoostPriority  (92, ...
 02824  2016   NtSetEventBoostPriority  (36, ...
 02825   440   NtWaitForSingleObject  (92, 0, 0x0, ...
 02821  1636   NtDuplicateObject  ... 604, ) == 0x0
 02730  1884   NtWaitForSingleObject  ... ) == 0x0
 02823  1588   NtSetEventBoostPriority  ... ) == 0x0
 02822   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81910, 0}  ... {28, 56, reply, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0x\3\0\0" )  ) == 0x0
 02791  1484   NtWaitForSingleObject  ... ) == 0x0
 02824  2016   NtSetEventBoostPriority  ... ) == 0x0
 02826  1328   NtWaitForSingleObject  (92, 0, 0x0, ...
 02827  1884   NtAllocateVirtualMemory  (-1, 5742592, 0, 4096, 4096, 4, ...
 02828  1588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02829  1484   NtSetEventBoostPriority  (36, ...
 02830   896   NtResumeThread  (600, ...
 02831  1636   NtWaitForSingleObject  (92, 0, 0x0, ...
 02827  1884   NtAllocateVirtualMemory  ... 5742592, 4096, ) == 0x0
 02832  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 9824376, ... }, 9824376, ...
 02805   596   NtWaitForSingleObject  ... ) == 0x0
 02829  1484   NtSetEventBoostPriority  ... ) == 0x0
 02830   896   NtResumeThread  ... 1, ) == 0x0
 02833  1884   NtSetEventBoostPriority  (92, ...
 02834   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 19460208, ... }, 19460208, ...
 02832  2016   NtQueryAttributesFile  ... ) == 0x0
 02835   888   NtWaitForSingleObject  (36, 0, 0x0, ...
 02836  1484   NtTestAlert  (...
 02733   704   NtWaitForSingleObject  ... ) == 0x0
 02834   596   NtQueryAttributesFile  ... ) == 0x0
 02837  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 9825120,  (0x80100080, {24, 0, 0x40, 0, 9825120, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... }, 0x0, 0, 5, 1, 96, 0, 0, ...
 02836  1484   NtTestAlert  ... ) == 0x0
 02838   596   NtSetEventBoostPriority  (36, ...
 02839   704   NtSetEventBoostPriority  (92, ...
 02837  2016   NtCreateFile  ... 608, {status=0x0, info=1}, ) == 0x0
 02835   888   NtWaitForSingleObject  ... ) == 0x0
 02840  1484   NtContinue  (123665712, 1, ...
 02734  1152   NtWaitForSingleObject  ... ) == 0x0
 02841  2016   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 608, ...
 02842   888   NtTestAlert  (...
 02843  1484   NtRegisterThreadTerminatePort  (24, ...
 02844  1152   NtSetEventBoostPriority  (92, ...
 02841  2016   NtCreateSection  ... 612, ) == 0x0
 02842   888   NtTestAlert  ... ) == 0x0
 02843  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02736  2044   NtWaitForSingleObject  ... ) == 0x0
 02844  1152   NtSetEventBoostPriority  ... ) == 0x0
 02839   704   NtSetEventBoostPriority  ... ) == 0x0
 02838   596   NtSetEventBoostPriority  ... ) == 0x0
 02833  1884   NtSetEventBoostPriority  ... ) == 0x0
 02845   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02846  2016   NtClose  (608, ...
 02847  1484   NtWaitForSingleObject  (92, 0, 0x0, ...
 02848  2044   NtSetEventBoostPriority  (92, ...
 02849  1152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02850   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02851   888   NtContinue  (125762864, 1, ...
 02852   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 02845   896   NtAllocateVirtualMemory  ... 125763584, 2097152, ) == 0x0
 02846  2016   NtClose  ... ) == 0x0
 02853  1884   NtWaitForSingleObject  (92, 0, 0x0, ...
 02741  1228   NtWaitForSingleObject  ... ) == 0x0
 02848  2044   NtSetEventBoostPriority  ... ) == 0x0
 02849  1152   NtDuplicateObject  ... 608, ) == 0x0
 02850   704   NtDuplicateObject  ... 616, ) == 0x0
 02854   888   NtRegisterThreadTerminatePort  (24, ...
 02852   596   NtOpenKey  ... 620, ) == 0x0
 02855   896   NtAllocateVirtualMemory  (-1, 127852544, 0, 8192, 4096, 4, ...
 02856  2016   NtMapViewOfSection  (612, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ...
 02857  1228   NtSetEventBoostPriority  (92, ...
 02858  2044   NtWaitForSingleObject  (92, 0, 0x0, ...
 02859  1152   NtWaitForSingleObject  (92, 0, 0x0, ...
 02854   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 02860   596   NtQueryValueKey  (620,  (620, "Transports", Partial, 144, ... , Partial, 144, ...
 02855   896   NtAllocateVirtualMemory  ... 127852544, 8192, ) == 0x0
 02743   588   NtWaitForSingleObject  ... ) == 0x0
 02857  1228   NtSetEventBoostPriority  ... ) == 0x0
 02856  2016   NtMapViewOfSection  ... (0x1490000), {0, 0}, 180224, ) == 0x0
 02861   704   NtWaitForSingleObject  (92, 0, 0x0, ...
 02862   888   NtWaitForSingleObject  (92, 0, 0x0, ...
 02860   596   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 02863   588   NtSetEventBoostPriority  (92, ...
 02864   896   NtProtectVirtualMemory  (-1, (0x79ee000), 4096, 260, ...
 02865  2016   NtClose  (612, ...
 02744   376   NtWaitForSingleObject  ... ) == 0x0
 02863   588   NtSetEventBoostPriority  ... ) == 0x0
 02866   596   NtQueryValueKey  (620,  (620, "Transports", Partial, 144, ... , Partial, 144, ...
 02864   896   NtProtectVirtualMemory  ... (0x79ee000), 4096, 4, ) == 0x0
 02867   376   NtSetEventBoostPriority  (92, ...
 02865  2016   NtClose  ... ) == 0x0
 02868   588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02866   596   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 02869  1228   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02747  1308   NtWaitForSingleObject  ... ) == 0x0
 02867   376   NtSetEventBoostPriority  ... ) == 0x0
 02870   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02871  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ...
 02872  1308   NtSetEventBoostPriority  (92, ...
 02869  1228   NtDuplicateObject  ... 612, ) == 0x0
 02873   596   NtClose  (620, ...
 02870   896   NtCreateThread  ... 624, {1252, 1120}, ) == 0x0
 02756  1776   NtWaitForSingleObject  ... ) == 0x0
 02871  2016   NtQueryInformationProcess  ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02874  1228   NtWaitForSingleObject  (92, 0, 0x0, ...
 02873   596   NtClose  ... ) == 0x0
 02875   896   NtQueryInformationThread  (624, Basic, 28, ...
 02876  1776   NtSetEventBoostPriority  (92, ...
 02877  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ...
 02878   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 02875   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0
 02760  1652   NtWaitForSingleObject  ... ) == 0x0
 02876  1776   NtSetEventBoostPriority  ... ) == 0x0
 02877  2016   NtSetInformationProcess  ... ) == 0x0
 02878   596   NtOpenKey  ... 620, ) == 0x0
 02879  1652   NtSetEventBoostPriority  (92, ...
 02880   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0`\4\0\0" ...  ...
 02872  1308   NtSetEventBoostPriority  ... ) == 0x0
 02881   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 02882  2016   NtQueryDefaultLocale  (1, 9825740, ...
 02767  1676   NtWaitForSingleObject  ... ) == 0x0
 02879  1652   NtSetEventBoostPriority  ... ) == 0x0
 02883   596   NtQueryValueKey  (620,  (620, "Mapping", Partial, 144, ... , Partial, 144, ...
 02884  1308   NtWaitForSingleObject  (92, 0, 0x0, ...
 02885  1676   NtSetEventBoostPriority  (92, ...
 02882  2016   NtQueryDefaultLocale  ... ) == 0x0
 02886  1652   NtWaitForSingleObject  (92, 0, 0x0, ...
 02883   596   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 02769   500   NtWaitForSingleObject  ... ) == 0x0
 02885  1676   NtSetEventBoostPriority  ... ) == 0x0
 02887  1776   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02880   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81911, 0}  ... {28, 56, reply, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0`\4\0\0" )  ) == 0x0
 02888  2016   NtQueryVirtualMemory  (-1, 0x1490000, Basic, 28, ...
 02889   500   NtSetEventBoostPriority  (92, ...
 02890  1676   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02887  1776   NtWaitForSingleObject  ... ) == 0x102
 02891   896   NtResumeThread  (624, ...
 02774  1376   NtWaitForSingleObject  ... ) == 0x0
 02889   500   NtSetEventBoostPriority  ... ) == 0x0
 02888  2016   NtQueryVirtualMemory  ... {BaseAddress=0x1490000,AllocationBase=0x1490000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02892   596   NtWaitForSingleObject  (92, 0, 0x0, ...
 02893  1776   NtWaitForSingleObject  (196, 0, 0x0, ...
 02894  1376   NtSetEventBoostPriority  (92, ...
 02891   896   NtResumeThread  ... 1, ) == 0x0
 02890  1676   NtWaitForSingleObject  ... ) == 0x102
 02895  2016   NtQueryVirtualMemory  (-1, 0x1490000, Basic, 28, ...
 02783  1368   NtWaitForSingleObject  ... ) == 0x0
 02894  1376   NtSetEventBoostPriority  ... ) == 0x0
 02896   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02897  1676   NtWaitForSingleObject  (92, 0, 0x0, ...
 02898  1368   NtSetEventBoostPriority  (92, ...
 02895  2016   NtQueryVirtualMemory  ... {BaseAddress=0x1490000,AllocationBase=0x1490000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02899  1376   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02896   896   NtAllocateVirtualMemory  ... 127860736, 2097152, ) == 0x0
 02784   792   NtWaitForSingleObject  ... ) == 0x0
 02898  1368   NtSetEventBoostPriority  ... ) == 0x0
 02900  2016   NtUnmapViewOfSection  (-1, 0x1490000, ...
 02901   500   NtWaitForSingleObject  (92, 0, 0x0, ...
 02902  1120   NtTestAlert  (...
 02903   792   NtSetEventBoostPriority  (92, ...
 02904   896   NtAllocateVirtualMemory  (-1, 129949696, 0, 8192, 4096, 4, ...
 02905  1368   NtWaitForSingleObject  (92, 0, 0x0, ...
 02900  2016   NtUnmapViewOfSection  ... ) == 0x0
 02788  1620   NtWaitForSingleObject  ... ) == 0x0
 02903   792   NtSetEventBoostPriority  ... ) == 0x0
 02902  1120   NtTestAlert  ... ) == 0x0
 02899  1376   NtWaitForSingleObject  ... ) == 0x102
 02904   896   NtAllocateVirtualMemory  ... 129949696, 8192, ) == 0x0
 02906  1620   NtSetEventBoostPriority  (92, ...
 02907  2016   NtWaitForSingleObject  (92, 0, 0x0, ...
 02908  1120   NtContinue  (127860016, 1, ...
 02909  1376   NtWaitForSingleObject  (196, 0, 0x0, ...
 02790  1436   NtWaitForSingleObject  ... ) == 0x0
 02910   896   NtProtectVirtualMemory  (-1, (0x7bee000), 4096, 260, ...
 02911  1120   NtRegisterThreadTerminatePort  (24, ...
 02912  1436   NtSetEventBoostPriority  (92, ...
 02910   896   NtProtectVirtualMemory  ... (0x7bee000), 4096, 4, ) == 0x0
 02911  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02794   248   NtWaitForSingleObject  ... ) == 0x0
 02912  1436   NtSetEventBoostPriority  ... ) == 0x0
 02913   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02906  1620   NtSetEventBoostPriority  ... ) == 0x0
 02914   792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02915   248   NtSetEventBoostPriority  (92, ...
 02916  1436   NtWaitForSingleObject  (92, 0, 0x0, ...
 02917  1620   NtWaitForSingleObject  (92, 0, 0x0, ...
 02798   724   NtWaitForSingleObject  ... ) == 0x0
 02915   248   NtSetEventBoostPriority  ... ) == 0x0
 02914   792   NtDuplicateObject  ... 628, ) == 0x0
 02918  1120   NtWaitForSingleObject  (92, 0, 0x0, ...
 02913   896   NtCreateThread  ... 632, {1252, 840}, ) == 0x0
 02919   724   NtSetEventBoostPriority  (92, ...
 02920   792   NtWaitForSingleObject  (92, 0, 0x0, ...
 02802  1296   NtWaitForSingleObject  ... ) == 0x0
 02919   724   NtSetEventBoostPriority  ... ) == 0x0
 02921   896   NtQueryInformationThread  (632, Basic, 28, ...
 02922  1296   NtSetEventBoostPriority  (92, ...
 02923   724   NtWaitForSingleObject  (92, 0, 0x0, ...
 02807  1276   NtWaitForSingleObject  ... ) == 0x0
 02921   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=840,}, 0x0, ) == 0x0
 02922  1296   NtSetEventBoostPriority  ... ) == 0x0
 02924   248   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02925  1276   NtSetEventBoostPriority  (92, ...
 02926   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0H\3\0\0" ...  ...
 02927  1296   NtWaitForSingleObject  (92, 0, 0x0, ...
 02924   248   NtCreateEvent  ... 636, ) == 0x0
 02817   220   NtWaitForSingleObject  ... ) == 0x0
 02925  1276   NtSetEventBoostPriority  ... ) == 0x0
 02926   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81912, 0}  ... {28, 56, reply, 0, 1252, 896, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0H\3\0\0" )  ) == 0x0
 02928   220   NtSetEventBoostPriority  (92, ...
 02929   248   NtWaitForSingleObject  (636, 0, 0x0, ...
 02930  1276   NtWaitForSingleObject  (92, 0, 0x0, ...
 02825   440   NtWaitForSingleObject  ... ) == 0x0
 02928   220   NtSetEventBoostPriority  ... ) == 0x0
 02931   896   NtResumeThread  (632, ...
 02932   440   NtSetEventBoostPriority  (92, ...
 02933   220   NtWaitForSingleObject  (92, 0, 0x0, ...
 02826  1328   NtWaitForSingleObject  ... ) == 0x0
 02931   896   NtResumeThread  ... 1, ) == 0x0
 02932   440   NtSetEventBoostPriority  ... ) == 0x0
 02934  1328   NtSetEventBoostPriority  (92, ...
 02935   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02936   440   NtWaitForSingleObject  (92, 0, 0x0, ...
 02831  1636   NtWaitForSingleObject  ... ) == 0x0
 02934  1328   NtSetEventBoostPriority  ... ) == 0x0
 02935   896   NtAllocateVirtualMemory  ... 129957888, 2097152, ) == 0x0
 02937  1636   NtSetEventBoostPriority  (92, ...
 02938  1328   NtWaitForSingleObject  (92, 0, 0x0, ...
 02828  1588   NtWaitForSingleObject  ... ) == 0x0
 02937  1636   NtSetEventBoostPriority  ... ) == 0x0
 02939   896   NtAllocateVirtualMemory  (-1, 132046848, 0, 8192, 4096, 4, ...
 02940   840   NtTestAlert  (...
 02941  1588   NtSetEventBoostPriority  (92, ...
 02942  1636   NtWaitForSingleObject  (92, 0, 0x0, ...
 02939   896   NtAllocateVirtualMemory  ... 132046848, 8192, ) == 0x0
 02853  1884   NtWaitForSingleObject  ... ) == 0x0
 02940   840   NtTestAlert  ... ) == 0x0
 02941  1588   NtSetEventBoostPriority  ... ) == 0x0
 02943  1884   NtSetEventBoostPriority  (92, ...
 02944   840   NtContinue  (129957168, 1, ...
 02945  1588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02847  1484   NtWaitForSingleObject  ... ) == 0x0
 02943  1884   NtSetEventBoostPriority  ... ) == 0x0
 02946   840   NtRegisterThreadTerminatePort  (24, ...
 02947  1484   NtSetEventBoostPriority  (92, ...
 02948  1884   NtWaitForSingleObject  (636, 0, 0x0, ...
 02859  1152   NtWaitForSingleObject  ... ) == 0x0
 02946   840   NtRegisterThreadTerminatePort  ... ) == 0x0
 02947  1484   NtSetEventBoostPriority  ... ) == 0x0
 02949   896   NtProtectVirtualMemory  (-1, (0x7dee000), 4096, 260, ...
 02950  1152   NtSetEventBoostPriority  (92, ...
 02951  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02949   896   NtProtectVirtualMemory  ... (0x7dee000), 4096, 4, ) == 0x0
 02858  2044   NtWaitForSingleObject  ... ) == 0x0
 02950  1152   NtSetEventBoostPriority  ... ) == 0x0
 02951  1484   NtDuplicateObject  ... 640, ) == 0x0
 02952  2044   NtSetEventBoostPriority  (92, ...
 02953   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 02954  1152   NtWaitForSingleObject  (92, 0, 0x0, ...
 02955   840   NtWaitForSingleObject  (92, 0, 0x0, ...
 02861   704   NtWaitForSingleObject  ... ) == 0x0
 02953   896   NtCreateThread  ... 644, {1252, 876}, ) == 0x0
 02952  2044   NtSetEventBoostPriority  ... ) == 0x0
 02956  1484   NtWaitForSingleObject  (92, 0, 0x0, ...
 02957   704   NtSetEventBoostPriority  (92, ...
 02958   896   NtQueryInformationThread  (644, Basic, 28, ...
 02959  2044   NtWaitForSingleObject  (636, 0, 0x0, ...
 02862   888   NtWaitForSingleObject  ... ) == 0x0
 02957   704   NtSetEventBoostPriority  ... ) == 0x0
 02958   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=876,}, 0x0, ) == 0x0
 02960   888   NtSetEventBoostPriority  (92, ...
 02961   704   NtWaitForSingleObject  (92, 0, 0x0, ...
 02868   588   NtWaitForSingleObject  ... ) == 0x0
 02960   888   NtSetEventBoostPriority  ... ) == 0x0
 02962   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81912, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0l\3\0\0" ...  ...
 02963   588   NtSetEventBoostPriority  (92, ...
 02874  1228   NtWaitForSingleObject  ... ) == 0x0
 02964  1228   NtSetEventBoostPriority  (92, ...
 02881   376   NtWaitForSingleObject  ... ) == 0x0
 02965   376   NtSetEventBoostPriority  (92, ...
 02884  1308   NtWaitForSingleObject  ... ) == 0x0
 02966  1308   NtSetEventBoostPriority  (92, ...
 02886  1652   NtWaitForSingleObject  ... ) == 0x0
 02967  1652   NtSetEventBoostPriority  (92, ...
 02892   596   NtWaitForSingleObject  ... ) == 0x0
 02968   596   NtSetEventBoostPriority  (92, ...
 02897  1676   NtWaitForSingleObject  ... ) == 0x0
 02969  1676   NtSetEventBoostPriority  (92, ...
 02901   500   NtWaitForSingleObject  ... ) == 0x0
 02970   500   NtSetEventBoostPriority  (92, ...
 02905  1368   NtWaitForSingleObject  ... ) == 0x0
 02971  1368   NtSetEventBoostPriority  (92, ...
 02907  2016   NtWaitForSingleObject  ... ) == 0x0
 02972  2016   NtAllocateVirtualMemory  (-1, 5746688, 0, 4096, 4096, 4, ... 5746688, 4096, ) == 0x0
 02973  2016   NtSetEventBoostPriority  (92, ...
 02970   500   NtSetEventBoostPriority  ... ) == 0x0
 02969  1676   NtSetEventBoostPriority  ... ) == 0x0
 02968   596   NtSetEventBoostPriority  ... ) == 0x0
 02966  1308   NtSetEventBoostPriority  ... ) == 0x0
 02965   376   NtSetEventBoostPriority  ... ) == 0x0
 02964  1228   NtSetEventBoostPriority  ... ) == 0x0
 02962   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81913, 0}  ... {28, 56, reply, 0, 1252, 896, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0l\3\0\0" )  ) == 0x0
 02971  1368   NtSetEventBoostPriority  ... ) == 0x0
 02967  1652   NtSetEventBoostPriority  ... ) == 0x0
 02963   588   NtSetEventBoostPriority  ... ) == 0x0
 02974   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02975   500   NtSetEventBoostPriority  (636, ...
 02917  1620   NtWaitForSingleObject  ... ) == 0x0
 02973  2016   NtSetEventBoostPriority  ... ) == 0x0
 02976   596   NtQueryValueKey  (620,  (620, "Mapping", Partial, 144, ... , Partial, 144, ...
 02977  1676   NtWaitForSingleObject  (196, 0, 0x0, ...
 02978   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02979  1308   NtWaitForSingleObject  (636, 0, 0x0, ...
 02980   896   NtResumeThread  (644, ...
 02981  1368   NtWaitForSingleObject  (636, 0, 0x0, ...
 02982  1652   NtWaitForSingleObject  (636, 0, 0x0, ...
 02983   588   NtWaitForSingleObject  (92, 0, 0x0, ...
 02974   888   NtDuplicateObject  ... 648, ) == 0x0
 02984  1228   NtWaitForSingleObject  (92, 0, 0x0, ...
 02985  1620   NtSetEventBoostPriority  (92, ...
 02986  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ...
 02929   248   NtWaitForSingleObject  ... ) == 0x0
 02975   500   NtSetEventBoostPriority  ... ) == 0x0
 02976   596   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 02980   896   NtResumeThread  ... 1, ) == 0x0
 02987   888   NtWaitForSingleObject  (92, 0, 0x0, ...
 02916  1436   NtWaitForSingleObject  ... ) == 0x0
 02985  1620   NtSetEventBoostPriority  ... ) == 0x0
 02986  2016   NtQueryInformationProcess  ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02988   248   NtWaitForSingleObject  (92, 0, 0x0, ...
 02989   500   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 02990   596   NtWaitForSingleObject  (92, 0, 0x0, ...
 02991   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 02992  1436   NtSetEventBoostPriority  (92, ...
 02978   376   NtCreateEvent  ... 652, ) == 0x0
 02993   876   NtTestAlert  (...
 02994  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ...
 02989   500   NtWaitForSingleObject  ... ) == 0x102
 02995  1620   NtWaitForSingleObject  (636, 0, 0x0, ...
 02918  1120   NtWaitForSingleObject  ... ) == 0x0
 02996   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02993   876   NtTestAlert  ... ) == 0x0
 02994  2016   NtSetInformationProcess  ... ) == 0x0
 02997   500   NtWaitForSingleObject  (196, 0, 0x0, ...
 02998  1120   NtSetEventBoostPriority  (92, ...
 02996   376   NtDuplicateObject  ... 656, ) == 0x0
 02999   876   NtContinue  (132054320, 1, ...
 03000  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 9824772, ... }, 9824772, ...
 02920   792   NtWaitForSingleObject  ... ) == 0x0
 02998  1120   NtSetEventBoostPriority  ... ) == 0x0
 03001   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 03002   876   NtRegisterThreadTerminatePort  (24, ...
 02992  1436   NtSetEventBoostPriority  ... ) == 0x0
 02991   896   NtAllocateVirtualMemory  ... 132055040, 2097152, ) == 0x0
 03003   792   NtSetEventBoostPriority  (92, ...
 03004  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03002   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 03005  1436   NtWaitForSingleObject  (92, 0, 0x0, ...
 02927  1296   NtWaitForSingleObject  ... ) == 0x0
 03003   792   NtSetEventBoostPriority  ... ) == 0x0
 03006   896   NtAllocateVirtualMemory  (-1, 134144000, 0, 8192, 4096, 4, ...
 03000  2016   NtQueryAttributesFile  ... ) == 0x0
 03004  1120   NtDuplicateObject  ... 660, ) == 0x0
 03007  1296   NtSetEventBoostPriority  (92, ...
 03008   876   NtWaitForSingleObject  (92, 0, 0x0, ...
 03006   896   NtAllocateVirtualMemory  ... 134144000, 8192, ) == 0x0
 03009  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... }, 5, 96, ...
 02923   724   NtWaitForSingleObject  ... ) == 0x0
 03007  1296   NtSetEventBoostPriority  ... ) == 0x0
 03010  1120   NtWaitForSingleObject  (92, 0, 0x0, ...
 03011   896   NtProtectVirtualMemory  (-1, (0x7fee000), 4096, 260, ...
 03012   724   NtSetEventBoostPriority  (92, ...
 03009  2016   NtOpenFile  ... 664, {status=0x0, info=1}, ) == 0x0
 03013   792   NtWaitForSingleObject  (92, 0, 0x0, ...
 02930  1276   NtWaitForSingleObject  ... ) == 0x0
 03011   896   NtProtectVirtualMemory  ... (0x7fee000), 4096, 4, ) == 0x0
 03014  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 664, ...
 03015  1276   NtSetEventBoostPriority  (92, ...
 03016   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03014  2016   NtCreateSection  ... 668, ) == 0x0
 02936   440   NtWaitForSingleObject  ... ) == 0x0
 03015  1276   NtSetEventBoostPriority  ... ) == 0x0
 03012   724   NtSetEventBoostPriority  ... ) == 0x0
 03017  1296   NtWaitForSingleObject  (636, 0, 0x0, ...
 03018  2016   NtClose  (664, ...
 03019   440   NtSetEventBoostPriority  (92, ...
 03020  1276   NtWaitForSingleObject  (636, 0, 0x0, ...
 03021   724   NtWaitForSingleObject  (636, 0, 0x0, ...
 03016   896   NtCreateThread  ... 672, {1252, 1104}, ) == 0x0
 02933   220   NtWaitForSingleObject  ... ) == 0x0
 03019   440   NtSetEventBoostPriority  ... ) == 0x0
 03022   220   NtSetEventBoostPriority  (92, ...
 03023   896   NtQueryInformationThread  (672, Basic, 28, ...
 03018  2016   NtClose  ... ) == 0x0
 02938  1328   NtWaitForSingleObject  ... ) == 0x0
 03023   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0
 03024  2016   NtMapViewOfSection  (668, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 03025  1328   NtSetEventBoostPriority  (92, ...
 03026   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81913, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0P\4\0\0" ...  ...
 03024  2016   NtMapViewOfSection  ... (0x1490000), 0x0, 180224, ) == 0x0
 02942  1636   NtWaitForSingleObject  ... ) == 0x0
 03026   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81914, 0}  ... {28, 56, reply, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0P\4\0\0" )  ) == 0x0
 03027  2016   NtClose  (668, ...
 03028  1636   NtSetEventBoostPriority  (92, ...
 03025  1328   NtSetEventBoostPriority  ... ) == 0x0
 03022   220   NtSetEventBoostPriority  ... ) == 0x0
 03029   440   NtWaitForSingleObject  (636, 0, 0x0, ...
 03027  2016   NtClose  ... ) == 0x0
 02945  1588   NtWaitForSingleObject  ... ) == 0x0
 03030  1328   NtWaitForSingleObject  (636, 0, 0x0, ...
 03031   220   NtWaitForSingleObject  (636, 0, 0x0, ...
 03032  2016   NtUnmapViewOfSection  (-1, 0x1490000, ...
 03033  1588   NtSetEventBoostPriority  (92, ...
 03028  1636   NtSetEventBoostPriority  ... ) == 0x0
 03034   896   NtResumeThread  (672, ...
 02955   840   NtWaitForSingleObject  ... ) == 0x0
 03033  1588   NtSetEventBoostPriority  ... ) == 0x0
 03035  1636   NtWaitForSingleObject  (636, 0, 0x0, ...
 03036   840   NtSetEventBoostPriority  (92, ...
 03034   896   NtResumeThread  ... 1, ) == 0x0
 03032  2016   NtUnmapViewOfSection  ... ) == 0x0
 02956  1484   NtWaitForSingleObject  ... ) == 0x0
 03036   840   NtSetEventBoostPriority  ... ) == 0x0
 03037   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03038  1484   NtSetEventBoostPriority  (92, ...
 03039  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 9824368, ... }, 9824368, ...
 03040   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02954  1152   NtWaitForSingleObject  ... ) == 0x0
 03038  1484   NtSetEventBoostPriority  ... ) == 0x0
 03037   896   NtAllocateVirtualMemory  ... 134152192, 2097152, ) == 0x0
 03039  2016   NtQueryAttributesFile  ... ) == 0x0
 03041  1588   NtWaitForSingleObject  (636, 0, 0x0, ...
 03042  1104   NtTestAlert  (...
 03043  1152   NtSetEventBoostPriority  (92, ...
 03044  1484   NtWaitForSingleObject  (636, 0, 0x0, ...
 03045   896   NtAllocateVirtualMemory  (-1, 136241152, 0, 8192, 4096, 4, ...
 03046  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 9825112,  (0x80100080, {24, 0, 0x40, 0, 9825112, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... }, 0x0, 0, 5, 1, 96, 0, 0, ...
 02961   704   NtWaitForSingleObject  ... ) == 0x0
 03042  1104   NtTestAlert  ... ) == 0x0
 03043  1152   NtSetEventBoostPriority  ... ) == 0x0
 03040   840   NtDuplicateObject  ... 668, ) == 0x0
 03045   896   NtAllocateVirtualMemory  ... 136241152, 8192, ) == 0x0
 03046  2016   NtCreateFile  ... 664, {status=0x0, info=1}, ) == 0x0
 03047   704   NtSetEventBoostPriority  (92, ...
 03048  1104   NtContinue  (134151472, 1, ...
 03049  1152   NtWaitForSingleObject  (92, 0, 0x0, ...
 03050   840   NtWaitForSingleObject  (92, 0, 0x0, ...
 03051  2016   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 664, ...
 02983   588   NtWaitForSingleObject  ... ) == 0x0
 03052  1104   NtRegisterThreadTerminatePort  (24, ...
 03047   704   NtSetEventBoostPriority  ... ) == 0x0
 03053   896   NtProtectVirtualMemory  (-1, (0x81ee000), 4096, 260, ...
 03054   588   NtSetEventBoostPriority  (92, ...
 03052  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 03055   704   NtWaitForSingleObject  (636, 0, 0x0, ...
 03053   896   NtProtectVirtualMemory  ... (0x81ee000), 4096, 4, ) == 0x0
 02984  1228   NtWaitForSingleObject  ... ) == 0x0
 03054   588   NtSetEventBoostPriority  ... ) == 0x0
 03051  2016   NtCreateSection  ... 676, ) == 0x0
 03056  1228   NtSetEventBoostPriority  (92, ...
 03057   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03058  1104   NtWaitForSingleObject  (92, 0, 0x0, ...
 02987   888   NtWaitForSingleObject  ... ) == 0x0
 03056  1228   NtSetEventBoostPriority  ... ) == 0x0
 03059  2016   NtClose  (664, ...
 03057   896   NtCreateThread  ... 680, {1252, 860}, ) == 0x0
 03060   888   NtSetEventBoostPriority  (92, ...
 03061  1228   NtWaitForSingleObject  (92, 0, 0x0, ...
 03059  2016   NtClose  ... ) == 0x0
 02988   248   NtWaitForSingleObject  ... ) == 0x0
 03060   888   NtSetEventBoostPriority  ... ) == 0x0
 03062   896   NtQueryInformationThread  (680, Basic, 28, ...
 03063   588   NtWaitForSingleObject  (636, 0, 0x0, ...
 03064   248   NtSetEventBoostPriority  (92, ...
 03065  2016   NtMapViewOfSection  (676, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ...
 03062   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=860,}, 0x0, ) == 0x0
 02990   596   NtWaitForSingleObject  ... ) == 0x0
 03064   248   NtSetEventBoostPriority  ... ) == 0x0
 03065  2016   NtMapViewOfSection  ... (0x1490000), {0, 0}, 180224, ) == 0x0
 03066   888   NtWaitForSingleObject  (636, 0, 0x0, ...
 03067   596   NtSetEventBoostPriority  (92, ...
 03068   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\\3\0\0" ...  ...
 03069  2016   NtClose  (676, ...
 03001   376   NtWaitForSingleObject  ... ) == 0x0
 03067   596   NtSetEventBoostPriority  ... ) == 0x0
 03068   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81915, 0}  ... {28, 56, reply, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\\3\0\0" )  ) == 0x0
 03070   248   NtSetEventBoostPriority  (636, ...
 03071   376   NtSetEventBoostPriority  (92, ...
 03069  2016   NtClose  ... ) == 0x0
 03072   896   NtResumeThread  (680, ...
 03005  1436   NtWaitForSingleObject  ... ) == 0x0
 03071   376   NtSetEventBoostPriority  ... ) == 0x0
 02948  1884   NtWaitForSingleObject  ... ) == 0x0
 03070   248   NtSetEventBoostPriority  ... ) == 0x0
 03073  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ...
 03074  1436   NtSetEventBoostPriority  (92, ...
 03072   896   NtResumeThread  ... 1, ) == 0x0
 03075   596   NtQueryValueKey  (620,  (620, "Mapping", Partial, 152, ... , Partial, 152, ...
 03076  1884   NtWaitForSingleObject  (92, 0, 0x0, ...
 03077   248   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03008   876   NtWaitForSingleObject  ... ) == 0x0
 03074  1436   NtSetEventBoostPriority  ... ) == 0x0
 03073  2016   NtQueryInformationProcess  ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03078   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03075   596   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 03079   876   NtSetEventBoostPriority  (92, ...
 03077   248   NtWaitForSingleObject  ... ) == 0x102
 03080   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 03081   860   NtTestAlert  (...
 03082  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ...
 03083  1436   NtWaitForSingleObject  (636, 0, 0x0, ...
 03010  1120   NtWaitForSingleObject  ... ) == 0x0
 03079   876   NtSetEventBoostPriority  ... ) == 0x0
 03084   596   NtClose  (620, ...
 03085   248   NtWaitForSingleObject  (196, 0, 0x0, ...
 03081   860   NtTestAlert  ... ) == 0x0
 03082  2016   NtSetInformationProcess  ... ) == 0x0
 03086  1120   NtSetEventBoostPriority  (92, ...
 03087   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03084   596   NtClose  ... ) == 0x0
 03078   896   NtAllocateVirtualMemory  ... 136249344, 2097152, ) == 0x0
 03088   860   NtContinue  (136248624, 1, ...
 03013   792   NtWaitForSingleObject  ... ) == 0x0
 03086  1120   NtSetEventBoostPriority  ... ) == 0x0
 03089  2016   NtQueryDefaultLocale  (1, 9825732, ...
 03090   596   NtWaitForSingleObject  (92, 0, 0x0, ...
 03091   896   NtAllocateVirtualMemory  (-1, 138338304, 0, 8192, 4096, 4, ...
 03092   792   NtSetEventBoostPriority  (92, ...
 03093   860   NtRegisterThreadTerminatePort  (24, ...
 03087   876   NtDuplicateObject  ... 620, ) == 0x0
 03094  1120   NtWaitForSingleObject  (636, 0, 0x0, ...
 03049  1152   NtWaitForSingleObject  ... ) == 0x0
 03092   792   NtSetEventBoostPriority  ... ) == 0x0
 03091   896   NtAllocateVirtualMemory  ... 138338304, 8192, ) == 0x0
 03093   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 03095   876   NtWaitForSingleObject  (92, 0, 0x0, ...
 03096  1152   NtSetEventBoostPriority  (92, ...
 03097   792   NtWaitForSingleObject  (636, 0, 0x0, ...
 03098   896   NtProtectVirtualMemory  (-1, (0x83ee000), 4096, 260, ...
 03089  2016   NtQueryDefaultLocale  ... ) == 0x0
 03050   840   NtWaitForSingleObject  ... ) == 0x0
 03096  1152   NtSetEventBoostPriority  ... ) == 0x0
 03099   860   NtWaitForSingleObject  (92, 0, 0x0, ...
 03098   896   NtProtectVirtualMemory  ... (0x83ee000), 4096, 4, ) == 0x0
 03100   840   NtSetEventBoostPriority  (92, ...
 03101  2016   NtQueryVirtualMemory  (-1, 0x1490000, Basic, 28, ...
 03058  1104   NtWaitForSingleObject  ... ) == 0x0
 03100   840   NtSetEventBoostPriority  ... ) == 0x0
 03102   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03103  1104   NtSetEventBoostPriority  (92, ...
 03101  2016   NtQueryVirtualMemory  ... {BaseAddress=0x1490000,AllocationBase=0x1490000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 03104  1152   NtWaitForSingleObject  (636, 0, 0x0, ...
 03105   840   NtWaitForSingleObject  (636, 0, 0x0, ...
 03061  1228   NtWaitForSingleObject  ... ) == 0x0
 03103  1104   NtSetEventBoostPriority  ... ) == 0x0
 03106  2016   NtUnmapViewOfSection  (-1, 0x1490000, ...
 03107  1228   NtSetEventBoostPriority  (92, ...
 03108  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03076  1884   NtWaitForSingleObject  ... ) == 0x0
 03106  2016   NtUnmapViewOfSection  ... ) == 0x0
 03107  1228   NtSetEventBoostPriority  ... ) == 0x0
 03102   896   NtCreateThread  ... 676, {1252, 1516}, ) == 0x0
 03109  1884   NtSetEventBoostPriority  (92, ...
 03110  2016   NtWaitForSingleObject  (92, 0, 0x0, ...
 03111  1228   NtWaitForSingleObject  (636, 0, 0x0, ...
 03080   376   NtWaitForSingleObject  ... ) == 0x0
 03112   896   NtQueryInformationThread  (676, Basic, 28, ...
 03109  1884   NtSetEventBoostPriority  ... ) == 0x0
 03108  1104   NtDuplicateObject  ... 664, ) == 0x0
 03113   376   NtSetEventBoostPriority  (92, ...
 03112   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=1516,}, 0x0, ) == 0x0
 03114  1104   NtWaitForSingleObject  (92, 0, 0x0, ...
 03090   596   NtWaitForSingleObject  ... ) == 0x0
 03113   376   NtSetEventBoostPriority  ... ) == 0x0
 03115   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\354\5\0\0" ...  ...
 03116   596   NtAllocateVirtualMemory  (-1, 5750784, 0, 4096, 4096, 4, ...
 03117   376   NtWaitForSingleObject  (92, 0, 0x0, ...
 03116   596   NtAllocateVirtualMemory  ... 5750784, 4096, ) == 0x0
 03115   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81916, 0}  ... {28, 56, reply, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\354\5\0\0" )  ) == 0x0
 03118  1884   NtSetEventBoostPriority  (636, ...
 03119   596   NtSetEventBoostPriority  (92, ...
 02959  2044   NtWaitForSingleObject  ... ) == 0x0
 03118  1884   NtSetEventBoostPriority  ... ) == 0x0
 03120  2044   NtWaitForSingleObject  (92, 0, 0x0, ...
 03095   876   NtWaitForSingleObject  ... ) == 0x0
 03119   596   NtSetEventBoostPriority  ... ) == 0x0
 03121   876   NtSetEventBoostPriority  (92, ...
 03122  1884   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03099   860   NtWaitForSingleObject  ... ) == 0x0
 03121   876   NtSetEventBoostPriority  ... ) == 0x0
 03123   596   NtWaitForSingleObject  (92, 0, 0x0, ...
 03124   860   NtSetEventBoostPriority  (92, ...
 03122  1884   NtWaitForSingleObject  ... ) == 0x102
 03125   896   NtResumeThread  (676, ...
 03110  2016   NtWaitForSingleObject  ... ) == 0x0
 03124   860   NtSetEventBoostPriority  ... ) == 0x0
 03126  1884   NtWaitForSingleObject  (92, 0, 0x0, ...
 03127  2016   NtSetEventBoostPriority  (92, ...
 03125   896   NtResumeThread  ... 1, ) == 0x0
 03128   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03129   876   NtWaitForSingleObject  (92, 0, 0x0, ...
 03130  1516   NtTestAlert  (...
 03114  1104   NtWaitForSingleObject  ... ) == 0x0
 03131   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03127  2016   NtSetEventBoostPriority  ... ) == 0x0
 03130  1516   NtTestAlert  ... ) == 0x0
 03132  1104   NtSetEventBoostPriority  (92, ...
 03131   896   NtAllocateVirtualMemory  ... 138346496, 2097152, ) == 0x0
 03133  2016   NtWaitForSingleObject  (92, 0, 0x0, ...
 03134  1516   NtContinue  (138345776, 1, ...
 03117   376   NtWaitForSingleObject  ... ) == 0x0
 03132  1104   NtSetEventBoostPriority  ... ) == 0x0
 03135   896   NtAllocateVirtualMemory  (-1, 140435456, 0, 8192, 4096, 4, ...
 03136   376   NtSetEventBoostPriority  (92, ...
 03137  1516   NtRegisterThreadTerminatePort  (24, ...
 03128   860   NtDuplicateObject  ... 684, ) == 0x0
 03120  2044   NtWaitForSingleObject  ... ) == 0x0
 03135   896   NtAllocateVirtualMemory  ... 140435456, 8192, ) == 0x0
 03137  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 03138  2044   NtSetEventBoostPriority  (92, ...
 03139   860   NtWaitForSingleObject  (92, 0, 0x0, ...
 03136   376   NtSetEventBoostPriority  ... ) == 0x0
 03140  1104   NtWaitForSingleObject  (92, 0, 0x0, ...
 03141   896   NtProtectVirtualMemory  (-1, (0x85ee000), 4096, 260, ...
 03123   596   NtWaitForSingleObject  ... ) == 0x0
 03138  2044   NtSetEventBoostPriority  ... ) == 0x0
 03142   376   NtWaitForSingleObject  (636, 0, 0x0, ...
 03143   596   NtSetEventBoostPriority  (92, ...
 03141   896   NtProtectVirtualMemory  ... (0x85ee000), 4096, 4, ) == 0x0
 03144  1516   NtWaitForSingleObject  (92, 0, 0x0, ...
 03126  1884   NtWaitForSingleObject  ... ) == 0x0
 03143   596   NtSetEventBoostPriority  ... ) == 0x0
 03145   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03146  1884   NtSetEventBoostPriority  (92, ...
 03147  2044   NtSetEventBoostPriority  (636, ...
 03129   876   NtWaitForSingleObject  ... ) == 0x0
 03145   896   NtCreateThread  ... 688, {1252, 780}, ) == 0x0
 02979  1308   NtWaitForSingleObject  ... ) == 0x0
 03147  2044   NtSetEventBoostPriority  ... ) == 0x0
 03148   876   NtSetEventBoostPriority  (92, ...
 03149  1308   NtWaitForSingleObject  (92, 0, 0x0, ...
 03150   896   NtQueryInformationThread  (688, Basic, 28, ...
 03151  2044   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03133  2016   NtWaitForSingleObject  ... ) == 0x0
 03148   876   NtSetEventBoostPriority  ... ) == 0x0
 03150   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=780,}, 0x0, ) == 0x0
 03152  2016   NtSetEventBoostPriority  (92, ...
 03151  2044   NtWaitForSingleObject  ... ) == 0x102
 03153   876   NtWaitForSingleObject  (92, 0, 0x0, ...
 03146  1884   NtSetEventBoostPriority  ... ) == 0x0
 03154   596   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 03139   860   NtWaitForSingleObject  ... ) == 0x0
 03152  2016   NtSetEventBoostPriority  ... ) == 0x0
 03155  2044   NtWaitForSingleObject  (196, 0, 0x0, ...
 03156   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\14\3\0\0" ...  ...
 03157  1884   NtWaitForSingleObject  (196, 0, 0x0, ...
 03158   860   NtSetEventBoostPriority  (92, ...
 03154   596   NtOpenKey  ... 692, ) == 0x0
 03159  2016   NtWaitForSingleObject  (92, 0, 0x0, ...
 03156   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81917, 0}  ... {28, 56, reply, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\14\3\0\0" )  ) == 0x0
 03140  1104   NtWaitForSingleObject  ... ) == 0x0
 03158   860   NtSetEventBoostPriority  ... ) == 0x0
 03160   596   NtQueryValueKey  (692,  (692, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 03161  1104   NtSetEventBoostPriority  (92, ...
 03162   896   NtResumeThread  (688, ...
 03144  1516   NtWaitForSingleObject  ... ) == 0x0
 03161  1104   NtSetEventBoostPriority  ... ) == 0x0
 03160   596   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 03163  1516   NtSetEventBoostPriority  (92, ...
 03162   896   NtResumeThread  ... 1, ) == 0x0
 03164  1104   NtWaitForSingleObject  (92, 0, 0x0, ...
 03149  1308   NtWaitForSingleObject  ... ) == 0x0
 03163  1516   NtSetEventBoostPriority  ... ) == 0x0
 03165   596   NtQueryValueKey  (692,  (692, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 03166   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03167   860   NtWaitForSingleObject  (92, 0, 0x0, ...
 03168   780   NtTestAlert  (...
 03169  1308   NtSetEventBoostPriority  (92, ...
 03170  1516   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03165   596   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 03153   876   NtWaitForSingleObject  ... ) == 0x0
 03169  1308   NtSetEventBoostPriority  ... ) == 0x0
 03168   780   NtTestAlert  ... ) == 0x0
 03166   896   NtAllocateVirtualMemory  ... 140443648, 2097152, ) == 0x0
 03170  1516   NtDuplicateObject  ... 696, ) == 0x0
 03171   876   NtSetEventBoostPriority  (92, ...
 03172   596   NtQueryValueKey  (692,  (692, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 03173   780   NtContinue  (140442928, 1, ...
 03174   896   NtAllocateVirtualMemory  (-1, 142532608, 0, 8192, 4096, 4, ...
 03159  2016   NtWaitForSingleObject  ... ) == 0x0
 03175  1516   NtWaitForSingleObject  (92, 0, 0x0, ...
 03172   596   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03176   780   NtRegisterThreadTerminatePort  (24, ...
 03174   896   NtAllocateVirtualMemory  ... 142532608, 8192, ) == 0x0
 03177  2016   NtSetEventBoostPriority  (92, ...
 03178   596   NtQueryValueKey  (692,  (692, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 03176   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 03179   896   NtProtectVirtualMemory  (-1, (0x87ee000), 4096, 260, ...
 03164  1104   NtWaitForSingleObject  ... ) == 0x0
 03177  2016   NtSetEventBoostPriority  ... ) == 0x0
 03178   596   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03171   876   NtSetEventBoostPriority  ... ) == 0x0
 03180  1308   NtSetEventBoostPriority  (636, ...
 03181  1104   NtSetEventBoostPriority  (92, ...
 03179   896   NtProtectVirtualMemory  ... (0x87ee000), 4096, 4, ) == 0x0
 03182  2016   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ...
 03183   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 03184   876   NtWaitForSingleObject  (636, 0, 0x0, ...
 03167   860   NtWaitForSingleObject  ... ) == 0x0
 02981  1368   NtWaitForSingleObject  ... ) == 0x0
 03180  1308   NtSetEventBoostPriority  ... ) == 0x0
 03185   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03181  1104   NtSetEventBoostPriority  ... ) == 0x0
 03186   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03183   596   NtCreateEvent  ... 700, ) == 0x0
 03187  1368   NtWaitForSingleObject  (92, 0, 0x0, ...
 03188   860   NtSetEventBoostPriority  (92, ...
 03189  1308   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03182  2016   NtSetInformationThread  ... ) == 0x0
 03190  1104   NtWaitForSingleObject  (636, 0, 0x0, ...
 03186   780   NtDuplicateObject  ... 704, ) == 0x0
 03185   896   NtCreateThread  ... 708, {1252, 940}, ) == 0x0
 03175  1516   NtWaitForSingleObject  ... ) == 0x0
 03188   860   NtSetEventBoostPriority  ... ) == 0x0
 03189  1308   NtWaitForSingleObject  ... ) == 0x102
 03191  2016   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 03192   780   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 03193  1516   NtSetEventBoostPriority  (92, ...
 03194   896   NtQueryInformationThread  (708, Basic, 28, ...
 03195   860   NtWaitForSingleObject  (636, 0, 0x0, ...
 03196  1308   NtWaitForSingleObject  (92, 0, 0x0, ...
 03191  2016   NtCreateEvent  ... 712, ) == 0x0
 03187  1368   NtWaitForSingleObject  ... ) == 0x0
 03193  1516   NtSetEventBoostPriority  ... ) == 0x0
 03192   780   NtCreateEvent  ... 716, ) == 0x0
 03194   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=940,}, 0x0, ) == 0x0
 03197   596   NtWaitForSingleObject  (700, 0, 0x0, ...
 03198  1368   NtSetEventBoostPriority  (92, ...
 03199  2016   NtClose  (712, ...
 03200   780   NtClose  (716, ...
 03201   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\254\3\0\0" ...  ...
 03196  1308   NtWaitForSingleObject  ... ) == 0x0
 03198  1368   NtSetEventBoostPriority  ... ) == 0x0
 03199  2016   NtClose  ... ) == 0x0
 03200   780   NtClose  ... ) == 0x0
 03202  1308   NtWaitForSingleObject  (196, 0, 0x0, ...
 03201   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81918, 0}  ... {28, 56, reply, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\254\3\0\0" )  ) == 0x0
 03203  1516   NtWaitForSingleObject  (636, 0, 0x0, ...
 03204  2016   NtSetEventBoostPriority  (700, ...
 03205  1368   NtSetEventBoostPriority  (636, ...
 03206   780   NtWaitForSingleObject  (700, 0, 0x0, ...
 03207   896   NtResumeThread  (708, ...
 02982  1652   NtWaitForSingleObject  ... ) == 0x0
 03205  1368   NtSetEventBoostPriority  ... ) == 0x0
 03208  1652   NtSetEventBoostPriority  (636, ...
 03207   896   NtResumeThread  ... 1, ) == 0x0
 02995  1620   NtWaitForSingleObject  ... ) == 0x0
 03208  1652   NtSetEventBoostPriority  ... ) == 0x0
 03209  1368   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03210  1620   NtSetEventBoostPriority  (636, ...
 03211   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03197   596   NtWaitForSingleObject  ... ) == 0x0
 03204  2016   NtSetEventBoostPriority  ... ) == 0x0
 03212   940   NtWaitForSingleObject  (36, 0, 0x0, ...
 03017  1296   NtWaitForSingleObject  ... ) == 0x0
 03210  1620   NtSetEventBoostPriority  ... ) == 0x0
 03209  1368   NtWaitForSingleObject  ... ) == 0x102
 03211   896   NtAllocateVirtualMemory  ... 142540800, 2097152, ) == 0x0
 03213   596   NtSetEventBoostPriority  (700, ...
 03214  2016   NtUnmapViewOfSection  (-1, 0x77c00000, ...
 03215  1296   NtSetEventBoostPriority  (636, ...
 03216  1620   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03217  1368   NtWaitForSingleObject  (196, 0, 0x0, ...
 03218   896   NtAllocateVirtualMemory  (-1, 144629760, 0, 8192, 4096, 4, ...
 03206   780   NtWaitForSingleObject  ... ) == 0x0
 03213   596   NtSetEventBoostPriority  ... ) == 0x0
 03020  1276   NtWaitForSingleObject  ... ) == 0x0
 03215  1296   NtSetEventBoostPriority  ... ) == 0x0
 03214  2016   NtUnmapViewOfSection  ... ) == 0x0
 03219  1652   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03216  1620   NtWaitForSingleObject  ... ) == 0x102
 03220   780   NtWaitForSingleObject  (636, 0, 0x0, ...
 03218   896   NtAllocateVirtualMemory  ... 144629760, 8192, ) == 0x0
 03221  1276   NtSetEventBoostPriority  (636, ...
 03222   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 03223  1296   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03224  2016   NtSetEventBoostPriority  (36, ...
 03219  1652   NtWaitForSingleObject  ... ) == 0x102
 03225  1620   NtWaitForSingleObject  (196, 0, 0x0, ...
 03021   724   NtWaitForSingleObject  ... ) == 0x0
 03221  1276   NtSetEventBoostPriority  ... ) == 0x0
 03226   896   NtProtectVirtualMemory  (-1, (0x89ee000), 4096, 260, ...
 03212   940   NtWaitForSingleObject  ... ) == 0x0
 03224  2016   NtSetEventBoostPriority  ... ) == 0x0
 03227  1652   NtWaitForSingleObject  (196, 0, 0x0, ...
 03228   724   NtSetEventBoostPriority  (636, ...
 03223  1296   NtWaitForSingleObject  ... ) == 0x102
 03229   940   NtAllocateVirtualMemory  (-1, 14249984, 0, 4096, 4096, 4, ...
 03226   896   NtProtectVirtualMemory  ... (0x89ee000), 4096, 4, ) == 0x0
 03230  2016   NtOpenMutant  (0x120001, {24, 28, 0x0, 0, 0,  (0x120001, {24, 28, 0x0, 0, 0, "ShimCacheMutex"}, ... }, ...
 03029   440   NtWaitForSingleObject  ... ) == 0x0
 03228   724   NtSetEventBoostPriority  ... ) == 0x0
 03229   940   NtAllocateVirtualMemory  ... 14249984, 4096, ) == 0x0
 03231  1296   NtWaitForSingleObject  (196, 0, 0x0, ...
 03232   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03233  1276   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03234   440   NtSetEventBoostPriority  (636, ...
 03230  2016   NtOpenMutant  ... 716, ) == 0x0
 03235   724   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03232   896   NtCreateThread  ... 712, {1252, 1268}, ) == 0x0
 03030  1328   NtWaitForSingleObject  ... ) == 0x0
 03234   440   NtSetEventBoostPriority  ... ) == 0x0
 03233  1276   NtWaitForSingleObject  ... ) == 0x102
 03236  2016   NtWaitForSingleObject  (716, 0, {-1000000, -1}, ...
 03235   724   NtWaitForSingleObject  ... ) == 0x102
 03237  1328   NtSetEventBoostPriority  (636, ...
 03238   896   NtQueryInformationThread  (712, Basic, 28, ...
 03239   440   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03240  1276   NtWaitForSingleObject  (196, 0, 0x0, ...
 03236  2016   NtWaitForSingleObject  ... ) == 0x0
 03031   220   NtWaitForSingleObject  ... ) == 0x0
 03237  1328   NtSetEventBoostPriority  ... ) == 0x0
 03241   724   NtWaitForSingleObject  (196, 0, 0x0, ...
 03238   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0
 03242   940   NtSetEventBoostPriority  (36, ...
 03243   220   NtSetEventBoostPriority  (636, ...
 03244  2016   NtOpenSection  (0x2, {24, 28, 0x0, 0, 0,  (0x2, {24, 28, 0x0, 0, 0, "ShimSharedMemory"}, ... }, ...
 03239   440   NtWaitForSingleObject  ... ) == 0x102
 03245  1328   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03035  1636   NtWaitForSingleObject  ... ) == 0x0
 03243   220   NtSetEventBoostPriority  ... ) == 0x0
 03222   596   NtWaitForSingleObject  ... ) == 0x0
 03242   940   NtSetEventBoostPriority  ... ) == 0x0
 03244  2016   NtOpenSection  ... 720, ) == 0x0
 03246   440   NtWaitForSingleObject  (196, 0, 0x0, ...
 03247  1636   NtSetEventBoostPriority  (636, ...
 03245  1328   NtWaitForSingleObject  ... ) == 0x102
 03248   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\364\4\0\0" ...  ...
 03249   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 19461164, ... }, 19461164, ...
 03250   940   NtTestAlert  (...
 03251   220   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03041  1588   NtWaitForSingleObject  ... ) == 0x0
 03247  1636   NtSetEventBoostPriority  ... ) == 0x0
 03252  1328   NtWaitForSingleObject  (196, 0, 0x0, ...
 03249   596   NtQueryAttributesFile  ... ) == 0x0
 03248   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81919, 0}  ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\364\4\0\0" )  ) == 0x0
 03250   940   NtTestAlert  ... ) == 0x0
 03253  1588   NtSetEventBoostPriority  (636, ...
 03251   220   NtWaitForSingleObject  ... ) == 0x102
 03254  2016   NtMapViewOfSection  (720, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ...
 03255   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 03256   896   NtResumeThread  (712, ...
 03044  1484   NtWaitForSingleObject  ... ) == 0x0
 03253  1588   NtSetEventBoostPriority  ... ) == 0x0
 03257   940   NtContinue  (142540080, 1, ...
 03258   220   NtWaitForSingleObject  (196, 0, 0x0, ...
 03255   596   NtOpenFile  ... 724, {status=0x0, info=1}, ) == 0x0
 03254  2016   NtMapViewOfSection  ... (0xe70000), {0, 0}, 57344, ) == 0x0
 03259  1484   NtSetEventBoostPriority  (636, ...
 03256   896   NtResumeThread  ... 1, ) == 0x0
 03260  1588   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03261   940   NtRegisterThreadTerminatePort  (24, ...
 03262  1636   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03263  1268   NtWaitForSingleObject  (36, 0, 0x0, ...
 03055   704   NtWaitForSingleObject  ... ) == 0x0
 03264  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ...
 03265   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03259  1484   NtSetEventBoostPriority  ... ) == 0x0
 03266   596   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 724, ...
 03260  1588   NtWaitForSingleObject  ... ) == 0x102
 03262  1636   NtWaitForSingleObject  ... ) == 0x102
 03267   704   NtSetEventBoostPriority  (636, ...
 03264  2016   NtOpenThreadTokenEx  ... ) == STATUS_NO_TOKEN
 03261   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 03268  1484   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03266   596   NtCreateSection  ... 728, ) == 0x0
 03269  1588   NtWaitForSingleObject  (196, 0, 0x0, ...
 03270  1636   NtWaitForSingleObject  (196, 0, 0x0, ...
 03063   588   NtWaitForSingleObject  ... ) == 0x0
 03267   704   NtSetEventBoostPriority  ... ) == 0x0
 03271  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ...
 03272   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03273   596   NtClose  (724, ...
 03274   588   NtSetEventBoostPriority  (636, ...
 03265   896   NtAllocateVirtualMemory  ... 144637952, 2097152, ) == 0x0
 03268  1484   NtWaitForSingleObject  ... ) == 0x102
 03271  2016   NtOpenProcessTokenEx  ... 732, ) == 0x0
 03272   940   NtDuplicateObject  ... 736, ) == 0x0
 03066   888   NtWaitForSingleObject  ... ) == 0x0
 03274   588   NtSetEventBoostPriority  ... ) == 0x0
 03273   596   NtClose  ... ) == 0x0
 03275   896   NtAllocateVirtualMemory  (-1, 146726912, 0, 8192, 4096, 4, ...
 03276  1484   NtWaitForSingleObject  (196, 0, 0x0, ...
 03277   704   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03278   888   NtSetEventBoostPriority  (636, ...
 03279   940   NtWaitForSingleObject  (636, 0, 0x0, ...
 03280   588   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03281   596   NtMapViewOfSection  (728, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 03275   896   NtAllocateVirtualMemory  ... 146726912, 8192, ) == 0x0
 03083  1436   NtWaitForSingleObject  ... ) == 0x0
 03278   888   NtSetEventBoostPriority  ... ) == 0x0
 03277   704   NtWaitForSingleObject  ... ) == 0x102
 03282  2016   NtQueryInformationToken  (732, User, 80, ...
 03281   596   NtMapViewOfSection  ... (0x1490000), 0x0, 20480, ) == 0x0
 03283  1436   NtSetEventBoostPriority  (636, ...
 03284   896   NtProtectVirtualMemory  (-1, (0x8bee000), 4096, 260, ...
 03285   888   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03286   704   NtWaitForSingleObject  (196, 0, 0x0, ...
 03282  2016   NtQueryInformationToken  ... {token info, class 1, size 36}, 36, ) == 0x0
 03280   588   NtWaitForSingleObject  ... ) == 0x102
 03094  1120   NtWaitForSingleObject  ... ) == 0x0
 03283  1436   NtSetEventBoostPriority  ... ) == 0x0
 03284   896   NtProtectVirtualMemory  ... (0x8bee000), 4096, 4, ) == 0x0
 03287   596   NtClose  (728, ...
 03288  2016   NtClose  (732, ...
 03289  1120   NtSetEventBoostPriority  (636, ...
 03290   588   NtWaitForSingleObject  (196, 0, 0x0, ...
 03291  1436   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03292   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03287   596   NtClose  ... ) == 0x0
 03097   792   NtWaitForSingleObject  ... ) == 0x0
 03289  1120   NtSetEventBoostPriority  ... ) == 0x0
 03288  2016   NtClose  ... ) == 0x0
 03285   888   NtWaitForSingleObject  ... ) == 0x102
 03291  1436   NtWaitForSingleObject  ... ) == 0x102
 03293   792   NtSetEventBoostPriority  (636, ...
 03294  1120   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03295  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... }, ...
 03296   888   NtWaitForSingleObject  (196, 0, 0x0, ...
 03104  1152   NtWaitForSingleObject  ... ) == 0x0
 03297  1436   NtAllocateVirtualMemory  (-1, 5754880, 0, 4096, 4096, 4, ...
 03293   792   NtSetEventBoostPriority  ... ) == 0x0
 03298   596   NtUnmapViewOfSection  (-1, 0x1490000, ...
 03292   896   NtCreateThread  ... 732, {1252, 644}, ) == 0x0
 03295  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03299  1152   NtWaitForSingleObject  (92, 0, 0x0, ...
 03297  1436   NtAllocateVirtualMemory  ... 5754880, 4096, ) == 0x0
 03300   792   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03298   596   NtUnmapViewOfSection  ... ) == 0x0
 03301   896   NtQueryInformationThread  (732, Basic, 28, ...
 03294  1120   NtWaitForSingleObject  ... ) == 0x102
 03302  1436   NtSetEventBoostPriority  (92, ...
 03300   792   NtWaitForSingleObject  ... ) == 0x102
 03303  2016   NtReleaseMutant  (716, ...
 03301   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=644,}, 0x0, ) == 0x0
 03304  1120   NtWaitForSingleObject  (92, 0, 0x0, ...
 03299  1152   NtWaitForSingleObject  ... ) == 0x0
 03302  1436   NtSetEventBoostPriority  ... ) == 0x0
 03305   792   NtWaitForSingleObject  (92, 0, 0x0, ...
 03303  2016   NtReleaseMutant  ... 0x0, ) == 0x0
 03306   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\204\2\0\0" ...  ...
 03307  1152   NtSetEventBoostPriority  (92, ...
 03308   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 19461472, ... }, 19461472, ...
 03309  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 03304  1120   NtWaitForSingleObject  ... ) == 0x0
 03307  1152   NtSetEventBoostPriority  ... ) == 0x0
 03306   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81920, 0}  ... {28, 56, reply, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\204\2\0\0" )  ) == 0x0
 03308   596   NtQueryAttributesFile  ... ) == 0x0
 03310  1120   NtSetEventBoostPriority  (92, ...
 03311  1436   NtWaitForSingleObject  (196, 0, 0x0, ...
 03312  1152   NtSetEventBoostPriority  (636, ...
 03305   792   NtWaitForSingleObject  ... ) == 0x0
 03310  1120   NtSetEventBoostPriority  ... ) == 0x0
 03313   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 03314   792   NtWaitForSingleObject  (196, 0, 0x0, ...
 03105   840   NtWaitForSingleObject  ... ) == 0x0
 03312  1152   NtSetEventBoostPriority  ... ) == 0x0
 03315   896   NtResumeThread  (732, ...
 03316   840   NtSetEventBoostPriority  (636, ...
 03313   596   NtOpenFile  ... 728, {status=0x0, info=1}, ) == 0x0
 03317  1152   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03111  1228   NtWaitForSingleObject  ... ) == 0x0
 03316   840   NtSetEventBoostPriority  ... ) == 0x0
 03315   896   NtResumeThread  ... 1, ) == 0x0
 03318   596   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 728, ...
 03319  1228   NtSetEventBoostPriority  (636, ...
 03317  1152   NtWaitForSingleObject  ... ) == 0x102
 03320   840   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03321   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03142   376   NtWaitForSingleObject  ... ) == 0x0
 03319  1228   NtSetEventBoostPriority  ... ) == 0x0
 03318   596   NtCreateSection  ... 724, ) == 0x0
 03322  1152   NtWaitForSingleObject  (196, 0, 0x0, ...
 03323  1120   NtWaitForSingleObject  (196, 0, 0x0, ...
 03324   644   NtWaitForSingleObject  (36, 0, 0x0, ...
 03325   376   NtSetEventBoostPriority  (636, ...
 03321   896   NtAllocateVirtualMemory  ... 146735104, 2097152, ) == 0x0
 03320   840   NtWaitForSingleObject  ... ) == 0x102
 03326  1228   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03327   596   NtQuerySection  (724, Image, 48, ...
 03184   876   NtWaitForSingleObject  ... ) == 0x0
 03325   376   NtSetEventBoostPriority  ... ) == 0x0
 03328   896   NtAllocateVirtualMemory  (-1, 148824064, 0, 8192, 4096, 4, ...
 03329   840   NtWaitForSingleObject  (196, 0, 0x0, ...
 03326  1228   NtWaitForSingleObject  ... ) == 0x102
 03330   876   NtSetEventBoostPriority  (636, ...
 03327   596   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03328   896   NtAllocateVirtualMemory  ... 148824064, 8192, ) == 0x0
 03190  1104   NtWaitForSingleObject  ... ) == 0x0
 03330   876   NtSetEventBoostPriority  ... ) == 0x0
 03331  1228   NtWaitForSingleObject  (196, 0, 0x0, ...
 03332   596   NtClose  (728, ...
 03333   376   NtWaitForSingleObject  (636, 0, 0x0, ...
 03334  1104   NtSetEventBoostPriority  (636, ...
 03335   896   NtProtectVirtualMemory  (-1, (0x8dee000), 4096, 260, ...
 03332   596   NtClose  ... ) == 0x0
 03195   860   NtWaitForSingleObject  ... ) == 0x0
 03334  1104   NtSetEventBoostPriority  ... ) == 0x0
 03335   896   NtProtectVirtualMemory  ... (0x8dee000), 4096, 4, ) == 0x0
 03336   860   NtSetEventBoostPriority  (636, ...
 03337   596   NtMapViewOfSection  (724, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 03338   876   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03203  1516   NtWaitForSingleObject  ... ) == 0x0
 03339   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03337   596   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 03338   876   NtWaitForSingleObject  ... ) == 0x102
 03340  1516   NtSetEventBoostPriority  (636, ...
 03339   896   NtCreateThread  ... 728, {1252, 1736}, ) == 0x0
 03336   860   NtSetEventBoostPriority  ... ) == 0x0
 03341  1104   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03342   876   NtWaitForSingleObject  (196, 0, 0x0, ...
 03220   780   NtWaitForSingleObject  ... ) == 0x0
 03340  1516   NtSetEventBoostPriority  ... ) == 0x0
 03343   896   NtQueryInformationThread  (728, Basic, 28, ...
 03344   860   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03341  1104   NtWaitForSingleObject  ... ) == 0x102
 03345   780   NtSetEventBoostPriority  (636, ...
 03346  1516   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03343   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=1736,}, 0x0, ) == 0x0
 03279   940   NtWaitForSingleObject  ... ) == 0x0
 03345   780   NtSetEventBoostPriority  ... ) == 0x0
 03347  1104   NtWaitForSingleObject  (196, 0, 0x0, ...
 03348   596   NtClose  (724, ...
 03344   860   NtWaitForSingleObject  ... ) == 0x102
 03346  1516   NtWaitForSingleObject  ... ) == 0x102
 03349   940   NtSetEventBoostPriority  (636, ...
 03350   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\310\6\0\0" ...  ...
 03348   596   NtClose  ... ) == 0x0
 03351   860   NtWaitForSingleObject  (196, 0, 0x0, ...
 03333   376   NtWaitForSingleObject  ... ) == 0x0
 03349   940   NtSetEventBoostPriority  ... ) == 0x0
 03352  1516   NtWaitForSingleObject  (196, 0, 0x0, ...
 03350   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81921, 0}  ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\310\6\0\0" )  ) == 0x0
 03353   596   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ...
 03354   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243!j\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03355   780   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03356   896   NtResumeThread  (728, ...
 03357   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03353   596   NtProtectVirtualMemory  ... (0x71a91000), 4096, 32, ) == 0x0
 03355   780   NtWaitForSingleObject  ... ) == 0x102
 03357   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03356   896   NtResumeThread  ... 1, ) == 0x0
 03358   780   NtWaitForSingleObject  (196, 0, 0x0, ...
 03359   940   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03360  1736   NtWaitForSingleObject  (36, 0, 0x0, ...
 03361   596   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 03362   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03359   940   NtWaitForSingleObject  ... ) == 0x102
 03361   596   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 03363   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03364   940   NtWaitForSingleObject  (196, 0, 0x0, ...
 03365   596   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 03363   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03365   596   NtFlushInstructionCache  ... ) == 0x0
 03366   376   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 03367   376   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 03368   376   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 03369   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 03370   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 03362   896   NtAllocateVirtualMemory  ... 148832256, 2097152, ) == 0x0
 03371   596   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 03372   896   NtAllocateVirtualMemory  (-1, 150921216, 0, 8192, 4096, 4, ...
 03371   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03372   896   NtAllocateVirtualMemory  ... 150921216, 8192, ) == 0x0
 03373   596   NtSetEventBoostPriority  (36, ...
 03374   896   NtProtectVirtualMemory  (-1, (0x8fee000), 4096, 260, ...
 03263  1268   NtWaitForSingleObject  ... ) == 0x0
 03373   596   NtSetEventBoostPriority  ... ) == 0x0
 03375  1268   NtSetEventBoostPriority  (36, ...
 03374   896   NtProtectVirtualMemory  ... (0x8fee000), 4096, 4, ) == 0x0
 03309  2016   NtWaitForSingleObject  ... ) == 0x0
 03375  1268   NtSetEventBoostPriority  ... ) == 0x0
 03376   596   NtClose  (692, ...
 03377  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 9824752, ... }, 9824752, ...
 03378   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03379   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03377  2016   NtQueryAttributesFile  ... ) == 0x0
 03376   596   NtClose  ... ) == 0x0
 03380  1268   NtTestAlert  (...
 03379   376   NtCreateKey  ... -2147482748, 2, ) == 0x0
 03378   896   NtCreateThread  ... 692, {1252, 320}, ) == 0x0
 03381  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... }, 5, 96, ...
 03380  1268   NtTestAlert  ... ) == 0x0
 03382   376   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "\357\365\337&\266\2\306\313t\321f\232u\265kg^\247\37\230Y\5\36\366{\376z\30t\365\257Oe\334A\323\370\ \370S\250f\30\257\377\212\211P28'\340\262$\16O\225|\2569B\367\270|\351\366\314\231\10\3573*(\355{CE:\202", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "\357\365\337&\266\2\306\313t\321f\232u\265kg^\247\37\230Y\5\36\366{\376z\30t\365\257Oe\334A\323\370\ \370S\250f\30\257\377\212\211P28'\340\262$\16O\225|\2569B\367\270|\351\366\314\231\10\3573*(\355{CE:\202", 80, ... , 80, ...
 03383   896   NtQueryInformationThread  (692, Basic, 28, ...
 03381  2016   NtOpenFile  ... 724, {status=0x0, info=1}, ) == 0x0
 03384  1268   NtContinue  (144637232, 1, ...
 03382   376   NtSetValueKey  ... ) == 0x0
 03383   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=320,}, 0x0, ) == 0x0
 03385  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 724, ...
 03386  1268   NtRegisterThreadTerminatePort  (24, ...
 03387   376   NtClose  (-2147482748, ...
 03388   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0@\1\0\0" ...  ...
 03385  2016   NtCreateSection  ... 740, ) == 0x0
 03386  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 03387   376   NtClose  ... ) == 0x0
 03388   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81922, 0}  ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0@\1\0\0" )  ) == 0x0
 03389  2016   NtClose  (724, ...
 03390  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03391   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 03354   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Zu)\2260hq\2723\276E\213\206j\336\303\35\376\22T)\332\230|p\275\247\350\205\7\2403\371\244\331\253\37\372\301*JvU\240E\12\233s_\226\231\223\231\34\355\360?\255A\267\227\260\237\373h_\263\263\232\200\255\33)\355NN\227Q5\3^\355b$(\255\201i\303.J\217\257j\326\274|\345\316\216\332/n\224\3366\366\4g\26gv\2\350W\227,!\15\352y\342\31d\177\336\351ju\335\344\371\1\21\366\253\205\315j\256\207\356\326;\374\10\347\354H\251u;\242\207\2724$c\30\36\371}8O\17\\33._\331\327\21\222\332\212\312\370\220\215F\0N'\323\374^\213\253\356\31\300\210\300J\225\23+\253"\353\177s\217\5\321a\206-\373\361S\214\34Y\316r\365dE\14\1\252\324\237^\251\250]\247\2\353\374\260gW\243\302M\251\307\273\234\275fU;\13e\250\367?\331\263\262\13\10", ) \353\177s\217\5\321a\206-\373\361S\214\34Y\316r\365dE\14\1\252\324\237^\251\250]\247\2\353\374\260gW\243\302M\251\307\273\234\275fU;\13e\250\367?\331\263\262\13\10", ) == 0x0
 03389  2016   NtClose  ... ) == 0x0
 03392   896   NtResumeThread  (692, ...
 03393   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243\7\221\226D\302\20\202\20\240\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03390  1268   NtDuplicateObject  ... 724, ) == 0x0
 03392   896   NtResumeThread  ... 1, ) == 0x0
 03394   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03395  1268   NtWaitForSingleObject  (88, 0, {0, 0}, ...
 03396   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03394   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03395  1268   NtWaitForSingleObject  ... ) == 0x102
 03396   896   NtAllocateVirtualMemory  ... 150929408, 2097152, ) == 0x0
 03397   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03398  1268   NtWaitForSingleObject  (196, 0, 0x0, ...
 03399   896   NtAllocateVirtualMemory  (-1, 153018368, 0, 8192, 4096, 4, ... 153018368, 8192, ) == 0x0
 03400   896   NtProtectVirtualMemory  (-1, (0x91ee000), 4096, 260, ... (0x91ee000), 4096, 4, ) == 0x0
 03401   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ... 744, {1252, 380}, ) == 0x0
 03402   896   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=380,}, 0x0, ) == 0x0
 03403  2016   NtMapViewOfSection  (740, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 03404   320   NtWaitForSingleObject  (36, 0, 0x0, ...
 03397   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03403  2016   NtMapViewOfSection  ... (0x1490000), 0x0, 180224, ) == 0x0
 03405   376   NtQuerySystemInformation  (Performance, 312, ...
 03406  2016   NtClose  (740, ...
 03405   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03406  2016   NtClose  ... ) == 0x0
 03407   376   NtQuerySystemInformation  (Exception, 16, ...
 03408  2016   NtUnmapViewOfSection  (-1, 0x1490000, ...
 03407   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03408  2016   NtUnmapViewOfSection  ... ) == 0x0
 03409   376   NtQuerySystemInformation  (Lookaside, 32, ...
 03410   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0|\1\0\0" ...  ...
 03411  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 9825060, ... }, 9825060, ...
 03410   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81923, 0}  ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0|\1\0\0" )  ) == 0x0
 03411  2016   NtQueryAttributesFile  ... ) == 0x0
 03412   896   NtResumeThread  (744, ...
 03413  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... }, 5, 96, ...
 03412   896   NtResumeThread  ... 1, ) == 0x0
 03413  2016   NtOpenFile  ... 740, {status=0x0, info=1}, ) == 0x0
 03414   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03415  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 740, ...
 03409   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03416   380   NtWaitForSingleObject  (36, 0, 0x0, ...
 03415  2016   NtCreateSection  ... 748, ) == 0x0
 03417   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03414   896   NtAllocateVirtualMemory  ... 153026560, 2097152, ) == 0x0
 03417   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03418   896   NtAllocateVirtualMemory  (-1, 155115520, 0, 8192, 4096, 4, ...
 03419   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03418   896   NtAllocateVirtualMemory  ... 155115520, 8192, ) == 0x0
 03419   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03420   896   NtProtectVirtualMemory  (-1, (0x93ee000), 4096, 260, ...
 03421   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03420   896   NtProtectVirtualMemory  ... (0x93ee000), 4096, 4, ) == 0x0
 03422  2016   NtQuerySection  (748, Image, 48, ...
 03423   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03422  2016   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03421   376   NtCreateKey  ... -2147482748, 2, ) == 0x0
 03424  2016   NtClose  (740, ...
 03425   376   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "qa4\357\10i\370\220\251\31\243\201S\272I\15E\3Y"\223\323\232\201\326\204D\276|H\30\314v\204^\221]E\356d\2\324\255ra'\265\270\252\33\246B\330\0<\317\16\31\377u\256=\37y*\235\11?\264\226!\233\35\305a\372\375\352}3", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "qa4\357\10i\370\220\251\31\243\201S\272I\15E\3Y"\223\323\232\201\326\204D\276|H\30\314v\204^\221]E\356d\2\324\255ra'\265\270\252\33\246B\330\0<\317\16\31\377u\256=\37y*\235\11?\264\226!\233\35\305a\372\375\352}3", 80, ... \223\323\232\201\326\204D\276|H\30\314v\204^\221]E\356d\2\324\255ra'\265\270\252\33\246B\330\0<\317\16\31\377u\256=\37y*\235\11?\264\226!\233\35\305a\372\375\352}3", 80, ...
 03424  2016   NtClose  ... ) == 0x0
 03425   376   NtSetValueKey  ... ) == 0x0
 03426  2016   NtMapViewOfSection  (748, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 03427   376   NtClose  (-2147482748, ...
 03426  2016   NtMapViewOfSection  ... (0x755c0000), 0x0, 188416, ) == 0x0
 03427   376   NtClose  ... ) == 0x0
 03423   896   NtCreateThread  ... 740, {1252, 1332}, ) == 0x0
 03393   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "5\377\344f\212\220\277\223N\20\246*$%\323\362b\257d\354\1\210\24!\234o=\2\13{J\251E\334g\31\270\271\367\212\233\335\3\0\326\201\322\15\327\262\12\17\324k=b@\4\337\204\377vF\310\12\264N\260\21#\34\327T\15\354'te\202B\234g\277\345;\16LX\26\231\13!\244\213@\274\217\307b6Mv\3,\327\224\252x\277G/\336z\17\204'\344>R\11\354~#\205\377PHy\36a5d\345]\270O\326\203\3600\1\26\1R\327$\311rf\301[\34N-z\374\326\226\275\221\302\223\350u\347v\242^h#\33\275\200z\217R\305\2412R\313Y\26^_\26\201\227.\315^-\205\12\}S\22X\15\24\241\202\305\3328\252\25\270\315\322\310V\265\334x\340n\323"O?\26\2014\364o$H\367\7i\354\231I\244\367x\217\31\265\267\330\263\37\206\200\227@\1U\22\371\266", ) O?\26\2014\364o$H\367\7i\354\231I\244\367x\217\31\265\267\330\263\37\206\200\227@\1U\22\371\266", ) == 0x0
 03428   896   NtQueryInformationThread  (740, Basic, 28, ...
 03429  2016   NtClose  (748, ...
 03428   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=1332,}, 0x0, ) == 0x0
 03429  2016   NtClose  ... ) == 0x0
 03430   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\04\5\0\0" ...  ...
 03431  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ...
 03430   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81924, 0}  ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\04\5\0\0" )  ) == 0x0
 03431  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 32, ) == 0x0
 03432   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243\7\221\226D\302\20\2026[\226D\302\20\202\20\240\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03433  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ...
 03434   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03433  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 4, ) == 0x0
 03434   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03435   896   NtResumeThread  (740, ...
 03436   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03435   896   NtResumeThread  ... 1, ) == 0x0
 03436   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03437   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03438   376   NtQuerySystemInformation  (Performance, 312, ...
 03437   896   NtAllocateVirtualMemory  ... 155123712, 2097152, ) == 0x0
 03439  2016   NtFlushInstructionCache  (-1, 1968967680, 860, ...
 03440  1332   NtWaitForSingleObject  (36, 0, 0x0, ...
 03441   896   NtAllocateVirtualMemory  (-1, 157212672, 0, 8192, 4096, 4, ...
 03439  2016   NtFlushInstructionCache  ... ) == 0x0
 03441   896   NtAllocateVirtualMemory  ... 157212672, 8192, ) == 0x0
 03442  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ...
 03438   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03442  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 32, ) == 0x0
 03443   376   NtQuerySystemInformation  (Exception, 16, ...
 03444  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ...
 03443   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03444  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 4, ) == 0x0
 03445   376   NtQuerySystemInformation  (Lookaside, 32, ...
 03446   896   NtProtectVirtualMemory  (-1, (0x95ee000), 4096, 260, ...
 03445   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03446   896   NtProtectVirtualMemory  ... (0x95ee000), 4096, 4, ) == 0x0
 03447   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03448   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03449  2016   NtFlushInstructionCache  (-1, 1968967680, 860, ...
 03448   896   NtCreateThread  ... 748, {1252, 1336}, ) == 0x0
 03449  2016   NtFlushInstructionCache  ... ) == 0x0
 03450   896   NtQueryInformationThread  (748, Basic, 28, ...
 03451  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ...
 03450   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0
 03451  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 32, ) == 0x0
 03447   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03452  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ...
 03453   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03452  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 4, ) == 0x0
 03453   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03454   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\08\5\0\0" ...  ...
 03455   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03454   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81925, 0}  ... {28, 56, reply, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\08\5\0\0" )  ) == 0x0
 03455   376   NtCreateKey  ... -2147482748, 2, ) == 0x0
 03456   896   NtResumeThread  (748, ...
 03457   376   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "\341Y2\7\200O\33\16\364Y\245S\34\351VHv\251\34+\3\322\255*\224\12\232qY1W&f\326#@p5=\3136U\242/<\370\357\242\30\240^z"\274\204]c\231\3320O]\223b\247\361\32\351\0\371x\273\337K\256\30b\273\17{", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "\341Y2\7\200O\33\16\364Y\245S\34\351VHv\251\34+\3\322\255*\224\12\232qY1W&f\326#@p5=\3136U\242/<\370\357\242\30\240^z"\274\204]c\231\3320O]\223b\247\361\32\351\0\371x\273\337K\256\30b\273\17{", 80, ... \274\204]c\231\3320O]\223b\247\361\32\351\0\371x\273\337K\256\30b\273\17{", 80, ...
 03456   896   NtResumeThread  ... 1, ) == 0x0
 03458  2016   NtFlushInstructionCache  (-1, 1968967680, 860, ...
 03459   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03458  2016   NtFlushInstructionCache  ... ) == 0x0
 03457   376   NtSetValueKey  ... ) == 0x0
 03460  1336   NtWaitForSingleObject  (36, 0, 0x0, ...
 03461  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ...
 03462   376   NtClose  (-2147482748, ...
 03461  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 32, ) == 0x0
 03462   376   NtClose  ... ) == 0x0
 03463  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ...
 03432   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Oc\352\267\364\322r\327\360/\367\217\201\215\375\370\235\217\260\3q\357"L\334\276\375\3632Ra\2427Q!(4\210\272Z\200\30131\213\306M\235\250\325F\316\227\212\351\3\215\345\16\2\273\243[2\17(s\306\25L\323G\0c\31\214\313\2133\Rx\217\267\37268\35i4o\361>\211v\vOz\32>\241*\36Ba\312\16h\204\266\206e\30B\233\222\374\272\364V\220\232\16E`\325\2660\2\314\256K\305\244\216\231\361\246\335\315_\351zZ5T1\333\243\302"\17\323\241\311\321\\375c\373\353-)|G\257\3\274\346\212$\300#\301\347\3105}\222]\360\320B\271\357\12\270\246\302Q\32\253x'\206\216\272~&x\300t\220\230\363\13\361\261\216\321\27D\5\6\300\307\21\226\34\276+\252Wt\214\202\227\215\203\233\337\245@\364\300`\370\346\10\6`\374\7\252Sl\337\5\226\262\25/\243\273t", ) L\334\276\375\3632Ra\2427Q!(4\210\272Z\200\30131\213\306M\235\250\325F\316\227\212\351\3\215\345\16\2\273\243[2\17(s\306\25L\323G\0c\31\214\313\2133\Rx\217\267\37268\35i4o\361>\211v\vOz\32>\241*\36Ba\312\16h\204\266\206e\30B\233\222\374\272\364V\220\232\16E`\325\2660\2\314\256K\305\244\216\231\361\246\335\315_\351zZ5T1\333\243\302 ... {status=0x0, info=256}, "Oc\352\267\364\322r\327\360/\367\217\201\215\375\370\235\217\260\3q\357"L\334\276\375\3632Ra\2427Q!(4\210\272Z\200\30131\213\306M\235\250\325F\316\227\212\351\3\215\345\16\2\273\243[2\17(s\306\25L\323G\0c\31\214\313\2133\Rx\217\267\37268\35i4o\361>\211v\vOz\32>\241*\36Ba\312\16h\204\266\206e\30B\233\222\374\272\364V\220\232\16E`\325\2660\2\314\256K\305\244\216\231\361\246\335\315_\351zZ5T1\333\243\302"\17\323\241\311\321\\375c\373\353-)|G\257\3\274\346\212$\300#\301\347\3105}\222]\360\320B\271\357\12\270\246\302Q\32\253x'\206\216\272~&x\300t\220\230\363\13\361\261\216\321\27D\5\6\300\307\21\226\34\276+\252Wt\214\202\227\215\203\233\337\245@\364\300`\370\346\10\6`\374\7\252Sl\337\5\226\262\25/\243\273t", ) , ) == 0x0
 03463  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 4, ) == 0x0
 03464   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243\7\221\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\202\20\240\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03459   896   NtAllocateVirtualMemory  ... 157220864, 2097152, ) == 0x0
 03465   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03466   896   NtAllocateVirtualMemory  (-1, 159309824, 0, 8192, 4096, 4, ...
 03467  2016   NtFlushInstructionCache  (-1, 1968967680, 860, ...
 03466   896   NtAllocateVirtualMemory  ... 159309824, 8192, ) == 0x0
 03467  2016   NtFlushInstructionCache  ... ) == 0x0
 03468   896   NtProtectVirtualMemory  (-1, (0x97ee000), 4096, 260, ...
 03469  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ...
 03468   896   NtProtectVirtualMemory  ... (0x97ee000), 4096, 4, ) == 0x0
 03469  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 32, ) == 0x0
 03470   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03471  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ...
 03465   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03471  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 4, ) == 0x0
 03472   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03470   896   NtCreateThread  ... 752, {1252, 1808}, ) == 0x0
 03472   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03473   896   NtQueryInformationThread  (752, Basic, 28, ...
 03474   376   NtQuerySystemInformation  (Performance, 312, ...
 03473   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=1808,}, 0x0, ) == 0x0
 03474   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03475   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\20\7\0\0" ...  ...
 03476   376   NtQuerySystemInformation  (Exception, 16, ...
 03475   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81926, 0}  ... {28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\20\7\0\0" )  ) == 0x0
 03477  2016   NtFlushInstructionCache  (-1, 1968967680, 860, ...
 03476   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03477  2016   NtFlushInstructionCache  ... ) == 0x0
 03478   376   NtQuerySystemInformation  (Lookaside, 32, ...
 03479  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ...
 03478   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03479  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 32, ) == 0x0
 03480   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03481  2016   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ...
 03480   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03481  2016   NtProtectVirtualMemory  ... (0x755c1000), 4096, 4, ) == 0x0
 03482   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03483   896   NtResumeThread  (752, ...
 03484  2016   NtFlushInstructionCache  (-1, 1968967680, 860, ...
 03483   896   NtResumeThread  ... 1, ) == 0x0
 03484  2016   NtFlushInstructionCache  ... ) == 0x0
 03485   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03486  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... }, ...
 03485   896   NtAllocateVirtualMemory  ... 159318016, 2097152, ) == 0x0
 03486  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03487   896   NtAllocateVirtualMemory  (-1, 161406976, 0, 8192, 4096, 4, ...
 03488  2016   NtUserGetDC  (0, ...
 03487   896   NtAllocateVirtualMemory  ... 161406976, 8192, ) == 0x0
 03488  2016   NtUserGetDC  ... ) == 0x1010052
 03482   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03489  1808   NtWaitForSingleObject  (36, 0, 0x0, ...
 03490   896   NtProtectVirtualMemory  (-1, (0x99ee000), 4096, 260, ...
 03491   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03490   896   NtProtectVirtualMemory  ... (0x99ee000), 4096, 4, ) == 0x0
 03491   376   NtCreateKey  ... -2147482748, 2, ) == 0x0
 03492   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03493   376   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "p\4\17\7f\275\376\367/\340\274:\207%"\201b\0\211\277\205o\237\20q\247#\217o\240\341\232S\277\354C\240\213\236\263\4h\346:\346\314\0\24Z\332$\241\15vj\260\3208\337H\372\245\329b\352\260z\210\213\312\206\300\3027\247B\277o", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "p\4\17\7f\275\376\367/\340\274:\207%"\201b\0\211\277\205o\237\20q\247#\217o\240\341\232S\277\354C\240\213\236\263\4h\346:\346\314\0\24Z\332$\241\15vj\260\3208\337H\372\245\329b\352\260z\210\213\312\206\300\3027\247B\277o", 80, ... \201b\0\211\277\205o\237\20q\247#\217o\240\341\232S\277\354C\240\213\236\263\4h\346:\346\314\0\24Z\332$\241\15vj\260\3208\337H\372\245\329b\352\260z\210\213\312\206\300\3027\247B\277o", 80, ...
 03492   896   NtCreateThread  ... 756, {1252, 468}, ) == 0x0
 03493   376   NtSetValueKey  ... ) == 0x0
 03494   896   NtQueryInformationThread  (756, Basic, 28, ...
 03495   376   NtClose  (-2147482748, ...
 03494   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=468,}, 0x0, ) == 0x0
 03496  2016   NtUserSystemParametersInfo  (66, 12, 9825248, 0, ...
 03495   376   NtClose  ... ) == 0x0
 03496  2016   NtUserSystemParametersInfo  ... ) == 0x1
 03464   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "&\23\263\325\341P\312\27y\15\27g\206\307$\10\6\244\35.\3671\23\231\377\373N}\243\353\324\202.\364\364\204T\310\314\256\31\257\372\12\245\333\323\11\15\56\242\24{\217\336\177\351\326,/\13\5G\302\240\271\205\326n\246"\17K\237\261\266\26\341\213.\30\304\220$\371\207Io\340\245f\267SQ\327\242B\12'\36\263\326\215zO\3520\351\31\20\21\6\325\205\264\373#\217\243\311\357\364\325t\202\221\17\322\233%\22\331\226/\342\342\331\264C\373\307\307\346\306;c\31f\220\244f/\24\0\246nR\313z{\236=\374,\371\234\357\13\308\220'\304\30\4V\347)\22\256_@\362\202+\204+\341_=6\11Rc\372\325n\3565\316\27=\212K\274`{Q\14\14\316|K\177\261\337z@!"\2733'xb|\250\312\201p\271\202\330T)~", ) \17K\237\261\266\26\341\213.\30\304\220$\371\207Io\340\245f\267SQ\327\242B\12'\36\263\326\215zO\3520\351\31\20\21\6\325\205\264\373#\217\243\311\357\364\325t\202\221\17\322\233%\22\331\226/\342\342\331\264C\373\307\307\346\306;c\31f\220\244f/\24\0\246nR\313z{\236=\374,\371\234\357\13\308\220'\304\30\4V\347)\22\256_@\362\202+\204+\341_=6\11Rc\372\325n\3565\316\27=\212K\274`{Q\14\14\316|K\177\261\337z@!177\253\212\211\212\2526Fj#\246\262\27  ... {status=0x0, info=256}, "&\23\263\325\341P\312\27y\15\27g\206\307$\10\6\244\35.\3671\23\231\377\373N}\243\353\324\202.\364\364\204T\310\314\256\31\257\372\12\245\333\323\11\15\56\242\24{\217\336\177\351\326,/\13\5G\302\240\271\205\326n\246"\17K\237\261\266\26\341\213.\30\304\220$\371\207Io\340\245f\267SQ\327\242B\12'\36\263\326\215zO\3520\351\31\20\21\6\325\205\264\373#\217\243\311\357\364\325t\202\221\17\322\233%\22\331\226/\342\342\331\264C\373\307\307\346\306;c\31f\220\244f/\24\0\246nR\313z{\236=\374,\371\234\357\13\308\220'\304\30\4V\347)\22\256_@\362\202+\204+\341_=6\11Rc\372\325n\3565\316\27=\212K\274`{Q\14\14\316|K\177\261\337z@!"\2733'xb|\250\312\201p\271\202\330T)~", ) , ) == 0x0
 03497  2016   NtUserCallOneParam  (16842834, 57, ...
 03498   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243\7\221\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\202\20\240\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03497  2016   NtUserCallOneParam  ... ) == 0x1
 03499   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03500  2016   NtGdiCreateCompatibleDC  (0, ...
 03499   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03500  2016   NtGdiCreateCompatibleDC  ... ) == 0x700104dc
 03501   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03502   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\324\1\0\0" ...  ...
 03503  2016   NtGdiCreateCompatibleDC  (0, ...
 03502   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81927, 0}  ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\324\1\0\0" )  ) == 0x0
 03503  2016   NtGdiCreateCompatibleDC  ... ) == 0x140106c8
 03504   896   NtResumeThread  (756, ...
 03505  2016   NtGdiCreateCompatibleDC  (0, ...
 03504   896   NtResumeThread  ... 1, ) == 0x0
 03505  2016   NtGdiCreateCompatibleDC  ... ) == 0x28010554
 03506   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03507  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 9822580, ... }, 9822580, ...
 03501   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03508   468   NtWaitForSingleObject  (36, 0, 0x0, ...
 03507  2016   NtQueryAttributesFile  ... ) == 0x0
 03509   376   NtQuerySystemInformation  (Performance, 312, ...
 03506   896   NtAllocateVirtualMemory  ... 161415168, 2097152, ) == 0x0
 03509   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03510   896   NtAllocateVirtualMemory  (-1, 163504128, 0, 8192, 4096, 4, ...
 03511   376   NtQuerySystemInformation  (Exception, 16, ...
 03510   896   NtAllocateVirtualMemory  ... 163504128, 8192, ) == 0x0
 03511   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03512   896   NtProtectVirtualMemory  (-1, (0x9bee000), 4096, 260, ...
 03513   376   NtQuerySystemInformation  (Lookaside, 32, ...
 03512   896   NtProtectVirtualMemory  ... (0x9bee000), 4096, 4, ) == 0x0
 03514  2016   NtUserFindExistingCursorIcon  (9824520, 9824536, 9824584, ...
 03515   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03514  2016   NtUserFindExistingCursorIcon  ... ) == 0x10003
 03513   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03516  2016   NtUserFindExistingCursorIcon  (9824520, 9824536, 9824584, ...
 03517   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03516  2016   NtUserFindExistingCursorIcon  ... ) == 0x10011
 03517   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03518  2016   NtGdiGetStockObject  (5, ...
 03519   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03518  2016   NtGdiGetStockObject  ... ) == 0x1900015
 03519   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03515   896   NtCreateThread  ... 760, {1252, 752}, ) == 0x0
 03520   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03521   896   NtQueryInformationThread  (760, Basic, 28, ...
 03522  2016   NtUserGetClassInfo  (1968963584, 9824652, 9825216, 9824648, 0, ...
 03521   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=752,}, 0x0, ) == 0x0
 03522  2016   NtUserGetClassInfo  ... ) == 0x0
 03523   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\360\2\0\0" ...  ...
 03524  2016   NtUserRegisterClassExWOW  (9824536, 9824604, 9824620, 9824636, 0, 384, 0, ...
 03523   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81928, 0}  ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\360\2\0\0" )  ) == 0x0
 03524  2016   NtUserRegisterClassExWOW  ... ) == 0x8169c079
 03520   376   NtCreateKey  ... -2147482748, 2, ) == 0x0
 03525  2016   NtUserFindExistingCursorIcon  (9824520, 9824536, 9824584, ...
 03526   376   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "\327\371`\6rp\202\6\233\273Sz\372\231\373\363#\227\340\352p\16\312\277\316\2620\254R\317iD\323\17Qh\250i@\301\302\375\332\234\271\240\223\355H\2376\346\370h\12QyG\235gs\14\357\246ju\210N-\301\23\322\256\335\234t)J\353\366", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "\327\371`\6rp\202\6\233\273Sz\372\231\373\363#\227\340\352p\16\312\277\316\2620\254R\317iD\323\17Qh\250i@\301\302\375\332\234\271\240\223\355H\2376\346\370h\12QyG\235gs\14\357\246ju\210N-\301\23\322\256\335\234t)J\353\366", 80, ... , 80, ...
 03525  2016   NtUserFindExistingCursorIcon  ... ) == 0x10013
 03526   376   NtSetValueKey  ... ) == 0x0
 03527   896   NtResumeThread  (760, ...
 03528   376   NtClose  (-2147482748, ...
 03527   896   NtResumeThread  ... 1, ) == 0x0
 03528   376   NtClose  ... ) == 0x0
 03529   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03498   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\355\275\337\22T\343\225\333e\350-hw\313\30\351\227..\362\202\20\350E\242\17/@+\5\233x.\303\342\357P\226na\200\3035\347\305\214\233P\346\371\317\317\251\312E\247*\32\13IDw\323T\13\364Y#\242\326\20\10?\24\16}\25\214}u\305\1\312\371\26\250\375\25\222R\203\14'\207aZ\213\224\320]\206\246\211{\310\202>\220\341\320'qc\377\207\360\237\20H\354\352t!\220\2773\24u\215\267\260\207K\177\320~\302\11\342\345\5\346\24\245\336F\362\31IW\16\371I\266\221\264\247E\313\204\344h\307jz\212I\271\234G\323\343ay\2P\34;Z'\225=y\22M\270\243\330]\1\256g\326\302\256\277\373\340\25_b\3\252\275#?p\26\321\17M\226\32\337YI}\2179p\232\235p\2532\245+\300H\31H\17Q\265P\365\37\241-GMgQ\317q\272\260\206\220"X\366\25\2\2025", ) X\366\25\2\2025", ) == 0x0
 03529   896   NtAllocateVirtualMemory  ... 163512320, 2097152, ) == 0x0
 03530  2016   NtUserGetClassInfo  (1968963584, 9824652, 9825216, 9824648, 0, ...
 03531   752   NtWaitForSingleObject  (36, 0, 0x0, ...
 03532   896   NtAllocateVirtualMemory  (-1, 165601280, 0, 8192, 4096, 4, ...
 03530  2016   NtUserGetClassInfo  ... ) == 0x0
 03532   896   NtAllocateVirtualMemory  ... 165601280, 8192, ) == 0x0
 03533  2016   NtUserRegisterClassExWOW  (9824536, 9824604, 9824620, 9824636, 0, 384, 0, ...
 03534   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243\7\221\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\202\20\240\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03533  2016   NtUserRegisterClassExWOW  ... ) == 0x8169c07a
 03535   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03536  2016   NtUserRegisterWindowMessage  ( ("MSIMEService", ... , ...
 03535   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03536  2016   NtUserRegisterWindowMessage  ... ) == 0xc07b
 03537   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03538   896   NtProtectVirtualMemory  (-1, (0x9dee000), 4096, 260, ...
 03537   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03538   896   NtProtectVirtualMemory  ... (0x9dee000), 4096, 4, ) == 0x0
 03539   376   NtQuerySystemInformation  (Performance, 312, ...
 03540   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03541  2016   NtUserRegisterWindowMessage  ( ("MSIMEUIReady", ... , ...
 03540   896   NtCreateThread  ... 764, {1252, 1512}, ) == 0x0
 03541  2016   NtUserRegisterWindowMessage  ... ) == 0xc07c
 03542   896   NtQueryInformationThread  (764, Basic, 28, ...
 03543  2016   NtUserRegisterWindowMessage  ( ("MSIMEReconvertRequest", ... , ...
 03542   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=1512,}, 0x0, ) == 0x0
 03543  2016   NtUserRegisterWindowMessage  ... ) == 0xc07d
 03539   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03544  2016   NtUserRegisterWindowMessage  ( ("MSIMEReconvert", ... , ...
 03545   376   NtQuerySystemInformation  (Exception, 16, ...
 03544  2016   NtUserRegisterWindowMessage  ... ) == 0xc07e
 03545   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03546   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\350\5\0\0" ...  ...
 03547   376   NtQuerySystemInformation  (Lookaside, 32, ...
 03546   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81929, 0}  ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\350\5\0\0" )  ) == 0x0
 03547   376   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03548   896   NtResumeThread  (764, ...
 03549   376   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03548   896   NtResumeThread  ... 1, ) == 0x0
 03550  2016   NtUserRegisterWindowMessage  ( ("MSIMEDocumentFeed", ... , ...
 03551   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03550  2016   NtUserRegisterWindowMessage  ... ) == 0xc07f
 03549   376   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03552  1512   NtWaitForSingleObject  (36, 0, 0x0, ...
 03553  2016   NtUserRegisterWindowMessage  ( ("MSIMEQueryPosition", ... , ...
 03554   376   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03553  2016   NtUserRegisterWindowMessage  ... ) == 0xc080
 03554   376   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03555  2016   NtUserRegisterWindowMessage  ( ("MSIMEModeBias", ... , ...
 03556   376   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03555  2016   NtUserRegisterWindowMessage  ... ) == 0xc081
 03556   376   NtCreateKey  ... -2147482748, 2, ) == 0x0
 03551   896   NtAllocateVirtualMemory  ... 165609472, 2097152, ) == 0x0
 03557   376   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "\245F\362\277\352D=P>\155\2035\233\4\371:\234\352\313\243dL\11\204\2626\376_qm\31ilg\335\33}\236*\37z\363\272\337\25\16Dh/4\326\272w\277^\201\304\221\222\231\311\3132r2\351\236vK\332jI\320'\2326(c\231", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "\245F\362\277\352D=P>\155\2035\233\4\371:\234\352\313\243dL\11\204\2626\376_qm\31ilg\335\33}\236*\37z\363\272\337\25\16Dh/4\326\272w\277^\201\304\221\222\231\311\3132r2\351\236vK\332jI\320'\2326(c\231", 80, ... , 80, ...
 03558   896   NtAllocateVirtualMemory  (-1, 167698432, 0, 8192, 4096, 4, ...
 03559  2016   NtUserRegisterWindowMessage  ( ("MSIMEShowImePad", ... , ...
 03558   896   NtAllocateVirtualMemory  ... 167698432, 8192, ) == 0x0
 03559  2016   NtUserRegisterWindowMessage  ... ) == 0xc082
 03560   896   NtProtectVirtualMemory  (-1, (0x9fee000), 4096, 260, ...
 03561  2016   NtUserRegisterWindowMessage  ( ("MSIMEMouseOperation", ... , ...
 03560   896   NtProtectVirtualMemory  ... (0x9fee000), 4096, 4, ) == 0x0
 03561  2016   NtUserRegisterWindowMessage  ... ) == 0xc083
 03562   896   NtCreateThread  (0x1f03ff, 0x0, -1, 2292532, 2292476, 1, ...
 03563  2016   NtUserRegisterWindowMessage  ( ("MSIMEKeyMap", ... , ...
 03557   376   NtSetValueKey  ... ) == 0x0
 03563  2016   NtUserRegisterWindowMessage  ... ) == 0xc084
 03564   376   NtClose  (-2147482748, ...
 03562   896   NtCreateThread  ... 768, {1252, 1380}, ) == 0x0
 03564   376   NtClose  ... ) == 0x0
 03565   896   NtQueryInformationThread  (768, Basic, 28, ...
 03534   376   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\23\213R\21|\10\3572m<9u3=\324\374\305\6&X\33\13f\205\357\267\347h\240\367B&\201\322\320~0\2\335@\7Z\320\6I8\307@\205\317\257+:.\37\264%tm\366 \253\16TI\335\4`z\36\273*\346S\245\375\3658\245\2668\347\261%\276BI\245L\266\31:J\357@\345\237\353\302R\206\332\350\353S\14\333\235\5\276\364m\27\224Qu\312\275\373T\214\346|H4I\312\351I\246;\271\347j\240\250\317\372u\20\16\307R2>\257\15\306\206\37\241\204\317\32\234\244\12\13w\260\217\357v)/\3569]\276Q\251\177\1\272sA\273zk\342\\26\224Q\27\376M2V\257\233{x\210\335\252c\343\361\212\31b\346\224D\374\267\3109\323\32\360;\17d\206\204\244\336W\374\261\222\214{\330\363m\302\251\374\24Y\352(\253\272\203^\232\322\233\325\301\267;z\252\4\234\36)\204Q\317\217", ) , ) == 0x0
 03565   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=1380,}, 0x0, ) == 0x0
 03566   376   NtDeviceIoControlFile  (56, 0, 0x0, 0x0, 0x390008,  (56, 0, 0x0, 0x0, 0x390008, "B].\220\36%\215\366\372\217\314\362\323\243\7\221\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\2026[\226D\302\20\202\20\240\336(\303,\353[_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03567   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0d\5\0\0" ...  ...
 03568   376   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03567   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81930, 0}  ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0d\5\0\0" )  ) == 0x0
 03569  2016   NtSetEventBoostPriority  (36, ...
 03568   376   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03324   644   NtWaitForSingleObject  ... ) == 0x0
 03569  2016   NtSetEventBoostPriority  ... ) == 0x0
 03570   644   NtSetEventBoostPriority  (36, ...
 03571   376   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03360  1736   NtWaitForSingleObject  ... ) == 0x0
 03570   644   NtSetEventBoostPriority  ... ) == 0x0
 03572  2016   NtWaitForSingleObject  (36, 0, 0x0, ...
 03573  1736   NtSetEventBoostPriority  (36, ...
 03571   376   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03574   896   NtResumeThread  (768, ...
 03391   596   NtWaitForSingleObject  ... ) == 0x0
 03573  1736   NtSetEventBoostPriority  ... ) == 0x0
 03575   376   NtQuerySystemInformation  (Performance, 312, ...
 03576   596   NtSetEventBoostPriority  (36, ...
 03574   896   NtResumeThread  ... 1, ) == 0x0
 03577   644   NtTestAlert  (...
 03404   320   NtWaitForSingleObject  ... ) == 0x0
 03576   596   NtSetEventBoostPriority  ... ) == 0x0
 03575   376   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03578   896   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ...
 03579   320   NtSetEventBoostPriority  (36, ...
 03577   644   NtTestAlert  ... ) == 0x0
 03580   596   NtWaitForSingleObject  (36, 0, 0x0, ...
 03581   376   NtQuerySystemInformation  (Exception, 16, ...
 03416   380   NtWaitForSingleObject  ... ) == 0x0
 03579   320   NtSetEventBoostPriority  ... ) == 0x0
 03578   896   NtAllocateVirtualMemory  ... 167706624, 2097152, ) == 0x0
 03582   644   NtContinue  (146734384, 1, ...
 03583  1736   NtTestAlert  (...
 03584  1380   NtWaitForSingleObject  (36, 0, 0x0, ...
 03585   380   NtSetEventBoostPriority  (36, ...
 03581   376   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03586   896   NtAllocateVirtualMemory  (-1, 169795584, 0, 8192, 4096, 4, ...
 03587   644   NtRegisterThreadTerminatePort  (24, ...
 03583  1736   NtTestAlert  ... ) == 0x0
 03440  1332   NtWaitForSingleObject  ... ) == 0x0
 03585   380   NtSetEventBoostPriority  ... ) == 0x0
 03588   376   NtQuerySystemInformation  (Lookaside, 32, ...
 03586   896   NtAllocateVirtualMemory  ... 169795584, 8192, ) == 0x0
 03587   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 03589  1332   NtSetEventBoostPriority  (36, ...
NtAddAtom(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultLocale(>)	8	NtOpenSection(>)	40
NtEnumerateValueKey(>)	1	NtNotifyChangeKey(>)	2	NtReleaseMutant(>)	8	NtOpenFile(>)	48
NtGdiCreateBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtGdiCreateCompatibleDC(>)	9	NtUserFindExistingCursorIcon(>)	57
NtGdiInit(>)	1	NtQuerySystemTime(>)	2	NtQueryDebugFilterState(>)	9	NtContinue(>)	65
NtGdiQueryFontAssocInfo(>)	1	NtUserGetObjectInformation(>)	2	NtSetInformationProcess(>)	9	NtUserRegisterClassExWOW(>)	67
NtGdiSelectBitmap(>)	1	NtUserGetThreadDesktop(>)	2	NtQueryDefaultUILanguage(>)	10	NtQueryAttributesFile(>)	74
NtOpenKeyedEvent(>)	1	NtUserMessageCall(>)	2	NtQueryVirtualMemory(>)	11	NtMapViewOfSection(>)	78
NtOpenProcess(>)	1	NtUserSetWindowFNID(>)	2	NtQueryInformationFile(>)	13	NtCreateSection(>)	97
NtOpenSymbolicLinkObject(>)	1	NtUserSetWindowLong(>)	2	NtCreateKey(>)	14	NtCreateThread(>)	102
NtQueryEvent(>)	1	NtAccessCheck(>)	3	NtCreateMutant(>)	14	NtResumeThread(>)	105
NtQueryInstallUILanguage(>)	1	NtCreateSemaphore(>)	3	NtOpenProcessTokenEx(>)	14	NtQueryInformationThread(>)	112
NtQueryObject(>)	1	NtFreeVirtualMemory(>)	3	NtQueryDirectoryFile(>)	14	NtRegisterThreadTerminatePort(>)	124
NtQuerySymbolicLinkObject(>)	1	NtOpenEvent(>)	3	NtUserSystemParametersInfo(>)	14	NtQuerySystemInformation(>)	125
NtReadFile(>)	1	NtQueryPerformanceCounter(>)	3	NtDeviceIoControlFile(>)	15	NtTestAlert(>)	125
NtSecureConnectPort(>)	1	NtSetInformationObject(>)	3	NtOpenThreadTokenEx(>)	15	NtDuplicateObject(>)	126
NtSetEvent(>)	1	NtSetInformationThread(>)	3	NtSetValueKey(>)	15	NtFlushInstructionCache(>)	130
NtUserCreateWindowEx(>)	1	NtUserGetDC(>)	3	NtCreateFile(>)	17	NtRequestWaitReplyPort(>)	131
NtUserGetGUIThreadInfo(>)	1	NtOpenThreadToken(>)	4	NtUserGetWindowDC(>)	17	NtOpenKey(>)	162
NtUserGetProcessWindowStation(>)	1	NtUserGetClassInfo(>)	4	NtQueryInformationProcess(>)	19	NtOpenMutant(>)	190
NtUserGetThreadState(>)	1	NtOpenProcessToken(>)	6	NtQueryInformationToken(>)	20	NtQueryValueKey(>)	242
NtCallbackReturn(>)	2	NtWriteFile(>)	6	NtUserCallOneParam(>)	20	NtAllocateVirtualMemory(>)	295
NtConnectPort(>)	2	NtGdiGetStockObject(>)	7	NtQuerySection(>)	22	NtClose(>)	360
NtFsControlFile(>)	2	NtQueryVolumeInformationFile(>)	7	NtUnmapViewOfSection(>)	26	NtProtectVirtualMemory(>)	366
NtGdiCreatePatternBrushInternal(>)	2	NtSetInformationFile(>)	7	NtCreateEvent(>)	36	NtSetEventBoostPriority(>)	529
NtGdiCreateSolidBrush(>)	2	NtUserCallNoParam(>)	7	NtUserRegisterWindowMessage(>)	36	NtWaitForSingleObject(>)	725