Summary:





NtGdiCreateBitmap(>)  1 
NtOpenProcessToken(>)  2 
NtFsControlFile(>)  7 
NtQueryAttributesFile(>)  40 


NtGdiInit(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtQueryInformationFile(>)  7 
NtFlushInstructionCache(>)  57 


NtGdiQueryFontAssocInfo(>)  1 
NtQueryPerformanceCounter(>)  2 
NtConnectPort(>)  8 
NtContinue(>)  96 


NtGdiSelectBitmap(>)  1 
NtQuerySystemTime(>)  2 
NtQueryInformationProcess(>)  9 
NtQuerySystemInformation(>)  122 


NtOpenKeyedEvent(>)  1 
NtReadFile(>)  2 
NtQueryVirtualMemory(>)  9 
NtOpenKey(>)  134 


NtOpenSymbolicLinkObject(>)  1 
NtSetInformationObject(>)  2 
NtSetInformationFile(>)  9 
NtResumeThread(>)  134 


NtQueryInstallUILanguage(>)  1 
NtFreeVirtualMemory(>)  3 
NtSetInformationThread(>)  9 
NtQueryInformationThread(>)  140 


NtQueryObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUnmapViewOfSection(>)  9 
NtCreateThread(>)  141 


NtQuerySymbolicLinkObject(>)  1 
NtOpenProcessTokenEx(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtCreateEvent(>)  145 


NtRaiseException(>)  1 
NtOpenThreadTokenEx(>)  3 
NtOpenThreadToken(>)  10 
NtRequestWaitReplyPort(>)  174 


NtSetInformationProcess(>)  1 
NtQueryDefaultLocale(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtTestAlert(>)  185 


NtUserCallNoParam(>)  1 
NtQueryVolumeInformationFile(>)  3 
NtQuerySection(>)  15 
NtRegisterThreadTerminatePort(>)  186 


NtUserGetObjectInformation(>)  1 
NtSecureConnectPort(>)  3 
NtSetValueKey(>)  16 
NtDuplicateObject(>)  220 


NtUserGetProcessWindowStation(>)  1 
NtWriteFile(>)  3 
NtCreateKey(>)  18 
NtClose(>)  222 


NtUserGetThreadDesktop(>)  1 
NtCreateIoCompletion(>)  4 
NtOpenSection(>)  22 
NtProtectVirtualMemory(>)  244 


NtCallbackReturn(>)  2 
NtGdiGetStockObject(>)  5 
NtCreateSection(>)  23 
NtQueryValueKey(>)  256 


NtGdiCreateSolidBrush(>)  2 
NtCreateMutant(>)  6 
NtOpenFile(>)  25 
NtAllocateVirtualMemory(>)  401 


NtNotifyChangeKey(>)  2 
NtQueryInformationToken(>)  6 
NtMapViewOfSection(>)  34 
NtSetEventBoostPriority(>)  731 


NtOpenDirectoryObject(>)  2 
NtCreateFile(>)  7 
NtDeviceIoControlFile(>)  36 
NtWaitForSingleObject(>)  996 





Trace:

 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 4231168, 65552, ... ) == 0x0
 00064  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068  1736   NtClose  (16, ... ) == 0x0
 00069  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071  1736   NtClose  (16, ... ) == 0x0
 00072  1736   NtTestAlert  (... ) == 0x0
 00073  1736   NtContinue  (1244464, 1, ...
 00074  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00075  1736   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00076  1736   NtContinue  (1244400, 0, ...
 00077  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00078  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00079  1736   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080  1736   NtClose  (16, ... ) == 0x0
 00081  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00082  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00083  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00084  1736   NtClose  (16, ... ) == 0x0
 00085  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00086  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00087  1736   NtClose  (16, ... ) == 0x0
 00088  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00089  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00090  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00091  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00092  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00093  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00094  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00095  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00096  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00097  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00098  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00099  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00100  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00101  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00102  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00103  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00104  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00105  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00106  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00109  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00110  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00111  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00112  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00113  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00114  1736   NtClose  (16, ... ) == 0x0
 00115  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00116  1736   NtClose  (28, ... ) == 0x0
 00117  1736   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00118  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00119  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00120  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00121  1736   NtClose  (28, ... ) == 0x0
 00122  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00123  1736   NtClose  (16, ... ) == 0x0
 00124  1736   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00125  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00126  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00127  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00128  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00129  1736   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00130  1736   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00131  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00132  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00133  1736   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00134  1736   NtClose  (36, ... ) == 0x0
 00135  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00136  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00137  1736   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00138  1736   NtClose  (36, ... ) == 0x0
 00139  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140  1736   NtClose  (32, ... ) == 0x0
 00141  1736   NtClose  (16, ... ) == 0x0
 00142  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00143  1736   NtClose  (28, ... ) == 0x0
 00144  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00145  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00146  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00147  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00148  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00149  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00150  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00151  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00152  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00153  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00154  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00155  1736   NtClose  (28, ... ) == 0x0
 00156  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00157  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00158  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00159  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00160  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00161  1736   NtClose  (28, ... ) == 0x0
 00162  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00163  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00164  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00165  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00166  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00167  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00168  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00169  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00170  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00171  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00172  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00173  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00174  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00175  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00177  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00178  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00179  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00180  1736   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00181  1736   NtClose  (28, ... ) == 0x0
 00182  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00183  1736   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00184  1736   NtClose  (28, ... ) == 0x0
 00185  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00186  1736   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00187  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00191  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00192  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00194  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00195  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00196  1736   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197  1736   NtClose  (16, ... ) == 0x0
 00198  1736   NtMapViewOfSection  (-2147481380, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00199  1736   NtClose  (-2147481380, ... ) == 0x0
 00200  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00201  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00202  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147481380, ) == 0x0
 00203  1736   NtQueryInformationToken  (-2147481380, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00204  1736   NtQueryInformationToken  (-2147481380, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00205  1736   NtClose  (-2147481380, ... ) == 0x0
 00206  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0
 00207  1736   NtFreeVirtualMemory  (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0
 00208  1736   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00209  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481380, ) }, ... -2147481380, ) == 0x0
 00210  1736   NtQueryValueKey  (-2147481380,  (-2147481380, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211  1736   NtClose  (-2147481380, ... ) == 0x0
 00212  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481380, ) }, ... -2147481380, ) == 0x0
 00213  1736   NtQueryValueKey  (-2147481380,  (-2147481380, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214  1736   NtClose  (-2147481380, ... ) == 0x0
 00215  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00216  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00217  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00218  1736   NtGdiCreateCompatibleDC  (0, ...
 00219  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0
 00218  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00220  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00221  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00222  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00223  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00224  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0
 00223  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00225  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00226  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00227  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00228  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00229  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00230  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00231  1736   NtClose  (44, ... ) == 0x0
 00232  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00233  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017
 00234  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00235  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c
 00236  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00237  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e
 00238  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00239  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002
 00240  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00241  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018
 00242  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00243  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a
 00244  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00245  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d
 00246  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00247  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026
 00248  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00249  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019
 00250  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020
 00251  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022
 00252  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023
 00253  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024
 00254  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025
 00255  1736   NtCallbackReturn  (0, 0, 0, ...
 00256  1736   NtGdiInit  (... ) == 0x1
 00257  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00258  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00259  1736   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0
 00260  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00263  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00264  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00265  1736   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00266  1736   NtClose  (44, ... ) == 0x0
 00267  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00268  1736   NtClose  (48, ... ) == 0x0
 00269  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00270  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00271  1736   NtClose  (48, ... ) == 0x0
 00272  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00273  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00274  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00275  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00276  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00277  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00278  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00281  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00282  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00283  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00284  1736   NtClose  (48, ... ) == 0x0
 00285  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00286  1736   NtClose  (44, ... ) == 0x0
 00287  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00288  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00289  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00290  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00291  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00292  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00293  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00295  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00296  1736   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00297  1736   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00298  1736   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00299  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00300  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00301  1736   NtClose  (44, ... ) == 0x0
 00302  1736   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 00303  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00304  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00305  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00306  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00307  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00310  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00311  1736   NtFreeVirtualMemory  (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0
 00312  1736   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00313  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00314  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00315  1736   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00316  1736   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00317  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0
 00318  1736   NtAllocateVirtualMemory  (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0
 00319  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00320  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00321  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00322  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00323  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00324  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00325  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00326  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00327  1736   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00328  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00329  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330  1736   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00331  1736   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00332  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00333  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00334  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00335  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00336  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00337  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00338  1736   NtClose  (68, ... ) == 0x0
 00339  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00340  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00341  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00342  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00343  1736   NtClose  (68, ... ) == 0x0
 00344  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00345  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00346  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00347  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00348  1736   NtClose  (68, ... ) == 0x0
 00349  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00350  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00351  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00352  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00353  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00354  1736   NtClose  (68, ... ) == 0x0
 00355  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00356  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00357  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00358  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00359  1736   NtClose  (68, ... ) == 0x0
 00360  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00361  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00362  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00363  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00364  1736   NtClose  (68, ... ) == 0x0
 00365  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00366  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00367  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00368  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00369  1736   NtClose  (68, ... ) == 0x0
 00370  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00371  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00372  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00373  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00374  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00375  1736   NtClose  (68, ... ) == 0x0
 00376  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00377  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00378  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00379  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00380  1736   NtClose  (68, ... ) == 0x0
 00381  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00382  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00383  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00384  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00385  1736   NtClose  (68, ... ) == 0x0
 00386  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00387  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00388  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00389  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00390  1736   NtClose  (68, ... ) == 0x0
 00391  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00392  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00393  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00394  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00395  1736   NtClose  (68, ... ) == 0x0
 00396  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00397  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00398  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00399  1736   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00400  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00401  1736   NtClose  (68, ... ) == 0x0
 00402  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00403  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00404  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00405  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00406  1736   NtClose  (68, ... ) == 0x0
 00407  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00408  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00409  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00410  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00411  1736   NtClose  (68, ... ) == 0x0
 00412  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00413  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00414  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00415  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00416  1736   NtClose  (68, ... ) == 0x0
 00417  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00418  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00419  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00420  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00421  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00422  1736   NtClose  (68, ... ) == 0x0
 00423  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00424  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00425  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00426  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00427  1736   NtClose  (68, ... ) == 0x0
 00428  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00429  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00430  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00431  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00432  1736   NtClose  (68, ... ) == 0x0
 00433  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00434  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00435  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00436  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00437  1736   NtClose  (68, ... ) == 0x0
 00438  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00439  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00440  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00441  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00442  1736   NtClose  (68, ... ) == 0x0
 00443  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00444  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00445  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00446  1736   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00447  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00448  1736   NtClose  (68, ... ) == 0x0
 00449  1736   NtClose  (64, ... ) == 0x0
 00450  1736   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00451  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00452  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00453  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00454  1736   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00455  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00456  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00457  1736   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00458  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00459  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00460  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00461  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00462  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00463  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00464  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00465  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00466  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00467  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00468  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00469  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00470  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00471  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00472  1736   NtClose  (76, ... ) == 0x0
 00473  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00474  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00475  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00476  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00477  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00478  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00479  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00480  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00481  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00482  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00483  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00484  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00485  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00486  1736   NtClose  (76, ... ) == 0x0
 00487  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00488  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00489  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00490  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00491  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00492  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00493  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00494  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00495  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00497  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00498  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00499  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00500  1736   NtClose  (76, ... ) == 0x0
 00501  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00502  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00503  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00504  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00505  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00506  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00507  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00508  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00509  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00510  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00511  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00512  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00513  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00514  1736   NtClose  (76, ... ) == 0x0
 00515  1736   NtClose  (72, ... ) == 0x0
 00516  1736   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00517  1736   NtClose  (52, ... ) == 0x0
 00518  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00519  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00520  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00521  1736   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00522  1736   NtClose  (52, ... ) == 0x0
 00523  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00524  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00525  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00526  1736   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00527  1736   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00528  1736   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00529  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00530  1736   NtQueryInformationFile  (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00531  1736   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00532  1736   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00533  1736   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00534  1736   NtClose  (-2147481380, ... ) == 0x0
 00533  1736   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00535  1736   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00536  1736   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00537  1736   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00538  1736   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00539  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00540  1736   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 16384, ) == 0x0
 00541  1736   NtClose  (80, ... ) == 0x0
 00542  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\3\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) == 0x0
 00543  1736   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 00544  1736   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00545  1736   NtClose  (72, ... ) == 0x0
 00546  1736   NtClose  (76, ... ) == 0x0
 00547  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00548  1736   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00549  1736   NtSetInformationFile  (-2147482448, -139348176, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00550  1736   NtSetInformationFile  (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00551  1736   NtSetInformationFile  (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00548  1736   NtSetValueKey  ... ) == 0x0
 00552  1736   NtClose  (76, ... ) == 0x0
 00553  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00554  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0
 00555  1736   NtAllocateVirtualMemory  (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0
 00556  1736   NtProtectVirtualMemory  (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0
 00557  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 1356}, ) == 0x0
 00558  1736   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 00559  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 00560  1736   NtResumeThread  (72, ... 1, ) == 0x0
 00561  1356   NtTestAlert  (... ) == 0x0
 00562  1356   NtContinue  (11009328, 1, ...
 00563  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00564  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00565  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00566  1356   NtAllocateVirtualMemory  (-1, 10997760, 0, 4096, 4096, 260, ...
 00567  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0
 00568  1736   NtAllocateVirtualMemory  (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0
 00569  1736   NtProtectVirtualMemory  (-1, (0xb7e000), 4096, 260, ... (0xb7e000), 4096, 4, ) == 0x0
 00570  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 868}, ) == 0x0
 00571  1736   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 00572  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ...  ...
 00566  1356   NtAllocateVirtualMemory  ... 10997760, 4096, ) == 0x0
 00573  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... ) }, 11006452, ... ) == 0x0
 00574  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00575  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 88, ...
 00572  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75491, 0}  ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 00576  1736   NtResumeThread  (84, ... 1, ) == 0x0
 00577  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12058624, 1048576, ) == 0x0
 00578  1736   NtAllocateVirtualMemory  (-1, 13099008, 0, 8192, 4096, 4, ... 13099008, 8192, ) == 0x0
 00579  1736   NtProtectVirtualMemory  (-1, (0xc7e000), 4096, 260, ... (0xc7e000), 4096, 4, ) == 0x0
 00580  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 808}, ) == 0x0
 00581  1736   NtQueryInformationThread  (92, Basic, 28, ...
 00575  1356   NtCreateSection  ... 96, ) == 0x0
 00582   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00583  1356   NtClose  (88, ...
 00582   868   NtCreateEvent  ... 100, ) == 0x0
 00583  1356   NtClose  ... ) == 0x0
 00584   868   NtWaitForSingleObject  (100, 0, 0x0, ...
 00585  1356   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 245760, ) == 0x0
 00586  1356   NtClose  (96, ... ) == 0x0
 00581  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 00587  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ...  ...
 00588  1356   NtUnmapViewOfSection  (-1, 0xc80000, ... ) == 0x0
 00589  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... }, 11006760, ...
 00587  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 00590  1736   NtResumeThread  (92, ... 1, ) == 0x0
 00591  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13107200, 1048576, ) == 0x0
 00592  1736   NtAllocateVirtualMemory  (-1, 14147584, 0, 8192, 4096, 4, ... 14147584, 8192, ) == 0x0
 00593  1736   NtProtectVirtualMemory  (-1, (0xd7e000), 4096, 260, ... (0xd7e000), 4096, 4, ) == 0x0
 00594  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 2020}, ) == 0x0
 00595  1736   NtQueryInformationThread  (96, Basic, 28, ...
 00589  1356   NtQueryAttributesFile  ... ) == 0x0
 00596   808   NtWaitForSingleObject  (100, 0, 0x0, ...
 00597  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00598  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 104, ) == 0x0
 00599  1356   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00600  1356   NtClose  (88, ... ) == 0x0
 00601  1356   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00602  1356   NtClose  (104, ...
 00595  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 00603  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 00604  1736   NtResumeThread  (96, ... 1, ) == 0x0
 00605  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14155776, 1048576, ) == 0x0
 00606  1736   NtAllocateVirtualMemory  (-1, 15196160, 0, 8192, 4096, 4, ... 15196160, 8192, ) == 0x0
 00607  1736   NtProtectVirtualMemory  (-1, (0xe7e000), 4096, 260, ... (0xe7e000), 4096, 4, ) == 0x0
 00602  1356   NtClose  ... ) == 0x0
 00608  2020   NtWaitForSingleObject  (100, 0, 0x0, ...
 00609  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00610  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00611  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00612  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00613  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00614  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1636, 896}, ) == 0x0
 00615  1736   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 00616  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 00617  1736   NtResumeThread  (104, ... 1, ) == 0x0
 00618  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15204352, 1048576, ) == 0x0
 00619  1736   NtAllocateVirtualMemory  (-1, 16244736, 0, 8192, 4096, 4, ...
 00613  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00620   896   NtWaitForSingleObject  (100, 0, 0x0, ...
 00621  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00622  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00623  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00624  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00619  1736   NtAllocateVirtualMemory  ... 16244736, 8192, ) == 0x0
 00625  1736   NtProtectVirtualMemory  (-1, (0xf7e000), 4096, 260, ... (0xf7e000), 4096, 4, ) == 0x0
 00626  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 88, {1636, 1252}, ) == 0x0
 00627  1736   NtQueryInformationThread  (88, Basic, 28, ...
 00628  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ...
 00627  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 00629  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0d\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 00630  1736   NtResumeThread  (88, ... 1, ) == 0x0
 00631  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16252928, 1048576, ) == 0x0
 00632  1736   NtAllocateVirtualMemory  (-1, 17293312, 0, 8192, 4096, 4, ... 17293312, 8192, ) == 0x0
 00633  1736   NtProtectVirtualMemory  (-1, (0x107e000), 4096, 260, ... (0x107e000), 4096, 4, ) == 0x0
 00628  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634  1252   NtWaitForSingleObject  (100, 0, 0x0, ...
 00635  1356   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00636  1356   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00637  1356   NtSetEventBoostPriority  (100, ...
 00584   868   NtWaitForSingleObject  ... ) == 0x0
 00638   868   NtSetEventBoostPriority  (100, ...
 00596   808   NtWaitForSingleObject  ... ) == 0x0
 00639   808   NtSetEventBoostPriority  (100, ...
 00608  2020   NtWaitForSingleObject  ... ) == 0x0
 00640  2020   NtSetEventBoostPriority  (100, ...
 00620   896   NtWaitForSingleObject  ... ) == 0x0
 00641   896   NtSetEventBoostPriority  (100, ...
 00634  1252   NtWaitForSingleObject  ... ) == 0x0
 00642  1252   NtTestAlert  (... ) == 0x0
 00641   896   NtSetEventBoostPriority  ... ) == 0x0
 00640  2020   NtSetEventBoostPriority  ... ) == 0x0
 00639   808   NtSetEventBoostPriority  ... ) == 0x0
 00638   868   NtSetEventBoostPriority  ... ) == 0x0
 00637  1356   NtSetEventBoostPriority  ... ) == 0x0
 00643  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00644  1252   NtContinue  (16252208, 1, ...
 00645   896   NtTestAlert  (...
 00646  2020   NtTestAlert  (...
 00647   808   NtTestAlert  (...
 00648  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00643  1736   NtCreateThread  ... 108, {1636, 2016}, ) == 0x0
 00649  1252   NtRegisterThreadTerminatePort  (24, ...
 00645   896   NtTestAlert  ... ) == 0x0
 00646  2020   NtTestAlert  ... ) == 0x0
 00647   808   NtTestAlert  ... ) == 0x0
 00648  1356   NtCreateEvent  ... 112, ) == 0x0
 00650  1736   NtQueryInformationThread  (108, Basic, 28, ...
 00649  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 00651   896   NtContinue  (15203632, 1, ...
 00652  2020   NtContinue  (14155056, 1, ...
 00653   808   NtContinue  (13106480, 1, ...
 00654  1356   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00650  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 00655  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00656   896   NtRegisterThreadTerminatePort  (24, ...
 00657  2020   NtRegisterThreadTerminatePort  (24, ...
 00658   808   NtRegisterThreadTerminatePort  (24, ...
 00654  1356   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" ...  ...
 00655  1252   NtDuplicateObject  ... 116, ) == 0x0
 00656   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 00657  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 00658   808   NtRegisterThreadTerminatePort  ... ) == 0x0
 00660  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00661  1252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00662   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00663  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00664   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00665   868   NtTestAlert  (...
 00659  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 00661  1252   NtWaitForSingleObject  ... ) == 0x102
 00662   896   NtDuplicateObject  ... 120, ) == 0x0
 00663  2020   NtDuplicateObject  ... 124, ) == 0x0
 00665   868   NtTestAlert  ... ) == 0x0
 00666  1736   NtResumeThread  (108, ...
 00667  1252   NtAllocateVirtualMemory  (-1, 16240640, 0, 4096, 4096, 260, ...
 00668   896   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00669  2020   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00670   868   NtContinue  (12057904, 1, ...
 00666  1736   NtResumeThread  ... 1, ) == 0x0
 00667  1252   NtAllocateVirtualMemory  ... 16240640, 4096, ) == 0x0
 00668   896   NtWaitForSingleObject  ... ) == 0x102
 00669  2020   NtWaitForSingleObject  ... ) == 0x102
 00671   868   NtRegisterThreadTerminatePort  (24, ...
 00672  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00673  1252   NtWaitForSingleObject  (100, 0, 0x0, ...
 00674   896   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00675  2020   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00671   868   NtRegisterThreadTerminatePort  ... ) == 0x0
 00672  1736   NtAllocateVirtualMemory  ... 17301504, 1048576, ) == 0x0
 00674   896   NtCreateEvent  ... 128, ) == 0x0
 00675  2020   NtCreateEvent  ... 132, ) == 0x0
 00676   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00677  1736   NtAllocateVirtualMemory  (-1, 18341888, 0, 8192, 4096, 4, ...
 00664   808   NtDuplicateObject  ... 136, ) == 0x0
 00678  2016   NtWaitForSingleObject  (100, 0, 0x0, ...
 00679   896   NtWaitForSingleObject  (128, 0, 0x0, ...
 00680  2020   NtClose  (132, ...
 00660  1356   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   868   NtDuplicateObject  ... 140, ) == 0x0
 00681   808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00680  2020   NtClose  ... ) == 0x0
 00682  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00683   868   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00681   808   NtWaitForSingleObject  ... ) == 0x102
 00684  2020   NtWaitForSingleObject  (128, 0, 0x0, ...
 00682  1356   NtQueryAttributesFile  ... ) == 0x0
 00683   868   NtWaitForSingleObject  ... ) == 0x102
 00685   808   NtWaitForSingleObject  (128, 0, 0x0, ...
 00677  1736   NtAllocateVirtualMemory  ... 18341888, 8192, ) == 0x0
 00686   868   NtWaitForSingleObject  (128, 0, 0x0, ...
 00687  1736   NtProtectVirtualMemory  (-1, (0x117e000), 4096, 260, ... (0x117e000), 4096, 4, ) == 0x0
 00688  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1636, 2012}, ) == 0x0
 00689  1736   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 00690  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 00691  1736   NtResumeThread  (132, ... 1, ) == 0x0
 00692  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 00693  2012   NtWaitForSingleObject  (100, 0, 0x0, ...
 00692  1356   NtOpenFile  ... 144, {status=0x0, info=1}, ) == 0x0
 00694  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 144, ... 148, ) == 0x0
 00695  1356   NtQuerySection  (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00696  1356   NtClose  (144, ... ) == 0x0
 00697  1356   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 00698  1356   NtClose  (148, ... ) == 0x0
 00699  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18350080, 1048576, ) == 0x0
 00700  1736   NtAllocateVirtualMemory  (-1, 19390464, 0, 8192, 4096, 4, ... 19390464, 8192, ) == 0x0
 00701  1736   NtProtectVirtualMemory  (-1, (0x127e000), 4096, 260, ... (0x127e000), 4096, 4, ) == 0x0
 00702  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1636, 1028}, ) == 0x0
 00703  1736   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 00704  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ...  ...
 00705  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00706  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00707  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00704  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 00708  1736   NtResumeThread  (148, ... 1, ) == 0x0
 00709  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19398656, 1048576, ) == 0x0
 00710  1736   NtAllocateVirtualMemory  (-1, 20439040, 0, 8192, 4096, 4, ... 20439040, 8192, ) == 0x0
 00711  1736   NtProtectVirtualMemory  (-1, (0x137e000), 4096, 260, ... (0x137e000), 4096, 4, ) == 0x0
 00712  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1636, 384}, ) == 0x0
 00713  1736   NtQueryInformationThread  (144, Basic, 28, ...
 00714  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 00715  1028   NtWaitForSingleObject  (100, 0, 0x0, ...
 00714  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 00716  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00717  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00718  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00719  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00720  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00713  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 00721  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 00722  1736   NtResumeThread  (144, ... 1, ) == 0x0
 00723  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20447232, 1048576, ) == 0x0
 00724  1736   NtAllocateVirtualMemory  (-1, 21487616, 0, 8192, 4096, 4, ... 21487616, 8192, ) == 0x0
 00725  1736   NtProtectVirtualMemory  (-1, (0x147e000), 4096, 260, ... (0x147e000), 4096, 4, ) == 0x0
 00726  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 00727   384   NtWaitForSingleObject  (100, 0, 0x0, ...
 00726  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 00728  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00729  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00730  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00731  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00732  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00733  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1636, 1180}, ) == 0x0
 00734  1736   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 00735  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 00736  1736   NtResumeThread  (152, ... 1, ) == 0x0
 00737  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21495808, 1048576, ) == 0x0
 00738  1736   NtAllocateVirtualMemory  (-1, 22536192, 0, 8192, 4096, 4, ...
 00739  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... }, ...
 00740  1180   NtWaitForSingleObject  (100, 0, 0x0, ...
 00739  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00741  1356   NtSetEventBoostPriority  (100, ...
 00673  1252   NtWaitForSingleObject  ... ) == 0x0
 00742  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 16247760, ... ) }, 16247760, ... ) == 0x0
 00743  1252   NtSetEventBoostPriority  (100, ...
 00678  2016   NtWaitForSingleObject  ... ) == 0x0
 00744  2016   NtSetEventBoostPriority  (100, ...
 00693  2012   NtWaitForSingleObject  ... ) == 0x0
 00745  2012   NtSetEventBoostPriority  (100, ...
 00715  1028   NtWaitForSingleObject  ... ) == 0x0
 00746  1028   NtSetEventBoostPriority  (100, ...
 00727   384   NtWaitForSingleObject  ... ) == 0x0
 00747   384   NtSetEventBoostPriority  (100, ...
 00740  1180   NtWaitForSingleObject  ... ) == 0x0
 00748  1180   NtTestAlert  (... ) == 0x0
 00747   384   NtSetEventBoostPriority  ... ) == 0x0
 00746  1028   NtSetEventBoostPriority  ... ) == 0x0
 00745  2012   NtSetEventBoostPriority  ... ) == 0x0
 00744  2016   NtSetEventBoostPriority  ... ) == 0x0
 00743  1252   NtSetEventBoostPriority  ... ) == 0x0
 00741  1356   NtSetEventBoostPriority  ... ) == 0x0
 00738  1736   NtAllocateVirtualMemory  ... 22536192, 8192, ) == 0x0
 00749  1180   NtContinue  (21495088, 1, ...
 00750   384   NtTestAlert  (...
 00751  1028   NtTestAlert  (...
 00752  2012   NtTestAlert  (...
 00753  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00754  1356   NtQuerySystemInformation  (Basic, 44, ...
 00755  1736   NtProtectVirtualMemory  (-1, (0x157e000), 4096, 260, ...
 00756  1180   NtRegisterThreadTerminatePort  (24, ...
 00750   384   NtTestAlert  ... ) == 0x0
 00751  1028   NtTestAlert  ... ) == 0x0
 00752  2012   NtTestAlert  ... ) == 0x0
 00753  1252   NtCreateEvent  ... 156, ) == 0x0
 00754  1356   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00755  1736   NtProtectVirtualMemory  ... (0x157e000), 4096, 4, ) == 0x0
 00756  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 00757   384   NtContinue  (20446512, 1, ...
 00758  1028   NtContinue  (19397936, 1, ...
 00759  2012   NtContinue  (18349360, 1, ...
 00760  1252   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00761  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00762  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00763  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00764   384   NtRegisterThreadTerminatePort  (24, ...
 00765  1028   NtRegisterThreadTerminatePort  (24, ...
 00766  2012   NtRegisterThreadTerminatePort  (24, ...
 00760  1252   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00762  1736   NtCreateThread  ... 160, {1636, 420}, ) == 0x0
 00763  1180   NtDuplicateObject  ... 164, ) == 0x0
 00764   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00765  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00766  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00767  2016   NtTestAlert  (...
 00768  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00769  1736   NtQueryInformationThread  (160, Basic, 28, ...
 00770  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00771   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00772  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00773  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00767  2016   NtTestAlert  ... ) == 0x0
 00774  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 16247864, ... }, 16247864, ...
 00768  1356   NtOpenKey  ... 168, ) == 0x0
 00769  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 00770  1180   NtWaitForSingleObject  ... ) == 0x102
 00771   384   NtDuplicateObject  ... 172, ) == 0x0
 00772  1028   NtDuplicateObject  ... 176, ) == 0x0
 00775  2016   NtContinue  (17300784, 1, ...
 00776  1356   NtQueryValueKey  (168,  (168, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00777  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\244\1\0\0" ...  ...
 00778  1180   NtWaitForSingleObject  (128, 0, 0x0, ...
 00779   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00780  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00781  2016   NtRegisterThreadTerminatePort  (24, ...
 00776  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 00779   384   NtWaitForSingleObject  ... ) == 0x102
 00780  1028   NtWaitForSingleObject  ... ) == 0x102
 00781  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 00782  1356   NtClose  (168, ...
 00783  1736   NtResumeThread  (160, ...
 00784   384   NtWaitForSingleObject  (128, 0, 0x0, ...
 00785  1028   NtWaitForSingleObject  (128, 0, 0x0, ...
 00786  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00782  1356   NtClose  ... ) == 0x0
 00783  1736   NtResumeThread  ... 1, ) == 0x0
 00773  2012   NtDuplicateObject  ... 168, ) == 0x0
 00787   420   NtWaitForSingleObject  (100, 0, 0x0, ...
 00788  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 00786  2016   NtDuplicateObject  ... 180, ) == 0x0
 00789  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00790  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00791  2016   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00789  2012   NtWaitForSingleObject  ... ) == 0x102
 00790  1736   NtAllocateVirtualMemory  ... 22544384, 1048576, ) == 0x0
 00791  2016   NtWaitForSingleObject  ... ) == 0x102
 00792  2012   NtWaitForSingleObject  (128, 0, 0x0, ...
 00793  1736   NtAllocateVirtualMemory  (-1, 23584768, 0, 8192, 4096, 4, ...
 00794  2016   NtWaitForSingleObject  (128, 0, 0x0, ...
 00793  1736   NtAllocateVirtualMemory  ... 23584768, 8192, ) == 0x0
 00795  1736   NtProtectVirtualMemory  (-1, (0x167e000), 4096, 260, ... (0x167e000), 4096, 4, ) == 0x0
 00796  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 184, {1636, 596}, ) == 0x0
 00797  1736   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 00798  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0d\6\0\0T\2\0\0" ...  ...
 00788  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 00800  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 00801  1356   NtQuerySystemTime  (...
 00798  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 00802  1736   NtResumeThread  (184, ... 1, ) == 0x0
 00803  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23592960, 1048576, ) == 0x0
 00804  1736   NtAllocateVirtualMemory  (-1, 24633344, 0, 8192, 4096, 4, ... 24633344, 8192, ) == 0x0
 00805  1736   NtProtectVirtualMemory  (-1, (0x177e000), 4096, 260, ... (0x177e000), 4096, 4, ) == 0x0
 00806  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {1636, 376}, ) == 0x0
 00807  1736   NtQueryInformationThread  (196, Basic, 28, ...
 00801  1356   NtQuerySystemTime  ... {-676062862, 29922246}, ) == 0x0
 00774  1252   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   596   NtWaitForSingleObject  (100, 0, 0x0, ...
 00809  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00810  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 16247864, ... }, 16247864, ...
 00809  1356   NtCreateEvent  ... 200, ) == 0x0
 00807  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 00811  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 00812  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0d\6\0\0x\1\0\0" ...  ...
 00811  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 00813  1356   NtQuerySystemInformation  (Performance, 312, ...
 00814  1736   NtResumeThread  (196, ...
 00810  1252   NtQueryAttributesFile  ... ) == 0x0
 00814  1736   NtResumeThread  ... 1, ) == 0x0
 00815  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 00813  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00816   376   NtWaitForSingleObject  (100, 0, 0x0, ...
 00815  1252   NtOpenFile  ... 204, {status=0x0, info=1}, ) == 0x0
 00817  1356   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 00818  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ...
 00817  1356   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00818  1252   NtCreateSection  ... 208, ) == 0x0
 00819  1356   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 00820  1252   NtQuerySection  (208, Image, 48, ...
 00819  1356   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00821  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00822  1356   NtWaitForSingleObject  (100, 0, 0x0, ...
 00821  1736   NtAllocateVirtualMemory  ... 24641536, 1048576, ) == 0x0
 00820  1252   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00823  1736   NtAllocateVirtualMemory  (-1, 25681920, 0, 8192, 4096, 4, ...
 00824  1252   NtClose  (204, ...
 00823  1736   NtAllocateVirtualMemory  ... 25681920, 8192, ) == 0x0
 00824  1252   NtClose  ... ) == 0x0
 00825  1736   NtProtectVirtualMemory  (-1, (0x187e000), 4096, 260, ...
 00826  1252   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00825  1736   NtProtectVirtualMemory  ... (0x187e000), 4096, 4, ) == 0x0
 00826  1252   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 00827  1252   NtClose  (208, ... ) == 0x0
 00828  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00829  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00830  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00831  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1636, 1168}, ) == 0x0
 00832  1736   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 00833  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 00834  1736   NtResumeThread  (208, ... 1, ) == 0x0
 00835  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25690112, 1048576, ) == 0x0
 00836  1736   NtAllocateVirtualMemory  (-1, 26730496, 0, 8192, 4096, 4, ...
 00830  1252   NtFlushInstructionCache  ... ) == 0x0
 00837  1168   NtWaitForSingleObject  (100, 0, 0x0, ...
 00838  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00839  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00840  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00841  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00842  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00843  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00836  1736   NtAllocateVirtualMemory  ... 26730496, 8192, ) == 0x0
 00844  1736   NtProtectVirtualMemory  (-1, (0x197e000), 4096, 260, ... (0x197e000), 4096, 4, ) == 0x0
 00845  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1636, 120}, ) == 0x0
 00846  1736   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 00847  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 00848  1736   NtResumeThread  (204, ... 1, ) == 0x0
 00843  1252   NtFlushInstructionCache  ... ) == 0x0
 00849   120   NtWaitForSingleObject  (100, 0, 0x0, ...
 00850  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00851  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00852  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00853  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00854  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00855  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00856  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26738688, 1048576, ) == 0x0
 00857  1736   NtAllocateVirtualMemory  (-1, 27779072, 0, 8192, 4096, 4, ... 27779072, 8192, ) == 0x0
 00858  1736   NtProtectVirtualMemory  (-1, (0x1a7e000), 4096, 260, ... (0x1a7e000), 4096, 4, ) == 0x0
 00859  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 928}, ) == 0x0
 00860  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 00861  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\240\3\0\0" ...  ...
 00855  1252   NtFlushInstructionCache  ... ) == 0x0
 00862  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00863  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00864  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 00861  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 00865  1736   NtResumeThread  (212, ... 1, ) == 0x0
 00866  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27787264, 1048576, ) == 0x0
 00867  1736   NtAllocateVirtualMemory  (-1, 28827648, 0, 8192, 4096, 4, ... 28827648, 8192, ) == 0x0
 00868  1736   NtProtectVirtualMemory  (-1, (0x1b7e000), 4096, 260, ... (0x1b7e000), 4096, 4, ) == 0x0
 00869  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1636, 1732}, ) == 0x0
 00870  1736   NtQueryInformationThread  (216, Basic, 28, ...
 00864  1252   NtFlushInstructionCache  ... ) == 0x0
 00871   928   NtWaitForSingleObject  (100, 0, 0x0, ...
 00872  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) , 0, ... 220, 2, ) == 0x0
 00874  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 00875  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876  1252   NtQueryValueKey  (224,  (224, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877  1252   NtQueryValueKey  (220,  (220, "DisableAdapterDomainName", Partial, 144, ... , Partial, 144, ...
 00870  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 00878  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 00879  1736   NtResumeThread  (216, ... 1, ) == 0x0
 00880  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28835840, 1048576, ) == 0x0
 00881  1736   NtAllocateVirtualMemory  (-1, 29876224, 0, 8192, 4096, 4, ... 29876224, 8192, ) == 0x0
 00882  1736   NtProtectVirtualMemory  (-1, (0x1c7e000), 4096, 260, ... (0x1c7e000), 4096, 4, ) == 0x0
 00877  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00883  1732   NtWaitForSingleObject  (100, 0, 0x0, ...
 00884  1252   NtQueryValueKey  (224,  (224, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885  1252   NtQueryValueKey  (220,  (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00886  1252   NtQueryValueKey  (224,  (224, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00887  1252   NtQueryValueKey  (220,  (220, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00888  1252   NtQueryValueKey  (224,  (224, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00889  1252   NtQueryValueKey  (220,  (220, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ...
 00890  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 428}, ) == 0x0
 00891  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 00892  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 00893  1736   NtResumeThread  (228, ... 1, ) == 0x0
 00894  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29884416, 1048576, ) == 0x0
 00895  1736   NtAllocateVirtualMemory  (-1, 30924800, 0, 8192, 4096, 4, ...
 00889  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   428   NtWaitForSingleObject  (100, 0, 0x0, ...
 00897  1252   NtQueryValueKey  (224,  (224, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898  1252   NtQueryValueKey  (224,  (224, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899  1252   NtQueryValueKey  (224,  (224, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900  1252   NtQueryValueKey  (224,  (224, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901  1252   NtQueryValueKey  (224,  (224, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902  1252   NtQueryValueKey  (224,  (224, "UseEdns", Partial, 144, ... , Partial, 144, ...
 00895  1736   NtAllocateVirtualMemory  ... 30924800, 8192, ) == 0x0
 00903  1736   NtProtectVirtualMemory  (-1, (0x1d7e000), 4096, 260, ... (0x1d7e000), 4096, 4, ) == 0x0
 00904  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1636, 748}, ) == 0x0
 00905  1736   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 00906  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 00907  1736   NtResumeThread  (232, ... 1, ) == 0x0
 00902  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   748   NtWaitForSingleObject  (100, 0, 0x0, ...
 00909  1252   NtQueryValueKey  (224,  (224, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910  1252   NtQueryValueKey  (224,  (224, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911  1252   NtQueryValueKey  (224,  (224, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912  1252   NtQueryValueKey  (220,  (220, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00913  1252   NtQueryValueKey  (224,  (224, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914  1252   NtQueryValueKey  (224,  (224, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ...
 00915  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30932992, 1048576, ) == 0x0
 00916  1736   NtAllocateVirtualMemory  (-1, 31973376, 0, 8192, 4096, 4, ... 31973376, 8192, ) == 0x0
 00917  1736   NtProtectVirtualMemory  (-1, (0x1e7e000), 4096, 260, ... (0x1e7e000), 4096, 4, ) == 0x0
 00918  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 1300}, ) == 0x0
 00919  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 00920  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\24\5\0\0" ...  ...
 00914  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921  1252   NtQueryValueKey  (220,  (220, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922  1252   NtQueryValueKey  (224,  (224, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923  1252   NtQueryValueKey  (220,  (220, "DisableReverseAddressRegistrations", Partial, 144, ... , Partial, 144, ...
 00920  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75510, 0}  ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 00924  1736   NtResumeThread  (236, ... 1, ) == 0x0
 00925  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31981568, 1048576, ) == 0x0
 00926  1736   NtAllocateVirtualMemory  (-1, 33021952, 0, 8192, 4096, 4, ... 33021952, 8192, ) == 0x0
 00927  1736   NtProtectVirtualMemory  (-1, (0x1f7e000), 4096, 260, ... (0x1f7e000), 4096, 4, ) == 0x0
 00928  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1636, 1096}, ) == 0x0
 00929  1736   NtQueryInformationThread  (240, Basic, 28, ...
 00923  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00930  1300   NtWaitForSingleObject  (100, 0, 0x0, ...
 00931  1252   NtQueryValueKey  (224,  (224, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932  1252   NtQueryValueKey  (220,  (220, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933  1252   NtQueryValueKey  (224,  (224, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934  1252   NtQueryValueKey  (220,  (220, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00935  1252   NtQueryValueKey  (224,  (224, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00936  1252   NtQueryValueKey  (220,  (220, "DefaultRegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ...
 00929  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 00937  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 00938  1736   NtResumeThread  (240, ... 1, ) == 0x0
 00939  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33030144, 1048576, ) == 0x0
 00940  1736   NtAllocateVirtualMemory  (-1, 34070528, 0, 8192, 4096, 4, ... 34070528, 8192, ) == 0x0
 00941  1736   NtProtectVirtualMemory  (-1, (0x207e000), 4096, 260, ... (0x207e000), 4096, 4, ) == 0x0
 00936  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00942  1096   NtWaitForSingleObject  (100, 0, 0x0, ...
 00943  1252   NtQueryValueKey  (224,  (224, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944  1252   NtQueryValueKey  (220,  (220, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945  1252   NtQueryValueKey  (224,  (224, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946  1252   NtQueryValueKey  (220,  (220, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947  1252   NtQueryValueKey  (224,  (224, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948  1252   NtQueryValueKey  (224,  (224, "UpdateTopLevelDomainZones", Partial, 144, ... , Partial, 144, ...
 00949  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1636, 252}, ) == 0x0
 00950  1736   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 00951  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 00952  1736   NtResumeThread  (244, ... 1, ) == 0x0
 00953  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34078720, 1048576, ) == 0x0
 00954  1736   NtAllocateVirtualMemory  (-1, 35119104, 0, 8192, 4096, 4, ...
 00948  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955   252   NtWaitForSingleObject  (100, 0, 0x0, ...
 00956  1252   NtQueryValueKey  (224,  (224, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00957  1252   NtQueryValueKey  (224,  (224, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958  1252   NtQueryValueKey  (224,  (224, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00959  1252   NtQueryValueKey  (224,  (224, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00960  1252   NtQueryValueKey  (224,  (224, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961  1252   NtQueryValueKey  (224,  (224, "ServerPriorityTimeLimit", Partial, 144, ... , Partial, 144, ...
 00954  1736   NtAllocateVirtualMemory  ... 35119104, 8192, ) == 0x0
 00962  1736   NtProtectVirtualMemory  (-1, (0x217e000), 4096, 260, ... (0x217e000), 4096, 4, ) == 0x0
 00963  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1636, 500}, ) == 0x0
 00964  1736   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 00965  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 00966  1736   NtResumeThread  (248, ... 1, ) == 0x0
 00961  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   500   NtWaitForSingleObject  (100, 0, 0x0, ...
 00968  1252   NtQueryValueKey  (224,  (224, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969  1252   NtQueryValueKey  (224,  (224, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970  1252   NtQueryValueKey  (224,  (224, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 252, ) }, ... 252, ) == 0x0
 00972  1252   NtQueryValueKey  (252,  (252, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00973  1252   NtClose  (252, ...
 00974  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35127296, 1048576, ) == 0x0
 00975  1736   NtAllocateVirtualMemory  (-1, 36167680, 0, 8192, 4096, 4, ... 36167680, 8192, ) == 0x0
 00976  1736   NtProtectVirtualMemory  (-1, (0x227e000), 4096, 260, ... (0x227e000), 4096, 4, ) == 0x0
 00977  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1636, 1132}, ) == 0x0
 00978  1736   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0
 00979  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0l\4\0\0" ...  ...
 00973  1252   NtClose  ... ) == 0x0
 00980  1252   NtClose  (220, ... ) == 0x0
 00981  1252   NtClose  (224, ... ) == 0x0
 00982  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 00979  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75514, 0}  ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0l\4\0\0" )  ) == 0x0
 00983  1736   NtResumeThread  (256, ... 1, ) == 0x0
 00984  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36175872, 1048576, ) == 0x0
 00985  1736   NtAllocateVirtualMemory  (-1, 37216256, 0, 8192, 4096, 4, ... 37216256, 8192, ) == 0x0
 00986  1736   NtProtectVirtualMemory  (-1, (0x237e000), 4096, 260, ... (0x237e000), 4096, 4, ) == 0x0
 00987  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1636, 1024}, ) == 0x0
 00988  1736   NtQueryInformationThread  (224, Basic, 28, ...
 00982  1252   NtOpenKey  ... 220, ) == 0x0
 00989  1132   NtWaitForSingleObject  (100, 0, 0x0, ...
 00990  1252   NtQueryValueKey  (220,  (220, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991  1252   NtQueryValueKey  (220,  (220, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992  1252   NtQueryValueKey  (220,  (220, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00993  1252   NtClose  (220, ... ) == 0x0
 00994  1252   NtSetEventBoostPriority  (100, ...
 00787   420   NtWaitForSingleObject  ... ) == 0x0
 00995   420   NtSetEventBoostPriority  (100, ...
 00808   596   NtWaitForSingleObject  ... ) == 0x0
 00996   596   NtSetEventBoostPriority  (100, ...
 00816   376   NtWaitForSingleObject  ... ) == 0x0
 00997   376   NtSetEventBoostPriority  (100, ...
 00822  1356   NtWaitForSingleObject  ... ) == 0x0
 00998  1356   NtSetEventBoostPriority  (100, ...
 00837  1168   NtWaitForSingleObject  ... ) == 0x0
 00999  1168   NtSetEventBoostPriority  (100, ...
 00849   120   NtWaitForSingleObject  ... ) == 0x0
 01000   120   NtSetEventBoostPriority  (100, ...
 00871   928   NtWaitForSingleObject  ... ) == 0x0
 01001   928   NtSetEventBoostPriority  (100, ...
 00883  1732   NtWaitForSingleObject  ... ) == 0x0
 01002  1732   NtSetEventBoostPriority  (100, ...
 00896   428   NtWaitForSingleObject  ... ) == 0x0
 01003   428   NtSetEventBoostPriority  (100, ...
 00908   748   NtWaitForSingleObject  ... ) == 0x0
 01004   748   NtSetEventBoostPriority  (100, ...
 00930  1300   NtWaitForSingleObject  ... ) == 0x0
 01005  1300   NtSetEventBoostPriority  (100, ...
 00942  1096   NtWaitForSingleObject  ... ) == 0x0
 01006  1096   NtSetEventBoostPriority  (100, ...
 00955   252   NtWaitForSingleObject  ... ) == 0x0
 01007   252   NtSetEventBoostPriority  (100, ...
 00967   500   NtWaitForSingleObject  ... ) == 0x0
 01008   500   NtSetEventBoostPriority  (100, ...
 00989  1132   NtWaitForSingleObject  ... ) == 0x0
 01009  1132   NtAllocateVirtualMemory  (-1, 8802304, 0, 4096, 4096, 4, ... 8802304, 4096, ) == 0x0
 01008   500   NtSetEventBoostPriority  ... ) == 0x0
 01007   252   NtSetEventBoostPriority  ... ) == 0x0
 01006  1096   NtSetEventBoostPriority  ... ) == 0x0
 01005  1300   NtSetEventBoostPriority  ... ) == 0x0
 01004   748   NtSetEventBoostPriority  ... ) == 0x0
 01003   428   NtSetEventBoostPriority  ... ) == 0x0
 01002  1732   NtSetEventBoostPriority  ... ) == 0x0
 01001   928   NtSetEventBoostPriority  ... ) == 0x0
 01000   120   NtSetEventBoostPriority  ... ) == 0x0
 00999  1168   NtSetEventBoostPriority  ... ) == 0x0
 00997   376   NtSetEventBoostPriority  ... ) == 0x0
 00996   596   NtSetEventBoostPriority  ... ) == 0x0
 00995   420   NtSetEventBoostPriority  ... ) == 0x0
 00998  1356   NtSetEventBoostPriority  ... ) == 0x0
 00994  1252   NtSetEventBoostPriority  ... ) == 0x0
 00988  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1024,}, 0x0, ) == 0x0
 01010  1132   NtTestAlert  (...
 01011   500   NtTestAlert  (...
 01012   252   NtTestAlert  (...
 01013  1096   NtTestAlert  (...
 01014  1300   NtTestAlert  (...
 01015   748   NtTestAlert  (...
 01016   428   NtTestAlert  (...
 01017  1732   NtTestAlert  (...
 01018   928   NtTestAlert  (...
 01019   120   NtTestAlert  (...
 01020  1168   NtTestAlert  (...
 01021   376   NtTestAlert  (...
 01022   596   NtTestAlert  (...
 01023  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01024  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01025  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\0\4\0\0" ...  ...
 01010  1132   NtTestAlert  ... ) == 0x0
 01011   500   NtTestAlert  ... ) == 0x0
 01012   252   NtTestAlert  ... ) == 0x0
 01013  1096   NtTestAlert  ... ) == 0x0
 01014  1300   NtTestAlert  ... ) == 0x0
 01015   748   NtTestAlert  ... ) == 0x0
 01016   428   NtTestAlert  ... ) == 0x0
 01017  1732   NtTestAlert  ... ) == 0x0
 01018   928   NtTestAlert  ... ) == 0x0
 01019   120   NtTestAlert  ... ) == 0x0
 01020  1168   NtTestAlert  ... ) == 0x0
 01021   376   NtTestAlert  ... ) == 0x0
 01022   596   NtTestAlert  ... ) == 0x0
 01023  1356   NtCreateEvent  ... 220, ) == 0x0
 01026   420   NtTestAlert  (...
 01025  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75515, 0}  ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\0\4\0\0" )  ) == 0x0
 01027  1132   NtContinue  (36175152, 1, ...
 01028   500   NtContinue  (35126576, 1, ...
 01029   252   NtContinue  (34078000, 1, ...
 01030  1096   NtContinue  (33029424, 1, ...
 01031  1300   NtContinue  (31980848, 1, ...
 01032   748   NtContinue  (30932272, 1, ...
 01033   428   NtContinue  (29883696, 1, ...
 01034  1732   NtContinue  (28835120, 1, ...
 01035   928   NtContinue  (27786544, 1, ...
 01036   120   NtContinue  (26737968, 1, ...
 01037  1168   NtContinue  (25689392, 1, ...
 01038   376   NtContinue  (24640816, 1, ...
 01039   596   NtContinue  (23592240, 1, ...
 01024  1252   NtCreateEvent  ... 252, ) == 0x0
 01026   420   NtTestAlert  ... ) == 0x0
 01040  1736   NtResumeThread  (224, ...
 01041  1132   NtRegisterThreadTerminatePort  (24, ...
 01042   500   NtRegisterThreadTerminatePort  (24, ...
 01043   252   NtRegisterThreadTerminatePort  (24, ...
 01044  1096   NtRegisterThreadTerminatePort  (24, ...
 01045  1300   NtRegisterThreadTerminatePort  (24, ...
 01046   748   NtRegisterThreadTerminatePort  (24, ...
 01047   428   NtRegisterThreadTerminatePort  (24, ...
 01048  1732   NtRegisterThreadTerminatePort  (24, ...
 01049   928   NtRegisterThreadTerminatePort  (24, ...
 01050   120   NtRegisterThreadTerminatePort  (24, ...
 01051  1168   NtRegisterThreadTerminatePort  (24, ...
 01052   376   NtRegisterThreadTerminatePort  (24, ...
 01053   596   NtRegisterThreadTerminatePort  (24, ...
 01054  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01055   420   NtContinue  (22543664, 1, ...
 01040  1736   NtResumeThread  ... 1, ) == 0x0
 01041  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 01042   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01043   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01044  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01045  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01046   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01047   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 01048  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01049   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01050   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 01051  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 01052   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01053   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01054  1252   NtDuplicateObject  ... 260, ) == 0x0
 01056   420   NtRegisterThreadTerminatePort  (24, ...
 01057  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01058  1024   NtTestAlert  (...
 01059  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01060   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01061   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01062  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01063  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01064   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01065   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01066  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01067   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01068   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01069  1168   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01070   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01071   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01072  1252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01056   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01057  1356   NtDuplicateObject  ... 264, ) == 0x0
 01058  1024   NtTestAlert  ... ) == 0x0
 01073  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01059  1132   NtDuplicateObject  ... 268, ) == 0x0
 01060   500   NtDuplicateObject  ... 272, ) == 0x0
 01061   252   NtDuplicateObject  ... 276, ) == 0x0
 01062  1096   NtDuplicateObject  ... 280, ) == 0x0
 01063  1300   NtDuplicateObject  ... 284, ) == 0x0
 01064   748   NtDuplicateObject  ... 288, ) == 0x0
 01065   428   NtDuplicateObject  ... 292, ) == 0x0
 01066  1732   NtDuplicateObject  ... 296, ) == 0x0
 01067   928   NtDuplicateObject  ... 300, ) == 0x0
 01068   120   NtDuplicateObject  ... 304, ) == 0x0
 01069  1168   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01070   376   NtCreateEvent  ... 308, ) == 0x0
 01072  1252   NtCreateEvent  ... 312, ) == 0x0
 01074   420   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01075  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01071   596   NtCreateEvent  ... 316, ) == 0x0
 01073  1736   NtAllocateVirtualMemory  ... 37224448, 1048576, ) == 0x0
 01076  1132   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01077   500   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01078   252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01079  1096   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01080  1300   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01081   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01082   428   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01083  1732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01084   928   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01085   120   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01086  1168   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01087   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 01088  1252   NtClose  (312, ...
 01089  1024   NtContinue  (37223728, 1, ...
 01075  1356   NtCreateEvent  ... 320, ) == 0x0
 01090   596   NtClose  (316, ...
 01091  1736   NtAllocateVirtualMemory  (-1, 38264832, 0, 8192, 4096, 4, ...
 01076  1132   NtCreateEvent  ... 324, ) == 0x0
 01077   500   NtCreateEvent  ... 328, ) == 0x0
 01078   252   NtCreateEvent  ... 332, ) == 0x0
 01079  1096   NtCreateEvent  ... 336, ) == 0x0
 01080  1300   NtCreateEvent  ... 340, ) == 0x0
 01081   748   NtCreateEvent  ... 344, ) == 0x0
 01082   428   NtCreateEvent  ... 348, ) == 0x0
 01083  1732   NtCreateEvent  ... 352, ) == 0x0
 01084   928   NtCreateEvent  ... 356, ) == 0x0
 01085   120   NtCreateEvent  ... 360, ) == 0x0
 01086  1168   NtCreateEvent  ... 364, ) == 0x0
 01074   420   NtCreateEvent  ... 368, ) == 0x0
 01092  1024   NtRegisterThreadTerminatePort  (24, ...
 01093  1356   NtClose  (320, ...
 01090   596   NtClose  ... ) == 0x0
 01091  1736   NtAllocateVirtualMemory  ... 38264832, 8192, ) == 0x0
 01094  1132   NtClose  (324, ...
 01095   500   NtClose  (328, ...
 01096   252   NtClose  (332, ...
 01097  1096   NtClose  (336, ...
 01098  1300   NtClose  (340, ...
 01099   748   NtClose  (344, ...
 01100   428   NtClose  (348, ...
 01101  1732   NtClose  (352, ...
 01102   928   NtClose  (356, ...
 01103   120   NtClose  (360, ...
 01104  1168   NtClose  (364, ...
 01105   420   NtClose  (368, ...
 01092  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01093  1356   NtClose  ... ) == 0x0
 01106   596   NtWaitForSingleObject  (308, 0, 0x0, ...
 01107  1736   NtProtectVirtualMemory  (-1, (0x247e000), 4096, 260, ...
 01094  1132   NtClose  ... ) == 0x0
 01095   500   NtClose  ... ) == 0x0
 01096   252   NtClose  ... ) == 0x0
 01097  1096   NtClose  ... ) == 0x0
 01098  1300   NtClose  ... ) == 0x0
 01099   748   NtClose  ... ) == 0x0
 01100   428   NtClose  ... ) == 0x0
 01101  1732   NtClose  ... ) == 0x0
 01102   928   NtClose  ... ) == 0x0
 01103   120   NtClose  ... ) == 0x0
 01104  1168   NtClose  ... ) == 0x0
 01105   420   NtClose  ... ) == 0x0
 01108  1024   NtWaitForSingleObject  (308, 0, 0x0, ...
 01088  1252   NtClose  ... ) == 0x0
 01107  1736   NtProtectVirtualMemory  ... (0x247e000), 4096, 4, ) == 0x0
 01109  1132   NtWaitForSingleObject  (308, 0, 0x0, ...
 01110   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 01111   252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01112  1096   NtWaitForSingleObject  (308, 0, 0x0, ...
 01113  1300   NtWaitForSingleObject  (308, 0, 0x0, ...
 01114   748   NtWaitForSingleObject  (308, 0, 0x0, ...
 01115   428   NtWaitForSingleObject  (308, 0, 0x0, ...
 01116  1732   NtWaitForSingleObject  (308, 0, 0x0, ...
 01117   928   NtWaitForSingleObject  (308, 0, 0x0, ...
 01118   120   NtWaitForSingleObject  (308, 0, 0x0, ...
 01119  1168   NtSetEventBoostPriority  (308, ...
 01120   420   NtWaitForSingleObject  (308, 0, 0x0, ...
 01121  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01122  1356   NtWaitForSingleObject  (308, 0, 0x0, ...
 01123  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 312, {1636, 948}, ) == 0x0
 01124  1736   NtQueryInformationThread  (312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=948,}, 0x0, ) == 0x0
 01125  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0\264\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0\264\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0\264\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0\264\3\0\0" )  ) == 0x0
 01126  1736   NtResumeThread  (312, ... 1, ) == 0x0
 01127  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38273024, 1048576, ) == 0x0
 01128  1736   NtAllocateVirtualMemory  (-1, 39313408, 0, 8192, 4096, 4, ...
 01087   376   NtWaitForSingleObject  ... ) == 0x0
 01119  1168   NtSetEventBoostPriority  ... ) == 0x0
 01129   948   NtTestAlert  (...
 01130   376   NtSetEventBoostPriority  (308, ...
 01131  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01129   948   NtTestAlert  ... ) == 0x0
 01106   596   NtWaitForSingleObject  ... ) == 0x0
 01130   376   NtSetEventBoostPriority  ... ) == 0x0
 01131  1168   NtDuplicateObject  ... 368, ) == 0x0
 01132   596   NtSetEventBoostPriority  (308, ...
 01133   948   NtContinue  (38272304, 1, ...
 01128  1736   NtAllocateVirtualMemory  ... 39313408, 8192, ) == 0x0
 01108  1024   NtWaitForSingleObject  ... ) == 0x0
 01132   596   NtSetEventBoostPriority  ... ) == 0x0
 01134  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 01135   948   NtRegisterThreadTerminatePort  (24, ...
 01136  1024   NtSetEventBoostPriority  (308, ...
 01137  1736   NtProtectVirtualMemory  (-1, (0x257e000), 4096, 260, ...
 01138   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01109  1132   NtWaitForSingleObject  ... ) == 0x0
 01136  1024   NtSetEventBoostPriority  ... ) == 0x0
 01135   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01137  1736   NtProtectVirtualMemory  ... (0x257e000), 4096, 4, ) == 0x0
 01139  1132   NtSetEventBoostPriority  (308, ...
 01138   376   NtDuplicateObject  ... 364, ) == 0x0
 01140   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01141  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01110   500   NtWaitForSingleObject  ... ) == 0x0
 01142  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01143   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 01140   596   NtDuplicateObject  ... 360, ) == 0x0
 01141  1024   NtDuplicateObject  ... 356, ) == 0x0
 01144   500   NtSetEventBoostPriority  (308, ...
 01142  1736   NtCreateThread  ... 352, {1636, 1064}, ) == 0x0
 01145   596   NtWaitForSingleObject  (308, 0, 0x0, ...
 01146  1024   NtWaitForSingleObject  (308, 0, 0x0, ...
 01111   252   NtWaitForSingleObject  ... ) == 0x0
 01147  1736   NtQueryInformationThread  (352, Basic, 28, ...
 01148   252   NtSetEventBoostPriority  (308, ...
 01144   500   NtSetEventBoostPriority  ... ) == 0x0
 01139  1132   NtSetEventBoostPriority  ... ) == 0x0
 01149   948   NtWaitForSingleObject  (308, 0, 0x0, ...
 01112  1096   NtWaitForSingleObject  ... ) == 0x0
 01150   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 01151  1132   NtWaitForSingleObject  (308, 0, 0x0, ...
 01152  1096   NtSetEventBoostPriority  (308, ...
 01113  1300   NtWaitForSingleObject  ... ) == 0x0
 01153  1300   NtSetEventBoostPriority  (308, ...
 01114   748   NtWaitForSingleObject  ... ) == 0x0
 01154   748   NtSetEventBoostPriority  (308, ...
 01115   428   NtWaitForSingleObject  ... ) == 0x0
 01155   428   NtSetEventBoostPriority  (308, ...
 01116  1732   NtWaitForSingleObject  ... ) == 0x0
 01156  1732   NtSetEventBoostPriority  (308, ...
 01117   928   NtWaitForSingleObject  ... ) == 0x0
 01157   928   NtSetEventBoostPriority  (308, ...
 01118   120   NtWaitForSingleObject  ... ) == 0x0
 01158   120   NtSetEventBoostPriority  (308, ...
 01120   420   NtWaitForSingleObject  ... ) == 0x0
 01159   420   NtSetEventBoostPriority  (308, ...
 01121  1252   NtWaitForSingleObject  ... ) == 0x0
 01160  1252   NtSetEventBoostPriority  (308, ...
 01122  1356   NtWaitForSingleObject  ... ) == 0x0
 01161  1356   NtSetEventBoostPriority  (308, ...
 01134  1168   NtWaitForSingleObject  ... ) == 0x0
 01162  1168   NtSetEventBoostPriority  (308, ...
 01143   376   NtWaitForSingleObject  ... ) == 0x0
 01163   376   NtSetEventBoostPriority  (308, ...
 01145   596   NtWaitForSingleObject  ... ) == 0x0
 01164   596   NtSetEventBoostPriority  (308, ...
 01146  1024   NtWaitForSingleObject  ... ) == 0x0
 01165  1024   NtSetEventBoostPriority  (308, ...
 01149   948   NtWaitForSingleObject  ... ) == 0x0
 01166   948   NtSetEventBoostPriority  (308, ...
 01150   500   NtWaitForSingleObject  ... ) == 0x0
 01167   500   NtSetEventBoostPriority  (308, ...
 01151  1132   NtWaitForSingleObject  ... ) == 0x0
 01168  1132   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01167   500   NtSetEventBoostPriority  ... ) == 0x0
 01166   948   NtSetEventBoostPriority  ... ) == 0x0
 01165  1024   NtSetEventBoostPriority  ... ) == 0x0
 01164   596   NtSetEventBoostPriority  ... ) == 0x0
 01163   376   NtSetEventBoostPriority  ... ) == 0x0
 01162  1168   NtSetEventBoostPriority  ... ) == 0x0
 01161  1356   NtSetEventBoostPriority  ... ) == 0x0
 01160  1252   NtSetEventBoostPriority  ... ) == 0x0
 01159   420   NtSetEventBoostPriority  ... ) == 0x0
 01158   120   NtSetEventBoostPriority  ... ) == 0x0
 01157   928   NtSetEventBoostPriority  ... ) == 0x0
 01156  1732   NtSetEventBoostPriority  ... ) == 0x0
 01155   428   NtSetEventBoostPriority  ... ) == 0x0
 01154   748   NtSetEventBoostPriority  ... ) == 0x0
 01153  1300   NtSetEventBoostPriority  ... ) == 0x0
 01152  1096   NtSetEventBoostPriority  ... ) == 0x0
 01148   252   NtSetEventBoostPriority  ... ) == 0x0
 01147  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0
 01168  1132   NtWaitForSingleObject  ... ) == 0x102
 01169   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01170   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01171  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01172   596   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01173   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01174  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01175  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01176  1252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01177   120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01178   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01179  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01180   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01181   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01182  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01183  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01184   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01185  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0(\4\0\0" ...  ...
 01186  1132   NtWaitForSingleObject  (128, 0, 0x0, ...
 01187   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01170   500   NtWaitForSingleObject  ... ) == 0x102
 01171  1024   NtWaitForSingleObject  ... ) == 0x102
 01172   596   NtWaitForSingleObject  ... ) == 0x102
 01173   376   NtWaitForSingleObject  ... ) == 0x102
 01169   948   NtDuplicateObject  ... 348, ) == 0x0
 01175  1168   NtWaitForSingleObject  ... ) == 0x102
 01176  1252   NtCreateEvent  ... 344, ) == 0x0
 01185  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75517, 0}  ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0(\4\0\0" )  ) == 0x0
 01187   420   NtDuplicateObject  ... 340, ) == 0x0
 01188   500   NtWaitForSingleObject  (128, 0, 0x0, ...
 01189  1024   NtWaitForSingleObject  (128, 0, 0x0, ...
 01190   596   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01191   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 01192   948   NtWaitForSingleObject  (308, 0, 0x0, ...
 01193  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 01194  1252   NtSetEventBoostPriority  (344, ...
 01195  1736   NtResumeThread  (352, ...
 01196   420   NtWaitForSingleObject  (308, 0, 0x0, ...
 01190   596   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01194  1252   NtSetEventBoostPriority  ... ) == 0x0
 01195  1736   NtResumeThread  ... 1, ) == 0x0
 01197   596   NtSetEventBoostPriority  (308, ...
 01198  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01174  1356   NtCreateEvent  ... 336, ) == 0x0
 01177   120   NtWaitForSingleObject  ... ) == 0x102
 01178   928   NtWaitForSingleObject  ... ) == 0x102
 01179  1732   NtWaitForSingleObject  ... ) == 0x102
 01180   428   NtWaitForSingleObject  ... ) == 0x102
 01181   748   NtWaitForSingleObject  ... ) == 0x102
 01182  1300   NtWaitForSingleObject  ... ) == 0x102
 01183  1096   NtWaitForSingleObject  ... ) == 0x102
 01184   252   NtWaitForSingleObject  ... ) == 0x102
 01199  1064   NtTestAlert  (...
 01200  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01201  1356   NtClose  (336, ...
 01202   120   NtWaitForSingleObject  (308, 0, 0x0, ...
 01203   928   NtWaitForSingleObject  (308, 0, 0x0, ...
 01204  1732   NtWaitForSingleObject  (308, 0, 0x0, ...
 01205   428   NtWaitForSingleObject  (308, 0, 0x0, ...
 01206   748   NtWaitForSingleObject  (308, 0, 0x0, ...
 01207  1300   NtWaitForSingleObject  (308, 0, 0x0, ...
 01208  1096   NtWaitForSingleObject  (308, 0, 0x0, ...
 01209   252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01199  1064   NtTestAlert  ... ) == 0x0
 01200  1736   NtAllocateVirtualMemory  ... 39321600, 1048576, ) == 0x0
 01201  1356   NtClose  ... ) == 0x0
 01210  1064   NtContinue  (39320880, 1, ...
 01211  1736   NtAllocateVirtualMemory  (-1, 40361984, 0, 8192, 4096, 4, ...
 01212  1356   NtWaitForSingleObject  (344, 0, 0x0, ...
 01213  1064   NtRegisterThreadTerminatePort  (24, ...
 01211  1736   NtAllocateVirtualMemory  ... 40361984, 8192, ) == 0x0
 01212  1356   NtWaitForSingleObject  ... ) == 0x0
 01213  1064   NtRegisterThreadTerminatePort  ... ) == 0x0
 01214  1736   NtProtectVirtualMemory  (-1, (0x267e000), 4096, 260, ...
 01191   376   NtWaitForSingleObject  ... ) == 0x0
 01197   596   NtSetEventBoostPriority  ... ) == 0x0
 01215  1356   NtWaitForSingleObject  (308, 0, 0x0, ...
 01214  1736   NtProtectVirtualMemory  ... (0x267e000), 4096, 4, ) == 0x0
 01216   376   NtSetEventBoostPriority  (308, ...
 01217   596   NtWaitForSingleObject  (128, 0, 0x0, ...
 01218  1064   NtWaitForSingleObject  (308, 0, 0x0, ...
 01192   948   NtWaitForSingleObject  ... ) == 0x0
 01216   376   NtSetEventBoostPriority  ... ) == 0x0
 01219   948   NtSetEventBoostPriority  (308, ...
 01220  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01193  1168   NtWaitForSingleObject  ... ) == 0x0
 01219   948   NtSetEventBoostPriority  ... ) == 0x0
 01221  1168   NtSetEventBoostPriority  (308, ...
 01220  1736   NtCreateThread  ... 336, {1636, 1384}, ) == 0x0
 01222   376   NtWaitForSingleObject  (128, 0, 0x0, ...
 01196   420   NtWaitForSingleObject  ... ) == 0x0
 01221  1168   NtSetEventBoostPriority  ... ) == 0x0
 01223  1736   NtQueryInformationThread  (336, Basic, 28, ...
 01224   420   NtSetEventBoostPriority  (308, ...
 01225   948   NtWaitForSingleObject  (308, 0, 0x0, ...
 01226  1168   NtWaitForSingleObject  (128, 0, 0x0, ...
 01198  1252   NtWaitForSingleObject  ... ) == 0x0
 01224   420   NtSetEventBoostPriority  ... ) == 0x0
 01227  1252   NtSetEventBoostPriority  (308, ...
 01223  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0
 01202   120   NtWaitForSingleObject  ... ) == 0x0
 01227  1252   NtSetEventBoostPriority  ... ) == 0x0
 01228   120   NtSetEventBoostPriority  (308, ...
 01229  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0h\5\0\0" ...  ...
 01230   420   NtWaitForSingleObject  (308, 0, 0x0, ...
 01203   928   NtWaitForSingleObject  ... ) == 0x0
 01228   120   NtSetEventBoostPriority  ... ) == 0x0
 01229  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75518, 0}  ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0h\5\0\0" )  ) == 0x0
 01231   928   NtSetEventBoostPriority  (308, ...
 01232  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01204  1732   NtWaitForSingleObject  ... ) == 0x0
 01231   928   NtSetEventBoostPriority  ... ) == 0x0
 01233  1736   NtResumeThread  (336, ...
 01234  1732   NtSetEventBoostPriority  (308, ...
 01235   120   NtWaitForSingleObject  (128, 0, 0x0, ...
 01205   428   NtWaitForSingleObject  ... ) == 0x0
 01234  1732   NtSetEventBoostPriority  ... ) == 0x0
 01233  1736   NtResumeThread  ... 1, ) == 0x0
 01236   428   NtSetEventBoostPriority  (308, ...
 01237   928   NtWaitForSingleObject  (128, 0, 0x0, ...
 01238  1384   NtTestAlert  (...
 01239  1732   NtWaitForSingleObject  (128, 0, 0x0, ...
 01206   748   NtWaitForSingleObject  ... ) == 0x0
 01236   428   NtSetEventBoostPriority  ... ) == 0x0
 01238  1384   NtTestAlert  ... ) == 0x0
 01240   748   NtSetEventBoostPriority  (308, ...
 01241  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01242   428   NtWaitForSingleObject  (128, 0, 0x0, ...
 01207  1300   NtWaitForSingleObject  ... ) == 0x0
 01240   748   NtSetEventBoostPriority  ... ) == 0x0
 01241  1736   NtAllocateVirtualMemory  ... 40370176, 1048576, ) == 0x0
 01243  1300   NtSetEventBoostPriority  (308, ...
 01244  1384   NtContinue  (40369456, 1, ...
 01208  1096   NtWaitForSingleObject  ... ) == 0x0
 01243  1300   NtSetEventBoostPriority  ... ) == 0x0
 01245  1736   NtAllocateVirtualMemory  (-1, 41410560, 0, 8192, 4096, 4, ...
 01246  1096   NtSetEventBoostPriority  (308, ...
 01247  1384   NtRegisterThreadTerminatePort  (24, ...
 01248   748   NtWaitForSingleObject  (128, 0, 0x0, ...
 01209   252   NtWaitForSingleObject  ... ) == 0x0
 01246  1096   NtSetEventBoostPriority  ... ) == 0x0
 01245  1736   NtAllocateVirtualMemory  ... 41410560, 8192, ) == 0x0
 01247  1384   NtRegisterThreadTerminatePort  ... ) == 0x0
 01249   252   NtSetEventBoostPriority  (308, ...
 01250  1300   NtWaitForSingleObject  (128, 0, 0x0, ...
 01251  1736   NtProtectVirtualMemory  (-1, (0x277e000), 4096, 260, ...
 01215  1356   NtWaitForSingleObject  ... ) == 0x0
 01249   252   NtSetEventBoostPriority  ... ) == 0x0
 01252  1384   NtWaitForSingleObject  (308, 0, 0x0, ...
 01253  1356   NtSetEventBoostPriority  (308, ...
 01251  1736   NtProtectVirtualMemory  ... (0x277e000), 4096, 4, ) == 0x0
 01254  1096   NtWaitForSingleObject  (128, 0, 0x0, ...
 01218  1064   NtWaitForSingleObject  ... ) == 0x0
 01253  1356   NtSetEventBoostPriority  ... ) == 0x0
 01255   252   NtWaitForSingleObject  (128, 0, 0x0, ...
 01256  1064   NtSetEventBoostPriority  (308, ...
 01257  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01225   948   NtWaitForSingleObject  ... ) == 0x0
 01256  1064   NtSetEventBoostPriority  ... ) == 0x0
 01258  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01259   948   NtSetEventBoostPriority  (308, ...
 01260  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01230   420   NtWaitForSingleObject  ... ) == 0x0
 01259   948   NtSetEventBoostPriority  ... ) == 0x0
 01258  1736   NtCreateThread  ... 332, {1636, 188}, ) == 0x0
 01257  1356   NtCreateEvent  ... 328, ) == 0x0
 01261   420   NtSetEventBoostPriority  (308, ...
 01262   948   NtWaitForSingleObject  (308, 0, 0x0, ...
 01263  1736   NtQueryInformationThread  (332, Basic, 28, ...
 01232  1252   NtWaitForSingleObject  ... ) == 0x0
 01261   420   NtSetEventBoostPriority  ... ) == 0x0
 01264  1356   NtWaitForSingleObject  (328, 0, 0x0, ...
 01260  1064   NtDuplicateObject  ... 324, ) == 0x0
 01265  1252   NtSetEventBoostPriority  (308, ...
 01263  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=188,}, 0x0, ) == 0x0
 01266   420   NtWaitForSingleObject  (308, 0, 0x0, ...
 01252  1384   NtWaitForSingleObject  ... ) == 0x0
 01265  1252   NtSetEventBoostPriority  ... ) == 0x0
 01267  1064   NtWaitForSingleObject  (308, 0, 0x0, ...
 01268  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0\274\0\0\0" ...  ...
 01269  1384   NtSetEventBoostPriority  (308, ...
 01270  1252   NtSetEventBoostPriority  (328, ...
 01262   948   NtWaitForSingleObject  ... ) == 0x0
 01269  1384   NtSetEventBoostPriority  ... ) == 0x0
 01268  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75519, 0}  ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0\274\0\0\0" )  ) == 0x0
 01271   948   NtSetEventBoostPriority  (308, ...
 01264  1356   NtWaitForSingleObject  ... ) == 0x0
 01270  1252   NtSetEventBoostPriority  ... ) == 0x0
 01267  1064   NtWaitForSingleObject  ... ) == 0x0
 01272  1736   NtResumeThread  (332, ...
 01273  1356   NtWaitForSingleObject  (308, 0, 0x0, ...
 01274  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01275  1064   NtSetEventBoostPriority  (308, ...
 01272  1736   NtResumeThread  ... 1, ) == 0x0
 01266   420   NtWaitForSingleObject  ... ) == 0x0
 01275  1064   NtSetEventBoostPriority  ... ) == 0x0
 01276   420   NtSetEventBoostPriority  (308, ...
 01277  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01271   948   NtSetEventBoostPriority  ... ) == 0x0
 01278  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01279   188   NtTestAlert  (...
 01273  1356   NtWaitForSingleObject  ... ) == 0x0
 01277  1736   NtAllocateVirtualMemory  ... 41418752, 1048576, ) == 0x0
 01280   948   NtWaitForSingleObject  (328, 0, 0x0, ...
 01278  1384   NtDuplicateObject  ... 320, ) == 0x0
 01279   188   NtTestAlert  ... ) == 0x0
 01281  1356   NtSetEventBoostPriority  (308, ...
 01282  1736   NtAllocateVirtualMemory  (-1, 42459136, 0, 8192, 4096, 4, ...
 01283  1384   NtWaitForSingleObject  (308, 0, 0x0, ...
 01284   188   NtContinue  (41418032, 1, ...
 01274  1252   NtWaitForSingleObject  ... ) == 0x0
 01281  1356   NtSetEventBoostPriority  ... ) == 0x0
 01276   420   NtSetEventBoostPriority  ... ) == 0x0
 01285  1064   NtWaitForSingleObject  (328, 0, 0x0, ...
 01286  1252   NtSetEventBoostPriority  (308, ...
 01287   188   NtRegisterThreadTerminatePort  (24, ...
 01282  1736   NtAllocateVirtualMemory  ... 42459136, 8192, ) == 0x0
 01288   420   NtWaitForSingleObject  (328, 0, 0x0, ...
 01283  1384   NtWaitForSingleObject  ... ) == 0x0
 01286  1252   NtSetEventBoostPriority  ... ) == 0x0
 01287   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 01289  1736   NtProtectVirtualMemory  (-1, (0x287e000), 4096, 260, ...
 01290  1384   NtWaitForSingleObject  (328, 0, 0x0, ...
 01291  1356   NtSetEventBoostPriority  (328, ...
 01292   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01289  1736   NtProtectVirtualMemory  ... (0x287e000), 4096, 4, ) == 0x0
 01280   948   NtWaitForSingleObject  ... ) == 0x0
 01291  1356   NtSetEventBoostPriority  ... ) == 0x0
 01292   188   NtDuplicateObject  ... 316, ) == 0x0
 01293   948   NtSetEventBoostPriority  (328, ...
 01294  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01295  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01285  1064   NtWaitForSingleObject  ... ) == 0x0
 01293   948   NtSetEventBoostPriority  ... ) == 0x0
 01296   188   NtWaitForSingleObject  (328, 0, 0x0, ...
 01297  1064   NtSetEventBoostPriority  (328, ...
 01295  1356   NtOpenKey  ... 372, ) == 0x0
 01298  1252   NtWaitForSingleObject  (328, 0, 0x0, ...
 01294  1736   NtCreateThread  ... 376, {1636, 1600}, ) == 0x0
 01288   420   NtWaitForSingleObject  ... ) == 0x0
 01297  1064   NtSetEventBoostPriority  ... ) == 0x0
 01299  1356   NtQueryValueKey  (372,  (372, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01300   420   NtSetEventBoostPriority  (328, ...
 01301  1736   NtQueryInformationThread  (376, Basic, 28, ...
 01302  1064   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01290  1384   NtWaitForSingleObject  ... ) == 0x0
 01300   420   NtSetEventBoostPriority  ... ) == 0x0
 01299  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0
 01303   948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01304  1384   NtSetEventBoostPriority  (328, ...
 01302  1064   NtWaitForSingleObject  ... ) == 0x102
 01305   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01306  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0@\6\0\0" ...  ...
 01296   188   NtWaitForSingleObject  ... ) == 0x0
 01304  1384   NtSetEventBoostPriority  ... ) == 0x0
 01303   948   NtWaitForSingleObject  ... ) == 0x102
 01307  1064   NtWaitForSingleObject  (128, 0, 0x0, ...
 01305   420   NtWaitForSingleObject  ... ) == 0x102
 01308   188   NtSetEventBoostPriority  (328, ...
 01306  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75520, 0}  ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0@\6\0\0" )  ) == 0x0
 01309  1356   NtClose  (372, ...
 01310   948   NtWaitForSingleObject  (128, 0, 0x0, ...
 01298  1252   NtWaitForSingleObject  ... ) == 0x0
 01308   188   NtSetEventBoostPriority  ... ) == 0x0
 01311   420   NtWaitForSingleObject  (128, 0, 0x0, ...
 01312  1384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01309  1356   NtClose  ... ) == 0x0
 01313  1252   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01314  1736   NtResumeThread  (376, ...
 01312  1384   NtWaitForSingleObject  ... ) == 0x102
 01313  1252   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01315  1356   NtWaitForSingleObject  (308, 0, 0x0, ...
 01314  1736   NtResumeThread  ... 1, ) == 0x0
 01316  1252   NtSetEventBoostPriority  (308, ...
 01317  1384   NtWaitForSingleObject  (308, 0, 0x0, ...
 01318  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01319   188   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01320  1600   NtTestAlert  (...
 01318  1736   NtAllocateVirtualMemory  ... 42467328, 1048576, ) == 0x0
 01319   188   NtWaitForSingleObject  ... ) == 0x102
 01320  1600   NtTestAlert  ... ) == 0x0
 01321  1736   NtAllocateVirtualMemory  (-1, 43507712, 0, 8192, 4096, 4, ...
 01322   188   NtWaitForSingleObject  (308, 0, 0x0, ...
 01323  1600   NtContinue  (42466608, 1, ...
 01321  1736   NtAllocateVirtualMemory  ... 43507712, 8192, ) == 0x0
 01324  1600   NtRegisterThreadTerminatePort  (24, ...
 01315  1356   NtWaitForSingleObject  ... ) == 0x0
 01316  1252   NtSetEventBoostPriority  ... ) == 0x0
 01324  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01325  1356   NtSetEventBoostPriority  (308, ...
 01326  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01327  1736   NtProtectVirtualMemory  (-1, (0x297e000), 4096, 260, ...
 01317  1384   NtWaitForSingleObject  ... ) == 0x0
 01325  1356   NtSetEventBoostPriority  ... ) == 0x0
 01328  1384   NtSetEventBoostPriority  (308, ...
 01327  1736   NtProtectVirtualMemory  ... (0x297e000), 4096, 4, ) == 0x0
 01329  1600   NtWaitForSingleObject  (308, 0, 0x0, ...
 01322   188   NtWaitForSingleObject  ... ) == 0x0
 01328  1384   NtSetEventBoostPriority  ... ) == 0x0
 01330  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01331   188   NtSetEventBoostPriority  (308, ...
 01332  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01333  1384   NtWaitForSingleObject  (128, 0, 0x0, ...
 01326  1252   NtWaitForSingleObject  ... ) == 0x0
 01331   188   NtSetEventBoostPriority  ... ) == 0x0
 01332  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01334  1252   NtSetEventBoostPriority  (308, ...
 01330  1736   NtCreateThread  ... 372, {1636, 1372}, ) == 0x0
 01329  1600   NtWaitForSingleObject  ... ) == 0x0
 01334  1252   NtSetEventBoostPriority  ... ) == 0x0
 01335  1356   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01336  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01337  1736   NtQueryInformationThread  (372, Basic, 28, ...
 01338   188   NtWaitForSingleObject  (128, 0, 0x0, ...
 01336  1600   NtDuplicateObject  ... 380, ) == 0x0
 01335  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01337  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0
 01339  1600   NtWaitForSingleObject  (328, 0, 0x0, ...
 01340  1356   NtWaitForSingleObject  (328, 0, 0x0, ...
 01341  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0\\5\0\0" ...  ...
 01342  1252   NtSetEventBoostPriority  (328, ...
 01341  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75521, 0}  ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0\\5\0\0" )  ) == 0x0
 01340  1356   NtWaitForSingleObject  ... ) == 0x0
 01342  1252   NtSetEventBoostPriority  ... ) == 0x0
 01343  1356   NtSetEventBoostPriority  (328, ...
 01339  1600   NtWaitForSingleObject  ... ) == 0x0
 01344  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01345  1600   NtWaitForSingleObject  (128, 0, 0x0, ...
 01343  1356   NtSetEventBoostPriority  ... ) == 0x0
 01346  1252   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01347  1736   NtResumeThread  (372, ...
 01346  1252   NtOpenFile  ... 384, {status=0x0, info=0}, ) == 0x0
 01347  1736   NtResumeThread  ... 1, ) == 0x0
 01348  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\12\342\343\373\367\327<\254\321\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01349  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01350  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01349  1736   NtAllocateVirtualMemory  ... 43515904, 1048576, ) == 0x0
 01351  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ...
 01352  1372   NtWaitForSingleObject  (100, 0, 0x0, ...
 01353  1736   NtAllocateVirtualMemory  (-1, 44556288, 0, 8192, 4096, 4, ...
 01351  1356   NtQueryAttributesFile  ... ) == 0x0
 01353  1736   NtAllocateVirtualMemory  ... 44556288, 8192, ) == 0x0
 01354  1356   NtSetEventBoostPriority  (100, ...
 01350  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01352  1372   NtWaitForSingleObject  ... ) == 0x0
 01354  1356   NtSetEventBoostPriority  ... ) == 0x0
 01355  1372   NtTestAlert  (...
 01356  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01355  1372   NtTestAlert  ... ) == 0x0
 01357  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01356  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01358  1736   NtProtectVirtualMemory  (-1, (0x2a7e000), 4096, 260, ...
 01357  1356   NtOpenKey  ... 388, ) == 0x0
 01359  1252   NtQuerySystemInformation  (Performance, 312, ...
 01358  1736   NtProtectVirtualMemory  ... (0x2a7e000), 4096, 4, ) == 0x0
 01360  1372   NtContinue  (43515184, 1, ...
 01359  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01361  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01362  1372   NtRegisterThreadTerminatePort  (24, ...
 01363  1252   NtQuerySystemInformation  (Exception, 16, ...
 01361  1736   NtCreateThread  ... 392, {1636, 2040}, ) == 0x0
 01362  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01364  1356   NtQueryValueKey  (388,  (388, "Transports", Partial, 144, ... , Partial, 144, ...
 01365  1736   NtQueryInformationThread  (392, Basic, 28, ...
 01366  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01364  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01365  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0
 01366  1372   NtDuplicateObject  ... 396, ) == 0x0
 01367  1356   NtQueryValueKey  (388,  (388, "Transports", Partial, 144, ... , Partial, 144, ...
 01363  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01368  1372   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01367  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01369  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01370  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0\370\7\0\0" ...  ...
 01371  1356   NtClose  (388, ...
 01369  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01370  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75522, 0}  ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0\370\7\0\0" )  ) == 0x0
 01371  1356   NtClose  ... ) == 0x0
 01372  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01373  1736   NtResumeThread  (392, ...
 01368  1372   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01372  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01373  1736   NtResumeThread  ... 1, ) == 0x0
 01374  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01375  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01376  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01374  1372   NtWaitForSingleObject  ... ) == 0x102
 01377  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01378  2040   NtTestAlert  (...
 01375  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01379  1372   NtWaitForSingleObject  (128, 0, 0x0, ...
 01377  1356   NtOpenKey  ... 388, ) == 0x0
 01378  2040   NtTestAlert  ... ) == 0x0
 01380  1356   NtQueryValueKey  (388,  (388, "Mapping", Partial, 144, ... , Partial, 144, ...
 01381  2040   NtContinue  (44563760, 1, ...
 01380  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01382  2040   NtRegisterThreadTerminatePort  (24, ...
 01383  1356   NtQueryValueKey  (388,  (388, "Mapping", Partial, 144, ... , Partial, 144, ...
 01382  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 01383  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01376  1736   NtAllocateVirtualMemory  ... 44564480, 1048576, ) == 0x0
 01384  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01385  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01386  1736   NtAllocateVirtualMemory  (-1, 45604864, 0, 8192, 4096, 4, ...
 01384  1252   NtCreateKey  ... -2147481380, 2, ) == 0x0
 01385  2040   NtDuplicateObject  ... 400, ) == 0x0
 01386  1736   NtAllocateVirtualMemory  ... 45604864, 8192, ) == 0x0
 01387  1252   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "\246\317\202\24\232\31V\273\242J\4\201\235fd%XF\12\255"\306N\262\226\356%\277\23\14\205\232\231L\36\276S\343\277\21 \333\374\210*\305\204k\24\242Q\275\334\233\346\35\252T?\246\304$W\251\301\237?q\324\340\20sS\301E\224\374J\367\220", 80, ... , 0, 3,  (-2147481380, "Seed", 0, 3, "\246\317\202\24\232\31V\273\242J\4\201\235fd%XF\12\255"\306N\262\226\356%\277\23\14\205\232\231L\36\276S\343\277\21 \333\374\210*\305\204k\24\242Q\275\334\233\346\35\252T?\246\304$W\251\301\237?q\324\340\20sS\301E\224\374J\367\220", 80, ... \306N\262\226\356%\277\23\14\205\232\231L\36\276S\343\277\21 \333\374\210*\305\204k\24\242Q\275\334\233\346\35\252T?\246\304$W\251\301\237?q\324\340\20sS\301E\224\374J\367\220", 80, ...
 01388  2040   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01389  1736   NtProtectVirtualMemory  (-1, (0x2b7e000), 4096, 260, ...
 01390  1356   NtQueryValueKey  (388,  (388, "Mapping", Partial, 152, ... , Partial, 152, ...
 01388  2040   NtWaitForSingleObject  ... ) == 0x102
 01389  1736   NtProtectVirtualMemory  ... (0x2b7e000), 4096, 4, ) == 0x0
 01390  1356   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01391  2040   NtWaitForSingleObject  (128, 0, 0x0, ...
 01392  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01393  1356   NtClose  (388, ...
 01387  1252   NtSetValueKey  ... ) == 0x0
 01393  1356   NtClose  ... ) == 0x0
 01394  1252   NtClose  (-2147481380, ...
 01395  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01394  1252   NtClose  ... ) == 0x0
 01395  1356   NtOpenKey  ... 388, ) == 0x0
 01348  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\32\36\32/\221\33Cja\2548pp\260a\302\356\35Y{\256\320\26\245\274\260\26\317u\376\365\30\34\306\236y\335\7\31\357\214QB\22P=\242\310\205d\302(\337\254\215\6d+\33\242'(^\322\177\247\242\2253\322p\332'\274\36\266\206\342\343~\357T\333\317\374\256\204mj+No\240\334\264\30\212\275Y\250^\220\20\30\236\4))\7=\263\335\221\253\262\221\206\227\272\303\340\254\244\35G\6T\307y9\257\27-\234:\15\33HE"\366\250\213\33Z\242_\214\237O?a\217\203:\315r\320\346$\336\262\230\314\306\227\277\11\230y\6^\226\11\354\2018\226'\210\364\25-\350\222\240$\266\6\206|\354\333\305\305\0\356\254\212\256!\13@\302\201\11\301:$\206\371\273O\255\263\36\31\216]G\323w\30\177\264\346+B\366\2T\261)\377\236\263P\346\275I\262\37\35\360\304\345\~ \177\363$h\266\35\352", ) \366\250\213\33Z\242_\214\237O?a\217\203:\315r\320\346$\336\262\230\314\306\227\277\11\230y\6^\226\11\354\2018\226'\210\364\25-\350\222\240$\266\6\206|\354\333\305\305\0\356\254\212\256!\13@\302\201\11\301:$\206\371\273O\255\263\36\31\216]G\323w\30\177\264\346+B\366\2T\261)\377\236\263P\346\275I\262\37\35\360\304\345\~ \177\363$h\266\35\352", ) == 0x0
 01392  1736   NtCreateThread  ... 404, {1636, 216}, ) == 0x0
 01396  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01397  1736   NtQueryInformationThread  (404, Basic, 28, ...
 01396  1252   NtCreateEvent  ... 408, ) == 0x0
 01397  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=216,}, 0x0, ) == 0x0
 01398  1356   NtQueryValueKey  (388,  (388, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01399  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0\330\0\0\0" ...  ...
 01398  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01399  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75523, 0}  ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0\330\0\0\0" )  ) == 0x0
 01400  1356   NtQueryValueKey  (388,  (388, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01401  1252   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16248324, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16248324, 188, ...
 01400  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01402  1356   NtQueryValueKey  (388,  (388, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (388, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01401  1252   NtConnectPort  ... 412, 0x0, 0x0, 0x0, 188, ) == 0x0
 01403  1736   NtResumeThread  (404, ...
 01404  1252   NtRequestWaitReplyPort  (412, {200, 224, new_msg, 0, 1382744, 12, 2, 1310721}  (412, {200, 224, new_msg, 0, 1382744, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\27\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\255Q\10\32\223\277v4\10\31\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\340\30\25\0\322<\33sx\1\24\0\0\31\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\31\25\0P\0\0\0\10\31\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\367\0\372\31\221|\30\364\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01403  1736   NtResumeThread  ... 1, ) == 0x0
 01405  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 45613056, 1048576, ) == 0x0
 01406  1736   NtAllocateVirtualMemory  (-1, 46653440, 0, 8192, 4096, 4, ... 46653440, 8192, ) == 0x0
 01404  1252   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1252, 75525, 0}  ... {200, 224, reply, 0, 1636, 1252, 75525, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\255Q\10\32\223\277v4\10\31\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\340\30\25\0\322<\33sx\1\24\0\0\31\25\0h\1\24\0\0\0\0\0\0\0\0\0\0\31\25\0P\0\0\0\10\31\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\367\0\372\31\221|\30\364\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01407  1356   NtQueryValueKey  (388,  (388, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01408   216   NtTestAlert  (...
 01409  1736   NtProtectVirtualMemory  (-1, (0x2c7e000), 4096, 260, ...
 01407  1356   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01408   216   NtTestAlert  ... ) == 0x0
 01409  1736   NtProtectVirtualMemory  ... (0x2c7e000), 4096, 4, ) == 0x0
 01410  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ...
 01411   216   NtContinue  (45612336, 1, ...
 01412  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01410  1356   NtQueryAttributesFile  ... ) == 0x0
 01413   216   NtRegisterThreadTerminatePort  (24, ...
 01414  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01413   216   NtRegisterThreadTerminatePort  ... ) == 0x0
 01414  1356   NtOpenFile  ... 416, {status=0x0, info=1}, ) == 0x0
 01412  1736   NtCreateThread  ... 420, {1636, 152}, ) == 0x0
 01415  1252   NtRequestWaitReplyPort  (412, {64, 88, new_msg, 0, 0, 0, 0, 0}  (412, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01416   216   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01417  1736   NtQueryInformationThread  (420, Basic, 28, ...
 01416   216   NtDuplicateObject  ... 424, ) == 0x0
 01417  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=152,}, 0x0, ) == 0x0
 01418   216   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01419  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\230\0\0\0" ...  ...
 01418   216   NtWaitForSingleObject  ... ) == 0x102
 01419  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75527, 0}  ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0d\6\0\0\230\0\0\0" )  ) == 0x0
 01420   216   NtWaitForSingleObject  (128, 0, 0x0, ...
 01421  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 416, ...
 01422  1736   NtResumeThread  (420, ...
 01421  1356   NtCreateSection  ... 428, ) == 0x0
 01422  1736   NtResumeThread  ... 1, ) == 0x0
 01423  1356   NtClose  (416, ...
 01424  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01423  1356   NtClose  ... ) == 0x0
 01424  1736   NtAllocateVirtualMemory  ... 46661632, 1048576, ) == 0x0
 01425  1356   NtMapViewOfSection  (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01426  1736   NtAllocateVirtualMemory  (-1, 47702016, 0, 8192, 4096, 4, ...
 01425  1356   NtMapViewOfSection  ... (0x850000), 0x0, 20480, ) == 0x0
 01426  1736   NtAllocateVirtualMemory  ... 47702016, 8192, ) == 0x0
 01427   152   NtWaitForSingleObject  (100, 0, 0x0, ...
 01428  1356   NtClose  (428, ... ) == 0x0
 01429  1736   NtProtectVirtualMemory  (-1, (0x2d7e000), 4096, 260, ... (0x2d7e000), 4096, 4, ) == 0x0
 01430  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01431  1356   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01432  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... ) == 0x0
 01433  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 428, {status=0x0, info=1}, ) }, 5, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 01434  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 428, ... 416, ) == 0x0
 01430  1736   NtCreateThread  ... 432, {1636, 2036}, ) == 0x0
 01435  1736   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=2036,}, 0x0, ) == 0x0
 01436  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75528, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\364\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\364\7\0\0" )  ) == 0x0
 01437  1736   NtResumeThread  (432, ... 1, ) == 0x0
 01438  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01439  1356   NtQuerySection  (416, Image, 48, ...
 01440  2036   NtWaitForSingleObject  (100, 0, 0x0, ...
 01439  1356   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01441  1356   NtClose  (428, ... ) == 0x0
 01442  1356   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01443  1356   NtClose  (416, ... ) == 0x0
 01444  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01438  1736   NtAllocateVirtualMemory  ... 47710208, 1048576, ) == 0x0
 01445  1736   NtAllocateVirtualMemory  (-1, 48750592, 0, 8192, 4096, 4, ... 48750592, 8192, ) == 0x0
 01446  1736   NtProtectVirtualMemory  (-1, (0x2e7e000), 4096, 260, ... (0x2e7e000), 4096, 4, ) == 0x0
 01447  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01415  1252   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 1252, 75526, 0}  ... {52, 76, reply, 0, 1636, 1252, 75526, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01448  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 01449  1252   NtClose  (408, ...
 01448  1356   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 01449  1252   NtClose  ... ) == 0x0
 01450  1356   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 01451  1252   NtClose  (412, ...
 01450  1356   NtFlushInstructionCache  ... ) == 0x0
 01447  1736   NtCreateThread  ... 408, {1636, 1708}, ) == 0x0
 01452  1736   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0
 01453  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75529, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\254\6\0\0" )  ) == 0x0
 01454  1736   NtResumeThread  (408, ... 1, ) == 0x0
 01455  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 48758784, 1048576, ) == 0x0
 01456  1736   NtAllocateVirtualMemory  (-1, 49799168, 0, 8192, 4096, 4, ... 49799168, 8192, ) == 0x0
 01451  1252   NtClose  ... ) == 0x0
 01457  1708   NtWaitForSingleObject  (100, 0, 0x0, ...
 01458  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 01459  1252   NtWaitForSingleObject  (100, 0, 0x0, ...
 01458  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460  1356   NtSetEventBoostPriority  (100, ...
 01427   152   NtWaitForSingleObject  ... ) == 0x0
 01461   152   NtSetEventBoostPriority  (100, ...
 01440  2036   NtWaitForSingleObject  ... ) == 0x0
 01462  2036   NtSetEventBoostPriority  (100, ...
 01457  1708   NtWaitForSingleObject  ... ) == 0x0
 01463  1708   NtSetEventBoostPriority  (100, ...
 01459  1252   NtWaitForSingleObject  ... ) == 0x0
 01464  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 412, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 412, 2, ) , 0, ... 412, 2, ) == 0x0
 01463  1708   NtSetEventBoostPriority  ... ) == 0x0
 01462  2036   NtSetEventBoostPriority  ... ) == 0x0
 01461   152   NtSetEventBoostPriority  ... ) == 0x0
 01460  1356   NtSetEventBoostPriority  ... ) == 0x0
 01465  1736   NtProtectVirtualMemory  (-1, (0x2f7e000), 4096, 260, ...
 01466  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01467  1708   NtTestAlert  (...
 01468  2036   NtTestAlert  (...
 01469  1356   NtClose  (388, ...
 01465  1736   NtProtectVirtualMemory  ... (0x2f7e000), 4096, 4, ) == 0x0
 01466  1252   NtOpenKey  ... 416, ) == 0x0
 01467  1708   NtTestAlert  ... ) == 0x0
 01468  2036   NtTestAlert  ... ) == 0x0
 01469  1356   NtClose  ... ) == 0x0
 01470  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01471  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01472  1708   NtContinue  (48758064, 1, ...
 01473  2036   NtContinue  (47709488, 1, ...
 01474   152   NtTestAlert  (...
 01470  1736   NtCreateThread  ... 388, {1636, 1776}, ) == 0x0
 01471  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475  1708   NtRegisterThreadTerminatePort  (24, ...
 01476  2036   NtRegisterThreadTerminatePort  (24, ...
 01474   152   NtTestAlert  ... ) == 0x0
 01477  1736   NtQueryInformationThread  (388, Basic, 28, ...
 01478  1252   NtQueryValueKey  (412,  (412, "Hostname", Partial, 144, ... , Partial, 144, ...
 01475  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01476  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01479   152   NtContinue  (46660912, 1, ...
 01477  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1776,}, 0x0, ) == 0x0
 01478  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01480  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01481  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01482   152   NtRegisterThreadTerminatePort  (24, ...
 01483  1356   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ...
 01484  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\360\6\0\0" ...  ...
 01485  1252   NtQueryValueKey  (412,  (412, "Hostname", Partial, 144, ... , Partial, 144, ...
 01480  1708   NtDuplicateObject  ... 428, ) == 0x0
 01482   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01483  1356   NtCreateFile  ... 436, {status=0x0, info=0}, ) == 0x0
 01484  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75531, 0}  ... {28, 56, reply, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\360\6\0\0" )  ) == 0x0
 01485  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01486  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01487   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01488  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x1207b,  (436, 112, 0x0, 0x0, 0x1207b, "\7\0\0\0\0\4\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01489  1736   NtResumeThread  (388, ...
 01490  1252   NtClose  (412, ...
 01486  1708   NtWaitForSingleObject  ... ) == 0x102
 01481  2036   NtDuplicateObject  ... 440, ) == 0x0
 01489  1736   NtResumeThread  ... 1, ) == 0x0
 01490  1252   NtClose  ... ) == 0x0
 01491  1708   NtWaitForSingleObject  (128, 0, 0x0, ...
 01492  2036   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01493  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01494  1252   NtClose  (416, ...
 01492  2036   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01488  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\0{ \1\0\0 \0\0\300\332\243\201", ) , ) == 0x0
 01487   152   NtDuplicateObject  ... 412, ) == 0x0
 01495  1776   NtTestAlert  (...
 01494  1252   NtClose  ... ) == 0x0
 01496  2036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01497  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x1207b,  (436, 112, 0x0, 0x0, 0x1207b, "\6\0\0\0{ \1\0\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ...
 01498   152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01495  1776   NtTestAlert  ... ) == 0x0
 01493  1736   NtAllocateVirtualMemory  ... 49807360, 1048576, ) == 0x0
 01496  2036   NtWaitForSingleObject  ... ) == 0x102
 01497  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\0{ \1\0\0 \0\0\300\332\243\201", ) , ) == 0x0
 01498   152   NtWaitForSingleObject  ... ) == 0x102
 01499  1776   NtContinue  (49806640, 1, ...
 01500  1736   NtAllocateVirtualMemory  (-1, 50847744, 0, 8192, 4096, 4, ...
 01501  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261F\265\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01502  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x12047,  (436, 112, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01503   152   NtWaitForSingleObject  (128, 0, 0x0, ...
 01504  1776   NtRegisterThreadTerminatePort  (24, ...
 01500  1736   NtAllocateVirtualMemory  ... 50847744, 8192, ) == 0x0
 01505  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01502  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01504  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01506  1736   NtProtectVirtualMemory  (-1, (0x307e000), 4096, 260, ...
 01505  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01507  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01508  2036   NtWaitForSingleObject  (128, 0, 0x0, ...
 01506  1736   NtProtectVirtualMemory  ... (0x307e000), 4096, 4, ) == 0x0
 01509  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01510  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01511  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01509  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01510  1776   NtDuplicateObject  ... 416, ) == 0x0
 01507  1356   NtWaitForSingleObject  ... ) == 0x102
 01512  1252   NtQuerySystemInformation  (Performance, 312, ...
 01513  1776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01514  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x12003,  (436, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01511  1736   NtCreateThread  ... 444, {1636, 1324}, ) == 0x0
 01513  1776   NtWaitForSingleObject  ... ) == 0x102
 01515  1736   NtQueryInformationThread  (444, Basic, 28, ...
 01516  1776   NtWaitForSingleObject  (128, 0, 0x0, ...
 01515  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1324,}, 0x0, ) == 0x0
 01514  1356   NtDeviceIoControlFile  ... {status=0x0, info=448},  ... {status=0x0, info=448}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01512  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01517  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0,\5\0\0" ...  ...
 01518  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x12047,  (436, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01519  1252   NtQuerySystemInformation  (Exception, 16, ...
 01517  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75532, 0}  ... {28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0,\5\0\0" )  ) == 0x0
 01518  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01519  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01520  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x12037,  (436, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01521  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01520  1356   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01521  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01522  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x1200b,  (436, 112, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\256\24\0", 12, 0, ... , 12, 0, ...
 01523  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01524  1736   NtResumeThread  (444, ...
 01522  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01524  1736   NtResumeThread  ... 1, ) == 0x0
 01525  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x12047,  (436, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01526  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01525  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01526  1736   NtAllocateVirtualMemory  ... 50855936, 1048576, ) == 0x0
 01523  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01527  1324   NtTestAlert  (...
 01528  1736   NtAllocateVirtualMemory  (-1, 51896320, 0, 8192, 4096, 4, ...
 01529  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01527  1324   NtTestAlert  ... ) == 0x0
 01528  1736   NtAllocateVirtualMemory  ... 51896320, 8192, ) == 0x0
 01529  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01530  1324   NtContinue  (50855216, 1, ...
 01531  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01532  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01533  1324   NtRegisterThreadTerminatePort  (24, ...
 01531  1356   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01532  1252   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01533  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01534  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01535  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "aE_v\221\362\331\31\3668\250\355\354T\267A*\25a\252 \303\364Z}\246D|\256\261\354\317\205\200\240A\23\312Y\15\15Z\265\216\177Hj\271L\251\271ML\353l\177S\260\305\365\321\34\4O\252Ukd\340\216\10w\256\336\260"\310\12\242", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "aE_v\221\362\331\31\3668\250\355\354T\267A*\25a\252 \303\364Z}\246D|\256\261\354\317\205\200\240A\23\312Y\15\15Z\265\216\177Hj\271L\251\271ML\353l\177S\260\305\365\321\34\4O\252Ukd\340\216\10w\256\336\260"\310\12\242", 80, ... \310\12\242", 80, ...
 01536  1736   NtProtectVirtualMemory  (-1, (0x317e000), 4096, 260, ...
 01534  1356   NtCreateEvent  ... 452, ) == 0x0
 01537  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01536  1736   NtProtectVirtualMemory  ... (0x317e000), 4096, 4, ) == 0x0
 01538  1356   NtWaitForSingleObject  (452, 0, 0x0, ...
 01537  1324   NtDuplicateObject  ... 456, ) == 0x0
 01539  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01540  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01541  1324   NtWaitForSingleObject  (128, 0, 0x0, ...
 01535  1252   NtSetValueKey  ... ) == 0x0
 01542  1252   NtClose  (-2147481440, ... ) == 0x0
 01501  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\240S\3042\354]\14A\274$-\31d\3\361)~\\346\231\210\34\312o\330\266Lfhg\3m0\200\271\212\311\11\276q\25\347 \275<\254\347\347\2447\7\36\226h\337\357\360w\331)G\330\0\256\311\211xIu\213\244\2521\225\20_\340\267\244\317\54\222F\205\335\212P6\2077b\207\24\270\206\373~`\241ar\345IrN\2179r_i\256\376\210\331\363w\2768F\364\35(\343\264\14\12\34\317k\213+\205|\22640\265<\205/\205\303\335*e\246\327\360\37\206\316g\205i\312\313\360!\2F\264\321\17y|W\374z\260\271\347\12L\222k;I\206\253\301-\365f\241bL3qP|4M\325\331+\322\363\20\2048\374H"\367\317\322-I\331s\3\310c\3248\272\37X\300\364\11\216\331Jq7\336Q2\301\321\261D\312\3057o\253v3W\205\0sSk\225$\223\302\205\273\324\220b", ) \367\317\322-I\331s\3\310c\3248\272\37X\300\364\11\216\331Jq7\336Q2\301\321\261D\312\3057o\253v3W\205\0sSk\225$\223\302\205\273\324\220b", ) == 0x0
 01543  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261K\242s\344\234[s\216\200\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01544  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01539  1736   NtCreateThread  ... 460, {1636, 1652}, ) == 0x0
 01545  1736   NtQueryInformationThread  (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0
 01546  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0t\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0t\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0d\6\0\0t\6\0\0" )  ) == 0x0
 01547  1736   NtResumeThread  (460, ... 1, ) == 0x0
 01548  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 51904512, 1048576, ) == 0x0
 01549  1736   NtAllocateVirtualMemory  (-1, 52944896, 0, 8192, 4096, 4, ... 52944896, 8192, ) == 0x0
 01544  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01550  1652   NtTestAlert  (...
 01551  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01550  1652   NtTestAlert  ... ) == 0x0
 01551  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01552  1652   NtContinue  (51903792, 1, ...
 01553  1252   NtQuerySystemInformation  (Performance, 312, ...
 01554  1652   NtRegisterThreadTerminatePort  (24, ...
 01553  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01554  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01555  1252   NtQuerySystemInformation  (Exception, 16, ...
 01556  1736   NtProtectVirtualMemory  (-1, (0x327e000), 4096, 260, ...
 01557  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01556  1736   NtProtectVirtualMemory  ... (0x327e000), 4096, 4, ) == 0x0
 01557  1652   NtDuplicateObject  ... 464, ) == 0x0
 01558  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01559  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01558  1736   NtCreateThread  ... 468, {1636, 588}, ) == 0x0
 01559  1652   NtWaitForSingleObject  ... ) == 0x102
 01560  1736   NtQueryInformationThread  (468, Basic, 28, ...
 01561  1652   NtWaitForSingleObject  (128, 0, 0x0, ...
 01560  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=588,}, 0x0, ) == 0x0
 01555  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01562  1252   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01563  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01564  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01565  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481440, 2, ) }, 0, 0x0, 0, ... -2147481440, 2, ) == 0x0
 01566  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\3438\315\15\334\355\312\274\32^\265Zo\255\271\212A\260\312N\315\275\20 \12\26V=}\276\263c\\32\263-\11\302Am\207\2029WiO\300.\33s\31\276\345\230\36\263X\300\225\36\270\274\7/$\262\217l\343\32\347\371`\35Pzj\346n\1", 80, ... ) , 0, 3,  (-2147481440, "Seed", 0, 3, "\3438\315\15\334\355\312\274\32^\265Zo\255\271\212A\260\312N\315\275\20 \12\26V=}\276\263c\\32\263-\11\302Am\207\2029WiO\300.\33s\31\276\345\230\36\263X\300\225\36\270\274\7/$\262\217l\343\32\347\371`\35Pzj\346n\1", 80, ... ) , 80, ... ) == 0x0
 01567  1252   NtClose  (-2147481440, ...
 01568  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0d\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0d\6\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75534, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0d\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0d\6\0\0L\2\0\0" )  ) == 0x0
 01569  1736   NtResumeThread  (468, ... 1, ) == 0x0
 01570  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52953088, 1048576, ) == 0x0
 01571  1736   NtAllocateVirtualMemory  (-1, 53993472, 0, 8192, 4096, 4, ... 53993472, 8192, ) == 0x0
 01572  1736   NtProtectVirtualMemory  (-1, (0x337e000), 4096, 260, ... (0x337e000), 4096, 4, ) == 0x0
 01573  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01567  1252   NtClose  ... ) == 0x0
 01574   588   NtTestAlert  (...
 01543  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\377^\23\365\374\263@[\242Z\266\216\303q\276\357b^\23\222)\351\233\346\215\14\234\225\231\346Q\246M\36\15\270\327\205\16\341\300V\370M\31\213\216_\33\263\3752\230^7(g,}\376HOU\242\264\212\327U\221\363\363\227\274x\223KX\204Ab\351\267\205\261\240p\245]\3\304\2610\11/\262/\200\302\350xH\2662`]\350\2\272m\377+\2478r\247\353\200\311T\223w\302\201Y\4\275r\200\36\244\20E^\275\225\352\322\13\355[~\373R\236\231\203U\255Q\357\361\222\313\225B`\213|\226\11\15~\224\266\345\5\235W\16\364{\367A?\252\270\276p\350z\315\224\200oMN\254\207\227\346\2312\301\330\220\203&%\361=URS2\253\262d\32\360\234,Dfi\14x\242\25\275\300t\215\350\313\13\17T\243\360Fx\262F\276\333[J\342\371w\37\266\321\222\370o\330\300\216\263\13\3724\373E", ) , ) == 0x0
 01574   588   NtTestAlert  ... ) == 0x0
 01575  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261K\242s\344\234[s\203\227s\344\234[s\216\200\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01576   588   NtContinue  (52952368, 1, ...
 01577  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01578   588   NtRegisterThreadTerminatePort  (24, ...
 01577  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01578   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01579  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01573  1736   NtCreateThread  ... 472, {1636, 440}, ) == 0x0
 01580   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01581  1736   NtQueryInformationThread  (472, Basic, 28, ...
 01580   588   NtDuplicateObject  ... 476, ) == 0x0
 01581  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=440,}, 0x0, ) == 0x0
 01582   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01583  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0\270\1\0\0" ...  ...
 01582   588   NtWaitForSingleObject  ... ) == 0x102
 01583  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75535, 0}  ... {28, 56, reply, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0\270\1\0\0" )  ) == 0x0
 01584   588   NtWaitForSingleObject  (128, 0, 0x0, ...
 01579  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01585  1736   NtResumeThread  (472, ...
 01586  1252   NtQuerySystemInformation  (Performance, 312, ...
 01585  1736   NtResumeThread  ... 1, ) == 0x0
 01586  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01587  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01588  1252   NtQuerySystemInformation  (Exception, 16, ...
 01587  1736   NtAllocateVirtualMemory  ... 54001664, 1048576, ) == 0x0
 01588  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01589  1736   NtAllocateVirtualMemory  (-1, 55042048, 0, 8192, 4096, 4, ...
 01590  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01589  1736   NtAllocateVirtualMemory  ... 55042048, 8192, ) == 0x0
 01591   440   NtTestAlert  (...
 01590  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01591   440   NtTestAlert  ... ) == 0x0
 01592  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01593   440   NtContinue  (54000944, 1, ...
 01592  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01594   440   NtRegisterThreadTerminatePort  (24, ...
 01595  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01594   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01595  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01596  1736   NtProtectVirtualMemory  (-1, (0x347e000), 4096, 260, ...
 01597  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01596  1736   NtProtectVirtualMemory  ... (0x347e000), 4096, 4, ) == 0x0
 01598   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01599  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01598   440   NtDuplicateObject  ... 480, ) == 0x0
 01599  1736   NtCreateThread  ... 484, {1636, 1620}, ) == 0x0
 01600   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01601  1736   NtQueryInformationThread  (484, Basic, 28, ...
 01600   440   NtWaitForSingleObject  ... ) == 0x102
 01601  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0
 01602   440   NtWaitForSingleObject  (128, 0, 0x0, ...
 01597  1252   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01603  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0T\6\0\0" ...  ...
 01604  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\0\3246\210Au\247\30\222h\254\321b\270\335\224\246Y\206\303MC\15\245ALM\0r|5\330Q#\317\269\305'\6\6\177\270\241?\343\225\214\241\2158XT\357\243[}\364\204\340\357\303\347\216\22F.\360QF\354WY\205O\316\312^]N", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "\0\3246\210Au\247\30\222h\254\321b\270\335\224\246Y\206\303MC\15\245ALM\0r|5\330Q#\317\269\305'\6\6\177\270\241?\343\225\214\241\2158XT\357\243[}\364\204\340\357\303\347\216\22F.\360QF\354WY\205O\316\312^]N", 80, ... , 80, ...
 01603  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75536, 0}  ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0T\6\0\0" )  ) == 0x0
 01604  1252   NtSetValueKey  ... ) == 0x0
 01605  1736   NtResumeThread  (484, ...
 01606  1252   NtClose  (-2147481440, ...
 01605  1736   NtResumeThread  ... 1, ) == 0x0
 01606  1252   NtClose  ... ) == 0x0
 01607  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01575  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\335\231N\256\14O?\352\270\250\341x\253*d.\24\36\244\262\276\256\4kh\37\20\325\35a\316\315\262g\312\364\317\247\25\202\216k\200\314\240\324\335C\3\257_C2\6\342\206g\1\12\236\211\245\272\304\354e\2\31\353\13\262Y\213B\36-\264z\316[7#a\212\357\245\254\371\356\23\370\214\262\267\276\203I\376\30(\243\330\363\14\33\236/\247Wo\214\227\37\365)\237`\255j\275\17\22\323\10\6\362{Z\255\221Y\1\16\3749\36W\220Ljg\315r\332\316\215\216h\220]K\226g\235\374M1\205\363V\225\366\250\0\14\340p\210Xwx\31\353\374\13\264\301J*\220\237Z4\317\370\231$\271u%\0\0\302\352\316\335;\16\375\317\232\277\302:\202k\253F\347\217\247\351\2674\6_\30\376\362\26tO\6=\215\333\340'\353\302\310\361\16\204\177\331\32\35\325\205\236\355@\253\360\2._\352\223y\337\3", ) , ) == 0x0
 01608  1620   NtTestAlert  (...
 01607  1736   NtAllocateVirtualMemory  ... 55050240, 1048576, ) == 0x0
 01608  1620   NtTestAlert  ... ) == 0x0
 01609  1736   NtAllocateVirtualMemory  (-1, 56090624, 0, 8192, 4096, 4, ...
 01610  1620   NtContinue  (55049520, 1, ...
 01609  1736   NtAllocateVirtualMemory  ... 56090624, 8192, ) == 0x0
 01611  1620   NtRegisterThreadTerminatePort  (24, ...
 01612  1736   NtProtectVirtualMemory  (-1, (0x357e000), 4096, 260, ...
 01611  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01612  1736   NtProtectVirtualMemory  ... (0x357e000), 4096, 4, ) == 0x0
 01613  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261K\242s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\216\200\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01614  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01615  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01616  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01615  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01616  1620   NtDuplicateObject  ... 488, ) == 0x0
 01617  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01618  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01617  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01618  1620   NtWaitForSingleObject  ... ) == 0x102
 01619  1252   NtQuerySystemInformation  (Performance, 312, ...
 01620  1620   NtWaitForSingleObject  (128, 0, 0x0, ...
 01614  1736   NtCreateThread  ... 492, {1636, 1308}, ) == 0x0
 01619  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01621  1736   NtQueryInformationThread  (492, Basic, 28, ...
 01622  1252   NtQuerySystemInformation  (Exception, 16, ...
 01621  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0
 01622  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01623  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\34\5\0\0" ...  ...
 01624  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01623  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75537, 0}  ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\34\5\0\0" )  ) == 0x0
 01624  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01625  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01626  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01627  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481440, 2, ) }, 0, 0x0, 0, ... -2147481440, 2, ) == 0x0
 01628  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "QR6\376\327\261\21\301\233\10~\376\353\327\254\313\2\316.Z\331\360Q)~\225H\362\245j\101'\254&M>\234\364"H\341\340(\302\252E3\170p\33i&\373\262\333\326\351+A\15\245\230/\261\255\245g\13\277u=\255\23\17\320\273\27", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "QR6\376\327\261\21\301\233\10~\376\353\327\254\313\2\316.Z\331\360Q)~\225H\362\245j\101'\254&M>\234\364"H\341\340(\302\252E3\170p\33i&\373\262\333\326\351+A\15\245\230/\261\255\245g\13\277u=\255\23\17\320\273\27", 80, ... H\341\340(\302\252E3\170p\33i&\373\262\333\326\351+A\15\245\230/\261\255\245g\13\277u=\255\23\17\320\273\27", 80, ...
 01629  1736   NtResumeThread  (492, ... 1, ) == 0x0
 01630  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56098816, 1048576, ) == 0x0
 01631  1736   NtAllocateVirtualMemory  (-1, 57139200, 0, 8192, 4096, 4, ... 57139200, 8192, ) == 0x0
 01632  1736   NtProtectVirtualMemory  (-1, (0x367e000), 4096, 260, ... (0x367e000), 4096, 4, ) == 0x0
 01633  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {1636, 1376}, ) == 0x0
 01634  1736   NtQueryInformationThread  (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0
 01628  1252   NtSetValueKey  ... ) == 0x0
 01635  1308   NtTestAlert  (...
 01636  1252   NtClose  (-2147481440, ...
 01635  1308   NtTestAlert  ... ) == 0x0
 01636  1252   NtClose  ... ) == 0x0
 01637  1308   NtContinue  (56098096, 1, ...
 01613  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "5\23\263\333\242\320\374@[\264\272z\120>\222\216`\267L\272\36'\322\2\370L-\373,\352\31/7\3361\32g\256\\224\10\266%\201\263\12uL\30\30\236cK\26\323)}\207l\25\205\210\307De\234\370lzl\320\255p\327f\4$\261\261\325\370\374D\302+;\27\224:\30]o*\200\13\2162\355\376\322\2460\37\334\271XD\37\310\315\327\366\243\2631\205?\16\37\363\323\231\341\37\235"\277\12\365Bg\202\217\321u\326\200FM\345RcZ\230", ) \277\12\365Bg\202\217\321u\326\200FM\345RcZ\230", ) == 0x0
 01638  1308   NtRegisterThreadTerminatePort  (24, ...
 01639  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261K\242s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\216\200\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01638  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01640  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01641  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0`\5\0\0" ...  ...
 01642  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01641  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75538, 0}  ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0`\5\0\0" )  ) == 0x0
 01642  1308   NtDuplicateObject  ... 500, ) == 0x0
 01643  1736   NtResumeThread  (496, ...
 01644  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01643  1736   NtResumeThread  ... 1, ) == 0x0
 01644  1308   NtWaitForSingleObject  ... ) == 0x102
 01645  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01646  1308   NtWaitForSingleObject  (128, 0, 0x0, ...
 01640  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01647  1376   NtTestAlert  (...
 01645  1736   NtAllocateVirtualMemory  ... 57147392, 1048576, ) == 0x0
 01648  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01647  1376   NtTestAlert  ... ) == 0x0
 01649  1736   NtAllocateVirtualMemory  (-1, 58187776, 0, 8192, 4096, 4, ...
 01648  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01650  1376   NtContinue  (57146672, 1, ...
 01649  1736   NtAllocateVirtualMemory  ... 58187776, 8192, ) == 0x0
 01651  1252   NtQuerySystemInformation  (Performance, 312, ...
 01652  1376   NtRegisterThreadTerminatePort  (24, ...
 01653  1736   NtProtectVirtualMemory  (-1, (0x377e000), 4096, 260, ...
 01651  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01652  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01653  1736   NtProtectVirtualMemory  ... (0x377e000), 4096, 4, ) == 0x0
 01654  1252   NtQuerySystemInformation  (Exception, 16, ...
 01655  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01656  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01654  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01656  1376   NtDuplicateObject  ... 504, ) == 0x0
 01657  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01658  1376   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01657  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01658  1376   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01659  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01660  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01659  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01661  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01662  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481440, 2, ) }, 0, 0x0, 0, ... -2147481440, 2, ) == 0x0
 01663  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "\336\201\26[\364[i\375\374\317lTp@|\274\367\343\367\5N!\350\224H\272\205\215g\370\207=\346Sb\337\217\272m\366\334\231\224\347\364\13[\226\6\303\275\377\257\374\211\353\372\206\233\376\6\332\3753\217\252\304X\276\323\372\35\310b\245\207\377\20I ", 80, ... ) , 0, 3,  (-2147481440, "Seed", 0, 3, "\336\201\26[\364[i\375\374\317lTp@|\274\367\343\367\5N!\350\224H\272\205\215g\370\207=\346Sb\337\217\272m\366\334\231\224\347\364\13[\226\6\303\275\377\257\374\211\353\372\206\233\376\6\332\3753\217\252\304X\276\323\372\35\310b\245\207\377\20I ", 80, ... ) , 80, ... ) == 0x0
 01664  1252   NtClose  (-2147481440, ...
 01655  1736   NtCreateThread  ... 508, {1636, 724}, ) == 0x0
 01660  1376   NtWaitForSingleObject  ... ) == 0x102
 01665  1736   NtQueryInformationThread  (508, Basic, 28, ...
 01666  1376   NtWaitForSingleObject  (128, 0, 0x0, ...
 01665  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=724,}, 0x0, ) == 0x0
 01667  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75539, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\0\324\2\0\0" )  ) == 0x0
 01668  1736   NtResumeThread  (508, ... 1, ) == 0x0
 01669  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58195968, 1048576, ) == 0x0
 01670  1736   NtAllocateVirtualMemory  (-1, 59236352, 0, 8192, 4096, 4, ... 59236352, 8192, ) == 0x0
 01664  1252   NtClose  ... ) == 0x0
 01671   724   NtTestAlert  (...
 01639  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\33L\361\234\217\222E\255_-\352\364\3639\216\10\322\314\363\361\227\241\200\2308\27t\217\244f\\17\25\354!T\337;\177\236\34\305)\244\211\313Q~O\346\367\24\243}\271'E|]\0R\243\327\375ei9\3336\344`wz\30\270\252T\27NM\3359.\320\366ijkTQ\211\303\206\202O\353\256\216\325\3156\242\365\311zi\232\336a\324\354*\25j\231\33\255\300\7z\206bQ\356\2234!\0Sa\24\15Zpe  \333x\244\331-\260\357\232\3031hT=-W\333\315\\21\210JF\306\307o4\355\214D\361\376\211R\223\366\3235~\352\277\233O,H\242JHw7\256\247.>\230\313on\244W\250\216\201}\20\343\346\37\302\210z\231JY\321\0Y\320N\270\362\375(\361\360\370o\346\366\3437g\242[, ) , ) == 0x0
 01671   724   NtTestAlert  ... ) == 0x0
 01672  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261K\242s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\216\200\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01673   724   NtContinue  (58195248, 1, ...
 01674  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01675   724   NtRegisterThreadTerminatePort  (24, ...
 01674  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01675   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 01676  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01677  1736   NtProtectVirtualMemory  (-1, (0x387e000), 4096, 260, ...
 01678   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01677  1736   NtProtectVirtualMemory  ... (0x387e000), 4096, 4, ) == 0x0
 01678   724   NtDuplicateObject  ... 512, ) == 0x0
 01679  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01680   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01679  1736   NtCreateThread  ... 516, {1636, 704}, ) == 0x0
 01680   724   NtWaitForSingleObject  ... ) == 0x102
 01681  1736   NtQueryInformationThread  (516, Basic, 28, ...
 01682   724   NtWaitForSingleObject  (128, 0, 0x0, ...
 01681  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=704,}, 0x0, ) == 0x0
 01676  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01683  1252   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01684  1252   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01685  1252   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01686  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01687  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01688  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01689  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\300\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\300\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75540, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\300\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\300\2\0\0" )  ) == 0x0
 01690  1736   NtResumeThread  (516, ... 1, ) == 0x0
 01691  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59244544, 1048576, ) == 0x0
 01692  1736   NtAllocateVirtualMemory  (-1, 60284928, 0, 8192, 4096, 4, ... 60284928, 8192, ) == 0x0
 01693  1736   NtProtectVirtualMemory  (-1, (0x397e000), 4096, 260, ... (0x397e000), 4096, 4, ) == 0x0
 01694  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01688  1252   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01695   704   NtTestAlert  (...
 01696  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "{q\366)\235~\314\4th<\23\4@\204\321\301D\272\221i\330\346U\227G\265\327\302\2775\254jx\204\17l\3658\26N\336\234n\261\21\336\345\311[v\273\j1\223-\273\263\332YVq7o*_\265\246\342\375\322I\2109\237\13\231\356\242", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "{q\366)\235~\314\4th<\23\4@\204\321\301D\272\221i\330\346U\227G\265\327\302\2775\254jx\204\17l\3658\26N\336\234n\261\21\336\345\311[v\273\j1\223-\273\263\332YVq7o*_\265\246\342\375\322I\2109\237\13\231\356\242", 80, ... , 80, ...
 01695   704   NtTestAlert  ... ) == 0x0
 01696  1252   NtSetValueKey  ... ) == 0x0
 01697   704   NtContinue  (59243824, 1, ...
 01698  1252   NtClose  (-2147481440, ...
 01699   704   NtRegisterThreadTerminatePort  (24, ...
 01698  1252   NtClose  ... ) == 0x0
 01699   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 01672  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\277\313e\306`\370/!5\273fU \362\211\35\20\267"\3724\31\215\214\246\224\240X\372\267\347[.p\200\275\332\301\25\313\234E\143\251)\315\14\33B:OL\203~\240\371`\370H"\355/\307\222\242\237Fv\336\342(\37\211\245\341e\222&a4\177\3323^\0\30\370D+,\212\374-\321J\350\235A@9\247\225\317G\202@\337{\235\236\34r\\252Z\267\256\206<<\20.\2705\2\246\263", ) \3724\31\215\214\246\224\240X\372\267\347[.p\200\275\332\301\25\313\234E\143\251)\315\14\33B:OL\203~\240\371`\370H264\250\314\201B7F\244=z\242\22\353++\\2622\316W\255\361\224\\7\25O\15\256o8$Q\O\327[^\0\262\254H\340\243\37\3~\261_\15\322f^\216\4\323\331Q\205 5\202&\210+\201\205\345\362|\331\250\233`\363\13\36$\365;K(\316\11\370\307\216e\344#\255|\33\311m\232v\4h\337\371Xq\5NPZ\234\24I\33\247\207\227\220d\30u=\271\2530\276\36\16; ... {status=0x0, info=256}, "\277\313e\306`\370/!5\273fU \362\211\35\20\267"\3724\31\215\214\246\224\240X\372\267\347[.p\200\275\332\301\25\313\234E\143\251)\315\14\33B:OL\203~\240\371`\370H"\355/\307\222\242\237Fv\336\342(\37\211\245\341e\222&a4\177\3323^\0\30\370D+,\212\374-\321J\350\235A@9\247\225\317G\202@\337{\235\236\34r\\252Z\267\256\206<<\20.\2705\2\246\263", ) , ) == 0x0
 01694  1736   NtCreateThread  ... 520, {1636, 1104}, ) == 0x0
 01700   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01701  1736   NtQueryInformationThread  (520, Basic, 28, ...
 01700   704   NtDuplicateObject  ... 524, ) == 0x0
 01701  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0
 01702   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01703  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0P\4\0\0" ...  ...
 01702   704   NtWaitForSingleObject  ... ) == 0x102
 01703  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75541, 0}  ... {28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0d\6\0\0P\4\0\0" )  ) == 0x0
 01704   704   NtWaitForSingleObject  (128, 0, 0x0, ...
 01705  1252   NtDeviceIoControlFile  (384, 0, 0x0, 0x0, 0x390008,  (384, 0, 0x0, 0x0, 0x390008, "W4\272\212\370\235\373\7\365\200A\22v\261K\242s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\203\227s\344\234[s\216\200\20^y\372\376d\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01706  1736   NtResumeThread  (520, ...
 01707  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01706  1736   NtResumeThread  ... 1, ) == 0x0
 01707  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01708  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01709  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01708  1736   NtAllocateVirtualMemory  ... 60293120, 1048576, ) == 0x0
 01709  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01710  1736   NtAllocateVirtualMemory  (-1, 61333504, 0, 8192, 4096, 4, ...
 01711  1252   NtQuerySystemInformation  (Performance, 312, ...
 01710  1736   NtAllocateVirtualMemory  ... 61333504, 8192, ) == 0x0
 01712  1104   NtTestAlert  (...
 01711  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01712  1104   NtTestAlert  ... ) == 0x0
 01713  1252   NtQuerySystemInformation  (Exception, 16, ...
 01714  1104   NtContinue  (60292400, 1, ...
 01713  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01715  1104   NtRegisterThreadTerminatePort  (24, ...
 01716  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01715  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 01716  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01717  1736   NtProtectVirtualMemory  (-1, (0x3a7e000), 4096, 260, ...
 01718  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01717  1736   NtProtectVirtualMemory  ... (0x3a7e000), 4096, 4, ) == 0x0
 01719  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01720  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01719  1104   NtDuplicateObject  ... 528, ) == 0x0
 01720  1736   NtCreateThread  ... 532, {1636, 1484}, ) == 0x0
 01721  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01722  1736   NtQueryInformationThread  (532, Basic, 28, ...
 01721  1104   NtWaitForSingleObject  ... ) == 0x102
 01722  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=1484,}, 0x0, ) == 0x0
 01723  1104   NtWaitForSingleObject  (128, 0, 0x0, ...
 01718  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01724  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\314\5\0\0" ...  ...
 01725  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01724  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75542, 0}  ... {28, 56, reply, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\314\5\0\0" )  ) == 0x0
 01725  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01726  1736   NtResumeThread  (532, ...
 01727  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01726  1736   NtResumeThread  ... 1, ) == 0x0
 01727  1252   NtCreateKey  ... -2147481440, 2, ) == 0x0
 01728  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01729  1252   NtSetValueKey  (-2147481440,  (-2147481440, "Seed", 0, 3, "nS\335\12\345\220p\234\332rV[\333\26\334\341\227#\216Nk\24\24\353>\224m\202\312\242\303[:\31*\264\204\335\245N\235?H\320\33\11\357\22"G`\367\246\335\306\277O$2\237\370\256EX\204\371\260\373\206|\345\355\317\220\303\330jf\230", 80, ... , 0, 3,  (-2147481440, "Seed", 0, 3, "nS\335\12\345\220p\234\332rV[\333\26\334\341\227#\216Nk\24\24\353>\224m\202\312\242\303[:\31*\264\204\335\245N\235?H\320\33\11\357\22"G`\367\246\335\306\277O$2\237\370\256EX\204\371\260\373\206|\345\355\317\220\303\330jf\230", 80, ... G`\367\246\335\306\277O$2\237\370\256EX\204\371\260\373\206|\345\355\317\220\303\330jf\230", 80, ...
 01730  1484   NtTestAlert  (...
 01728  1736   NtAllocateVirtualMemory  ... 61341696, 1048576, ) == 0x0
 01730  1484   NtTestAlert  ... ) == 0x0
 01731  1736   NtAllocateVirtualMemory  (-1, 62382080, 0, 8192, 4096, 4, ...
 01732  1484   NtContinue  (61340976, 1, ...
 01731  1736   NtAllocateVirtualMemory  ... 62382080, 8192, ) == 0x0
 01733  1484   NtRegisterThreadTerminatePort  (24, ...
 01734  1736   NtProtectVirtualMemory  (-1, (0x3b7e000), 4096, 260, ...
 01733  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 01734  1736   NtProtectVirtualMemory  ... (0x3b7e000), 4096, 4, ) == 0x0
 01729  1252   NtSetValueKey  ... ) == 0x0
 01735  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01736  1252   NtClose  (-2147481440, ...
 01737  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01736  1252   NtClose  ... ) == 0x0
 01737  1484   NtDuplicateObject  ... 536, ) == 0x0
 01705  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "B\217\243\204\314\13p\210\320\234\213\341%\10\224\221\324\355\254D+\351\262\213\331\236!\353\276kX\260sR\31\16\273'\242\20>h\2\13h\274\230C\307\276*\351\320\3613\370\331[\200\323vy\3128\337\37I\317"\16\16\206\255D*\375\330\232\216\215m\326\317w\34\16\347\353\345[.;}5V\247\330\257\251\222 4\244x\13\254e\211`\351\242=.'6\22C\10E\372\217l\1\263v%\1\223\233\250D\326\3021\340\257\300\317^mr\246\325S1\346#\213\213\345\215\321G\266\3540\313\234a]\0\316\214\376lt\271\241~by\7e\233\317\215\209o\331\371\331\20L6y<\254\231m\4zz\337\212\356\32\33\0\304\216\242\35or5PP\263\222OR\305O\263@0Fe\314y\267\257\213?\206\1[\255V\204&\343N \212\263\37\17X\247\320\345\354b\332\2K-5\225v\35\242\370", ) \16\16\206\255D*\375\330\232\216\215m\326\317w\34\16\347\353\345[.;}5V\247\330\257\251\222 4\244x\13\254e\211`\351\242=.'6\22C\10E\372\217l\1\263v%\1\223\233\250D\326\3021\340\257\300\317^mr\246\325S1\346#\213\213\345\215\321G\266\3540\313\234a]\0\316\214\376lt\271\241~by\7e\233\317\215\209o\331\371\331\20L6y<\254\231m\4zz\337\212\356\32\33\0\304\216\242\35or5PP\263\222OR\305O\263@0Fe\314y\267\257\213?\206\1[\255V\204&\343N \212\263\37\17X\247\320\345\354b\332\2K-5\225v\35\242\370", ) == 0x0
 01738  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01739  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01738  1484   NtWaitForSingleObject  ... ) == 0x102
 01739  1252   NtCreateEvent  ... 540, ) == 0x0
 01740  1484   NtWaitForSingleObject  (128, 0, 0x0, ...
 01735  1736   NtCreateThread  ... 544, {1636, 1120}, ) == 0x0
 01741  1252   NtSetEventBoostPriority  (452, ...
 01742  1736   NtQueryInformationThread  (544, Basic, 28, ...
 01538  1356   NtWaitForSingleObject  ... ) == 0x0
 01741  1252   NtSetEventBoostPriority  ... ) == 0x0
 01743  1356   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 01742  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1120,}, 0x0, ) == 0x0
 01743  1356   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 01744  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 01745  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75543, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\4\0\0" )  ) == 0x0
 01746  1736   NtResumeThread  (544, ... 1, ) == 0x0
 01747  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 62390272, 1048576, ) == 0x0
 01748  1736   NtAllocateVirtualMemory  (-1, 63430656, 0, 8192, 4096, 4, ... 63430656, 8192, ) == 0x0
 01749  1356   NtSetEventBoostPriority  (308, ...
 01750  1120   NtTestAlert  (...
 01744  1252   NtWaitForSingleObject  ... ) == 0x0
 01749  1356   NtSetEventBoostPriority  ... ) == 0x0
 01751  1252   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16248172, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16248172, 188, ...
 01750  1120   NtTestAlert  ... ) == 0x0
 01752  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01753  1120   NtContinue  (62389552, 1, ...
 01752  1356   NtCreateEvent  ... 548, ) == 0x0
 01754  1120   NtRegisterThreadTerminatePort  (24, ...
 01755  1356   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ...
 01754  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 01756  1736   NtProtectVirtualMemory  (-1, (0x3c7e000), 4096, 260, ...
 01751  1252   NtConnectPort  ... 552, 0x0, 0x0, 0x0, 188, ) == 0x0
 01756  1736   NtProtectVirtualMemory  ... (0x3c7e000), 4096, 4, ) == 0x0
 01757  1252   NtRequestWaitReplyPort  (552, {200, 224, new_msg, 0, 1382744, 12, 2, 1310721}  (552, {200, 224, new_msg, 0, 1382744, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\252GzM\353\334\345\367\360B\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0P7\25\0\223\260\14\310x\1\24\0\350B\25\0h\1\24\0\0\0\0\0\0\0\0\0\350B\25\0P\0\0\0\360B\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\367\0\372\31\221|\200\363\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01758  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {1636, 876}, ) == 0x0
 01759  1736   NtQueryInformationThread  (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=876,}, 0x0, ) == 0x0
 01757  1252   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1252, 75546, 0}  ... {200, 224, reply, 0, 1636, 1252, 75546, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\252GzM\353\334\345\367\360B\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0P7\25\0\223\260\14\310x\1\24\0\350B\25\0h\1\24\0\0\0\0\0\0\0\0\0\350B\25\0P\0\0\0\360B\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\367\0\372\31\221|\200\363\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01760  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01761  1252   NtRequestWaitReplyPort  (552, {44, 68, new_msg, 0, 1636, 1252, 75526, 0}  (552, {44, 68, new_msg, 0, 1636, 1252, 75526, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 01760  1120   NtDuplicateObject  ... 560, ) == 0x0
 01762  1120   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 01763  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01764  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75548, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0l\3\0\0" )  ) == 0x0
 01765  1736   NtResumeThread  (556, ... 1, ) == 0x0
 01766  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01755  1356   NtConnectPort  ... 564, 0x0, 0x0, 0x0, 188, ) == 0x0
 01763  1120   NtWaitForSingleObject  ... ) == 0x102
 01761  1252   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1252, 75547, 0}  ... {40, 64, reply, 0, 1636, 1252, 75547, 0} "\2\332\243\201\4\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\320\1\0\0X-\12\0" )  ) == 0x0
 01767   876   NtTestAlert  (...
 01768  1356   NtRequestWaitReplyPort  (564, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2}  (564, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\0\0p\3\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0V\17\375\4?\350\33U\10N\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\4(\0\0\0\20N\25\0Y\273\325\351p\3\24\00N\25\0`\1\24\0\0\0\0\0\0\0\0\00N\25\0P\0\0\08N\25\0\360\6\221|H\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 01769  1120   NtWaitForSingleObject  (128, 0, 0x0, ...
 01770  1252   NtRequestWaitReplyPort  (552, {64, 88, new_msg, 56, 1372656, 16248684, 16248784, 0}  (552, {64, 88, new_msg, 56, 1372656, 16248684, 16248784, 0} "\10\357\367\0@\0\24\0\346\277\347w\320\357\367\0l\357\367\0\20\0\0\0\250.\362vd\362\24\0\1\0\0\08R\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\360\332\24\0" ...  ...
 01767   876   NtTestAlert  ... ) == 0x0
 01768  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75549, 0}  ... {200, 224, reply, 0, 1636, 1356, 75549, 0} "\7\1\0\0p\3\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0V\17\375\4?\350\33U\10N\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\4(\0\0\0\20N\25\0Y\273\325\351p\3\24\00N\25\0`\1\24\0\0\0\0\0\0\0\0\00N\25\0P\0\0\08N\25\0\360\6\221|H\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 01771   876   NtContinue  (63438128, 1, ...
 01772  1356   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 56, 0, 0, 0, 0}  (564, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0 U\25\0\322\0\0\0" ...  ...
 01770  1252   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1252, 75550, 0}  ... {64, 88, reply, 56, 1636, 1252, 75550, 0} "\10\357\367\0@\0\24\0\346\277\347w\320\357\367\0l\357\367\0\20\0\0\0\250.\362vd\362\24\0\1\0\0\08R\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\360\332\24\0" )  ) == 0x0
 01773   876   NtRegisterThreadTerminatePort  (24, ...
 01774  1252   NtClose  (540, ...
 01773   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 01774  1252   NtClose  ... ) == 0x0
 01766  1736   NtAllocateVirtualMemory  ... 63438848, 1048576, ) == 0x0
 01772  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75551, 0}  ... {40, 64, reply, 0, 1636, 1356, 75551, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 01775   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01776  1736   NtAllocateVirtualMemory  (-1, 64479232, 0, 8192, 4096, 4, ...
 01777  1356   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1310720, 11006452, 1398040, 0}  (564, {64, 88, new_msg, 56, 1310720, 11006452, 1398040, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0`X\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01775   876   NtDuplicateObject  ... 540, ) == 0x0
 01776  1736   NtAllocateVirtualMemory  ... 64479232, 8192, ) == 0x0
 01778   876   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01779  1736   NtProtectVirtualMemory  (-1, (0x3d7e000), 4096, 260, ...
 01777  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75552, 0}  ... {64, 88, reply, 56, 1636, 1356, 75552, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0`X\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01778   876   NtWaitForSingleObject  ... ) == 0x102
 01779  1736   NtProtectVirtualMemory  ... (0x3d7e000), 4096, 4, ) == 0x0
 01780  1356   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 56, 1636, 1356, 75551, 0}  (564, {44, 68, new_msg, 56, 1636, 1356, 75551, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0 U\25\0\322\0\0\0" ...  ...
 01781   876   NtWaitForSingleObject  (128, 0, 0x0, ...
 01782  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01783  1252   NtClose  (552, ...
 01780  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75553, 0}  ... {40, 64, reply, 0, 1636, 1356, 75553, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" )  ) == 0x0
 01783  1252   NtClose  ... ) == 0x0
 01784  1356   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (564, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\230]\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01785  1252   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 01786  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 552, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 552, 2, ) , 0, ... 552, 2, ) == 0x0
 01784  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75555, 0}  ... {64, 88, reply, 56, 1636, 1356, 75555, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\230]\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01782  1736   NtCreateThread  ... 568, {1636, 940}, ) == 0x0
 01787  1356   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 56, 1636, 1356, 75553, 0}  (564, {44, 68, new_msg, 56, 1636, 1356, 75553, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0 U\25\0\322\0\0\0" ...  ...
 01788  1736   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=940,}, 0x0, ) == 0x0
 01789  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75557, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\254\3\0\0" )  ) == 0x0
 01790  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 572, ) }, ... 572, ) == 0x0
 01791  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01792  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793  1252   NtQueryValueKey  (552,  (552, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (552, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01794  1252   NtQueryValueKey  (552,  (552, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (552, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01795  1252   NtClose  (552, ... ) == 0x0
 01796  1736   NtResumeThread  (568, ...
 01787  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75556, 0}  ... {40, 64, reply, 0, 1636, 1356, 75556, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 01796  1736   NtResumeThread  ... 1, ) == 0x0
 01797  1356   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (564, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0h;\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01798  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64487424, 1048576, ) == 0x0
 01799  1736   NtAllocateVirtualMemory  (-1, 65527808, 0, 8192, 4096, 4, ... 65527808, 8192, ) == 0x0
 01797  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75558, 0}  ... {64, 88, reply, 56, 1636, 1356, 75558, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0h;\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01800  1252   NtClose  (572, ...
 01801   940   NtTestAlert  (...
 01802  1356   NtClose  (548, ...
 01800  1252   NtClose  ... ) == 0x0
 01801   940   NtTestAlert  ... ) == 0x0
 01802  1356   NtClose  ... ) == 0x0
 01803  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 01804   940   NtContinue  (64486704, 1, ...
 01805  1736   NtProtectVirtualMemory  (-1, (0x3e7e000), 4096, 260, ...
 01803  1252   NtOpenKey  ... 548, ) == 0x0
 01806   940   NtRegisterThreadTerminatePort  (24, ...
 01805  1736   NtProtectVirtualMemory  ... (0x3e7e000), 4096, 4, ) == 0x0
 01807  1252   NtQueryValueKey  (548,  (548, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 01806   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 01808  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01807  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01809  1356   NtClose  (564, ...
 01808  1736   NtCreateThread  ... 572, {1636, 1316}, ) == 0x0
 01810   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01809  1356   NtClose  ... ) == 0x0
 01811  1736   NtQueryInformationThread  (572, Basic, 28, ...
 01810   940   NtDuplicateObject  ... 564, ) == 0x0
 01812  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01811  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0
 01813   940   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01812  1356   NtCreateEvent  ... 552, ) == 0x0
 01814  1252   NtClose  (548, ...
 01813   940   NtWaitForSingleObject  ... ) == 0x102
 01815  1356   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 01814  1252   NtClose  ... ) == 0x0
 01816   940   NtWaitForSingleObject  (128, 0, 0x0, ...
 01815  1356   NtOpenKey  ... 548, ) == 0x0
 01817  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 16247760, ... }, 16247760, ...
 01818  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0$\5\0\0" ...  ...
 01817  1252   NtQueryAttributesFile  ... ) == 0x0
 01818  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75560, 0}  ... {28, 56, reply, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0$\5\0\0" )  ) == 0x0
 01819  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 01820  1736   NtResumeThread  (572, ...
 01819  1252   NtOpenFile  ... 576, {status=0x0, info=1}, ) == 0x0
 01820  1736   NtResumeThread  ... 1, ) == 0x0
 01821  1356   NtOpenKey  (0x20019, {24, 548, 0x40, 0, 0,  (0x20019, {24, 548, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 01822  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01821  1356   NtOpenKey  ... 580, ) == 0x0
 01823  1252   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 576, ...
 01824  1316   NtWaitForSingleObject  (100, 0, 0x0, ...
 01825  1356   NtQueryValueKey  (580,  (580, "ComputerName", Full, 108, ... , Full, 108, ...
 01823  1252   NtCreateSection  ... 584, ) == 0x0
 01825  1356   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01826  1252   NtClose  (576, ...
 01827  1356   NtClose  (580, ...
 01826  1252   NtClose  ... ) == 0x0
 01827  1356   NtClose  ... ) == 0x0
 01828  1252   NtMapViewOfSection  (584, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01822  1736   NtAllocateVirtualMemory  ... 65536000, 1048576, ) == 0x0
 01828  1252   NtMapViewOfSection  ... (0x850000), 0x0, 20480, ) == 0x0
 01829  1736   NtAllocateVirtualMemory  (-1, 66576384, 0, 8192, 4096, 4, ...
 01830  1356   NtClose  (548, ...
 01829  1736   NtAllocateVirtualMemory  ... 66576384, 8192, ) == 0x0
 01830  1356   NtClose  ... ) == 0x0
 01831  1736   NtProtectVirtualMemory  (-1, (0x3f7e000), 4096, 260, ...
 01832  1356   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 01831  1736   NtProtectVirtualMemory  ... (0x3f7e000), 4096, 4, ) == 0x0
 01832  1356   NtCreateIoCompletion  ... 548, ) == 0x0
 01833  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01834  1356   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 01835  1252   NtClose  (584, ...
 01834  1356   NtCreateIoCompletion  ... 580, ) == 0x0
 01835  1252   NtClose  ... ) == 0x0
 01833  1736   NtCreateThread  ... 584, {1636, 1288}, ) == 0x0
 01836  1736   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0
 01837  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\10\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75561, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0d\6\0\0\10\5\0\0" )  ) == 0x0
 01838  1252   NtUnmapViewOfSection  (-1, 0x850000, ...
 01839  1356   NtDuplicateObject  (-1, 548, -1, 0x0, 0, 2, ...
 01838  1252   NtUnmapViewOfSection  ... ) == 0x0
 01839  1356   NtDuplicateObject  ... 576, ) == 0x0
 01840  1736   NtResumeThread  (584, ...
 01841  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01840  1736   NtResumeThread  ... 1, ) == 0x0
 01841  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01842  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01843  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01842  1736   NtAllocateVirtualMemory  ... 66584576, 1048576, ) == 0x0
 01843  1356   NtCreateEvent  ... 588, ) == 0x0
 01844  1736   NtAllocateVirtualMemory  (-1, 67624960, 0, 8192, 4096, 4, ...
 01845  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 16248068, ... }, 16248068, ...
 01846  1288   NtWaitForSingleObject  (100, 0, 0x0, ...
 01844  1736   NtAllocateVirtualMemory  ... 67624960, 8192, ) == 0x0
 01845  1252   NtQueryAttributesFile  ... ) == 0x0
 01847  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01848  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 01847  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01849  1736   NtProtectVirtualMemory  (-1, (0x407e000), 4096, 260, ...
 01850  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01849  1736   NtProtectVirtualMemory  ... (0x407e000), 4096, 4, ) == 0x0
 01850  1356   NtSetInformationThread  ... ) == 0x0
 01851  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01852  1356   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11006144,  (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 01851  1736   NtCreateThread  ... 592, {1636, 752}, ) == 0x0
 01852  1356   NtCreateFile  ... 596, {status=0x0, info=1}, ) == 0x0
 01853  1736   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=752,}, 0x0, ) == 0x0
 01854  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\360\2\0\0" )  ) == 0x0
 01855  1736   NtResumeThread  (592, ... 1, ) == 0x0
 01856  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01857  1356   NtSetInformationFile  (596, 11006200, 8, Pipe, ...
 01848  1252   NtOpenFile  ... 600, {status=0x0, info=1}, ) == 0x0
 01858   752   NtWaitForSingleObject  (100, 0, 0x0, ...
 01857  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01859  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 600, ...
 01860  1356   NtSetInformationFile  (596, 11006188, 8, Completion, ...
 01859  1252   NtCreateSection  ... 604, ) == 0x0
 01860  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01861  1252   NtQuerySection  (604, Image, 48, ...
 01862  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01861  1252   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01862  1356   NtSetInformationThread  ... ) == 0x0
 01863  1252   NtClose  (600, ...
 01856  1736   NtAllocateVirtualMemory  ... 67633152, 1048576, ) == 0x0
 01864  1356   NtWriteFile  (596, 221, 0, 0,  (596, 221, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 01865  1736   NtAllocateVirtualMemory  (-1, 68673536, 0, 8192, 4096, 4, ...
 01864  1356   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 01865  1736   NtAllocateVirtualMemory  ... 68673536, 8192, ) == 0x0
 01866  1356   NtReadFile  (596, 221, 0, 0, 1024, {0, 0}, 0, ...
 01867  1736   NtProtectVirtualMemory  (-1, (0x417e000), 4096, 260, ...
 01866  1356   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01867  1736   NtProtectVirtualMemory  ... (0x417e000), 4096, 4, ) == 0x0
 01868  1356   NtFsControlFile  (596, 221, 0x0, 0x0, 0x11c017,  (596, 221, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 01869  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01868  1356   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01863  1252   NtClose  ... ) == 0x0
 01869  1736   NtCreateThread  ... 600, {1636, 776}, ) == 0x0
 01870  1252   NtMapViewOfSection  (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01871  1736   NtQueryInformationThread  (600, Basic, 28, ...
 01870  1252   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 01871  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=776,}, 0x0, ) == 0x0
 01872  1252   NtClose  (604, ...
 01873  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\10\3\0\0" ...  ...
 01872  1252   NtClose  ... ) == 0x0
 01873  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75563, 0}  ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\10\3\0\0" )  ) == 0x0
 01874  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01875  1356   NtFsControlFile  (596, 221, 0x0, 0x0, 0x11c017,  (596, 221, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0\2308\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 01876  1736   NtResumeThread  (600, ...
 01875  1356   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 01876  1736   NtResumeThread  ... 1, ) == 0x0
 01877  1356   NtFsControlFile  (596, 221, 0x0, 0x0, 0x11c017,  (596, 221, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... , 44, 1024, ...
 01878  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01877  1356   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\250Z\25\0\1\0\0\0\264Z\25\0 \0\0\0\1\0\0\0\30\0\32\0\300Z\25\0\334Z\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\00e\25\0\1\0\0\0\5\0\15\0@e\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01878  1736   NtAllocateVirtualMemory  ... 68681728, 1048576, ) == 0x0
 01879  1356   NtClose  (588, ...
 01880  1736   NtAllocateVirtualMemory  (-1, 69722112, 0, 8192, 4096, 4, ...
 01879  1356   NtClose  ... ) == 0x0
 01880  1736   NtAllocateVirtualMemory  ... 69722112, 8192, ) == 0x0
 01874  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01881   776   NtWaitForSingleObject  (100, 0, 0x0, ...
 01882  1356   NtClose  (596, ...
 01883  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 01882  1356   NtClose  ... ) == 0x0
 01883  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 01884  1356   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1382744, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1382744, 0x0, 11008068, 188, ...
 01885  1252   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01886  1736   NtProtectVirtualMemory  (-1, (0x427e000), 4096, 260, ...
 01884  1356   NtSecureConnectPort  ... 596, 0x0, 0x0, 0x0, 188, ) == 0x0
 01886  1736   NtProtectVirtualMemory  ... (0x427e000), 4096, 4, ) == 0x0
 01887  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01888  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01887  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01888  1736   NtCreateThread  ... 588, {1636, 1124}, ) == 0x0
 01889  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01890  1736   NtQueryInformationThread  (588, Basic, 28, ...
 01889  1356   NtSetInformationThread  ... ) == 0x0
 01890  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0
 01885  1252   NtFlushInstructionCache  ... ) == 0x0
 01891  1356   NtRequestWaitReplyPort  (596, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977}  (596, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\361\265\244\2466\22403\255\25\373\321\300\333~\215\12\0\0\0\304(z\362g\23\364)\0\0\0\0\330V\25\0\340\303\207\257c,5\311(\0\0\0\223\333\0y\0\0\24\0\240\366\247\0f\3\263\243\0\0\0\0p:\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01892  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 01893  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 01894  1252   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01891  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75565, 0}  ... {200, 224, reply, 0, 1636, 1356, 75565, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\361\265\244\2466\22403\255\25\373\321\300\333~\215\12\0\0\0\304(z\362g\23\364)\0\0\0\0\330V\25\0\340\303\207\257c,5\311(\0\0\0\223\333\0y\0\0\24\0\240\366\247\0f\3\263\243\0\0\0\0p:\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01895  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0d\6\0\0d\4\0\0" ...  ...
 01896  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01895  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75566, 0}  ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0d\6\0\0d\4\0\0" )  ) == 0x0
 01896  1356   NtSetInformationThread  ... ) == 0x0
 01897  1736   NtResumeThread  (588, ...
 01898  1356   NtRequestWaitReplyPort  (596, {56, 80, new_msg, 0, 44, 3, 20, 0}  (596, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0\264\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 01897  1736   NtResumeThread  ... 1, ) == 0x0
 01894  1252   NtFlushInstructionCache  ... ) == 0x0
 01899  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01900  1252   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 01901  1124   NtWaitForSingleObject  (100, 0, 0x0, ...
 01900  1252   NtOpenSection  ... 604, ) == 0x0
 01902  1252   NtMapViewOfSection  (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01903  1252   NtClose  (604, ... ) == 0x0
 01904  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 01905  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 01906  1252   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 01899  1736   NtAllocateVirtualMemory  ... 69730304, 1048576, ) == 0x0
 01907  1736   NtAllocateVirtualMemory  (-1, 70770688, 0, 8192, 4096, 4, ... 70770688, 8192, ) == 0x0
 01908  1736   NtProtectVirtualMemory  (-1, (0x437e000), 4096, 260, ... (0x437e000), 4096, 4, ) == 0x0
 01909  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1636, 476}, ) == 0x0
 01910  1736   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=476,}, 0x0, ) == 0x0
 01911  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\334\1\0\0" )  ) == 0x0
 01906  1252   NtFlushInstructionCache  ... ) == 0x0
 01898  1356   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1636, 1356, 75567, 0}  ... {44, 68, reply, 0, 1636, 1356, 75567, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01912  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 01913  1356   NtRaiseException  (11008528, 11007788, 1, ...
 01912  1252   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 01914  1356   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 01915  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 01914  1356   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 01915  1252   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 01916  1356   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 01917  1252   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 01918  1736   NtResumeThread  (604, ...
 01916  1356   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01918  1736   NtResumeThread  ... 1, ) == 0x0
 01919  1356   NtContinue  (11006756, 0, ...
 01920  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70778880, 1048576, ) == 0x0
 01921  1736   NtAllocateVirtualMemory  (-1, 71819264, 0, 8192, 4096, 4, ... 71819264, 8192, ) == 0x0
 01917  1252   NtFlushInstructionCache  ... ) == 0x0
 01922  1356   NtDeviceIoControlFile  (436, 112, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 01923   476   NtWaitForSingleObject  (100, 0, 0x0, ...
 01924  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01922  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 01924  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01925  1356   NtWaitForSingleObject  (112, 1, {-5000000, -1}, ...
 01926  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 01927  1252   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 01928  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929  1252   NtAllocateVirtualMemory  (-1, 8806400, 0, 4096, 4096, 4, ... 8806400, 4096, ) == 0x0
 01930  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01931  1736   NtProtectVirtualMemory  (-1, (0x447e000), 4096, 260, ... (0x447e000), 4096, 4, ) == 0x0
 01932  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1636, 1624}, ) == 0x0
 01933  1736   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0
 01934  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0X\6\0\0" )  ) == 0x0
 01935  1736   NtResumeThread  (608, ... 1, ) == 0x0
 01936  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01930  1252   NtCreateEvent  ... 612, ) == 0x0
 01937  1624   NtWaitForSingleObject  (100, 0, 0x0, ...
 01938  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 616, ) }, ... 616, ) == 0x0
 01939  1252   NtQueryValueKey  (616,  (616, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (616, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01940  1252   NtClose  (616, ... ) == 0x0
 01941  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01942  1252   NtQueryPerformanceCounter  (...
 01936  1736   NtAllocateVirtualMemory  ... 71827456, 1048576, ) == 0x0
 01943  1736   NtAllocateVirtualMemory  (-1, 72867840, 0, 8192, 4096, 4, ... 72867840, 8192, ) == 0x0
 01944  1736   NtProtectVirtualMemory  (-1, (0x457e000), 4096, 260, ... (0x457e000), 4096, 4, ) == 0x0
 01945  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1636, 1440}, ) == 0x0
 01946  1736   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0
 01947  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0d\6\0\0\240\5\0\0" )  ) == 0x0
 01942  1252   NtQueryPerformanceCounter  ... {1109232918, 16}, {3579545, 0}, ) == 0x0
 01948  1252   NtSetEventBoostPriority  (100, ...
 01824  1316   NtWaitForSingleObject  ... ) == 0x0
 01949  1316   NtSetEventBoostPriority  (100, ...
 01846  1288   NtWaitForSingleObject  ... ) == 0x0
 01950  1288   NtSetEventBoostPriority  (100, ...
 01858   752   NtWaitForSingleObject  ... ) == 0x0
 01951   752   NtSetEventBoostPriority  (100, ...
 01881   776   NtWaitForSingleObject  ... ) == 0x0
 01952   776   NtSetEventBoostPriority  (100, ...
 01901  1124   NtWaitForSingleObject  ... ) == 0x0
 01953  1124   NtSetEventBoostPriority  (100, ...
 01923   476   NtWaitForSingleObject  ... ) == 0x0
 01954   476   NtSetEventBoostPriority  (100, ...
 01937  1624   NtWaitForSingleObject  ... ) == 0x0
 01955  1624   NtTestAlert  (... ) == 0x0
 01954   476   NtSetEventBoostPriority  ... ) == 0x0
 01953  1124   NtSetEventBoostPriority  ... ) == 0x0
 01952   776   NtSetEventBoostPriority  ... ) == 0x0
 01951   752   NtSetEventBoostPriority  ... ) == 0x0
 01950  1288   NtSetEventBoostPriority  ... ) == 0x0
 01949  1316   NtSetEventBoostPriority  ... ) == 0x0
 01948  1252   NtSetEventBoostPriority  ... ) == 0x0
 01956  1736   NtResumeThread  (616, ...
 01957  1624   NtContinue  (71826736, 1, ...
 01958   476   NtTestAlert  (...
 01959  1124   NtTestAlert  (...
 01960   776   NtTestAlert  (...
 01961   752   NtTestAlert  (...
 01962  1288   NtTestAlert  (...
 01963  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 16247760, ... }, 16247760, ...
 01956  1736   NtResumeThread  ... 1, ) == 0x0
 01964  1624   NtRegisterThreadTerminatePort  (24, ...
 01958   476   NtTestAlert  ... ) == 0x0
 01959  1124   NtTestAlert  ... ) == 0x0
 01960   776   NtTestAlert  ... ) == 0x0
 01961   752   NtTestAlert  ... ) == 0x0
 01962  1288   NtTestAlert  ... ) == 0x0
 01963  1252   NtQueryAttributesFile  ... ) == 0x0
 01965  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01964  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 01966   476   NtContinue  (70778160, 1, ...
 01967  1124   NtContinue  (69729584, 1, ...
 01968   776   NtContinue  (68681008, 1, ...
 01969   752   NtContinue  (67632432, 1, ...
 01970  1288   NtContinue  (66583856, 1, ...
 01971  1252   NtQuerySystemInformation  (Basic, 44, ...
 01965  1736   NtAllocateVirtualMemory  ... 72876032, 1048576, ) == 0x0
 01972  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01973   476   NtRegisterThreadTerminatePort  (24, ...
 01974  1124   NtRegisterThreadTerminatePort  (24, ...
 01975   776   NtRegisterThreadTerminatePort  (24, ...
 01976   752   NtRegisterThreadTerminatePort  (24, ...
 01977  1288   NtRegisterThreadTerminatePort  (24, ...
 01978  1316   NtTestAlert  (...
 01979  1440   NtTestAlert  (...
 01980  1736   NtAllocateVirtualMemory  (-1, 73916416, 0, 8192, 4096, 4, ...
 01972  1624   NtDuplicateObject  ... 620, ) == 0x0
 01973   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 01974  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 01975   776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01976   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 01977  1288   NtRegisterThreadTerminatePort  ... ) == 0x0
 01978  1316   NtTestAlert  ... ) == 0x0
 01979  1440   NtTestAlert  ... ) == 0x0
 01980  1736   NtAllocateVirtualMemory  ... 73916416, 8192, ) == 0x0
 01981  1624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01982   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01983  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01984   776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01985   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01986  1288   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01987  1316   NtContinue  (65535280, 1, ...
 01988  1440   NtContinue  (72875312, 1, ...
 01971  1252   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01989  1736   NtProtectVirtualMemory  (-1, (0x467e000), 4096, 260, ...
 01981  1624   NtWaitForSingleObject  ... ) == 0x102
 01982   476   NtDuplicateObject  ... 624, ) == 0x0
 01983  1124   NtDuplicateObject  ... 628, ) == 0x0
 01984   776   NtDuplicateObject  ... 632, ) == 0x0
 01985   752   NtDuplicateObject  ... 636, ) == 0x0
 01990  1316   NtRegisterThreadTerminatePort  (24, ...
 01991  1440   NtRegisterThreadTerminatePort  (24, ...
 01992  1252   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 01989  1736   NtProtectVirtualMemory  ... (0x467e000), 4096, 4, ) == 0x0
 01993  1624   NtWaitForSingleObject  (128, 0, 0x0, ...
 01994   476   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01995  1124   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01996   776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01997   752   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01990  1316   NtRegisterThreadTerminatePort  ... ) == 0x0
 01991  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01992  1252   NtAllocateVirtualMemory  ... 8716288, 65536, ) == 0x0
 01998  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01994   476   NtWaitForSingleObject  ... ) == 0x102
 01995  1124   NtWaitForSingleObject  ... ) == 0x102
 01996   776   NtWaitForSingleObject  ... ) == 0x102
 01997   752   NtWaitForSingleObject  ... ) == 0x102
 01999  1316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01986  1288   NtDuplicateObject  ... 640, ) == 0x0
 02000  1252   NtAllocateVirtualMemory  (-1, 8716288, 0, 4096, 4096, 4, ...
 01998  1736   NtCreateThread  ... 644, {1636, 1656}, ) == 0x0
 02001   476   NtWaitForSingleObject  (128, 0, 0x0, ...
 02002  1124   NtWaitForSingleObject  (128, 0, 0x0, ...
 02003   776   NtWaitForSingleObject  (128, 0, 0x0, ...
 02004   752   NtWaitForSingleObject  (128, 0, 0x0, ...
 02005  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02006  1288   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02000  1252   NtAllocateVirtualMemory  ... 8716288, 4096, ) == 0x0
 02007  1736   NtQueryInformationThread  (644, Basic, 28, ...
 02005  1440   NtDuplicateObject  ... 648, ) == 0x0
 02006  1288   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02008  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 02007  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0
 02009  1440   NtWaitForSingleObject  (308, 0, 0x0, ...
 02010  1288   NtSetEventBoostPriority  (308, ...
 01999  1316   NtDuplicateObject  ... 652, ) == 0x0
 02008  1252   NtWaitForSingleObject  ... ) == 0x0
 02010  1288   NtSetEventBoostPriority  ... ) == 0x0
 02011  1252   NtSetEventBoostPriority  (308, ...
 02012  1316   NtWaitForSingleObject  (308, 0, 0x0, ...
 02009  1440   NtWaitForSingleObject  ... ) == 0x0
 02013  1288   NtWaitForSingleObject  (308, 0, 0x0, ...
 02014  1440   NtSetEventBoostPriority  (308, ...
 02011  1252   NtSetEventBoostPriority  ... ) == 0x0
 02015  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0x\6\0\0" ...  ...
 02012  1316   NtWaitForSingleObject  ... ) == 0x0
 02014  1440   NtSetEventBoostPriority  ... ) == 0x0
 02016  1252   NtAllocateVirtualMemory  (-1, 8720384, 0, 8192, 4096, 4, ...
 02017  1316   NtSetEventBoostPriority  (308, ...
 02015  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75571, 0}  ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0x\6\0\0" )  ) == 0x0
 02013  1288   NtWaitForSingleObject  ... ) == 0x0
 02017  1316   NtSetEventBoostPriority  ... ) == 0x0
 02016  1252   NtAllocateVirtualMemory  ... 8720384, 8192, ) == 0x0
 02018  1288   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02019  1736   NtResumeThread  (644, ...
 02020  1440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02021  1316   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02018  1288   NtWaitForSingleObject  ... ) == 0x102
 02019  1736   NtResumeThread  ... 1, ) == 0x0
 02020  1440   NtWaitForSingleObject  ... ) == 0x102
 02022  1288   NtWaitForSingleObject  (128, 0, 0x0, ...
 02021  1316   NtWaitForSingleObject  ... ) == 0x102
 02023  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02024  1440   NtWaitForSingleObject  (128, 0, 0x0, ...
 02025  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 16247760, ... }, 16247760, ...
 02026  1656   NtWaitForSingleObject  (100, 0, 0x0, ...
 02027  1316   NtWaitForSingleObject  (128, 0, 0x0, ...
 02025  1252   NtQueryAttributesFile  ... ) == 0x0
 02028  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 656, {status=0x0, info=1}, ) }, 5, 96, ... 656, {status=0x0, info=1}, ) == 0x0
 02029  1252   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 656, ... 660, ) == 0x0
 02030  1252   NtClose  (656, ... ) == 0x0
 02031  1252   NtMapViewOfSection  (660, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4680000), 0x0, 110592, ) == 0x0
 02032  1252   NtClose  (660, ... ) == 0x0
 02023  1736   NtAllocateVirtualMemory  ... 74055680, 1048576, ) == 0x0
 02033  1736   NtAllocateVirtualMemory  (-1, 75096064, 0, 8192, 4096, 4, ... 75096064, 8192, ) == 0x0
 02034  1736   NtProtectVirtualMemory  (-1, (0x479e000), 4096, 260, ... (0x479e000), 4096, 4, ) == 0x0
 02035  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1636, 760}, ) == 0x0
 02036  1736   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=760,}, 0x0, ) == 0x0
 02037  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\370\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\370\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0d\6\0\0\370\2\0\0" )  ) == 0x0
 02038  1736   NtResumeThread  (660, ... 1, ) == 0x0
 02039  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75104256, 1048576, ) == 0x0
 02040  1736   NtAllocateVirtualMemory  (-1, 76144640, 0, 8192, 4096, 4, ... 76144640, 8192, ) == 0x0
 02041  1252   NtUnmapViewOfSection  (-1, 0x4680000, ...
 02042   760   NtWaitForSingleObject  (100, 0, 0x0, ...
 02041  1252   NtUnmapViewOfSection  ... ) == 0x0
 02043  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 16248068, ... ) }, 16248068, ... ) == 0x0
 02044  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 656, {status=0x0, info=1}, ) }, 5, 96, ... 656, {status=0x0, info=1}, ) == 0x0
 02045  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 656, ... 664, ) == 0x0
 02046  1252   NtQuerySection  (664, Image, 48, ...
 02047  1736   NtProtectVirtualMemory  (-1, (0x489e000), 4096, 260, ... (0x489e000), 4096, 4, ) == 0x0
 02048  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1636, 484}, ) == 0x0
 02049  1736   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=484,}, 0x0, ) == 0x0
 02050  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\344\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\344\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\344\1\0\0" )  ) == 0x0
 02051  1736   NtResumeThread  (668, ... 1, ) == 0x0
 02052  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02046  1252   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02053   484   NtWaitForSingleObject  (100, 0, 0x0, ...
 02054  1252   NtClose  (656, ... ) == 0x0
 02055  1252   NtMapViewOfSection  (664, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02056  1252   NtClose  (664, ... ) == 0x0
 02057  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02058  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02052  1736   NtAllocateVirtualMemory  ... 76152832, 1048576, ) == 0x0
 02059  1736   NtAllocateVirtualMemory  (-1, 77193216, 0, 8192, 4096, 4, ... 77193216, 8192, ) == 0x0
 02060  1736   NtProtectVirtualMemory  (-1, (0x499e000), 4096, 260, ... (0x499e000), 4096, 4, ) == 0x0
 02061  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1636, 1580}, ) == 0x0
 02062  1736   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=1580,}, 0x0, ) == 0x0
 02063  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0,\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0,\6\0\0" )  ) == 0x0
 02058  1252   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02064  1252   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02065  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02066  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02067  1252   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02068  1252   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 16247244, ... }, 16247244, ...
 02070  1736   NtResumeThread  (664, ... 1, ) == 0x0
 02071  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77201408, 1048576, ) == 0x0
 02072  1736   NtAllocateVirtualMemory  (-1, 78241792, 0, 8192, 4096, 4, ... 78241792, 8192, ) == 0x0
 02073  1736   NtProtectVirtualMemory  (-1, (0x4a9e000), 4096, 260, ... (0x4a9e000), 4096, 4, ) == 0x0
 02074  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1636, 1304}, ) == 0x0
 02075  1736   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1304,}, 0x0, ) == 0x0
 02076  1580   NtWaitForSingleObject  (100, 0, 0x0, ...
 02077  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\30\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\30\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\30\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0\30\5\0\0" )  ) == 0x0
 02078  1736   NtResumeThread  (656, ... 1, ) == 0x0
 02079  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02080  1304   NtWaitForSingleObject  (100, 0, 0x0, ...
 02079  1736   NtAllocateVirtualMemory  ... 78249984, 1048576, ) == 0x0
 02081  1736   NtAllocateVirtualMemory  (-1, 79290368, 0, 8192, 4096, 4, ... 79290368, 8192, ) == 0x0
 02082  1736   NtProtectVirtualMemory  (-1, (0x4b9e000), 4096, 260, ... (0x4b9e000), 4096, 4, ) == 0x0
 02083  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1636, 540}, ) == 0x0
 02084  1736   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=540,}, 0x0, ) == 0x0
 02085  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\34\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\34\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\34\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\34\2\0\0" )  ) == 0x0
 02086  1736   NtResumeThread  (672, ... 1, ) == 0x0
 02087  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79298560, 1048576, ) == 0x0
 02088  1736   NtAllocateVirtualMemory  (-1, 80338944, 0, 8192, 4096, 4, ... 80338944, 8192, ) == 0x0
 02089   540   NtWaitForSingleObject  (100, 0, 0x0, ...
 02090  1736   NtProtectVirtualMemory  (-1, (0x4c9e000), 4096, 260, ... (0x4c9e000), 4096, 4, ) == 0x0
 02091  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1636, 1956}, ) == 0x0
 02092  1736   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=1956,}, 0x0, ) == 0x0
 02069  1252   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 16247244, ... ) }, 16247244, ... ) == 0x0
 02094  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 680, {status=0x0, info=1}, ) }, 5, 96, ... 680, {status=0x0, info=1}, ) == 0x0
 02095  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 680, ... 684, ) == 0x0
 02096  1252   NtQuerySection  (684, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02097  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\244\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\244\7\0\0" )  ) == 0x0
 02098  1736   NtResumeThread  (676, ... 1, ) == 0x0
 02099  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80347136, 1048576, ) == 0x0
 02100  1736   NtAllocateVirtualMemory  (-1, 81387520, 0, 8192, 4096, 4, ... 81387520, 8192, ) == 0x0
 02101  1736   NtProtectVirtualMemory  (-1, (0x4d9e000), 4096, 260, ... (0x4d9e000), 4096, 4, ) == 0x0
 02102  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02103  1252   NtClose  (680, ...
 02104  1956   NtWaitForSingleObject  (100, 0, 0x0, ...
 02103  1252   NtClose  ... ) == 0x0
 02105  1252   NtMapViewOfSection  (684, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02106  1252   NtClose  (684, ... ) == 0x0
 02107  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02108  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02109  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02102  1736   NtCreateThread  ... 684, {1636, 1480}, ) == 0x0
 02110  1736   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=1480,}, 0x0, ) == 0x0
 02111  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\310\5\0\0" )  ) == 0x0
 02112  1736   NtResumeThread  (684, ... 1, ) == 0x0
 02113  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81395712, 1048576, ) == 0x0
 02114  1736   NtAllocateVirtualMemory  (-1, 82436096, 0, 8192, 4096, 4, ... 82436096, 8192, ) == 0x0
 02115  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ...
 02116  1480   NtWaitForSingleObject  (100, 0, 0x0, ...
 02115  1252   NtProtectVirtualMemory  ... (0x77921000), 4096, 32, ) == 0x0
 02117  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02118  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02119  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02120  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02121  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02122  1736   NtProtectVirtualMemory  (-1, (0x4e9e000), 4096, 260, ... (0x4e9e000), 4096, 4, ) == 0x0
 02123  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 460}, ) == 0x0
 02124  1736   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=460,}, 0x0, ) == 0x0
 02125  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0\314\1\0\0" )  ) == 0x0
 02126  1736   NtResumeThread  (680, ... 1, ) == 0x0
 02127  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02128  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ...
 02129   460   NtWaitForSingleObject  (100, 0, 0x0, ...
 02128  1252   NtProtectVirtualMemory  ... (0x77921000), 4096, 32, ) == 0x0
 02130  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02131  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02132  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02133  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02134  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02127  1736   NtAllocateVirtualMemory  ... 82444288, 1048576, ) == 0x0
 02135  1736   NtAllocateVirtualMemory  (-1, 83484672, 0, 8192, 4096, 4, ... 83484672, 8192, ) == 0x0
 02136  1736   NtProtectVirtualMemory  (-1, (0x4f9e000), 4096, 260, ... (0x4f9e000), 4096, 4, ) == 0x0
 02137  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1636, 1068}, ) == 0x0
 02138  1736   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=1068,}, 0x0, ) == 0x0
 02139  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0,\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0,\4\0\0" )  ) == 0x0
 02140  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02141  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02142  1252   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02143  1736   NtResumeThread  (688, ... 1, ) == 0x0
 02144  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83492864, 1048576, ) == 0x0
 02145  1736   NtAllocateVirtualMemory  (-1, 84533248, 0, 8192, 4096, 4, ... 84533248, 8192, ) == 0x0
 02146  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... }, ...
 02147  1068   NtWaitForSingleObject  (100, 0, 0x0, ...
 02146  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148  1252   NtQueryDefaultUILanguage  (2090319928, ...
 02149  1252   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02150  1252   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481440, ) == 0x0
 02151  1252   NtQueryInformationToken  (-2147481440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02152  1252   NtClose  (-2147481440, ...
 02153  1736   NtProtectVirtualMemory  (-1, (0x509e000), 4096, 260, ... (0x509e000), 4096, 4, ) == 0x0
 02154  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1636, 1572}, ) == 0x0
 02155  1736   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=1572,}, 0x0, ) == 0x0
 02156  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\6\0\0" )  ) == 0x0
 02157  1736   NtResumeThread  (692, ... 1, ) == 0x0
 02158  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02152  1252   NtClose  ... ) == 0x0
 02159  1572   NtWaitForSingleObject  (100, 0, 0x0, ...
 02160  1252   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0
 02161  1252   NtOpenKey  (0x80000000, {24, -2147481440, 0x240, 0, 0,  (0x80000000, {24, -2147481440, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02162  1252   NtOpenKey  (0x80000000, {24, -2147481440, 0x640, 0, 0,  (0x80000000, {24, -2147481440, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481392, ) }, ... -2147481392, ) == 0x0
 02163  1252   NtQueryValueKey  (-2147481392,  (-2147481392, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164  1252   NtClose  (-2147481392, ... ) == 0x0
 02165  1252   NtClose  (-2147481440, ...
 02158  1736   NtAllocateVirtualMemory  ... 84541440, 1048576, ) == 0x0
 02166  1736   NtAllocateVirtualMemory  (-1, 85581824, 0, 8192, 4096, 4, ... 85581824, 8192, ) == 0x0
 02167  1736   NtProtectVirtualMemory  (-1, (0x519e000), 4096, 260, ... (0x519e000), 4096, 4, ) == 0x0
 02168  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1636, 1604}, ) == 0x0
 02169  1736   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=1604,}, 0x0, ) == 0x0
 02170  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0D\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0D\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0D\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0D\6\0\0" )  ) == 0x0
 02165  1252   NtClose  ... ) == 0x0
 02148  1252   NtQueryDefaultUILanguage  ... ) == 0x0
 02171  1252   NtAllocateVirtualMemory  (-1, 16236544, 0, 4096, 4096, 260, ... 16236544, 4096, ) == 0x0
 02172  1252   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02173  1252   NtQueryDefaultLocale  (1, 16247964, ... ) == 0x0
 02174  1252   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02175  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 700, ) }, ... 700, ) == 0x0
 02176  1736   NtResumeThread  (696, ... 1, ) == 0x0
 02177  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85590016, 1048576, ) == 0x0
 02178  1736   NtAllocateVirtualMemory  (-1, 86630400, 0, 8192, 4096, 4, ... 86630400, 8192, ) == 0x0
 02179  1736   NtProtectVirtualMemory  (-1, (0x529e000), 4096, 260, ... (0x529e000), 4096, 4, ) == 0x0
 02180  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1636, 1240}, ) == 0x0
 02181  1736   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=1240,}, 0x0, ) == 0x0
 02182  1252   NtQueryValueKey  (700,  (700, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ...
 02183  1604   NtWaitForSingleObject  (100, 0, 0x0, ...
 02182  1252   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02184  1252   NtClose  (700, ... ) == 0x0
 02185  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 700, ) == 0x0
 02186  1252   NtCallbackReturn  (0, 0, 0, ...
 02187  1252   NtUserGetProcessWindowStation  (... ) == 0x20
 02188  1252   NtUserGetObjectInformation  (32, 1, 16247560, 12, 16247572, ... ) == 0x1
 02189  1252   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... }, ...
 02190  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\330\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\330\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\330\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\330\4\0\0" )  ) == 0x0
 02191  1736   NtResumeThread  (704, ... 1, ) == 0x0
 02192  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86638592, 1048576, ) == 0x0
 02193  1736   NtAllocateVirtualMemory  (-1, 87678976, 0, 8192, 4096, 4, ... 87678976, 8192, ) == 0x0
 02194  1736   NtProtectVirtualMemory  (-1, (0x539e000), 4096, 260, ... (0x539e000), 4096, 4, ) == 0x0
 02195  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02189  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02196  1240   NtWaitForSingleObject  (100, 0, 0x0, ...
 02197  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 708, ) }, ... 708, ) == 0x0
 02198  1252   NtQueryValueKey  (708,  (708, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (708, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02199  1252   NtClose  (708, ... ) == 0x0
 02200  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 708, ) }, ... 708, ) == 0x0
 02201  1252   NtQueryValueKey  (708,  (708, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02202  1252   NtQueryValueKey  (708,  (708, "OsLoaderPath", Partial, 144, ... , Partial, 144, ...
 02195  1736   NtCreateThread  ... 712, {1636, 1796}, ) == 0x0
 02203  1736   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=1796,}, 0x0, ) == 0x0
 02204  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\4\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\4\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\4\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\4\7\0\0" )  ) == 0x0
 02205  1736   NtResumeThread  (712, ... 1, ) == 0x0
 02206  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87687168, 1048576, ) == 0x0
 02207  1736   NtAllocateVirtualMemory  (-1, 88727552, 0, 8192, 4096, 4, ... 88727552, 8192, ) == 0x0
 02202  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02208  1796   NtWaitForSingleObject  (100, 0, 0x0, ...
 02209  1252   NtClose  (708, ... ) == 0x0
 02210  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 708, ) }, ... 708, ) == 0x0
 02211  1252   NtQueryValueKey  (708,  (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02212  1252   NtQueryValueKey  (708,  (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02213  1252   NtClose  (708, ... ) == 0x0
 02214  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02215  1736   NtProtectVirtualMemory  (-1, (0x549e000), 4096, 260, ... (0x549e000), 4096, 4, ) == 0x0
 02216  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1636, 1156}, ) == 0x0
 02217  1736   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=1156,}, 0x0, ) == 0x0
 02218  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\204\4\0\0" )  ) == 0x0
 02219  1736   NtResumeThread  (708, ... 1, ) == 0x0
 02220  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02214  1252   NtOpenKey  ... 716, ) == 0x0
 02221  1156   NtWaitForSingleObject  (100, 0, 0x0, ...
 02222  1252   NtQueryValueKey  (716,  (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02223  1252   NtQueryValueKey  (716,  (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02224  1252   NtClose  (716, ... ) == 0x0
 02225  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 716, ) }, ... 716, ) == 0x0
 02226  1252   NtQueryValueKey  (716,  (716, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02227  1252   NtQueryValueKey  (716,  (716, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ...
 02220  1736   NtAllocateVirtualMemory  ... 88735744, 1048576, ) == 0x0
 02228  1736   NtAllocateVirtualMemory  (-1, 89776128, 0, 8192, 4096, 4, ... 89776128, 8192, ) == 0x0
 02229  1736   NtProtectVirtualMemory  (-1, (0x559e000), 4096, 260, ... (0x559e000), 4096, 4, ) == 0x0
 02230  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 1700}, ) == 0x0
 02231  1736   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=1700,}, 0x0, ) == 0x0
 02232  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\244\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\244\6\0\0" )  ) == 0x0
 02227  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02233  1252   NtClose  (716, ... ) == 0x0
 02234  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 716, ) }, ... 716, ) == 0x0
 02235  1252   NtQueryValueKey  (716,  (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02236  1252   NtQueryValueKey  (716,  (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02237  1252   NtClose  (716, ... ) == 0x0
 02238  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02239  1736   NtResumeThread  (720, ... 1, ) == 0x0
 02240  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89784320, 1048576, ) == 0x0
 02241  1736   NtAllocateVirtualMemory  (-1, 90824704, 0, 8192, 4096, 4, ... 90824704, 8192, ) == 0x0
 02242  1736   NtProtectVirtualMemory  (-1, (0x569e000), 4096, 260, ... (0x569e000), 4096, 4, ) == 0x0
 02243  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1636, 1728}, ) == 0x0
 02244  1736   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=1728,}, 0x0, ) == 0x0
 02238  1252   NtOpenKey  ... 724, ) == 0x0
 02245  1700   NtWaitForSingleObject  (100, 0, 0x0, ...
 02246  1252   NtQueryValueKey  (724,  (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02247  1252   NtQueryValueKey  (724,  (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02248  1252   NtClose  (724, ... ) == 0x0
 02249  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 724, ) }, ... 724, ) == 0x0
 02250  1252   NtQueryValueKey  (724,  (724, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02251  1252   NtQueryValueKey  (724,  (724, "DevicePath", Partial, 346, ... , Partial, 346, ...
 02252  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\300\6\0\0" )  ) == 0x0
 02253  1736   NtResumeThread  (716, ... 1, ) == 0x0
 02254  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90832896, 1048576, ) == 0x0
 02255  1736   NtAllocateVirtualMemory  (-1, 91873280, 0, 8192, 4096, 4, ... 91873280, 8192, ) == 0x0
 02256  1736   NtProtectVirtualMemory  (-1, (0x579e000), 4096, 260, ... (0x579e000), 4096, 4, ) == 0x0
 02257  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02251  1252   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02258  1728   NtWaitForSingleObject  (100, 0, 0x0, ...
 02259  1252   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02260  1252   NtClose  (724, ... ) == 0x0
 02261  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 724, ) == 0x0
 02262  1252   NtCreateMutant  (0x1f0001, 0x0, 0, ... 728, ) == 0x0
 02263  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 732, ) == 0x0
 02264  1252   NtCreateMutant  (0x1f0001, 0x0, 0, ...
 02257  1736   NtCreateThread  ... 736, {1636, 712}, ) == 0x0
 02265  1736   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=712,}, 0x0, ) == 0x0
 02266  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\310\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\310\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\0\310\2\0\0" )  ) == 0x0
 02267  1736   NtResumeThread  (736, ... 1, ) == 0x0
 02268  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91881472, 1048576, ) == 0x0
 02269  1736   NtAllocateVirtualMemory  (-1, 92921856, 0, 8192, 4096, 4, ... 92921856, 8192, ) == 0x0
 02264  1252   NtCreateMutant  ... 740, ) == 0x0
 02270   712   NtWaitForSingleObject  (100, 0, 0x0, ...
 02271  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 744, ) == 0x0
 02272  1252   NtCreateMutant  (0x1f0001, 0x0, 0, ... 748, ) == 0x0
 02273  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 752, ) }, ... 752, ) == 0x0
 02274  1252   NtQueryValueKey  (752,  (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02275  1252   NtQueryValueKey  (752,  (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (752, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02276  1252   NtQueryValueKey  (752,  (752, "LogPath", Partial, 144, ... , Partial, 144, ...
 02277  1736   NtProtectVirtualMemory  (-1, (0x589e000), 4096, 260, ... (0x589e000), 4096, 4, ) == 0x0
 02278  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1636, 1764}, ) == 0x0
 02279  1736   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1764,}, 0x0, ) == 0x0
 02280  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\344\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\344\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\344\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\344\6\0\0" )  ) == 0x0
 02281  1736   NtResumeThread  (756, ... 1, ) == 0x0
 02282  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02276  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02283  1764   NtWaitForSingleObject  (100, 0, 0x0, ...
 02284  1252   NtOpenKey  (0x1, {24, 752, 0x40, 0, 0,  (0x1, {24, 752, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02285  1252   NtClose  (752, ... ) == 0x0
 02286  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 16247476, ... ) }, 16247476, ... ) == 0x0
 02287  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 752, ) }, ... 752, ) == 0x0
 02288  1252   NtQueryValueKey  (752,  (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (752, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02289  1252   NtClose  (752, ...
 02282  1736   NtAllocateVirtualMemory  ... 92930048, 1048576, ) == 0x0
 02290  1736   NtAllocateVirtualMemory  (-1, 93970432, 0, 8192, 4096, 4, ... 93970432, 8192, ) == 0x0
 02291  1736   NtProtectVirtualMemory  (-1, (0x599e000), 4096, 260, ... (0x599e000), 4096, 4, ) == 0x0
 02292  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1636, 464}, ) == 0x0
 02293  1736   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=464,}, 0x0, ) == 0x0
 02294  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\320\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\320\1\0\0" )  ) == 0x0
 02289  1252   NtClose  ... ) == 0x0
 02295  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 752, ) }, ... 752, ) == 0x0
 02296  1252   NtQueryValueKey  (752,  (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (752, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02297  1252   NtClose  (752, ... ) == 0x0
 02298  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02299  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 752, ) }, ... 752, ) == 0x0
 02300  1252   NtQueryValueKey  (752,  (752, "Domain", Full, 128, ... , Full, 128, ...
 02301  1736   NtResumeThread  (760, ... 1, ) == 0x0
 02302  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93978624, 1048576, ) == 0x0
 02303  1736   NtAllocateVirtualMemory  (-1, 95019008, 0, 8192, 4096, 4, ... 95019008, 8192, ) == 0x0
 02304  1736   NtProtectVirtualMemory  (-1, (0x5a9e000), 4096, 260, ... (0x5a9e000), 4096, 4, ) == 0x0
 02305  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1636, 444}, ) == 0x0
 02306  1736   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=444,}, 0x0, ) == 0x0
 02300  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02307   464   NtWaitForSingleObject  (100, 0, 0x0, ...
 02308  1252   NtClose  (752, ... ) == 0x0
 02309  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310  1252   NtSetEventBoostPriority  (100, ...
 02026  1656   NtWaitForSingleObject  ... ) == 0x0
 02311  1656   NtSetEventBoostPriority  (100, ...
 02042   760   NtWaitForSingleObject  ... ) == 0x0
 02312   760   NtSetEventBoostPriority  (100, ...
 02053   484   NtWaitForSingleObject  ... ) == 0x0
 02313   484   NtSetEventBoostPriority  (100, ...
 02076  1580   NtWaitForSingleObject  ... ) == 0x0
 02314  1580   NtSetEventBoostPriority  (100, ...
 02080  1304   NtWaitForSingleObject  ... ) == 0x0
 02315  1304   NtSetEventBoostPriority  (100, ...
 02089   540   NtWaitForSingleObject  ... ) == 0x0
 02316   540   NtSetEventBoostPriority  (100, ...
 02104  1956   NtWaitForSingleObject  ... ) == 0x0
 02317  1956   NtSetEventBoostPriority  (100, ...
 02116  1480   NtWaitForSingleObject  ... ) == 0x0
 02318  1480   NtSetEventBoostPriority  (100, ...
 02129   460   NtWaitForSingleObject  ... ) == 0x0
 02319   460   NtSetEventBoostPriority  (100, ...
 02147  1068   NtWaitForSingleObject  ... ) == 0x0
 02320  1068   NtSetEventBoostPriority  (100, ...
 02159  1572   NtWaitForSingleObject  ... ) == 0x0
 02321  1572   NtSetEventBoostPriority  (100, ...
 02183  1604   NtWaitForSingleObject  ... ) == 0x0
 02322  1604   NtSetEventBoostPriority  (100, ...
 02196  1240   NtWaitForSingleObject  ... ) == 0x0
 02323  1240   NtSetEventBoostPriority  (100, ...
 02208  1796   NtWaitForSingleObject  ... ) == 0x0
 02324  1796   NtSetEventBoostPriority  (100, ...
 02221  1156   NtWaitForSingleObject  ... ) == 0x0
 02325  1156   NtSetEventBoostPriority  (100, ...
 02245  1700   NtWaitForSingleObject  ... ) == 0x0
 02326  1700   NtSetEventBoostPriority  (100, ...
 02258  1728   NtWaitForSingleObject  ... ) == 0x0
 02327  1728   NtSetEventBoostPriority  (100, ...
 02270   712   NtWaitForSingleObject  ... ) == 0x0
 02328   712   NtSetEventBoostPriority  (100, ...
 02283  1764   NtWaitForSingleObject  ... ) == 0x0
 02329  1764   NtAllocateVirtualMemory  (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0
 02328   712   NtSetEventBoostPriority  ... ) == 0x0
 02327  1728   NtSetEventBoostPriority  ... ) == 0x0
 02326  1700   NtSetEventBoostPriority  ... ) == 0x0
 02325  1156   NtSetEventBoostPriority  ... ) == 0x0
 02324  1796   NtSetEventBoostPriority  ... ) == 0x0
 02323  1240   NtSetEventBoostPriority  ... ) == 0x0
 02322  1604   NtSetEventBoostPriority  ... ) == 0x0
 02321  1572   NtSetEventBoostPriority  ... ) == 0x0
 02320  1068   NtSetEventBoostPriority  ... ) == 0x0
 02319   460   NtSetEventBoostPriority  ... ) == 0x0
 02318  1480   NtSetEventBoostPriority  ... ) == 0x0
 02317  1956   NtSetEventBoostPriority  ... ) == 0x0
 02316   540   NtSetEventBoostPriority  ... ) == 0x0
 02315  1304   NtSetEventBoostPriority  ... ) == 0x0
 02314  1580   NtSetEventBoostPriority  ... ) == 0x0
 02313   484   NtSetEventBoostPriority  ... ) == 0x0
 02312   760   NtSetEventBoostPriority  ... ) == 0x0
 02311  1656   NtSetEventBoostPriority  ... ) == 0x0
 02310  1252   NtSetEventBoostPriority  ... ) == 0x0
 02330  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\274\1\0\0" ...  ...
 02331  1764   NtSetEventBoostPriority  (100, ...
 02332   712   NtTestAlert  (...
 02333  1728   NtTestAlert  (...
 02334  1700   NtTestAlert  (...
 02335  1156   NtTestAlert  (...
 02336  1796   NtTestAlert  (...
 02337  1240   NtTestAlert  (...
 02338  1604   NtTestAlert  (...
 02339  1572   NtTestAlert  (...
 02340  1068   NtTestAlert  (...
 02341   460   NtTestAlert  (...
 02342  1480   NtTestAlert  (...
 02343  1956   NtTestAlert  (...
 02344   540   NtTestAlert  (...
 02345  1304   NtTestAlert  (...
 02346  1580   NtTestAlert  (...
 02347   484   NtTestAlert  (...
 02348   760   NtTestAlert  (...
 02349  1252   NtWaitForSingleObject  (100, 0, 0x0, ...
 02330  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75591, 0}  ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\274\1\0\0" )  ) == 0x0
 02307   464   NtWaitForSingleObject  ... ) == 0x0
 02331  1764   NtSetEventBoostPriority  ... ) == 0x0
 02332   712   NtTestAlert  ... ) == 0x0
 02333  1728   NtTestAlert  ... ) == 0x0
 02334  1700   NtTestAlert  ... ) == 0x0
 02335  1156   NtTestAlert  ... ) == 0x0
 02336  1796   NtTestAlert  ... ) == 0x0
 02337  1240   NtTestAlert  ... ) == 0x0
 02338  1604   NtTestAlert  ... ) == 0x0
 02339  1572   NtTestAlert  ... ) == 0x0
 02340  1068   NtTestAlert  ... ) == 0x0
 02341   460   NtTestAlert  ... ) == 0x0
 02342  1480   NtTestAlert  ... ) == 0x0
 02343  1956   NtTestAlert  ... ) == 0x0
 02344   540   NtTestAlert  ... ) == 0x0
 02345  1304   NtTestAlert  ... ) == 0x0
 02346  1580   NtTestAlert  ... ) == 0x0
 02347   484   NtTestAlert  ... ) == 0x0
 02348   760   NtTestAlert  ... ) == 0x0
 02350   464   NtSetEventBoostPriority  (100, ...
 02351  1736   NtResumeThread  (764, ...
 02352  1764   NtTestAlert  (...
 02353   712   NtContinue  (91880752, 1, ...
 02354  1728   NtContinue  (90832176, 1, ...
 02355  1700   NtContinue  (89783600, 1, ...
 02356  1156   NtContinue  (88735024, 1, ...
 02357  1796   NtContinue  (87686448, 1, ...
 02358  1240   NtContinue  (86637872, 1, ...
 02359  1604   NtContinue  (85589296, 1, ...
 02360  1572   NtContinue  (84540720, 1, ...
 02361  1068   NtContinue  (83492144, 1, ...
 02362   460   NtContinue  (82443568, 1, ...
 02363  1480   NtContinue  (81394992, 1, ...
 02364  1956   NtContinue  (80346416, 1, ...
 02365   540   NtContinue  (79297840, 1, ...
 02366  1304   NtContinue  (78249264, 1, ...
 02367  1580   NtContinue  (77200688, 1, ...
 02368   484   NtContinue  (76152112, 1, ...
 02349  1252   NtWaitForSingleObject  ... ) == 0x0
 02350   464   NtSetEventBoostPriority  ... ) == 0x0
 02369   760   NtContinue  (75103536, 1, ...
 02351  1736   NtResumeThread  ... 1, ) == 0x0
 02352  1764   NtTestAlert  ... ) == 0x0
 02370   712   NtRegisterThreadTerminatePort  (24, ...
 02371  1728   NtRegisterThreadTerminatePort  (24, ...
 02372  1700   NtRegisterThreadTerminatePort  (24, ...
 02373  1156   NtRegisterThreadTerminatePort  (24, ...
 02374  1796   NtRegisterThreadTerminatePort  (24, ...
 02375  1240   NtRegisterThreadTerminatePort  (24, ...
 02376  1604   NtRegisterThreadTerminatePort  (24, ...
 02377  1572   NtRegisterThreadTerminatePort  (24, ...
 02378  1068   NtRegisterThreadTerminatePort  (24, ...
 02379   460   NtRegisterThreadTerminatePort  (24, ...
 02380  1480   NtRegisterThreadTerminatePort  (24, ...
 02381  1956   NtRegisterThreadTerminatePort  (24, ...
 02382   540   NtRegisterThreadTerminatePort  (24, ...
 02383  1304   NtRegisterThreadTerminatePort  (24, ...
 02384  1580   NtRegisterThreadTerminatePort  (24, ...
 02385  1252   NtSetEventBoostPriority  (128, ...
 02386   484   NtRegisterThreadTerminatePort  (24, ...
 02387  1656   NtTestAlert  (...
 02388   444   NtTestAlert  (...
 02389   760   NtRegisterThreadTerminatePort  (24, ...
 02390  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02391  1764   NtContinue  (92929328, 1, ...
 02370   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 02371  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 02372  1700   NtRegisterThreadTerminatePort  ... ) == 0x0
 02373  1156   NtRegisterThreadTerminatePort  ... ) == 0x0
 02374  1796   NtRegisterThreadTerminatePort  ... ) == 0x0
 02375  1240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02376  1604   NtRegisterThreadTerminatePort  ... ) == 0x0
 02377  1572   NtRegisterThreadTerminatePort  ... ) == 0x0
 02378  1068   NtRegisterThreadTerminatePort  ... ) == 0x0
 02379   460   NtRegisterThreadTerminatePort  ... ) == 0x0
 02380  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 02381  1956   NtRegisterThreadTerminatePort  ... ) == 0x0
 02382   540   NtRegisterThreadTerminatePort  ... ) == 0x0
 02383  1304   NtRegisterThreadTerminatePort  ... ) == 0x0
 00679   896   NtWaitForSingleObject  ... ) == 0x0
 02385  1252   NtSetEventBoostPriority  ... ) == 0x0
 02384  1580   NtRegisterThreadTerminatePort  ... ) == 0x0
 02386   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02387  1656   NtTestAlert  ... ) == 0x0
 02388   444   NtTestAlert  ... ) == 0x0
 02389   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 02392   464   NtTestAlert  (...
 02393  1764   NtRegisterThreadTerminatePort  (24, ...
 02394   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02395  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02396  1700   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02397  1156   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02398  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02399  1240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02400  1604   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02401  1572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02402  1068   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02403   460   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02404  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02405  1956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02406   540   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02407   896   NtSetEventBoostPriority  (128, ...
 02408  1304   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02390  1736   NtAllocateVirtualMemory  ... 95027200, 1048576, ) == 0x0
 02409  1580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02410   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02411  1656   NtContinue  (73923888, 1, ...
 02412   444   NtContinue  (95026480, 1, ...
 02413   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02392   464   NtTestAlert  ... ) == 0x0
 02414  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02393  1764   NtRegisterThreadTerminatePort  ... ) == 0x0
 02394   712   NtDuplicateObject  ... 752, ) == 0x0
 02395  1728   NtDuplicateObject  ... 768, ) == 0x0
 02396  1700   NtDuplicateObject  ... 772, ) == 0x0
 02397  1156   NtDuplicateObject  ... 776, ) == 0x0
 02398  1796   NtDuplicateObject  ... 780, ) == 0x0
 02399  1240   NtDuplicateObject  ... 784, ) == 0x0
 02400  1604   NtDuplicateObject  ... 788, ) == 0x0
 02401  1572   NtDuplicateObject  ... 792, ) == 0x0
 02402  1068   NtDuplicateObject  ... 796, ) == 0x0
 02403   460   NtDuplicateObject  ... 800, ) == 0x0
 02404  1480   NtDuplicateObject  ... 804, ) == 0x0
 02405  1956   NtDuplicateObject  ... 808, ) == 0x0
 00684  2020   NtWaitForSingleObject  ... ) == 0x0
 02407   896   NtSetEventBoostPriority  ... ) == 0x0
 02406   540   NtDuplicateObject  ... 812, ) == 0x0
 02415  1736   NtAllocateVirtualMemory  (-1, 96067584, 0, 8192, 4096, 4, ...
 02408  1304   NtDuplicateObject  ... 816, ) == 0x0
 02409  1580   NtDuplicateObject  ... 820, ) == 0x0
 02416  1656   NtRegisterThreadTerminatePort  (24, ...
 02417   444   NtRegisterThreadTerminatePort  (24, ...
 02410   484   NtDuplicateObject  ... 824, ) == 0x0
 02418   464   NtContinue  (93977904, 1, ...
 02414  1252   NtCreateEvent  ... 828, ) == 0x0
 02419  1764   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02420   712   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02421  1728   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02422  1700   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02423  1156   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02424  1796   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02425  1240   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02426  1604   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02427  1572   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02428  1068   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02429   460   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02430  1480   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02431  2020   NtSetEventBoostPriority  (128, ...
 02432  1956   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02433   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02434   540   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02415  1736   NtAllocateVirtualMemory  ... 96067584, 8192, ) == 0x0
 02435  1304   NtWaitForSingleObject  (308, 0, 0x0, ...
 02436  1580   NtWaitForSingleObject  (308, 0, 0x0, ...
 02416  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 02417   444   NtRegisterThreadTerminatePort  ... ) == 0x0
 02437   484   NtWaitForSingleObject  (308, 0, 0x0, ...
 02438   464   NtRegisterThreadTerminatePort  (24, ...
 02439  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 02419  1764   NtDuplicateObject  ... 832, ) == 0x0
 02420   712   NtWaitForSingleObject  ... ) == 0x102
 02421  1728   NtWaitForSingleObject  ... ) == 0x102
 02422  1700   NtWaitForSingleObject  ... ) == 0x102
 02423  1156   NtWaitForSingleObject  ... ) == 0x102
 02424  1796   NtWaitForSingleObject  ... ) == 0x102
 02425  1240   NtWaitForSingleObject  ... ) == 0x102
 02426  1604   NtWaitForSingleObject  ... ) == 0x102
 02427  1572   NtWaitForSingleObject  ... ) == 0x102
 02428  1068   NtWaitForSingleObject  ... ) == 0x102
 02429   460   NtWaitForSingleObject  ... ) == 0x102
 00685   808   NtWaitForSingleObject  ... ) == 0x0
 02431  2020   NtSetEventBoostPriority  ... ) == 0x0
 02430  1480   NtWaitForSingleObject  ... ) == 0x102
 02432  1956   NtWaitForSingleObject  ... ) == 0x102
 02413   760   NtDuplicateObject  ... 836, ) == 0x0
 02434   540   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02440  1736   NtProtectVirtualMemory  (-1, (0x5b9e000), 4096, 260, ...
 02441  1656   NtWaitForSingleObject  (308, 0, 0x0, ...
 02433   896   NtCreateEvent  ... 840, ) == 0x0
 02438   464   NtRegisterThreadTerminatePort  ... ) == 0x0
 02442  1764   NtWaitForSingleObject  (308, 0, 0x0, ...
 02443   712   NtWaitForSingleObject  (308, 0, 0x0, ...
 02444  1728   NtWaitForSingleObject  (308, 0, 0x0, ...
 02445  1700   NtWaitForSingleObject  (308, 0, 0x0, ...
 02446  1156   NtWaitForSingleObject  (308, 0, 0x0, ...
 02447  1796   NtWaitForSingleObject  (308, 0, 0x0, ...
 02448  1240   NtWaitForSingleObject  (308, 0, 0x0, ...
 02449  1604   NtWaitForSingleObject  (308, 0, 0x0, ...
 02450  1572   NtWaitForSingleObject  (308, 0, 0x0, ...
 02451  1068   NtWaitForSingleObject  (308, 0, 0x0, ...
 02452   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02453   460   NtWaitForSingleObject  (308, 0, 0x0, ...
 02454   444   NtWaitForSingleObject  (308, 0, 0x0, ...
 02455  1480   NtWaitForSingleObject  (308, 0, 0x0, ...
 02456  1956   NtWaitForSingleObject  (308, 0, 0x0, ...
 02457   760   NtWaitForSingleObject  (308, 0, 0x0, ...
 02458   540   NtSetEventBoostPriority  (308, ...
 02440  1736   NtProtectVirtualMemory  ... (0x5b9e000), 4096, 4, ) == 0x0
 02459  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02460   896   NtWaitForSingleObject  (308, 0, 0x0, ...
 02461   464   NtWaitForSingleObject  (308, 0, 0x0, ...
 02435  1304   NtWaitForSingleObject  ... ) == 0x0
 02458   540   NtSetEventBoostPriority  ... ) == 0x0
 02462  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02459  2020   NtCreateEvent  ... 844, ) == 0x0
 02463  1304   NtSetEventBoostPriority  (308, ...
 02464   540   NtWaitForSingleObject  (308, 0, 0x0, ...
 02436  1580   NtWaitForSingleObject  ... ) == 0x0
 02463  1304   NtSetEventBoostPriority  ... ) == 0x0
 02465  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02462  1736   NtCreateThread  ... 848, {1636, 432}, ) == 0x0
 02466  1580   NtSetEventBoostPriority  (308, ...
 02437   484   NtWaitForSingleObject  ... ) == 0x0
 02467   484   NtSetEventBoostPriority  (308, ...
 02439  1252   NtWaitForSingleObject  ... ) == 0x0
 02468  1252   NtSetEventBoostPriority  (308, ...
 02442  1764   NtWaitForSingleObject  ... ) == 0x0
 02469  1764   NtSetEventBoostPriority  (308, ...
 02443   712   NtWaitForSingleObject  ... ) == 0x0
 02470   712   NtSetEventBoostPriority  (308, ...
 02444  1728   NtWaitForSingleObject  ... ) == 0x0
 02471  1728   NtSetEventBoostPriority  (308, ...
 02445  1700   NtWaitForSingleObject  ... ) == 0x0
 02472  1700   NtSetEventBoostPriority  (308, ...
 02446  1156   NtWaitForSingleObject  ... ) == 0x0
 02473  1156   NtSetEventBoostPriority  (308, ...
 02447  1796   NtWaitForSingleObject  ... ) == 0x0
 02474  1796   NtSetEventBoostPriority  (308, ...
 02448  1240   NtWaitForSingleObject  ... ) == 0x0
 02475  1240   NtSetEventBoostPriority  (308, ...
 02449  1604   NtWaitForSingleObject  ... ) == 0x0
 02476  1604   NtSetEventBoostPriority  (308, ...
 02450  1572   NtWaitForSingleObject  ... ) == 0x0
 02477  1572   NtSetEventBoostPriority  (308, ...
 02452   808   NtWaitForSingleObject  ... ) == 0x0
 02478   808   NtSetEventBoostPriority  (308, ...
 02451  1068   NtWaitForSingleObject  ... ) == 0x0
 02479  1068   NtSetEventBoostPriority  (308, ...
 02453   460   NtWaitForSingleObject  ... ) == 0x0
 02480   460   NtSetEventBoostPriority  (308, ...
 02454   444   NtWaitForSingleObject  ... ) == 0x0
 02481   444   NtSetEventBoostPriority  (308, ...
 02455  1480   NtWaitForSingleObject  ... ) == 0x0
 02482  1480   NtSetEventBoostPriority  (308, ...
 02456  1956   NtWaitForSingleObject  ... ) == 0x0
 02483  1956   NtSetEventBoostPriority  (308, ...
 02457   760   NtWaitForSingleObject  ... ) == 0x0
 02484   760   NtSetEventBoostPriority  (308, ...
 02460   896   NtWaitForSingleObject  ... ) == 0x0
 02485   896   NtSetEventBoostPriority  (308, ...
 02441  1656   NtWaitForSingleObject  ... ) == 0x0
 02486  1656   NtSetEventBoostPriority  (308, ...
 02461   464   NtWaitForSingleObject  ... ) == 0x0
 02487   464   NtSetEventBoostPriority  (308, ...
 02464   540   NtWaitForSingleObject  ... ) == 0x0
 02488   540   NtSetEventBoostPriority  (308, ...
 02465  2020   NtWaitForSingleObject  ... ) == 0x0
 02489  2020   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02485   896   NtSetEventBoostPriority  ... ) == 0x0
 02484   760   NtSetEventBoostPriority  ... ) == 0x0
 02483  1956   NtSetEventBoostPriority  ... ) == 0x0
 02482  1480   NtSetEventBoostPriority  ... ) == 0x0
 02481   444   NtSetEventBoostPriority  ... ) == 0x0
 02480   460   NtSetEventBoostPriority  ... ) == 0x0
 02479  1068   NtSetEventBoostPriority  ... ) == 0x0
 02478   808   NtSetEventBoostPriority  ... ) == 0x0
 02477  1572   NtSetEventBoostPriority  ... ) == 0x0
 02476  1604   NtSetEventBoostPriority  ... ) == 0x0
 02475  1240   NtSetEventBoostPriority  ... ) == 0x0
 02474  1796   NtSetEventBoostPriority  ... ) == 0x0
 02473  1156   NtSetEventBoostPriority  ... ) == 0x0
 02472  1700   NtSetEventBoostPriority  ... ) == 0x0
 02471  1728   NtSetEventBoostPriority  ... ) == 0x0
 02470   712   NtSetEventBoostPriority  ... ) == 0x0
 02469  1764   NtSetEventBoostPriority  ... ) == 0x0
 02468  1252   NtSetEventBoostPriority  ... ) == 0x0
 02467   484   NtSetEventBoostPriority  ... ) == 0x0
 02466  1580   NtSetEventBoostPriority  ... ) == 0x0
 02490  1736   NtQueryInformationThread  (848, Basic, 28, ...
 02488   540   NtSetEventBoostPriority  ... ) == 0x0
 02487   464   NtSetEventBoostPriority  ... ) == 0x0
 02486  1656   NtSetEventBoostPriority  ... ) == 0x0
 02491  1304   NtWaitForSingleObject  (308, 0, 0x0, ...
 02492  2020   NtSetEventBoostPriority  (308, ...
 02493   896   NtWaitForSingleObject  (308, 0, 0x0, ...
 02494   760   NtWaitForSingleObject  (308, 0, 0x0, ...
 02495  1956   NtWaitForSingleObject  (128, 0, 0x0, ...
 02496   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02497  1480   NtWaitForSingleObject  (128, 0, 0x0, ...
 02498   460   NtWaitForSingleObject  (128, 0, 0x0, ...
 02499  1068   NtWaitForSingleObject  (128, 0, 0x0, ...
 02500   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02501  1572   NtWaitForSingleObject  (128, 0, 0x0, ...
 02502  1604   NtWaitForSingleObject  (128, 0, 0x0, ...
 02503  1240   NtWaitForSingleObject  (128, 0, 0x0, ...
 02504  1796   NtWaitForSingleObject  (128, 0, 0x0, ...
 02505  1156   NtWaitForSingleObject  (128, 0, 0x0, ...
 02506  1700   NtWaitForSingleObject  (128, 0, 0x0, ...
 02507  1728   NtWaitForSingleObject  (128, 0, 0x0, ...
 02508   712   NtWaitForSingleObject  (128, 0, 0x0, ...
 02509  1764   NtWaitForSingleObject  (308, 0, 0x0, ...
 02510  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 02511   484   NtWaitForSingleObject  (308, 0, 0x0, ...
 02490  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=432,}, 0x0, ) == 0x0
 02512   540   NtWaitForSingleObject  (308, 0, 0x0, ...
 02513   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02514  1656   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02491  1304   NtWaitForSingleObject  ... ) == 0x0
 02492  2020   NtSetEventBoostPriority  ... ) == 0x0
 02515  1580   NtWaitForSingleObject  (308, 0, 0x0, ...
 02516  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0\260\1\0\0" ...  ...
 02513   464   NtDuplicateObject  ... 852, ) == 0x0
 02517  1304   NtSetEventBoostPriority  (308, ...
 02514  1656   NtDuplicateObject  ... 856, ) == 0x0
 02518  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02516  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75592, 0}  ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0\260\1\0\0" )  ) == 0x0
 02496   444   NtDuplicateObject  ... 860, ) == 0x0
 02493   896   NtWaitForSingleObject  ... ) == 0x0
 02517  1304   NtSetEventBoostPriority  ... ) == 0x0
 02519   464   NtWaitForSingleObject  (308, 0, 0x0, ...
 02520  1656   NtWaitForSingleObject  (308, 0, 0x0, ...
 02521   896   NtSetEventBoostPriority  (308, ...
 02522   444   NtWaitForSingleObject  (308, 0, 0x0, ...
 02523  1304   NtWaitForSingleObject  (328, 0, 0x0, ...
 02494   760   NtWaitForSingleObject  ... ) == 0x0
 02521   896   NtSetEventBoostPriority  ... ) == 0x0
 02524  1736   NtResumeThread  (848, ...
 02525   760   NtSetEventBoostPriority  (308, ...
 02526   896   NtWaitForSingleObject  (308, 0, 0x0, ...
 02500   808   NtWaitForSingleObject  ... ) == 0x0
 02525   760   NtSetEventBoostPriority  ... ) == 0x0
 02524  1736   NtResumeThread  ... 1, ) == 0x0
 02527   808   NtSetEventBoostPriority  (308, ...
 02528   760   NtWaitForSingleObject  (328, 0, 0x0, ...
 02509  1764   NtWaitForSingleObject  ... ) == 0x0
 02527   808   NtSetEventBoostPriority  ... ) == 0x0
 02529  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02530   432   NtWaitForSingleObject  (308, 0, 0x0, ...
 02531  1764   NtSetEventBoostPriority  (308, ...
 02532   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02529  1736   NtAllocateVirtualMemory  ... 96075776, 1048576, ) == 0x0
 02510  1252   NtWaitForSingleObject  ... ) == 0x0
 02531  1764   NtSetEventBoostPriority  ... ) == 0x0
 02533  1252   NtSetEventBoostPriority  (308, ...
 02534  1736   NtAllocateVirtualMemory  (-1, 97116160, 0, 8192, 4096, 4, ...
 02511   484   NtWaitForSingleObject  ... ) == 0x0
 02533  1252   NtSetEventBoostPriority  ... ) == 0x0
 02535  1764   NtWaitForSingleObject  (328, 0, 0x0, ...
 02536   484   NtSetEventBoostPriority  (308, ...
 02534  1736   NtAllocateVirtualMemory  ... 97116160, 8192, ) == 0x0
 02537  1252   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16247988, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16247988, 188, ...
 02512   540   NtWaitForSingleObject  ... ) == 0x0
 02536   484   NtSetEventBoostPriority  ... ) == 0x0
 02538  1736   NtProtectVirtualMemory  (-1, (0x5c9e000), 4096, 260, ...
 02539   540   NtSetEventBoostPriority  (308, ...
 02540   484   NtWaitForSingleObject  (328, 0, 0x0, ...
 02515  1580   NtWaitForSingleObject  ... ) == 0x0
 02539   540   NtSetEventBoostPriority  ... ) == 0x0
 02538  1736   NtProtectVirtualMemory  ... (0x5c9e000), 4096, 4, ) == 0x0
 02537  1252   NtConnectPort  ... 864, 0x0, 0x0, 0x0, 188, ) == 0x0
 02541  1580   NtSetEventBoostPriority  (308, ...
 02542  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02518  2020   NtWaitForSingleObject  ... ) == 0x0
 02541  1580   NtSetEventBoostPriority  ... ) == 0x0
 02543  1252   NtRequestWaitReplyPort  (864, {200, 224, new_msg, 0, 1381672, 12, 2, 1310721}  (864, {200, 224, new_msg, 0, 1381672, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\10\235k\17\342\30@\236\200\253\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0X\221\25\0\367I"\343x\1\24\0x\253\25\0h\1\24\0\0\0\0\0\0\0\0\0x\253\25\0P\0\0\0\200\253\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\367\0\372\31\221|\310\362\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... \343x\1\24\0x\253\25\0h\1\24\0\0\0\0\0\0\0\0\0x\253\25\0P\0\0\0\200\253\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\367\0\372\31\221|\310\362\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...
 02544  2020   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 02542  1736   NtCreateThread  ... 868, {1636, 1524}, ) == 0x0
 02545  1580   NtWaitForSingleObject  (328, 0, 0x0, ...
 02544  2020   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 02546  1736   NtQueryInformationThread  (868, Basic, 28, ...
 02543  1252   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1252, 75594, 0}  ... {200, 224, reply, 0, 1636, 1252, 75594, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\10\235k\17\342\30@\236\200\253\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0X\221\25\0\367I"\343x\1\24\0x\253\25\0h\1\24\0\0\0\0\0\0\0\0\0x\253\25\0P\0\0\0\200\253\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\367\0\372\31\221|\310\362\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) \343x\1\24\0x\253\25\0h\1\24\0\0\0\0\0\0\0\0\0x\253\25\0P\0\0\0\200\253\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\367\0\372\31\221|\310\362\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0
 02547   540   NtSetEventBoostPriority  (328, ...
 02546  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=1524,}, 0x0, ) == 0x0
 02548  1252   NtRequestWaitReplyPort  (864, {64, 88, new_msg, 0, 1636, 1252, 75547, 0}  (864, {64, 88, new_msg, 0, 1636, 1252, 75547, 0} "\1\332\0\0A\2\10\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02523  1304   NtWaitForSingleObject  ... ) == 0x0
 02547   540   NtSetEventBoostPriority  ... ) == 0x0
 02549  2020   NtSetEventBoostPriority  (308, ...
 02550  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0d\6\0\0\364\5\0\0" ...  ...
 02551  1304   NtWaitForSingleObject  (308, 0, 0x0, ...
 02552   540   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02519   464   NtWaitForSingleObject  ... ) == 0x0
 02549  2020   NtSetEventBoostPriority  ... ) == 0x0
 02550  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75595, 0}  ... {28, 56, reply, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0d\6\0\0\364\5\0\0" )  ) == 0x0
 02553   464   NtSetEventBoostPriority  (308, ...
 02552   540   NtWaitForSingleObject  ... ) == 0x102
 02554  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02520  1656   NtWaitForSingleObject  ... ) == 0x0
 02553   464   NtSetEventBoostPriority  ... ) == 0x0
 02555  1736   NtResumeThread  (868, ...
 02556   540   NtWaitForSingleObject  (308, 0, 0x0, ...
 02557  1656   NtSetEventBoostPriority  (308, ...
 02558   464   NtWaitForSingleObject  (308, 0, 0x0, ...
 02555  1736   NtResumeThread  ... 1, ) == 0x0
 02548  1252   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 1252, 75596, 0}  ... {52, 76, reply, 0, 1636, 1252, 75596, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02522   444   NtWaitForSingleObject  ... ) == 0x0
 02557  1656   NtSetEventBoostPriority  ... ) == 0x0
 02559  1524   NtWaitForSingleObject  (100, 0, 0x0, ...
 02560  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02561   444   NtSetEventBoostPriority  (308, ...
 02562  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 02563  1656   NtWaitForSingleObject  (308, 0, 0x0, ...
 02526   896   NtWaitForSingleObject  ... ) == 0x0
 02561   444   NtSetEventBoostPriority  ... ) == 0x0
 02560  1736   NtAllocateVirtualMemory  ... 97124352, 1048576, ) == 0x0
 02564   896   NtSetEventBoostPriority  (308, ...
 02530   432   NtWaitForSingleObject  ... ) == 0x0
 02565   432   NtSetEventBoostPriority  (308, ...
 02532   808   NtWaitForSingleObject  ... ) == 0x0
 02566   808   NtSetEventBoostPriority  (308, ...
 02551  1304   NtWaitForSingleObject  ... ) == 0x0
 02567  1304   NtSetEventBoostPriority  (308, ...
 02554  2020   NtWaitForSingleObject  ... ) == 0x0
 02568  2020   NtSetEventBoostPriority  (308, ...
 02556   540   NtWaitForSingleObject  ... ) == 0x0
 02569   540   NtSetEventBoostPriority  (308, ...
 02558   464   NtWaitForSingleObject  ... ) == 0x0
 02570   464   NtSetEventBoostPriority  (308, ...
 02562  1252   NtWaitForSingleObject  ... ) == 0x0
 02571  1252   NtSetEventBoostPriority  (308, ...
 02563  1656   NtWaitForSingleObject  ... ) == 0x0
 02572  1656   NtWaitForSingleObject  (328, 0, 0x0, ...
 02571  1252   NtSetEventBoostPriority  ... ) == 0x0
 02568  2020   NtSetEventBoostPriority  ... ) == 0x0
 02565   432   NtSetEventBoostPriority  ... ) == 0x0
 02573  1736   NtAllocateVirtualMemory  (-1, 98164736, 0, 8192, 4096, 4, ...
 02570   464   NtSetEventBoostPriority  ... ) == 0x0
 02569   540   NtSetEventBoostPriority  ... ) == 0x0
 02567  1304   NtSetEventBoostPriority  ... ) == 0x0
 02566   808   NtSetEventBoostPriority  ... ) == 0x0
 02564   896   NtSetEventBoostPriority  ... ) == 0x0
 02574   444   NtWaitForSingleObject  (328, 0, 0x0, ...
 02575  1252   NtWaitForSingleObject  (328, 0, 0x0, ...
 02576  2020   NtAllocateVirtualMemory  (-1, 14143488, 0, 4096, 4096, 260, ...
 02573  1736   NtAllocateVirtualMemory  ... 98164736, 8192, ) == 0x0
 02577   464   NtWaitForSingleObject  (328, 0, 0x0, ...
 02578   540   NtWaitForSingleObject  (128, 0, 0x0, ...
 02579   432   NtSetEventBoostPriority  (100, ...
 02580   808   NtSetEventBoostPriority  (128, ...
 02581   896   NtAllocateVirtualMemory  (-1, 15192064, 0, 4096, 4096, 260, ...
 02576  2020   NtAllocateVirtualMemory  ... 14143488, 4096, ) == 0x0
 02582  1736   NtProtectVirtualMemory  (-1, (0x5d9e000), 4096, 260, ...
 02559  1524   NtWaitForSingleObject  ... ) == 0x0
 02579   432   NtSetEventBoostPriority  ... ) == 0x0
 00686   868   NtWaitForSingleObject  ... ) == 0x0
 02580   808   NtSetEventBoostPriority  ... ) == 0x0
 02581   896   NtAllocateVirtualMemory  ... 15192064, 4096, ) == 0x0
 02583  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02584  1524   NtTestAlert  (...
 02582  1736   NtProtectVirtualMemory  ... (0x5d9e000), 4096, 4, ) == 0x0
 02585   868   NtSetEventBoostPriority  (128, ...
 02586   432   NtTestAlert  (...
 02587  1304   NtSetEventBoostPriority  (328, ...
 02588   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02584  1524   NtTestAlert  ... ) == 0x0
 02583  2020   NtCreateEvent  ... 872, ) == 0x0
 00778  1180   NtWaitForSingleObject  ... ) == 0x0
 02585   868   NtSetEventBoostPriority  ... ) == 0x0
 02589  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02586   432   NtTestAlert  ... ) == 0x0
 02528   760   NtWaitForSingleObject  ... ) == 0x0
 02587  1304   NtSetEventBoostPriority  ... ) == 0x0
 02588   808   NtCreateEvent  ... 876, ) == 0x0
 02590   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02591  1180   NtSetEventBoostPriority  (128, ...
 02592  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02593  1524   NtContinue  (97123632, 1, ...
 02594   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02595   760   NtSetEventBoostPriority  (328, ...
 02596   432   NtContinue  (96075056, 1, ...
 02597  1304   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02598   808   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 00784   384   NtWaitForSingleObject  ... ) == 0x0
 02591  1180   NtSetEventBoostPriority  ... ) == 0x0
 02590   896   NtCreateEvent  ... 880, ) == 0x0
 02592  2020   NtDuplicateObject  ... 884, ) == 0x0
 02599  1524   NtRegisterThreadTerminatePort  (24, ...
 02535  1764   NtWaitForSingleObject  ... ) == 0x0
 02594   868   NtCreateEvent  ... 888, ) == 0x0
 02600   432   NtRegisterThreadTerminatePort  (24, ...
 02597  1304   NtWaitForSingleObject  ... ) == 0x102
 02601   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02598   808   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 02595   760   NtSetEventBoostPriority  ... ) == 0x0
 02589  1736   NtCreateThread  ... 892, {1636, 240}, ) == 0x0
 02602   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02603  1180   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02599  1524   NtRegisterThreadTerminatePort  ... ) == 0x0
 02604  1764   NtWaitForSingleObject  (308, 0, 0x0, ...
 02605   868   NtWaitForSingleObject  (308, 0, 0x0, ...
 02606  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02607  1304   NtWaitForSingleObject  (128, 0, 0x0, ...
 02608   808   NtSetEventBoostPriority  (308, ...
 02609   760   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02610  1736   NtQueryInformationThread  (892, Basic, 28, ...
 02602   896   NtDuplicateObject  ... 896, ) == 0x0
 02603  1180   NtCreateEvent  ... 900, ) == 0x0
 02611  1524   NtWaitForSingleObject  (308, 0, 0x0, ...
 02600   432   NtRegisterThreadTerminatePort  ... ) == 0x0
 02601   384   NtWaitForSingleObject  ... ) == 0x0
 02608   808   NtSetEventBoostPriority  ... ) == 0x0
 02610  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=240,}, 0x0, ) == 0x0
 02612   896   NtWaitForSingleObject  (308, 0, 0x0, ...
 02613  1180   NtWaitForSingleObject  (308, 0, 0x0, ...
 02614   384   NtSetEventBoostPriority  (308, ...
 02615   432   NtWaitForSingleObject  (308, 0, 0x0, ...
 02609   760   NtWaitForSingleObject  ... ) == 0x102
 02616  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0d\6\0\0\360\0\0\0" ...  ...
 02604  1764   NtWaitForSingleObject  ... ) == 0x0
 02614   384   NtSetEventBoostPriority  ... ) == 0x0
 02617   760   NtWaitForSingleObject  (128, 0, 0x0, ...
 02618  1764   NtSetEventBoostPriority  (308, ...
 02616  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75597, 0}  ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0d\6\0\0\360\0\0\0" )  ) == 0x0
 02619   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02605   868   NtWaitForSingleObject  ... ) == 0x0
 02618  1764   NtSetEventBoostPriority  ... ) == 0x0
 02620   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02621   868   NtSetEventBoostPriority  (308, ...
 02622  1736   NtResumeThread  (892, ...
 02606  2020   NtWaitForSingleObject  ... ) == 0x0
 02621   868   NtSetEventBoostPriority  ... ) == 0x0
 02623  2020   NtSetEventBoostPriority  (308, ...
 02622  1736   NtResumeThread  ... 1, ) == 0x0
 02624  1764   NtSetEventBoostPriority  (328, ...
 02611  1524   NtWaitForSingleObject  ... ) == 0x0
 02623  2020   NtSetEventBoostPriority  ... ) == 0x0
 02625  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02626  1524   NtSetEventBoostPriority  (308, ...
 02540   484   NtWaitForSingleObject  ... ) == 0x0
 02624  1764   NtSetEventBoostPriority  ... ) == 0x0
 02627  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02612   896   NtWaitForSingleObject  ... ) == 0x0
 02628   484   NtWaitForSingleObject  (308, 0, 0x0, ...
 02626  1524   NtSetEventBoostPriority  ... ) == 0x0
 02625  1736   NtAllocateVirtualMemory  ... 98172928, 1048576, ) == 0x0
 02629  1764   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02630   868   NtWaitForSingleObject  (308, 0, 0x0, ...
 02631   240   NtWaitForSingleObject  (308, 0, 0x0, ...
 02632   896   NtSetEventBoostPriority  (308, ...
 02633  1736   NtAllocateVirtualMemory  (-1, 99213312, 0, 8192, 4096, 4, ...
 02629  1764   NtWaitForSingleObject  ... ) == 0x102
 02613  1180   NtWaitForSingleObject  ... ) == 0x0
 02632   896   NtSetEventBoostPriority  ... ) == 0x0
 02633  1736   NtAllocateVirtualMemory  ... 99213312, 8192, ) == 0x0
 02634  1180   NtSetEventBoostPriority  (308, ...
 02635  1764   NtWaitForSingleObject  (128, 0, 0x0, ...
 02636  1524   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02637   896   NtWaitForSingleObject  (308, 0, 0x0, ...
 02615   432   NtWaitForSingleObject  ... ) == 0x0
 02634  1180   NtSetEventBoostPriority  ... ) == 0x0
 02638  1736   NtProtectVirtualMemory  (-1, (0x5e9e000), 4096, 260, ...
 02636  1524   NtDuplicateObject  ... 904, ) == 0x0
 02639   432   NtSetEventBoostPriority  (308, ...
 02638  1736   NtProtectVirtualMemory  ... (0x5e9e000), 4096, 4, ) == 0x0
 02619   808   NtWaitForSingleObject  ... ) == 0x0
 02639   432   NtSetEventBoostPriority  ... ) == 0x0
 02640  1524   NtWaitForSingleObject  (308, 0, 0x0, ...
 02641   808   NtSetEventBoostPriority  (308, ...
 02642  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02643  1180   NtWaitForSingleObject  (308, 0, 0x0, ...
 02620   384   NtWaitForSingleObject  ... ) == 0x0
 02641   808   NtSetEventBoostPriority  ... ) == 0x0
 02642  1736   NtCreateThread  ... 908, {1636, 276}, ) == 0x0
 02644   384   NtSetEventBoostPriority  (308, ...
 02645   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02628   484   NtWaitForSingleObject  ... ) == 0x0
 02644   384   NtSetEventBoostPriority  ... ) == 0x0
 02646  1736   NtQueryInformationThread  (908, Basic, 28, ...
 02647   432   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02648   484   NtSetEventBoostPriority  (308, ...
 02649   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02646  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=276,}, 0x0, ) == 0x0
 02627  2020   NtWaitForSingleObject  ... ) == 0x0
 02647   432   NtDuplicateObject  ... 912, ) == 0x0
 02648   484   NtSetEventBoostPriority  ... ) == 0x0
 02650  2020   NtSetEventBoostPriority  (308, ...
 02651   432   NtWaitForSingleObject  (308, 0, 0x0, ...
 02652  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0d\6\0\0\24\1\0\0" ...  ...
 02630   868   NtWaitForSingleObject  ... ) == 0x0
 02652  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75598, 0}  ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0d\6\0\0\24\1\0\0" )  ) == 0x0
 02653   868   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 02654  1736   NtResumeThread  (908, ...
 02653   868   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 02654  1736   NtResumeThread  ... 1, ) == 0x0
 02655   868   NtSetEventBoostPriority  (308, ...
 02656  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02650  2020   NtSetEventBoostPriority  ... ) == 0x0
 02657   484   NtSetEventBoostPriority  (328, ...
 02658   276   NtWaitForSingleObject  (100, 0, 0x0, ...
 02631   240   NtWaitForSingleObject  ... ) == 0x0
 02655   868   NtSetEventBoostPriority  ... ) == 0x0
 02659  2020   NtWaitForSingleObject  (328, 0, 0x0, ...
 02545  1580   NtWaitForSingleObject  ... ) == 0x0
 02657   484   NtSetEventBoostPriority  ... ) == 0x0
 02660   240   NtSetEventBoostPriority  (308, ...
 02661   868   NtWaitForSingleObject  (308, 0, 0x0, ...
 02662  1580   NtWaitForSingleObject  (308, 0, 0x0, ...
 02663   484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02637   896   NtWaitForSingleObject  ... ) == 0x0
 02660   240   NtSetEventBoostPriority  ... ) == 0x0
 02664   896   NtSetEventBoostPriority  (308, ...
 02663   484   NtWaitForSingleObject  ... ) == 0x102
 02656  1736   NtAllocateVirtualMemory  ... 99221504, 1048576, ) == 0x0
 02640  1524   NtWaitForSingleObject  ... ) == 0x0
 02664   896   NtSetEventBoostPriority  ... ) == 0x0
 02665   484   NtWaitForSingleObject  (308, 0, 0x0, ...
 02666  1524   NtSetEventBoostPriority  (308, ...
 02667  1736   NtAllocateVirtualMemory  (-1, 100261888, 0, 8192, 4096, 4, ...
 02668   896   NtWaitForSingleObject  (308, 0, 0x0, ...
 02669   240   NtSetEventBoostPriority  (100, ...
 02643  1180   NtWaitForSingleObject  ... ) == 0x0
 02666  1524   NtSetEventBoostPriority  ... ) == 0x0
 02667  1736   NtAllocateVirtualMemory  ... 100261888, 8192, ) == 0x0
 02670  1180   NtSetEventBoostPriority  (308, ...
 02658   276   NtWaitForSingleObject  ... ) == 0x0
 02669   240   NtSetEventBoostPriority  ... ) == 0x0
 02645   808   NtWaitForSingleObject  ... ) == 0x0
 02671   276   NtWaitForSingleObject  (308, 0, 0x0, ...
 02670  1180   NtSetEventBoostPriority  ... ) == 0x0
 02672  1736   NtProtectVirtualMemory  (-1, (0x5f9e000), 4096, 260, ...
 02673   808   NtSetEventBoostPriority  (308, ...
 02674   240   NtTestAlert  (...
 02675  1180   NtWaitForSingleObject  (308, 0, 0x0, ...
 02649   384   NtWaitForSingleObject  ... ) == 0x0
 02672  1736   NtProtectVirtualMemory  ... (0x5f9e000), 4096, 4, ) == 0x0
 02674   240   NtTestAlert  ... ) == 0x0
 02673   808   NtSetEventBoostPriority  ... ) == 0x0
 02676  1524   NtWaitForSingleObject  (308, 0, 0x0, ...
 02677   384   NtSetEventBoostPriority  (308, ...
 02678  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02679   240   NtContinue  (98172208, 1, ...
 02680   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02651   432   NtWaitForSingleObject  ... ) == 0x0
 02677   384   NtSetEventBoostPriority  ... ) == 0x0
 02681   240   NtRegisterThreadTerminatePort  (24, ...
 02682   432   NtSetEventBoostPriority  (308, ...
 02683   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02678  1736   NtCreateThread  ... 916, {1636, 1592}, ) == 0x0
 02662  1580   NtWaitForSingleObject  ... ) == 0x0
 02682   432   NtSetEventBoostPriority  ... ) == 0x0
 02684  1580   NtSetEventBoostPriority  (308, ...
 02685  1736   NtQueryInformationThread  (916, Basic, 28, ...
 02681   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02661   868   NtWaitForSingleObject  ... ) == 0x0
 02685  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=1592,}, 0x0, ) == 0x0
 02686   240   NtWaitForSingleObject  (308, 0, 0x0, ...
 02687   868   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 02688  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\08\6\0\0" ...  ...
 02687   868   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 02688  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75599, 0}  ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\08\6\0\0" )  ) == 0x0
 02684  1580   NtSetEventBoostPriority  ... ) == 0x0
 02689   432   NtWaitForSingleObject  (308, 0, 0x0, ...
 02690   868   NtSetEventBoostPriority  (308, ...
 02691  1736   NtResumeThread  (916, ...
 02665   484   NtWaitForSingleObject  ... ) == 0x0
 02690   868   NtSetEventBoostPriority  ... ) == 0x0
 02692   484   NtSetEventBoostPriority  (308, ...
 02691  1736   NtResumeThread  ... 1, ) == 0x0
 02668   896   NtWaitForSingleObject  ... ) == 0x0
 02693   868   NtWaitForSingleObject  (308, 0, 0x0, ...
 02694  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02695   896   NtSetEventBoostPriority  (308, ...
 02694  1736   NtAllocateVirtualMemory  ... 100270080, 1048576, ) == 0x0
 02671   276   NtWaitForSingleObject  ... ) == 0x0
 02696   276   NtSetEventBoostPriority  (308, ...
 02676  1524   NtWaitForSingleObject  ... ) == 0x0
 02697  1524   NtSetEventBoostPriority  (308, ...
 02675  1180   NtWaitForSingleObject  ... ) == 0x0
 02698  1180   NtSetEventBoostPriority  (308, ...
 02680   808   NtWaitForSingleObject  ... ) == 0x0
 02699   808   NtSetEventBoostPriority  (308, ...
 02683   384   NtWaitForSingleObject  ... ) == 0x0
 02700   384   NtSetEventBoostPriority  (308, ...
 02686   240   NtWaitForSingleObject  ... ) == 0x0
 02701   240   NtSetEventBoostPriority  (308, ...
 02689   432   NtWaitForSingleObject  ... ) == 0x0
 02702   432   NtSetEventBoostPriority  (308, ...
 02693   868   NtWaitForSingleObject  ... ) == 0x0
 02703   868   NtAllocateVirtualMemory  (-1, 12046336, 0, 4096, 4096, 260, ... 12046336, 4096, ) == 0x0
 02702   432   NtSetEventBoostPriority  ... ) == 0x0
 02701   240   NtSetEventBoostPriority  ... ) == 0x0
 02700   384   NtSetEventBoostPriority  ... ) == 0x0
 02699   808   NtSetEventBoostPriority  ... ) == 0x0
 02697  1524   NtSetEventBoostPriority  ... ) == 0x0
 02696   276   NtSetEventBoostPriority  ... ) == 0x0
 02704  1736   NtAllocateVirtualMemory  (-1, 101310464, 0, 8192, 4096, 4, ...
 02698  1180   NtSetEventBoostPriority  ... ) == 0x0
 02695   896   NtSetEventBoostPriority  ... ) == 0x0
 02692   484   NtSetEventBoostPriority  ... ) == 0x0
 02705  1580   NtSetEventBoostPriority  (328, ...
 02706  1592   NtWaitForSingleObject  (100, 0, 0x0, ...
 02707   432   NtWaitForSingleObject  (328, 0, 0x0, ...
 02708   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02709   240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02710   384   NtSetEventBoostPriority  (128, ...
 02711  1524   NtWaitForSingleObject  (328, 0, 0x0, ...
 02712   808   NtAllocateVirtualMemory  (-1, 13094912, 0, 4096, 4096, 260, ...
 02704  1736   NtAllocateVirtualMemory  ... 101310464, 8192, ) == 0x0
 02713  1180   NtAllocateVirtualMemory  (-1, 21483520, 0, 4096, 4096, 260, ...
 02714   896   NtWaitForSingleObject  (328, 0, 0x0, ...
 02715   484   NtWaitForSingleObject  (128, 0, 0x0, ...
 02572  1656   NtWaitForSingleObject  ... ) == 0x0
 02705  1580   NtSetEventBoostPriority  ... ) == 0x0
 02716   276   NtSetEventBoostPriority  (100, ...
 02708   868   NtCreateEvent  ... 920, ) == 0x0
 02709   240   NtDuplicateObject  ... 924, ) == 0x0
 00785  1028   NtWaitForSingleObject  ... ) == 0x0
 02710   384   NtSetEventBoostPriority  ... ) == 0x0
 02712   808   NtAllocateVirtualMemory  ... 13094912, 4096, ) == 0x0
 02713  1180   NtAllocateVirtualMemory  ... 21483520, 4096, ) == 0x0
 02717  1656   NtSetEventBoostPriority  (328, ...
 02718  1580   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02706  1592   NtWaitForSingleObject  ... ) == 0x0
 02716   276   NtSetEventBoostPriority  ... ) == 0x0
 02719   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02720  1028   NtSetEventBoostPriority  (128, ...
 02721   240   NtWaitForSingleObject  (328, 0, 0x0, ...
 02722   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02723   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02724  1736   NtProtectVirtualMemory  (-1, (0x609e000), 4096, 260, ...
 02574   444   NtWaitForSingleObject  ... ) == 0x0
 02725  1592   NtTestAlert  (...
 02718  1580   NtWaitForSingleObject  ... ) == 0x102
 02726   276   NtTestAlert  (...
 00792  2012   NtWaitForSingleObject  ... ) == 0x0
 02720  1028   NtSetEventBoostPriority  ... ) == 0x0
 02719   868   NtDuplicateObject  ... 928, ) == 0x0
 02722   384   NtCreateEvent  ... 932, ) == 0x0
 02723   808   NtCreateEvent  ... 936, ) == 0x0
 02724  1736   NtProtectVirtualMemory  ... (0x609e000), 4096, 4, ) == 0x0
 02725  1592   NtTestAlert  ... ) == 0x0
 02727   444   NtSetEventBoostPriority  (328, ...
 02728  1580   NtWaitForSingleObject  (128, 0, 0x0, ...
 02729  2012   NtSetEventBoostPriority  (128, ...
 02726   276   NtTestAlert  ... ) == 0x0
 02717  1656   NtSetEventBoostPriority  ... ) == 0x0
 02730  1180   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02731   868   NtWaitForSingleObject  (328, 0, 0x0, ...
 02732   384   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ...
 02733   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02734  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02735  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02575  1252   NtWaitForSingleObject  ... ) == 0x0
 02727   444   NtSetEventBoostPriority  ... ) == 0x0
 02736  1592   NtContinue  (100269360, 1, ...
 00794  2016   NtWaitForSingleObject  ... ) == 0x0
 02729  2012   NtSetEventBoostPriority  ... ) == 0x0
 02737   276   NtContinue  (99220784, 1, ...
 02730  1180   NtCreateEvent  ... 940, ) == 0x0
 02732   384   NtAllocateVirtualMemory  ... 1437696, 4096, ) == 0x0
 02733   808   NtDuplicateObject  ... 944, ) == 0x0
 02734  1736   NtCreateThread  ... 948, {1636, 1500}, ) == 0x0
 02738  1252   NtSetEventBoostPriority  (328, ...
 02735  1028   NtCreateEvent  ... 952, ) == 0x0
 02739   444   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02740  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 02741  1592   NtRegisterThreadTerminatePort  (24, ...
 02742  1656   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02743   276   NtRegisterThreadTerminatePort  (24, ...
 02744  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02745  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02746   384   NtSetEventBoostPriority  (308, ...
 02577   464   NtWaitForSingleObject  ... ) == 0x0
 02738  1252   NtSetEventBoostPriority  ... ) == 0x0
 02747  1736   NtQueryInformationThread  (948, Basic, 28, ...
 02748  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 02749   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02741  1592   NtRegisterThreadTerminatePort  ... ) == 0x0
 02742  1656   NtWaitForSingleObject  ... ) == 0x102
 02739   444   NtWaitForSingleObject  ... ) == 0x102
 02744  1180   NtDuplicateObject  ... 956, ) == 0x0
 02745  2012   NtCreateEvent  ... 960, ) == 0x0
 02750   464   NtWaitForSingleObject  (308, 0, 0x0, ...
 02740  2016   NtWaitForSingleObject  ... ) == 0x0
 02746   384   NtSetEventBoostPriority  ... ) == 0x0
 02751  1252   NtClose  (828, ...
 02747  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=1500,}, 0x0, ) == 0x0
 02752  1592   NtWaitForSingleObject  (308, 0, 0x0, ...
 02753  1656   NtWaitForSingleObject  (128, 0, 0x0, ...
 02754   444   NtWaitForSingleObject  (128, 0, 0x0, ...
 02755  1180   NtWaitForSingleObject  (308, 0, 0x0, ...
 02756  2016   NtSetEventBoostPriority  (308, ...
 02757  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02758   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02743   276   NtRegisterThreadTerminatePort  ... ) == 0x0
 02751  1252   NtClose  ... ) == 0x0
 02748  1028   NtWaitForSingleObject  ... ) == 0x0
 02756  2016   NtSetEventBoostPriority  ... ) == 0x0
 02759   276   NtWaitForSingleObject  (308, 0, 0x0, ...
 02760  1028   NtSetEventBoostPriority  (308, ...
 02761  1252   NtClose  (864, ...
 02762  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\0\334\5\0\0" ...  ...
 02749   808   NtWaitForSingleObject  ... ) == 0x0
 02760  1028   NtSetEventBoostPriority  ... ) == 0x0
 02761  1252   NtClose  ... ) == 0x0
 02763   808   NtSetEventBoostPriority  (308, ...
 02762  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75601, 0}  ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\0\334\5\0\0" )  ) == 0x0
 02764  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 02750   464   NtWaitForSingleObject  ... ) == 0x0
 02763   808   NtSetEventBoostPriority  ... ) == 0x0
 02765  1252   NtWaitForSingleObject  (328, 0, 0x0, ...
 02766  1736   NtResumeThread  (948, ...
 02767   464   NtSetEventBoostPriority  (308, ...
 02768   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02752  1592   NtWaitForSingleObject  ... ) == 0x0
 02767   464   NtSetEventBoostPriority  ... ) == 0x0
 02766  1736   NtResumeThread  ... 1, ) == 0x0
 02769  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 02770  1592   NtSetEventBoostPriority  (308, ...
 02771  1500   NtWaitForSingleObject  (308, 0, 0x0, ...
 02772  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02755  1180   NtWaitForSingleObject  ... ) == 0x0
 02770  1592   NtSetEventBoostPriority  ... ) == 0x0
 02773   464   NtSetEventBoostPriority  (328, ...
 02774  1180   NtSetEventBoostPriority  (308, ...
 02772  1736   NtAllocateVirtualMemory  ... 101318656, 1048576, ) == 0x0
 02757  2012   NtWaitForSingleObject  ... ) == 0x0
 02774  1180   NtSetEventBoostPriority  ... ) == 0x0
 02659  2020   NtWaitForSingleObject  ... ) == 0x0
 02773   464   NtSetEventBoostPriority  ... ) == 0x0
 02775  2012   NtSetEventBoostPriority  (308, ...
 02776  1736   NtAllocateVirtualMemory  (-1, 102359040, 0, 8192, 4096, 4, ...
 02777  1592   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02778  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02758   384   NtWaitForSingleObject  ... ) == 0x0
 02775  2012   NtSetEventBoostPriority  ... ) == 0x0
 02779   464   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02776  1736   NtAllocateVirtualMemory  ... 102359040, 8192, ) == 0x0
 02780   384   NtSetEventBoostPriority  (308, ...
 02777  1592   NtDuplicateObject  ... 864, ) == 0x0
 02781  1180   NtWaitForSingleObject  (308, 0, 0x0, ...
 02779   464   NtWaitForSingleObject  ... ) == 0x102
 02759   276   NtWaitForSingleObject  ... ) == 0x0
 02780   384   NtSetEventBoostPriority  ... ) == 0x0
 02782  1736   NtProtectVirtualMemory  (-1, (0x619e000), 4096, 260, ...
 02783  1592   NtWaitForSingleObject  (308, 0, 0x0, ...
 02784   276   NtSetEventBoostPriority  (308, ...
 02785   464   NtWaitForSingleObject  (308, 0, 0x0, ...
 02786  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02782  1736   NtProtectVirtualMemory  ... (0x619e000), 4096, 4, ) == 0x0
 02764  2016   NtWaitForSingleObject  ... ) == 0x0
 02784   276   NtSetEventBoostPriority  ... ) == 0x0
 02787   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02788  2016   NtSetEventBoostPriority  (308, ...
 02789  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02768   808   NtWaitForSingleObject  ... ) == 0x0
 02788  2016   NtSetEventBoostPriority  ... ) == 0x0
 02790   276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02791   808   NtSetEventBoostPriority  (308, ...
 02792  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 02769  1028   NtWaitForSingleObject  ... ) == 0x0
 02790   276   NtDuplicateObject  ... 828, ) == 0x0
 02791   808   NtSetEventBoostPriority  ... ) == 0x0
 02789  1736   NtCreateThread  ... 964, {1636, 2032}, ) == 0x0
 02793  1028   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 02794   276   NtWaitForSingleObject  (308, 0, 0x0, ...
 02795   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02796  1736   NtQueryInformationThread  (964, Basic, 28, ...
 02793  1028   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 02796  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=2032,}, 0x0, ) == 0x0
 02797  1028   NtSetEventBoostPriority  (308, ...
 02798  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\360\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75602, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\360\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\360\7\0\0" )  ) == 0x0
 02799  1736   NtResumeThread  (964, ... 1, ) == 0x0
 02800  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 102367232, 1048576, ) == 0x0
 02801  1736   NtAllocateVirtualMemory  (-1, 103407616, 0, 8192, 4096, 4, ... 103407616, 8192, ) == 0x0
 02771  1500   NtWaitForSingleObject  ... ) == 0x0
 02797  1028   NtSetEventBoostPriority  ... ) == 0x0
 02802  2032   NtWaitForSingleObject  (100, 0, 0x0, ...
 02803  1500   NtSetEventBoostPriority  (308, ...
 02804  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 02778  2020   NtWaitForSingleObject  ... ) == 0x0
 02803  1500   NtSetEventBoostPriority  ... ) == 0x0
 02805  2020   NtSetEventBoostPriority  (308, ...
 02806  1736   NtProtectVirtualMemory  (-1, (0x629e000), 4096, 260, ...
 02781  1180   NtWaitForSingleObject  ... ) == 0x0
 02805  2020   NtSetEventBoostPriority  ... ) == 0x0
 02807  1180   NtSetEventBoostPriority  (308, ...
 02806  1736   NtProtectVirtualMemory  ... (0x629e000), 4096, 4, ) == 0x0
 02808  1500   NtSetEventBoostPriority  (100, ...
 02783  1592   NtWaitForSingleObject  ... ) == 0x0
 02807  1180   NtSetEventBoostPriority  ... ) == 0x0
 02809  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02810  1592   NtSetEventBoostPriority  (308, ...
 02802  2032   NtWaitForSingleObject  ... ) == 0x0
 02808  1500   NtSetEventBoostPriority  ... ) == 0x0
 02811  1180   NtWaitForSingleObject  (308, 0, 0x0, ...
 02786  2012   NtWaitForSingleObject  ... ) == 0x0
 02812  2032   NtWaitForSingleObject  (308, 0, 0x0, ...
 02810  1592   NtSetEventBoostPriority  ... ) == 0x0
 02809  1736   NtCreateThread  ... 968, {1636, 932}, ) == 0x0
 02813  1500   NtTestAlert  (...
 02814  2020   NtSetEventBoostPriority  (328, ...
 02815  2012   NtSetEventBoostPriority  (308, ...
 02816  1736   NtQueryInformationThread  (968, Basic, 28, ...
 02813  1500   NtTestAlert  ... ) == 0x0
 02785   464   NtWaitForSingleObject  ... ) == 0x0
 02815  2012   NtSetEventBoostPriority  ... ) == 0x0
 02707   432   NtWaitForSingleObject  ... ) == 0x0
 02814  2020   NtSetEventBoostPriority  ... ) == 0x0
 02816  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=932,}, 0x0, ) == 0x0
 02817   464   NtSetEventBoostPriority  (308, ...
 02818  1500   NtContinue  (101317936, 1, ...
 02819   432   NtWaitForSingleObject  (308, 0, 0x0, ...
 02820  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02821  2020   NtWaitForSingleObject  (308, 0, 0x0, ...
 02822  1592   NtWaitForSingleObject  (308, 0, 0x0, ...
 02787   384   NtWaitForSingleObject  ... ) == 0x0
 02823  1500   NtRegisterThreadTerminatePort  (24, ...
 02817   464   NtSetEventBoostPriority  ... ) == 0x0
 02824  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0d\6\0\0\244\3\0\0" ...  ...
 02825   384   NtSetEventBoostPriority  (308, ...
 02826   464   NtWaitForSingleObject  (128, 0, 0x0, ...
 02824  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75603, 0}  ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0d\6\0\0\244\3\0\0" )  ) == 0x0
 02794   276   NtWaitForSingleObject  ... ) == 0x0
 02825   384   NtSetEventBoostPriority  ... ) == 0x0
 02827   276   NtSetEventBoostPriority  (308, ...
 02828  1736   NtResumeThread  (968, ...
 02795   808   NtWaitForSingleObject  ... ) == 0x0
 02827   276   NtSetEventBoostPriority  ... ) == 0x0
 02829   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02830   808   NtSetEventBoostPriority  (308, ...
 02828  1736   NtResumeThread  ... 1, ) == 0x0
 02823  1500   NtRegisterThreadTerminatePort  ... ) == 0x0
 02831   276   NtWaitForSingleObject  (308, 0, 0x0, ...
 02832   932   NtWaitForSingleObject  (100, 0, 0x0, ...
 02792  2016   NtWaitForSingleObject  ... ) == 0x0
 02830   808   NtSetEventBoostPriority  ... ) == 0x0
 02833  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02834  1500   NtWaitForSingleObject  (308, 0, 0x0, ...
 02835  2016   NtSetEventBoostPriority  (308, ...
 02836   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02804  1028   NtWaitForSingleObject  ... ) == 0x0
 02837  1028   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0
 02838  1028   NtSetEventBoostPriority  (308, ...
 02812  2032   NtWaitForSingleObject  ... ) == 0x0
 02839  2032   NtSetEventBoostPriority  (308, ...
 02811  1180   NtWaitForSingleObject  ... ) == 0x0
 02840  1180   NtSetEventBoostPriority  (308, ...
 02819   432   NtWaitForSingleObject  ... ) == 0x0
 02841   432   NtSetEventBoostPriority  (308, ...
 02821  2020   NtWaitForSingleObject  ... ) == 0x0
 02842  2020   NtSetEventBoostPriority  (308, ...
 02822  1592   NtWaitForSingleObject  ... ) == 0x0
 02843  1592   NtSetEventBoostPriority  (308, ...
 02820  2012   NtWaitForSingleObject  ... ) == 0x0
 02844  2012   NtSetEventBoostPriority  (308, ...
 02831   276   NtWaitForSingleObject  ... ) == 0x0
 02845   276   NtSetEventBoostPriority  (308, ...
 02829   384   NtWaitForSingleObject  ... ) == 0x0
 02846   384   NtSetEventBoostPriority  (308, ...
 02834  1500   NtWaitForSingleObject  ... ) == 0x0
 02847  1500   NtSetEventBoostPriority  (308, ...
 02836   808   NtWaitForSingleObject  ... ) == 0x0
 02848   808   NtWaitForSingleObject  (328, 0, 0x0, ...
 02847  1500   NtSetEventBoostPriority  ... ) == 0x0
 02845   276   NtSetEventBoostPriority  ... ) == 0x0
 02843  1592   NtSetEventBoostPriority  ... ) == 0x0
 02842  2020   NtSetEventBoostPriority  ... ) == 0x0
 02839  2032   NtSetEventBoostPriority  ... ) == 0x0
 02846   384   NtSetEventBoostPriority  ... ) == 0x0
 02844  2012   NtSetEventBoostPriority  ... ) == 0x0
 02841   432   NtSetEventBoostPriority  ... ) == 0x0
 02840  1180   NtSetEventBoostPriority  ... ) == 0x0
 02838  1028   NtSetEventBoostPriority  ... ) == 0x0
 02835  2016   NtSetEventBoostPriority  ... ) == 0x0
 02833  1736   NtAllocateVirtualMemory  ... 103415808, 1048576, ) == 0x0
 02849   276   NtWaitForSingleObject  (328, 0, 0x0, ...
 02850  1592   NtWaitForSingleObject  (328, 0, 0x0, ...
 02851  1500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02852  2020   NtWaitForSingleObject  (328, 0, 0x0, ...
 02853   384   NtAllocateVirtualMemory  (-1, 20434944, 0, 4096, 4096, 260, ...
 02854  2012   NtAllocateVirtualMemory  (-1, 18337792, 0, 4096, 4096, 260, ...
 02855  2032   NtSetEventBoostPriority  (100, ...
 02856  1180   NtWaitForSingleObject  (328, 0, 0x0, ...
 02857  1028   NtAllocateVirtualMemory  (-1, 19386368, 0, 4096, 4096, 260, ...
 02858  2016   NtSetEventBoostPriority  (128, ...
 02859  1736   NtAllocateVirtualMemory  (-1, 104456192, 0, 8192, 4096, 4, ...
 02860   432   NtSetEventBoostPriority  (328, ...
 02851  1500   NtDuplicateObject  ... 972, ) == 0x0
 02853   384   NtAllocateVirtualMemory  ... 20434944, 4096, ) == 0x0
 02854  2012   NtAllocateVirtualMemory  ... 18337792, 4096, ) == 0x0
 02832   932   NtWaitForSingleObject  ... ) == 0x0
 02855  2032   NtSetEventBoostPriority  ... ) == 0x0
 02857  1028   NtAllocateVirtualMemory  ... 19386368, 4096, ) == 0x0
 01186  1132   NtWaitForSingleObject  ... ) == 0x0
 02858  2016   NtSetEventBoostPriority  ... ) == 0x0
 02859  1736   NtAllocateVirtualMemory  ... 104456192, 8192, ) == 0x0
 02711  1524   NtWaitForSingleObject  ... ) == 0x0
 02860   432   NtSetEventBoostPriority  ... ) == 0x0
 02861  1500   NtWaitForSingleObject  (328, 0, 0x0, ...
 02862   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02863   932   NtTestAlert  (...
 02864  2032   NtTestAlert  (...
 02865  1132   NtSetEventBoostPriority  (128, ...
 02866  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02867  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02868  1524   NtSetEventBoostPriority  (328, ...
 02869  1736   NtProtectVirtualMemory  (-1, (0x639e000), 4096, 260, ...
 02870   432   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02863   932   NtTestAlert  ... ) == 0x0
 02862   384   NtCreateEvent  ... 976, ) == 0x0
 01188   500   NtWaitForSingleObject  ... ) == 0x0
 02865  1132   NtSetEventBoostPriority  ... ) == 0x0
 02864  2032   NtTestAlert  ... ) == 0x0
 02866  1028   NtCreateEvent  ... 980, ) == 0x0
 02714   896   NtWaitForSingleObject  ... ) == 0x0
 02867  2012   NtCreateEvent  ... 984, ) == 0x0
 02869  1736   NtProtectVirtualMemory  ... (0x639e000), 4096, 4, ) == 0x0
 02870   432   NtWaitForSingleObject  ... ) == 0x102
 02868  1524   NtSetEventBoostPriority  ... ) == 0x0
 02871  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02872   500   NtSetEventBoostPriority  (128, ...
 02873   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02874   932   NtContinue  (103415088, 1, ...
 02875  2032   NtContinue  (102366512, 1, ...
 02876  1132   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02877   896   NtSetEventBoostPriority  (328, ...
 02878  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02879  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02880   432   NtWaitForSingleObject  (128, 0, 0x0, ...
 02881  1524   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01189  1024   NtWaitForSingleObject  ... ) == 0x0
 02872   500   NtSetEventBoostPriority  ... ) == 0x0
 02871  2016   NtCreateEvent  ... 988, ) == 0x0
 02873   384   NtDuplicateObject  ... 992, ) == 0x0
 02882   932   NtRegisterThreadTerminatePort  (24, ...
 02883  2032   NtRegisterThreadTerminatePort  (24, ...
 02876  1132   NtCreateEvent  ... 996, ) == 0x0
 02721   240   NtWaitForSingleObject  ... ) == 0x0
 02877   896   NtSetEventBoostPriority  ... ) == 0x0
 02878  2012   NtDuplicateObject  ... 1000, ) == 0x0
 02884  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02879  1736   NtCreateThread  ... 1004, {1636, 1644}, ) == 0x0
 02885  1024   NtSetEventBoostPriority  (128, ...
 02881  1524   NtWaitForSingleObject  ... ) == 0x102
 02886  2016   NtAllocateVirtualMemory  (-1, 1449984, 0, 4096, 4096, 4, ...
 02887   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02882   932   NtRegisterThreadTerminatePort  ... ) == 0x0
 02888   500   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02889   240   NtWaitForSingleObject  (308, 0, 0x0, ...
 02890  1132   NtWaitForSingleObject  (308, 0, 0x0, ...
 02883  2032   NtRegisterThreadTerminatePort  ... ) == 0x0
 02891  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02884  1028   NtDuplicateObject  ... 1008, ) == 0x0
 01217   596   NtWaitForSingleObject  ... ) == 0x0
 02885  1024   NtSetEventBoostPriority  ... ) == 0x0
 02892  1736   NtQueryInformationThread  (1004, Basic, 28, ...
 02893  1524   NtWaitForSingleObject  (128, 0, 0x0, ...
 02886  2016   NtAllocateVirtualMemory  ... 1449984, 4096, ) == 0x0
 02894   932   NtWaitForSingleObject  (308, 0, 0x0, ...
 02888   500   NtCreateEvent  ... 1012, ) == 0x0
 02895  2032   NtWaitForSingleObject  (308, 0, 0x0, ...
 02896   596   NtWaitForSingleObject  (308, 0, 0x0, ...
 02897  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 02898   896   NtWaitForSingleObject  (452, 0, 0x0, ...
 02892  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=1644,}, 0x0, ) == 0x0
 02899  2016   NtSetEventBoostPriority  (308, ...
 02900   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 02901  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0d\6\0\0l\6\0\0" ...  ...
 02887   384   NtWaitForSingleObject  ... ) == 0x0
 02899  2016   NtSetEventBoostPriority  ... ) == 0x0
 02902   384   NtSetEventBoostPriority  (308, ...
 02901  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75604, 0}  ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0d\6\0\0l\6\0\0" )  ) == 0x0
 02903  1024   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02889   240   NtWaitForSingleObject  ... ) == 0x0
 02902   384   NtSetEventBoostPriority  ... ) == 0x0
 02904  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 02905   240   NtSetEventBoostPriority  (308, ...
 02903  1024   NtCreateEvent  ... 1016, ) == 0x0
 02906  1736   NtResumeThread  (1004, ...
 02890  1132   NtWaitForSingleObject  ... ) == 0x0
 02905   240   NtSetEventBoostPriority  ... ) == 0x0
 02907  1024   NtWaitForSingleObject  (308, 0, 0x0, ...
 02908  1132   NtSetEventBoostPriority  (308, ...
 02906  1736   NtResumeThread  ... 1, ) == 0x0
 02909   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02891  2012   NtWaitForSingleObject  ... ) == 0x0
 02908  1132   NtSetEventBoostPriority  ... ) == 0x0
 02910  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02911  2012   NtSetEventBoostPriority  (308, ...
 02912   240   NtSetEventBoostPriority  (328, ...
 02913  1644   NtWaitForSingleObject  (308, 0, 0x0, ...
 02894   932   NtWaitForSingleObject  ... ) == 0x0
 02911  2012   NtSetEventBoostPriority  ... ) == 0x0
 02910  1736   NtAllocateVirtualMemory  ... 104464384, 1048576, ) == 0x0
 02731   868   NtWaitForSingleObject  ... ) == 0x0
 02912   240   NtSetEventBoostPriority  ... ) == 0x0
 02914   932   NtSetEventBoostPriority  (308, ...
 02915  1132   NtWaitForSingleObject  (308, 0, 0x0, ...
 02916   868   NtWaitForSingleObject  (308, 0, 0x0, ...
 02917  1736   NtAllocateVirtualMemory  (-1, 105504768, 0, 8192, 4096, 4, ...
 02896   596   NtWaitForSingleObject  ... ) == 0x0
 02914   932   NtSetEventBoostPriority  ... ) == 0x0
 02918   240   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02919   596   NtSetEventBoostPriority  (308, ...
 02917  1736   NtAllocateVirtualMemory  ... 105504768, 8192, ) == 0x0
 02920  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02895  2032   NtWaitForSingleObject  ... ) == 0x0
 02919   596   NtSetEventBoostPriority  ... ) == 0x0
 02918   240   NtWaitForSingleObject  ... ) == 0x102
 02921   932   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02922  2032   NtSetEventBoostPriority  (308, ...
 02923  1736   NtProtectVirtualMemory  (-1, (0x649e000), 4096, 260, ...
 02924   240   NtWaitForSingleObject  (128, 0, 0x0, ...
 02897  1028   NtWaitForSingleObject  ... ) == 0x0
 02922  2032   NtSetEventBoostPriority  ... ) == 0x0
 02921   932   NtDuplicateObject  ... 1020, ) == 0x0
 02923  1736   NtProtectVirtualMemory  ... (0x649e000), 4096, 4, ) == 0x0
 02925   596   NtWaitForSingleObject  (308, 0, 0x0, ...
 02926  1028   NtSetEventBoostPriority  (308, ...
 02927   932   NtWaitForSingleObject  (308, 0, 0x0, ...
 02928  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02900   500   NtWaitForSingleObject  ... ) == 0x0
 02926  1028   NtSetEventBoostPriority  ... ) == 0x0
 02929   500   NtSetEventBoostPriority  (308, ...
 02928  1736   NtCreateThread  ... 1024, {1636, 504}, ) == 0x0
 02930  2032   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02904  2016   NtWaitForSingleObject  ... ) == 0x0
 02929   500   NtSetEventBoostPriority  ... ) == 0x0
 02931  1736   NtQueryInformationThread  (1024, Basic, 28, ...
 02932  2016   NtSetEventBoostPriority  (308, ...
 02930  2032   NtDuplicateObject  ... 1028, ) == 0x0
 02933  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 02907  1024   NtWaitForSingleObject  ... ) == 0x0
 02932  2016   NtSetEventBoostPriority  ... ) == 0x0
 02931  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=504,}, 0x0, ) == 0x0
 02934  2032   NtWaitForSingleObject  (308, 0, 0x0, ...
 02935  1024   NtSetEventBoostPriority  (308, ...
 02936  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 02937   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 02909   384   NtWaitForSingleObject  ... ) == 0x0
 02935  1024   NtSetEventBoostPriority  ... ) == 0x0
 02938  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0d\6\0\0\370\1\0\0" ...  ...
 02939   384   NtSetEventBoostPriority  (308, ...
 02913  1644   NtWaitForSingleObject  ... ) == 0x0
 02940  1644   NtSetEventBoostPriority  (308, ...
 02916   868   NtWaitForSingleObject  ... ) == 0x0
 02941   868   NtSetEventBoostPriority  (308, ...
 02915  1132   NtWaitForSingleObject  ... ) == 0x0
 02942  1132   NtSetEventBoostPriority  (308, ...
 02920  2012   NtWaitForSingleObject  ... ) == 0x0
 02943  2012   NtSetEventBoostPriority  (308, ...
 02925   596   NtWaitForSingleObject  ... ) == 0x0
 02944   596   NtSetEventBoostPriority  (308, ...
 02927   932   NtWaitForSingleObject  ... ) == 0x0
 02945   932   NtSetEventBoostPriority  (308, ...
 02933  1028   NtWaitForSingleObject  ... ) == 0x0
 02946  1028   NtSetEventBoostPriority  (308, ...
 02934  2032   NtWaitForSingleObject  ... ) == 0x0
 02947  2032   NtSetEventBoostPriority  (308, ...
 02937   500   NtWaitForSingleObject  ... ) == 0x0
 02948   500   NtAllocateVirtualMemory  (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0
 02949   500   NtSetEventBoostPriority  (308, ...
 02947  2032   NtSetEventBoostPriority  ... ) == 0x0
 02946  1028   NtSetEventBoostPriority  ... ) == 0x0
 02945   932   NtSetEventBoostPriority  ... ) == 0x0
 02944   596   NtSetEventBoostPriority  ... ) == 0x0
 02943  2012   NtSetEventBoostPriority  ... ) == 0x0
 02942  1132   NtSetEventBoostPriority  ... ) == 0x0
 02941   868   NtSetEventBoostPriority  ... ) == 0x0
 02940  1644   NtSetEventBoostPriority  ... ) == 0x0
 02939   384   NtSetEventBoostPriority  ... ) == 0x0
 02938  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75605, 0}  ... {28, 56, reply, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0d\6\0\0\370\1\0\0" )  ) == 0x0
 02950  1024   NtWaitForSingleObject  (308, 0, 0x0, ...
 02936  2016   NtWaitForSingleObject  ... ) == 0x0
 02949   500   NtSetEventBoostPriority  ... ) == 0x0
 02951  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 02952  2032   NtWaitForSingleObject  (308, 0, 0x0, ...
 02953   596   NtSetEventBoostPriority  (128, ...
 02954  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02955  1132   NtWaitForSingleObject  (308, 0, 0x0, ...
 02956   932   NtWaitForSingleObject  (308, 0, 0x0, ...
 02957   868   NtSetEventBoostPriority  (328, ...
 02958   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 02959  1736   NtResumeThread  (1024, ...
 02960  2016   NtSetEventBoostPriority  (308, ...
 02961   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 02962  1644   NtTestAlert  (...
 01222   376   NtWaitForSingleObject  ... ) == 0x0
 02953   596   NtSetEventBoostPriority  ... ) == 0x0
 02765  1252   NtWaitForSingleObject  ... ) == 0x0
 02957   868   NtSetEventBoostPriority  ... ) == 0x0
 02959  1736   NtResumeThread  ... 1, ) == 0x0
 02950  1024   NtWaitForSingleObject  ... ) == 0x0
 02962  1644   NtTestAlert  ... ) == 0x0
 02963   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 02964  1252   NtSetEventBoostPriority  (328, ...
 02965   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02966   868   NtWaitForSingleObject  (452, 0, 0x0, ...
 02967  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02968  1024   NtSetEventBoostPriority  (308, ...
 02969  1644   NtContinue  (104463664, 1, ...
 02848   808   NtWaitForSingleObject  ... ) == 0x0
 02964  1252   NtSetEventBoostPriority  ... ) == 0x0
 02965   596   NtCreateEvent  ... 1032, ) == 0x0
 02960  2016   NtSetEventBoostPriority  ... ) == 0x0
 02970   504   NtTestAlert  (...
 02952  2032   NtWaitForSingleObject  ... ) == 0x0
 02968  1024   NtSetEventBoostPriority  ... ) == 0x0
 02971   808   NtWaitForSingleObject  (308, 0, 0x0, ...
 02972  1644   NtRegisterThreadTerminatePort  (24, ...
 02967  1736   NtAllocateVirtualMemory  ... 105512960, 1048576, ) == 0x0
 02973   596   NtWaitForSingleObject  (308, 0, 0x0, ...
 02974  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 02975  2032   NtSetEventBoostPriority  (308, ...
 02970   504   NtTestAlert  ... ) == 0x0
 02976  1024   NtWaitForSingleObject  (308, 0, 0x0, ...
 02972  1644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02977  1736   NtAllocateVirtualMemory  (-1, 106553344, 0, 8192, 4096, 4, ...
 02951  1028   NtWaitForSingleObject  ... ) == 0x0
 02975  2032   NtSetEventBoostPriority  ... ) == 0x0
 02978   504   NtContinue  (105512240, 1, ...
 02979  1252   NtWaitForSingleObject  (328, 0, 0x0, ...
 02980  1644   NtWaitForSingleObject  (308, 0, 0x0, ...
 02981  1028   NtSetEventBoostPriority  (308, ...
 02977  1736   NtAllocateVirtualMemory  ... 106553344, 8192, ) == 0x0
 02982  2032   NtWaitForSingleObject  (328, 0, 0x0, ...
 02983   504   NtRegisterThreadTerminatePort  (24, ...
 02954  2012   NtWaitForSingleObject  ... ) == 0x0
 02984  1736   NtProtectVirtualMemory  (-1, (0x659e000), 4096, 260, ...
 02981  1028   NtSetEventBoostPriority  ... ) == 0x0
 02983   504   NtRegisterThreadTerminatePort  ... ) == 0x0
 02985  2012   NtSetEventBoostPriority  (308, ...
 02984  1736   NtProtectVirtualMemory  ... (0x659e000), 4096, 4, ) == 0x0
 02986  1028   NtWaitForSingleObject  (328, 0, 0x0, ...
 02956   932   NtWaitForSingleObject  ... ) == 0x0
 02987  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02988   932   NtSetEventBoostPriority  (308, ...
 02985  2012   NtSetEventBoostPriority  ... ) == 0x0
 02989   504   NtWaitForSingleObject  (308, 0, 0x0, ...
 02955  1132   NtWaitForSingleObject  ... ) == 0x0
 02988   932   NtSetEventBoostPriority  ... ) == 0x0
 02990  2012   NtWaitForSingleObject  (308, 0, 0x0, ...
 02991  1132   NtAllocateVirtualMemory  (-1, 1458176, 0, 4096, 4096, 4, ...
 02992   932   NtWaitForSingleObject  (328, 0, 0x0, ...
 02991  1132   NtAllocateVirtualMemory  ... 1458176, 4096, ) == 0x0
 02987  1736   NtCreateThread  ... 1036, {1636, 1948}, ) == 0x0
 02993  1132   NtSetEventBoostPriority  (308, ...
 02961   500   NtWaitForSingleObject  ... ) == 0x0
 02994   500   NtSetEventBoostPriority  (308, ...
 02963   376   NtWaitForSingleObject  ... ) == 0x0
 02995   376   NtSetEventBoostPriority  (308, ...
 02958   384   NtWaitForSingleObject  ... ) == 0x0
 02996   384   NtSetEventBoostPriority  (308, ...
 02971   808   NtWaitForSingleObject  ... ) == 0x0
 02997   808   NtSetEventBoostPriority  (308, ...
 02973   596   NtWaitForSingleObject  ... ) == 0x0
 02998   596   NtSetEventBoostPriority  (308, ...
 02974  2016   NtWaitForSingleObject  ... ) == 0x0
 02999  2016   NtSetEventBoostPriority  (308, ...
 02976  1024   NtWaitForSingleObject  ... ) == 0x0
 03000  1024   NtAllocateVirtualMemory  (-1, 1462272, 0, 4096, 4096, 4, ... 1462272, 4096, ) == 0x0
 03001  1024   NtSetEventBoostPriority  (308, ...
 02980  1644   NtWaitForSingleObject  ... ) == 0x0
 03002  1644   NtSetEventBoostPriority  (308, ...
 02989   504   NtWaitForSingleObject  ... ) == 0x0
 03003   504   NtSetEventBoostPriority  (308, ...
 02990  2012   NtWaitForSingleObject  ... ) == 0x0
 03004  2012   NtWaitForSingleObject  (328, 0, 0x0, ...
 03003   504   NtSetEventBoostPriority  ... ) == 0x0
 03005   504   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02999  2016   NtSetEventBoostPriority  ... ) == 0x0
 02998   596   NtSetEventBoostPriority  ... ) == 0x0
 02997   808   NtSetEventBoostPriority  ... ) == 0x0
 02995   376   NtSetEventBoostPriority  ... ) == 0x0
 02994   500   NtSetEventBoostPriority  ... ) == 0x0
 03006  1736   NtQueryInformationThread  (1036, Basic, 28, ...
 03002  1644   NtSetEventBoostPriority  ... ) == 0x0
 03001  1024   NtSetEventBoostPriority  ... ) == 0x0
 02996   384   NtSetEventBoostPriority  ... ) == 0x0
 02993  1132   NtSetEventBoostPriority  ... ) == 0x0
 03005   504   NtDuplicateObject  ... 1040, ) == 0x0
 03007  2016   NtAllocateVirtualMemory  (-1, 17289216, 0, 4096, 4096, 260, ...
 03008   596   NtAllocateVirtualMemory  (-1, 1466368, 0, 4096, 4096, 4, ...
 03009   808   NtSetEventBoostPriority  (328, ...
 03010   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 03006  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=1948,}, 0x0, ) == 0x0
 03011  1644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03012   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 03013   384   NtWaitForSingleObject  (308, 0, 0x0, ...
 03014  1024   NtWaitForSingleObject  (308, 0, 0x0, ...
 03015   504   NtWaitForSingleObject  (308, 0, 0x0, ...
 03007  2016   NtAllocateVirtualMemory  ... 17289216, 4096, ) == 0x0
 03008   596   NtAllocateVirtualMemory  ... 1466368, 4096, ) == 0x0
 02849   276   NtWaitForSingleObject  ... ) == 0x0
 03009   808   NtSetEventBoostPriority  ... ) == 0x0
 03016  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0d\6\0\0\234\7\0\0" ...  ...
 03011  1644   NtDuplicateObject  ... 1044, ) == 0x0
 03017  2016   NtWaitForSingleObject  (308, 0, 0x0, ...
 03018   276   NtWaitForSingleObject  (308, 0, 0x0, ...
 03019   596   NtSetEventBoostPriority  (308, ...
 03020   808   NtWaitForSingleObject  (452, 0, 0x0, ...
 03016  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75606, 0}  ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0d\6\0\0\234\7\0\0" )  ) == 0x0
 03021  1132   NtWaitForSingleObject  (308, 0, 0x0, ...
 03010   376   NtWaitForSingleObject  ... ) == 0x0
 03019   596   NtSetEventBoostPriority  ... ) == 0x0
 03022  1644   NtWaitForSingleObject  (308, 0, 0x0, ...
 03023   376   NtSetEventBoostPriority  (308, ...
 03024   596   NtWaitForSingleObject  (308, 0, 0x0, ...
 03012   500   NtWaitForSingleObject  ... ) == 0x0
 03023   376   NtSetEventBoostPriority  ... ) == 0x0
 03025   500   NtSetEventBoostPriority  (308, ...
 03013   384   NtWaitForSingleObject  ... ) == 0x0
 03026   384   NtSetEventBoostPriority  (308, ...
 03014  1024   NtWaitForSingleObject  ... ) == 0x0
 03027  1024   NtSetEventBoostPriority  (308, ...
 03015   504   NtWaitForSingleObject  ... ) == 0x0
 03028   504   NtSetEventBoostPriority  (308, ...
 03018   276   NtWaitForSingleObject  ... ) == 0x0
 03029   276   NtSetEventBoostPriority  (308, ...
 03017  2016   NtWaitForSingleObject  ... ) == 0x0
 03030  2016   NtSetEventBoostPriority  (308, ...
 03021  1132   NtWaitForSingleObject  ... ) == 0x0
 03031  1132   NtSetEventBoostPriority  (308, ...
 03022  1644   NtWaitForSingleObject  ... ) == 0x0
 03032  1644   NtSetEventBoostPriority  (308, ...
 03024   596   NtWaitForSingleObject  ... ) == 0x0
 03033   596   NtAllocateVirtualMemory  (-1, 23580672, 0, 4096, 4096, 260, ... 23580672, 4096, ) == 0x0
 03032  1644   NtSetEventBoostPriority  ... ) == 0x0
 03031  1132   NtSetEventBoostPriority  ... ) == 0x0
 03030  2016   NtSetEventBoostPriority  ... ) == 0x0
 03028   504   NtSetEventBoostPriority  ... ) == 0x0
 03027  1024   NtSetEventBoostPriority  ... ) == 0x0
 03026   384   NtSetEventBoostPriority  ... ) == 0x0
 03025   500   NtSetEventBoostPriority  ... ) == 0x0
 03034   376   NtSetEventBoostPriority  (128, ...
 03029   276   NtSetEventBoostPriority  ... ) == 0x0
 03035  1736   NtResumeThread  (1036, ...
 03036  1644   NtWaitForSingleObject  (328, 0, 0x0, ...
 03037  1132   NtAllocateVirtualMemory  (-1, 36163584, 0, 4096, 4096, 260, ...
 03038   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03039  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03040  1024   NtAllocateVirtualMemory  (-1, 37212160, 0, 4096, 4096, 260, ...
 03041   504   NtWaitForSingleObject  (328, 0, 0x0, ...
 03042   500   NtAllocateVirtualMemory  (-1, 35115008, 0, 4096, 4096, 260, ...
 03043   384   NtWaitForSingleObject  (328, 0, 0x0, ...
 01226  1168   NtWaitForSingleObject  ... ) == 0x0
 03034   376   NtSetEventBoostPriority  ... ) == 0x0
 03035  1736   NtResumeThread  ... 1, ) == 0x0
 03044   276   NtSetEventBoostPriority  (328, ...
 03045  1948   NtTestAlert  (...
 03038   596   NtCreateEvent  ... 1048, ) == 0x0
 03039  2016   NtCreateEvent  ... 1052, ) == 0x0
 03037  1132   NtAllocateVirtualMemory  ... 36163584, 4096, ) == 0x0
 03040  1024   NtAllocateVirtualMemory  ... 37212160, 4096, ) == 0x0
 03046  1168   NtSetEventBoostPriority  (128, ...
 03047   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03048  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02852  2020   NtWaitForSingleObject  ... ) == 0x0
 03044   276   NtSetEventBoostPriority  ... ) == 0x0
 03045  1948   NtTestAlert  ... ) == 0x0
 03049   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03050  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03051  1132   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03052  1024   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01235   120   NtWaitForSingleObject  ... ) == 0x0
 03046  1168   NtSetEventBoostPriority  ... ) == 0x0
 03047   376   NtCreateEvent  ... 1056, ) == 0x0
 03053  2020   NtSetEventBoostPriority  (328, ...
 03048  1736   NtAllocateVirtualMemory  ... 106561536, 1048576, ) == 0x0
 03054   276   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03055  1948   NtContinue  (106560816, 1, ...
 03049   596   NtDuplicateObject  ... 1060, ) == 0x0
 03050  2016   NtDuplicateObject  ... 1064, ) == 0x0
 03051  1132   NtCreateEvent  ... 1068, ) == 0x0
 03056   120   NtSetEventBoostPriority  (128, ...
 03052  1024   NtCreateEvent  ... 1072, ) == 0x0
 03057  1168   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02856  1180   NtWaitForSingleObject  ... ) == 0x0
 03053  2020   NtSetEventBoostPriority  ... ) == 0x0
 03058   376   NtAllocateVirtualMemory  (-1, 24629248, 0, 4096, 4096, 260, ...
 03059  1736   NtAllocateVirtualMemory  (-1, 107601920, 0, 8192, 4096, 4, ...
 03054   276   NtWaitForSingleObject  ... ) == 0x102
 03060  1948   NtRegisterThreadTerminatePort  (24, ...
 03061   596   NtWaitForSingleObject  (328, 0, 0x0, ...
 03062  2016   NtWaitForSingleObject  (328, 0, 0x0, ...
 01237   928   NtWaitForSingleObject  ... ) == 0x0
 03056   120   NtSetEventBoostPriority  ... ) == 0x0
 03063  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03064  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03042   500   NtAllocateVirtualMemory  ... 35115008, 4096, ) == 0x0
 03065  1180   NtSetEventBoostPriority  (328, ...
 03066  2020   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 03058   376   NtAllocateVirtualMemory  ... 24629248, 4096, ) == 0x0
 03059  1736   NtAllocateVirtualMemory  ... 107601920, 8192, ) == 0x0
 03067   276   NtWaitForSingleObject  (128, 0, 0x0, ...
 03060  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 03068   928   NtSetEventBoostPriority  (128, ...
 03069   120   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03063  1132   NtDuplicateObject  ... 1076, ) == 0x0
 03064  1024   NtDuplicateObject  ... 1080, ) == 0x0
 02850  1592   NtWaitForSingleObject  ... ) == 0x0
 03065  1180   NtSetEventBoostPriority  ... ) == 0x0
 03070   500   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03057  1168   NtCreateEvent  ... 1084, ) == 0x0
 03071   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03066  2020   NtCreateEvent  ... 1088, ) == 0x0
 03072  1736   NtProtectVirtualMemory  (-1, (0x669e000), 4096, 260, ...
 01239  1732   NtWaitForSingleObject  ... ) == 0x0
 03068   928   NtSetEventBoostPriority  ... ) == 0x0
 03073  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03074  1132   NtWaitForSingleObject  (328, 0, 0x0, ...
 03075  1592   NtSetEventBoostPriority  (328, ...
 03076  1024   NtWaitForSingleObject  (328, 0, 0x0, ...
 03069   120   NtCreateEvent  ... 1092, ) == 0x0
 03070   500   NtCreateEvent  ... 1096, ) == 0x0
 03077  1168   NtAllocateVirtualMemory  (-1, 1470464, 0, 4096, 4096, 4, ...
 03078  1180   NtWaitForSingleObject  (452, 0, 0x0, ...
 03079  2020   NtWaitForSingleObject  (328, 0, 0x0, ...
 03080  1732   NtWaitForSingleObject  (308, 0, 0x0, ...
 03072  1736   NtProtectVirtualMemory  ... (0x669e000), 4096, 4, ) == 0x0
 03081   928   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03073  1948   NtDuplicateObject  ... 1100, ) == 0x0
 03071   376   NtCreateEvent  ... 1104, ) == 0x0
 02861  1500   NtWaitForSingleObject  ... ) == 0x0
 03075  1592   NtSetEventBoostPriority  ... ) == 0x0
 03082   120   NtWaitForSingleObject  (308, 0, 0x0, ...
 03083   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03077  1168   NtAllocateVirtualMemory  ... 1470464, 4096, ) == 0x0
 03084  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03085  1948   NtWaitForSingleObject  (308, 0, 0x0, ...
 03086   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03087  1500   NtWaitForSingleObject  (308, 0, 0x0, ...
 03088  1592   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03083   500   NtDuplicateObject  ... 1108, ) == 0x0
 03089  1168   NtSetEventBoostPriority  (308, ...
 03084  1736   NtCreateThread  ... 1112, {1636, 1520}, ) == 0x0
 03086   376   NtDuplicateObject  ... 1116, ) == 0x0
 03090   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 03080  1732   NtWaitForSingleObject  ... ) == 0x0
 03089  1168   NtSetEventBoostPriority  ... ) == 0x0
 03091  1736   NtQueryInformationThread  (1112, Basic, 28, ...
 03092   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 03081   928   NtCreateEvent  ... 1120, ) == 0x0
 03088  1592   NtWaitForSingleObject  ... ) == 0x102
 03093  1732   NtSetEventBoostPriority  (308, ...
 03094  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 03091  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=1520,}, 0x0, ) == 0x0
 03095   928   NtWaitForSingleObject  (308, 0, 0x0, ...
 03082   120   NtWaitForSingleObject  ... ) == 0x0
 03093  1732   NtSetEventBoostPriority  ... ) == 0x0
 03096  1592   NtWaitForSingleObject  (128, 0, 0x0, ...
 03097   120   NtSetEventBoostPriority  (308, ...
 03098  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0d\6\0\0\360\5\0\0" ...  ...
 03085  1948   NtWaitForSingleObject  ... ) == 0x0
 03097   120   NtSetEventBoostPriority  ... ) == 0x0
 03099  1948   NtSetEventBoostPriority  (308, ...
 03098  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75607, 0}  ... {28, 56, reply, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0d\6\0\0\360\5\0\0" )  ) == 0x0
 03100  1732   NtWaitForSingleObject  (308, 0, 0x0, ...
 03087  1500   NtWaitForSingleObject  ... ) == 0x0
 03099  1948   NtSetEventBoostPriority  ... ) == 0x0
 03101  1736   NtResumeThread  (1112, ...
 03102  1500   NtSetEventBoostPriority  (308, ...
 03103   120   NtWaitForSingleObject  (308, 0, 0x0, ...
 03092   376   NtWaitForSingleObject  ... ) == 0x0
 03102  1500   NtSetEventBoostPriority  ... ) == 0x0
 03101  1736   NtResumeThread  ... 1, ) == 0x0
 03104   376   NtSetEventBoostPriority  (308, ...
 03105  1948   NtWaitForSingleObject  (328, 0, 0x0, ...
 03106  1520   NtWaitForSingleObject  (308, 0, 0x0, ...
 03090   500   NtWaitForSingleObject  ... ) == 0x0
 03104   376   NtSetEventBoostPriority  ... ) == 0x0
 03107  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03108   500   NtSetEventBoostPriority  (308, ...
 03109  1500   NtSetEventBoostPriority  (328, ...
 03110   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 03094  1168   NtWaitForSingleObject  ... ) == 0x0
 02979  1252   NtWaitForSingleObject  ... ) == 0x0
 03109  1500   NtSetEventBoostPriority  ... ) == 0x0
 03111  1252   NtSetEventBoostPriority  (328, ...
 03112  1168   NtSetEventBoostPriority  (308, ...
 02982  2032   NtWaitForSingleObject  ... ) == 0x0
 03111  1252   NtSetEventBoostPriority  ... ) == 0x0
 03113  1500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03114  2032   NtSetEventBoostPriority  (328, ...
 03095   928   NtWaitForSingleObject  ... ) == 0x0
 03115  1252   NtWaitForSingleObject  (308, 0, 0x0, ...
 02986  1028   NtWaitForSingleObject  ... ) == 0x0
 03113  1500   NtWaitForSingleObject  ... ) == 0x102
 03116   928   NtSetEventBoostPriority  (308, ...
 03114  2032   NtSetEventBoostPriority  ... ) == 0x0
 03112  1168   NtSetEventBoostPriority  ... ) == 0x0
 03108   500   NtSetEventBoostPriority  ... ) == 0x0
 03107  1736   NtAllocateVirtualMemory  ... 107610112, 1048576, ) == 0x0
 03117  1028   NtWaitForSingleObject  (308, 0, 0x0, ...
 03118  1500   NtWaitForSingleObject  (128, 0, 0x0, ...
 03100  1732   NtWaitForSingleObject  ... ) == 0x0
 03116   928   NtSetEventBoostPriority  ... ) == 0x0
 03119  2032   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03120  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 03121   500   NtWaitForSingleObject  (308, 0, 0x0, ...
 03122  1736   NtAllocateVirtualMemory  (-1, 108650496, 0, 8192, 4096, 4, ...
 03123  1732   NtSetEventBoostPriority  (308, ...
 03103   120   NtWaitForSingleObject  ... ) == 0x0
 03124   120   NtSetEventBoostPriority  (308, ...
 03106  1520   NtWaitForSingleObject  ... ) == 0x0
 03125  1520   NtSetEventBoostPriority  (308, ...
 03110   376   NtWaitForSingleObject  ... ) == 0x0
 03126   376   NtSetEventBoostPriority  (308, ...
 03117  1028   NtWaitForSingleObject  ... ) == 0x0
 03127  1028   NtSetEventBoostPriority  (308, ...
 03115  1252   NtWaitForSingleObject  ... ) == 0x0
 03128  1252   NtSetEventBoostPriority  (308, ...
 03120  1168   NtWaitForSingleObject  ... ) == 0x0
 03129  1168   NtSetEventBoostPriority  (308, ...
 03121   500   NtWaitForSingleObject  ... ) == 0x0
 03130   500   NtWaitForSingleObject  (328, 0, 0x0, ...
 03129  1168   NtSetEventBoostPriority  ... ) == 0x0
 03127  1028   NtSetEventBoostPriority  ... ) == 0x0
 03126   376   NtSetEventBoostPriority  ... ) == 0x0
 03125  1520   NtSetEventBoostPriority  ... ) == 0x0
 03124   120   NtSetEventBoostPriority  ... ) == 0x0
 03123  1732   NtSetEventBoostPriority  ... ) == 0x0
 03122  1736   NtAllocateVirtualMemory  ... 108650496, 8192, ) == 0x0
 03128  1252   NtSetEventBoostPriority  ... ) == 0x0
 03131   928   NtAllocateVirtualMemory  (-1, 1474560, 0, 4096, 4096, 4, ...
 03119  2032   NtWaitForSingleObject  ... ) == 0x102
 03132  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 03133   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 03134  1028   NtSetEventBoostPriority  (328, ...
 03135   120   NtWaitForSingleObject  (308, 0, 0x0, ...
 03136  1732   NtSetEventBoostPriority  (128, ...
 03137  1736   NtProtectVirtualMemory  (-1, (0x679e000), 4096, 260, ...
 03138  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 03131   928   NtAllocateVirtualMemory  ... 1474560, 4096, ) == 0x0
 03139  2032   NtWaitForSingleObject  (128, 0, 0x0, ...
 03140  1520   NtTestAlert  (...
 03004  2012   NtWaitForSingleObject  ... ) == 0x0
 03134  1028   NtSetEventBoostPriority  ... ) == 0x0
 03137  1736   NtProtectVirtualMemory  ... (0x679e000), 4096, 4, ) == 0x0
 03138  1252   NtCreateKey  ... 1124, 2, ) == 0x0
 03141   928   NtSetEventBoostPriority  (308, ...
 03142  2012   NtSetEventBoostPriority  (328, ...
 03140  1520   NtTestAlert  ... ) == 0x0
 03143  1028   NtWaitForSingleObject  (452, 0, 0x0, ...
 03144  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01242   428   NtWaitForSingleObject  ... ) == 0x0
 03136  1732   NtSetEventBoostPriority  ... ) == 0x0
 02992   932   NtWaitForSingleObject  ... ) == 0x0
 03142  2012   NtSetEventBoostPriority  ... ) == 0x0
 03132  1168   NtWaitForSingleObject  ... ) == 0x0
 03141   928   NtSetEventBoostPriority  ... ) == 0x0
 03145  1520   NtContinue  (107609392, 1, ...
 03146  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 03147   428   NtWaitForSingleObject  (308, 0, 0x0, ...
 03148   932   NtWaitForSingleObject  (308, 0, 0x0, ...
 03149  1732   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03144  1736   NtCreateThread  ... 1128, {1636, 1396}, ) == 0x0
 03150  1168   NtSetEventBoostPriority  (308, ...
 03151   928   NtWaitForSingleObject  (308, 0, 0x0, ...
 03152  1520   NtRegisterThreadTerminatePort  (24, ...
 03146  1252   NtOpenKey  ... 1132, ) == 0x0
 03149  1732   NtCreateEvent  ... 1136, ) == 0x0
 03133   376   NtWaitForSingleObject  ... ) == 0x0
 03150  1168   NtSetEventBoostPriority  ... ) == 0x0
 03153  1736   NtQueryInformationThread  (1128, Basic, 28, ...
 03152  1520   NtRegisterThreadTerminatePort  ... ) == 0x0
 03154  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 03155   376   NtSetEventBoostPriority  (308, ...
 03156  1732   NtWaitForSingleObject  (308, 0, 0x0, ...
 03157  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 03153  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=1396,}, 0x0, ) == 0x0
 03158  1520   NtWaitForSingleObject  (308, 0, 0x0, ...
 03135   120   NtWaitForSingleObject  ... ) == 0x0
 03154  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03155   376   NtSetEventBoostPriority  ... ) == 0x0
 03159  2012   NtWaitForSingleObject  (452, 0, 0x0, ...
 03160  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0d\6\0\0t\5\0\0" ...  ...
 03161   120   NtAllocateVirtualMemory  (-1, 1478656, 0, 4096, 4096, 4, ...
 03162  1252   NtQueryValueKey  (1124,  (1124, "Hostname", Partial, 144, ... , Partial, 144, ...
 03163   376   NtWaitForSingleObject  (308, 0, 0x0, ...
 03160  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75608, 0}  ... {28, 56, reply, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0d\6\0\0t\5\0\0" )  ) == 0x0
 03161   120   NtAllocateVirtualMemory  ... 1478656, 4096, ) == 0x0
 03162  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 03164   120   NtSetEventBoostPriority  (308, ...
 03165  1736   NtResumeThread  (1128, ...
 03148   932   NtWaitForSingleObject  ... ) == 0x0
 03166   932   NtSetEventBoostPriority  (308, ...
 03147   428   NtWaitForSingleObject  ... ) == 0x0
 03167   428   NtSetEventBoostPriority  (308, ...
 03151   928   NtWaitForSingleObject  ... ) == 0x0
 03168   928   NtSetEventBoostPriority  (308, ...
 03156  1732   NtWaitForSingleObject  ... ) == 0x0
 03169  1732   NtSetEventBoostPriority  (308, ...
 03157  1168   NtWaitForSingleObject  ... ) == 0x0
 03170  1168   NtSetEventBoostPriority  (308, ...
 03163   376   NtWaitForSingleObject  ... ) == 0x0
 03171   376   NtSetEventBoostPriority  (308, ...
 03158  1520   NtWaitForSingleObject  ... ) == 0x0
 03172  1520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1140, ) == 0x0
 03173  1520   NtWaitForSingleObject  (328, 0, 0x0, ...
 03171   376   NtSetEventBoostPriority  ... ) == 0x0
 03169  1732   NtSetEventBoostPriority  ... ) == 0x0
 03168   928   NtSetEventBoostPriority  ... ) == 0x0
 03167   428   NtSetEventBoostPriority  ... ) == 0x0
 03165  1736   NtResumeThread  ... 1, ) == 0x0
 03170  1168   NtSetEventBoostPriority  ... ) == 0x0
 03166   932   NtSetEventBoostPriority  ... ) == 0x0
 03164   120   NtSetEventBoostPriority  ... ) == 0x0
 03174  1252   NtQueryValueKey  (1124,  (1124, "Hostname", Partial, 144, ... , Partial, 144, ...
 03175   376   NtWaitForSingleObject  (328, 0, 0x0, ...
 03176  1396   NtTestAlert  (...
 03177  1732   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ...
 03178   928   NtWaitForSingleObject  (308, 0, 0x0, ...
 03179  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03180  1168   NtWaitForSingleObject  (308, 0, 0x0, ...
 03181   428   NtWaitForSingleObject  (308, 0, 0x0, ...
 03182   932   NtSetEventBoostPriority  (328, ...
 03174  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 03176  1396   NtTestAlert  ... ) == 0x0