Summary:


NtGdiCreateBitmap(>) 
 1 
NtOpenDirectoryObject(>) 
 2 
NtFsControlFile(>) 
 7 
NtQueryAttributesFile(>) 
 39 

NtGdiInit(>) 
 1 
NtOpenProcessToken(>) 
 2 
NtQueryInformationFile(>) 
 7 
NtFlushInstructionCache(>) 
 54 

NtGdiQueryFontAssocInfo(>) 
 1 
NtQueryDefaultUILanguage(>) 
 2 
NtQueryInformationToken(>) 
 7 
NtCreateEvent(>) 
 91 

NtGdiSelectBitmap(>) 
 1 
NtQueryPerformanceCounter(>) 
 2 
NtSetInformationFile(>) 
 7 
NtContinue(>) 
 99 

NtOpenKeyedEvent(>) 
 1 
NtReadFile(>) 
 2 
NtSetInformationThread(>) 
 7 
NtQuerySystemInformation(>) 
 121 

NtOpenSymbolicLinkObject(>) 
 1 
NtSetInformationObject(>) 
 2 
NtUnmapViewOfSection(>) 
 8 
NtOpenKey(>) 
 127 

NtQueryInstallUILanguage(>) 
 1 
NtUserGetObjectInformation(>) 
 2 
NtUserFindExistingCursorIcon(>) 
 9 
NtQueryInformationThread(>) 
 150 

NtQueryObject(>) 
 1 
NtFreeVirtualMemory(>) 
 3 
NtOpenThreadToken(>) 
 10 
NtResumeThread(>) 
 150 

NtQuerySymbolicLinkObject(>) 
 1 
NtGdiCreateCompatibleDC(>) 
 3 
NtQueryInformationProcess(>) 
 10 
NtCreateThread(>) 
 151 

NtQuerySystemTime(>) 
 1 
NtOpenProcessTokenEx(>) 
 3 
NtQueryVirtualMemory(>) 
 10 
NtRequestWaitReplyPort(>) 
 184 

NtRaiseException(>) 
 1 
NtOpenThreadTokenEx(>) 
 3 
NtQuerySection(>) 
 14 
NtTestAlert(>) 
 188 

NtSetInformationProcess(>) 
 1 
NtQueryDefaultLocale(>) 
 3 
NtUserRegisterClassExWOW(>) 
 14 
NtRegisterThreadTerminatePort(>) 
 190 

NtUserCallNoParam(>) 
 1 
NtSecureConnectPort(>) 
 3 
NtSetValueKey(>) 
 16 
NtDuplicateObject(>) 
 200 

NtUserGetProcessWindowStation(>) 
 1 
NtQueryVolumeInformationFile(>) 
 4 
NtCreateKey(>) 
 19 
NtClose(>) 
 211 

NtUserGetThreadDesktop(>) 
 1 
NtWriteFile(>) 
 4 
NtCreateSection(>) 
 22 
NtQueryValueKey(>) 
 249 

NtCallbackReturn(>) 
 2 
NtCreateFile(>) 
 5 
NtOpenSection(>) 
 22 
NtProtectVirtualMemory(>) 
 262 

NtCreateIoCompletion(>) 
 2 
NtCreateMutant(>) 
 5 
NtOpenFile(>) 
 24 
NtAllocateVirtualMemory(>) 
 382 

NtGdiCreateSolidBrush(>) 
 2 
NtGdiGetStockObject(>) 
 5 
NtMapViewOfSection(>) 
 35 
NtSetEventBoostPriority(>) 
 759 

NtNotifyChangeKey(>) 
 2 
NtConnectPort(>) 
 6 
NtDeviceIoControlFile(>) 
 36 
NtWaitForSingleObject(>) 
 1025 


Trace:
 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x409000), 122896, 4, ... (0x409000), 126976, 128, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x409000), 126976, 128, ... (0x409000), 126976, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 4231168, 122896, ... ) == 0x0
 00064  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068  1736   NtClose  (16, ... ) == 0x0
 00069  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071  1736   NtClose  (16, ... ) == 0x0
 00072  1736   NtTestAlert  (... ) == 0x0
 00073  1736   NtContinue  (1244464, 1, ...
 00074  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x420010,}, 4, ... ) == 0x0
 00075  1736   NtQueryVirtualMemory  (-1, 0x402847, Basic, 28, ... {BaseAddress=0x402000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00076  1736   NtContinue  (1244280, 0, ...
 00077  1736   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00078  1736   NtContinue  (1244400, 0, ...
 00079  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00080  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00081  1736   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00082  1736   NtClose  (16, ... ) == 0x0
 00083  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00084  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00085  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00086  1736   NtClose  (16, ... ) == 0x0
 00087  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00088  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00089  1736   NtClose  (16, ... ) == 0x0
 00090  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00091  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00092  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00093  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00094  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00095  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00096  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00097  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00098  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00099  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00100  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00101  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00102  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00103  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00104  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00105  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00106  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00107  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00108  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00110  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00111  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00112  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00113  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00114  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00115  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00116  1736   NtClose  (16, ... ) == 0x0
 00117  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00118  1736   NtClose  (28, ... ) == 0x0
 00119  1736   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00120  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00121  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00122  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00123  1736   NtClose  (28, ... ) == 0x0
 00124  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00125  1736   NtClose  (16, ... ) == 0x0
 00126  1736   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00127  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00128  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00129  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00130  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00131  1736   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00132  1736   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00133  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00134  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00135  1736   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00136  1736   NtClose  (36, ... ) == 0x0
 00137  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00138  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00139  1736   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00140  1736   NtClose  (36, ... ) == 0x0
 00141  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142  1736   NtClose  (32, ... ) == 0x0
 00143  1736   NtClose  (16, ... ) == 0x0
 00144  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00145  1736   NtClose  (28, ... ) == 0x0
 00146  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00147  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00148  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00149  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00150  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00151  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00152  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00153  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00154  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00155  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00156  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00157  1736   NtClose  (28, ... ) == 0x0
 00158  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00159  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00160  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00161  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00162  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00163  1736   NtClose  (28, ... ) == 0x0
 00164  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00165  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00166  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00167  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00168  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00169  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00170  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00171  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00172  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00173  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00174  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00175  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00176  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00177  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00178  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00179  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00180  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00181  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00182  1736   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00183  1736   NtClose  (28, ... ) == 0x0
 00184  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00185  1736   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186  1736   NtClose  (28, ... ) == 0x0
 00187  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00188  1736   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00189  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00191  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00192  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00193  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00195  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00196  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00198  1736   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00199  1736   NtClose  (16, ... ) == 0x0
 00200  1736   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0
 00201  1736   NtClose  (-2147482576, ... ) == 0x0
 00202  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00203  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00204  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00205  1736   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00206  1736   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00207  1736   NtClose  (-2147482576, ... ) == 0x0
 00208  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5505024, 4096, ) == 0x0
 00209  1736   NtFreeVirtualMemory  (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0
 00210  1736   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00211  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00212  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00213  1736   NtClose  (-2147482576, ... ) == 0x0
 00214  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00215  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216  1736   NtClose  (-2147482576, ... ) == 0x0
 00217  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00218  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00219  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00220  1736   NtGdiCreateCompatibleDC  (0, ...
 00221  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0
 00220  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00222  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00223  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00224  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00225  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00226  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00225  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00227  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00228  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00229  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00230  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00231  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00232  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00233  1736   NtClose  (44, ... ) == 0x0
 00234  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00235  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017
 00236  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00237  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c
 00238  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00239  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e
 00240  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00241  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002
 00242  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00243  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018
 00244  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00245  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a
 00246  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00247  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d
 00248  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00249  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026
 00250  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00251  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019
 00252  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020
 00253  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022
 00254  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023
 00255  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024
 00256  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025
 00257  1736   NtCallbackReturn  (0, 0, 0, ...
 00258  1736   NtGdiInit  (... ) == 0x1
 00259  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00260  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00261  1736   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0
 00262  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00265  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00266  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00267  1736   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00268  1736   NtClose  (44, ... ) == 0x0
 00269  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00270  1736   NtClose  (48, ... ) == 0x0
 00271  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00272  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00273  1736   NtClose  (48, ... ) == 0x0
 00274  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00275  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00276  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00277  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00278  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00279  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00280  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00283  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00284  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00285  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00286  1736   NtClose  (48, ... ) == 0x0
 00287  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00288  1736   NtClose  (44, ... ) == 0x0
 00289  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00290  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00291  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00292  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00293  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00294  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00295  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00297  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00298  1736   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00299  1736   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00300  1736   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00301  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00302  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00303  1736   NtClose  (44, ... ) == 0x0
 00304  1736   NtAllocateVirtualMemory  (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0
 00305  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00306  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00307  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00308  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00309  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00312  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00313  1736   NtFreeVirtualMemory  (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0
 00314  1736   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00315  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00316  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00317  1736   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00318  1736   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00319  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0
 00320  1736   NtAllocateVirtualMemory  (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0
 00321  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00322  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00323  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00324  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00325  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00326  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00327  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00328  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00329  1736   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00330  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00331  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00332  1736   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00333  1736   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00334  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00335  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00336  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00337  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00338  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00339  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0U\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0U\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0U\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00340  1736   NtClose  (68, ... ) == 0x0
 00341  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00342  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00343  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00344  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0Z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0Z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0Z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00345  1736   NtClose  (68, ... ) == 0x0
 00346  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00347  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00348  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00349  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0^\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0_\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0^\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0_\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0^\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0_\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00350  1736   NtClose  (68, ... ) == 0x0
 00351  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00352  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00353  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00354  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00355  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0d\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0e\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0d\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0e\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0d\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0e\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00356  1736   NtClose  (68, ... ) == 0x0
 00357  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00358  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00359  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00360  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0i\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0j\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0i\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0j\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0i\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0j\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00361  1736   NtClose  (68, ... ) == 0x0
 00362  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00363  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00364  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00365  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0n\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0o\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0n\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0o\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0n\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0o\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00366  1736   NtClose  (68, ... ) == 0x0
 00367  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00368  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00369  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00370  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0t\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0t\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0t\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00371  1736   NtClose  (68, ... ) == 0x0
 00372  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00373  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00374  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00375  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00376  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0z\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00377  1736   NtClose  (68, ... ) == 0x0
 00378  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00379  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00380  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00381  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\177\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\177\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0~\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\177\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00382  1736   NtClose  (68, ... ) == 0x0
 00383  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00384  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00385  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00386  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\204\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00387  1736   NtClose  (68, ... ) == 0x0
 00388  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00389  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00390  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00391  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\211\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00392  1736   NtClose  (68, ... ) == 0x0
 00393  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00394  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00395  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00396  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\216\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00397  1736   NtClose  (68, ... ) == 0x0
 00398  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00399  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00400  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00401  1736   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00402  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\224\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\224\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\223\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\224\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00403  1736   NtClose  (68, ... ) == 0x0
 00404  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00405  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00406  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00407  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\231\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00408  1736   NtClose  (68, ... ) == 0x0
 00409  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00410  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00411  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00412  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\236\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00413  1736   NtClose  (68, ... ) == 0x0
 00414  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00415  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00416  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00417  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\243\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00418  1736   NtClose  (68, ... ) == 0x0
 00419  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00420  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00421  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00422  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00423  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\251\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\251\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\250\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\251\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00424  1736   NtClose  (68, ... ) == 0x0
 00425  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00426  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00427  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00428  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\255\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\256\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\255\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\256\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\255\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\256\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00429  1736   NtClose  (68, ... ) == 0x0
 00430  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00431  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00432  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00433  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\263\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00434  1736   NtClose  (68, ... ) == 0x0
 00435  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00436  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00437  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00438  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\270\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00439  1736   NtClose  (68, ... ) == 0x0
 00440  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00441  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00442  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00443  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\275\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00444  1736   NtClose  (68, ... ) == 0x0
 00445  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00446  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00447  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00448  1736   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00449  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\302\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\302\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\302\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00450  1736   NtClose  (68, ... ) == 0x0
 00451  1736   NtClose  (64, ... ) == 0x0
 00452  1736   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00453  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00454  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00455  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00456  1736   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00457  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00458  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00459  1736   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00460  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00461  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00462  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00463  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00464  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00465  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00466  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00467  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00468  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00469  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00471  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00472  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00473  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00474  1736   NtClose  (76, ... ) == 0x0
 00475  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00476  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00477  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00478  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00479  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00480  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00481  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00482  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00483  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00484  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00485  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00486  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00487  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00488  1736   NtClose  (76, ... ) == 0x0
 00489  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00490  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00491  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00492  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00493  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00494  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00495  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00496  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00497  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00499  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00500  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00501  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00502  1736   NtClose  (76, ... ) == 0x0
 00503  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00504  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00505  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00506  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00507  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00508  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00509  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00510  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00511  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00512  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00513  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00514  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00515  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00516  1736   NtClose  (76, ... ) == 0x0
 00517  1736   NtClose  (72, ... ) == 0x0
 00518  1736   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00519  1736   NtClose  (52, ... ) == 0x0
 00520  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00521  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00522  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00523  1736   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00524  1736   NtClose  (52, ... ) == 0x0
 00525  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00526  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00527  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00528  1736   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00529  1736   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00530  1736   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00531  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00532  1736   NtQueryInformationFile  (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00533  1736   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00534  1736   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00535  1736   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00536  1736   NtClose  (-2147482576, ... ) == 0x0
 00535  1736   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00537  1736   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00538  1736   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00539  1736   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00540  1736   NtQueryVolumeInformationFile  (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00541  1736   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00542  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00543  1736   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 118784, ) == 0x0
 00544  1736   NtClose  (80, ... ) == 0x0
 00545  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\20\0\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\20\0\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00546  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 53264, 0x0, 0, ... {status=0x0, info=53264}, ) , 53264, 0x0, 0, ... {status=0x0, info=53264}, ) == 0x0
 00547  1736   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 00548  1736   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00549  1736   NtClose  (72, ... ) == 0x0
 00550  1736   NtClose  (76, ... ) == 0x0
 00551  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00552  1736   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00553  1736   NtSetInformationFile  (-2147482448, -139348176, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00554  1736   NtSetInformationFile  (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00555  1736   NtSetInformationFile  (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00552  1736   NtSetValueKey  ... ) == 0x0
 00556  1736   NtClose  (76, ... ) == 0x0
 00557  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00558  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0
 00559  1736   NtAllocateVirtualMemory  (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0
 00560  1736   NtProtectVirtualMemory  (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0
 00561  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 1356}, ) == 0x0
 00562  1736   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 00563  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 00564  1736   NtResumeThread  (72, ... 1, ) == 0x0
 00565  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0
 00566  1736   NtAllocateVirtualMemory  (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0
 00567  1736   NtProtectVirtualMemory  (-1, (0xb8e000), 4096, 260, ...
 00568  1356   NtTestAlert  (... ) == 0x0
 00569  1356   NtContinue  (11074864, 1, ...
 00570  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00571  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00572  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00573  1356   NtAllocateVirtualMemory  (-1, 11063296, 0, 4096, 4096, 260, ...
 00567  1736   NtProtectVirtualMemory  ... (0xb8e000), 4096, 4, ) == 0x0
 00574  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 868}, ) == 0x0
 00575  1736   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 00576  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 00577  1736   NtResumeThread  (84, ... 1, ) == 0x0
 00578  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12124160, 1048576, ) == 0x0
 00573  1356   NtAllocateVirtualMemory  ... 11063296, 4096, ) == 0x0
 00579   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00580  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071988, ... }, 11071988, ...
 00579   868   NtCreateEvent  ... 88, ) == 0x0
 00580  1356   NtQueryAttributesFile  ... ) == 0x0
 00581   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00582  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00583  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00584  1356   NtClose  (92, ... ) == 0x0
 00585  1356   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc90000), 0x0, 245760, ) == 0x0
 00586  1356   NtClose  (96, ...
 00587  1736   NtAllocateVirtualMemory  (-1, 13164544, 0, 8192, 4096, 4, ... 13164544, 8192, ) == 0x0
 00588  1736   NtProtectVirtualMemory  (-1, (0xc8e000), 4096, 260, ... (0xc8e000), 4096, 4, ) == 0x0
 00589  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 808}, ) == 0x0
 00590  1736   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 00591  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 00592  1736   NtResumeThread  (92, ...
 00586  1356   NtClose  ... ) == 0x0
 00592  1736   NtResumeThread  ... 1, ) == 0x0
 00593  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0
 00594  1736   NtAllocateVirtualMemory  (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0
 00595  1736   NtProtectVirtualMemory  (-1, (0xdce000), 4096, 260, ...
 00596   808   NtWaitForSingleObject  (88, 0, 0x0, ...
 00595  1736   NtProtectVirtualMemory  ... (0xdce000), 4096, 4, ) == 0x0
 00597  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 2020}, ) == 0x0
 00598  1736   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 00599  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" ...  ...
 00600  1356   NtUnmapViewOfSection  (-1, 0xc90000, ... ) == 0x0
 00601  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072296, ... ) }, 11072296, ... ) == 0x0
 00602  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00603  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0
 00604  1356   NtQuerySection  (104, Image, 48, ...
 00599  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 00605  1736   NtResumeThread  (96, ... 1, ) == 0x0
 00606  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14483456, 1048576, ) == 0x0
 00607  1736   NtAllocateVirtualMemory  (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0
 00608  1736   NtProtectVirtualMemory  (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0
 00609  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 108, {1636, 896}, ) == 0x0
 00604  1356   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00610  2020   NtWaitForSingleObject  (88, 0, 0x0, ...
 00611  1356   NtClose  (100, ... ) == 0x0
 00612  1356   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00613  1356   NtClose  (104, ... ) == 0x0
 00614  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00615  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00616  1736   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 00617  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 00618  1736   NtResumeThread  (108, ... 1, ) == 0x0
 00619  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0
 00620  1736   NtAllocateVirtualMemory  (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0
 00621  1736   NtProtectVirtualMemory  (-1, (0xfce000), 4096, 260, ...
 00615  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00622   896   NtWaitForSingleObject  (88, 0, 0x0, ...
 00623  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00624  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00625  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00626  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00627  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00628  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00621  1736   NtProtectVirtualMemory  ... (0xfce000), 4096, 4, ) == 0x0
 00629  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1636, 1252}, ) == 0x0
 00630  1736   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 00631  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 00632  1736   NtResumeThread  (104, ... 1, ) == 0x0
 00633  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16580608, 1048576, ) == 0x0
 00628  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00634  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00635  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00636  1736   NtAllocateVirtualMemory  (-1, 17620992, 0, 8192, 4096, 4, ...
 00637  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638  1356   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00639  1356   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00640  1356   NtSetEventBoostPriority  (88, ...
 00581   868   NtWaitForSingleObject  ... ) == 0x0
 00641   868   NtSetEventBoostPriority  (88, ...
 00596   808   NtWaitForSingleObject  ... ) == 0x0
 00642   808   NtSetEventBoostPriority  (88, ...
 00610  2020   NtWaitForSingleObject  ... ) == 0x0
 00643  2020   NtSetEventBoostPriority  (88, ...
 00622   896   NtWaitForSingleObject  ... ) == 0x0
 00644   896   NtSetEventBoostPriority  (88, ...
 00634  1252   NtWaitForSingleObject  ... ) == 0x0
 00645  1252   NtTestAlert  (... ) == 0x0
 00644   896   NtSetEventBoostPriority  ... ) == 0x0
 00643  2020   NtSetEventBoostPriority  ... ) == 0x0
 00642   808   NtSetEventBoostPriority  ... ) == 0x0
 00641   868   NtSetEventBoostPriority  ... ) == 0x0
 00640  1356   NtSetEventBoostPriority  ... ) == 0x0
 00636  1736   NtAllocateVirtualMemory  ... 17620992, 8192, ) == 0x0
 00646  1252   NtContinue  (16579888, 1, ...
 00647   896   NtTestAlert  (...
 00648  2020   NtTestAlert  (...
 00649   808   NtTestAlert  (...
 00650  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00651  1736   NtProtectVirtualMemory  (-1, (0x10ce000), 4096, 260, ...
 00652  1252   NtRegisterThreadTerminatePort  (24, ...
 00647   896   NtTestAlert  ... ) == 0x0
 00648  2020   NtTestAlert  ... ) == 0x0
 00649   808   NtTestAlert  ... ) == 0x0
 00653   868   NtTestAlert  (...
 00651  1736   NtProtectVirtualMemory  ... (0x10ce000), 4096, 4, ) == 0x0
 00652  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 00654   896   NtContinue  (15531312, 1, ...
 00655  2020   NtContinue  (14482736, 1, ...
 00656   808   NtContinue  (13172016, 1, ...
 00653   868   NtTestAlert  ... ) == 0x0
 00657  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00658  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00659   896   NtRegisterThreadTerminatePort  (24, ...
 00660  2020   NtRegisterThreadTerminatePort  (24, ...
 00661   808   NtRegisterThreadTerminatePort  (24, ...
 00662   868   NtContinue  (12123440, 1, ...
 00657  1736   NtCreateThread  ... 100, {1636, 2016}, ) == 0x0
 00658  1252   NtDuplicateObject  ... 112, ) == 0x0
 00659   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 00660  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 00661   808   NtRegisterThreadTerminatePort  ... ) == 0x0
 00663   868   NtRegisterThreadTerminatePort  (24, ...
 00650  1356   NtCreateEvent  ... 116, ) == 0x0
 00664  1252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00665   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00666  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00667   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00663   868   NtRegisterThreadTerminatePort  ... ) == 0x0
 00668  1356   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00669  1736   NtQueryInformationThread  (100, Basic, 28, ...
 00664  1252   NtWaitForSingleObject  ... ) == 0x102
 00665   896   NtDuplicateObject  ... 120, ) == 0x0
 00666  2020   NtDuplicateObject  ... 124, ) == 0x0
 00670   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00668  1356   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 00671  1252   NtAllocateVirtualMemory  (-1, 16568320, 0, 4096, 4096, 260, ...
 00672   896   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00673  2020   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00667   808   NtDuplicateObject  ... 128, ) == 0x0
 00674  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00675  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\340\7\0\0" ...  ...
 00671  1252   NtAllocateVirtualMemory  ... 16568320, 4096, ) == 0x0
 00672   896   NtWaitForSingleObject  ... ) == 0x102
 00673  2020   NtWaitForSingleObject  ... ) == 0x102
 00676   808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00675  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 00677  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00678   896   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00679  2020   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00676   808   NtWaitForSingleObject  ... ) == 0x102
 00680  1736   NtResumeThread  (100, ...
 00678   896   NtCreateEvent  ... 132, ) == 0x0
 00679  2020   NtCreateEvent  ... 136, ) == 0x0
 00681   808   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00670   868   NtDuplicateObject  ... 140, ) == 0x0
 00680  1736   NtResumeThread  ... 1, ) == 0x0
 00682   896   NtWaitForSingleObject  (132, 0, 0x0, ...
 00683  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 00681   808   NtCreateEvent  ... 144, ) == 0x0
 00684   868   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00685  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00686  2020   NtClose  (136, ...
 00684   868   NtWaitForSingleObject  ... ) == 0x102
 00685  1736   NtAllocateVirtualMemory  ... 17629184, 1048576, ) == 0x0
 00686  2020   NtClose  ... ) == 0x0
 00687   868   NtWaitForSingleObject  (132, 0, 0x0, ...
 00688  1736   NtAllocateVirtualMemory  (-1, 18669568, 0, 8192, 4096, 4, ...
 00689  2020   NtWaitForSingleObject  (132, 0, 0x0, ...
 00688  1736   NtAllocateVirtualMemory  ... 18669568, 8192, ) == 0x0
 00690  1736   NtProtectVirtualMemory  (-1, (0x11ce000), 4096, 260, ... (0x11ce000), 4096, 4, ) == 0x0
 00691  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1636, 2012}, ) == 0x0
 00692  1736   NtQueryInformationThread  (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 00693  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0d\6\0\0\334\7\0\0" ...  ...
 00694   808   NtClose  (144, ... ) == 0x0
 00695   808   NtWaitForSingleObject  (132, 0, 0x0, ...
 00693  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 00696  1736   NtResumeThread  (136, ... 1, ) == 0x0
 00697  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18677760, 1048576, ) == 0x0
 00674  1356   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698  2012   NtWaitForSingleObject  (88, 0, 0x0, ...
 00699  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11071908, ... ) }, 11071908, ... ) == 0x0
 00700  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 00701  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 144, ... 148, ) == 0x0
 00702  1356   NtQuerySection  (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00703  1356   NtClose  (144, ... ) == 0x0
 00704  1736   NtAllocateVirtualMemory  (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0
 00705  1736   NtProtectVirtualMemory  (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0
 00706  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1636, 1028}, ) == 0x0
 00707  1736   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 00708  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 00709  1736   NtResumeThread  (144, ...
 00710  1356   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 00711  1356   NtClose  (148, ... ) == 0x0
 00712  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00713  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00714  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 00709  1736   NtResumeThread  ... 1, ) == 0x0
 00715  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0
 00716  1736   NtAllocateVirtualMemory  (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0
 00717  1736   NtProtectVirtualMemory  (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0
 00718  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1636, 384}, ) == 0x0
 00719  1736   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 00720  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\200\1\0\0" ...  ...
 00714  1356   NtFlushInstructionCache  ... ) == 0x0
 00721  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00722  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00723  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00724  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00725  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00726  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00727  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 00720  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 00728  1736   NtResumeThread  (148, ... 1, ) == 0x0
 00729  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0
 00730  1736   NtAllocateVirtualMemory  (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0
 00731  1736   NtProtectVirtualMemory  (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0
 00732  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1636, 1180}, ) == 0x0
 00727  1356   NtFlushInstructionCache  ... ) == 0x0
 00733   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00734  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00735  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00736  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00737  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00738  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00739  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 00740  1736   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 00741  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 00742  1736   NtResumeThread  (152, ... 1, ) == 0x0
 00743  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21823488, 1048576, ) == 0x0
 00744  1736   NtAllocateVirtualMemory  (-1, 22863872, 0, 8192, 4096, 4, ... 22863872, 8192, ) == 0x0
 00745  1736   NtProtectVirtualMemory  (-1, (0x15ce000), 4096, 260, ...
 00739  1356   NtFlushInstructionCache  ... ) == 0x0
 00746  1180   NtWaitForSingleObject  (88, 0, 0x0, ...
 00747  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748  1356   NtSetEventBoostPriority  (88, ...
 00677  1252   NtWaitForSingleObject  ... ) == 0x0
 00749  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 16575440, ... ) }, 16575440, ... ) == 0x0
 00748  1356   NtSetEventBoostPriority  ... ) == 0x0
 00745  1736   NtProtectVirtualMemory  ... (0x15ce000), 4096, 4, ) == 0x0
 00750  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00751  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00752  1252   NtSetEventBoostPriority  (88, ...
 00751  1736   NtCreateThread  ... 156, {1636, 420}, ) == 0x0
 00683  2016   NtWaitForSingleObject  ... ) == 0x0
 00752  1252   NtSetEventBoostPriority  ... ) == 0x0
 00753  2016   NtSetEventBoostPriority  (88, ...
 00754  1736   NtQueryInformationThread  (156, Basic, 28, ...
 00698  2012   NtWaitForSingleObject  ... ) == 0x0
 00753  2016   NtSetEventBoostPriority  ... ) == 0x0
 00755  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00756  2012   NtSetEventBoostPriority  (88, ...
 00754  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 00721  1028   NtWaitForSingleObject  ... ) == 0x0
 00756  2012   NtSetEventBoostPriority  ... ) == 0x0
 00757  1028   NtSetEventBoostPriority  (88, ...
 00758  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\244\1\0\0" ...  ...
 00759  2016   NtTestAlert  (...
 00733   384   NtWaitForSingleObject  ... ) == 0x0
 00757  1028   NtSetEventBoostPriority  ... ) == 0x0
 00760  2012   NtTestAlert  (...
 00761   384   NtSetEventBoostPriority  (88, ...
 00759  2016   NtTestAlert  ... ) == 0x0
 00758  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 00746  1180   NtWaitForSingleObject  ... ) == 0x0
 00761   384   NtSetEventBoostPriority  ... ) == 0x0
 00760  2012   NtTestAlert  ... ) == 0x0
 00762  2016   NtContinue  (17628464, 1, ...
 00763  1180   NtSetEventBoostPriority  (88, ...
 00764  1736   NtResumeThread  (156, ...
 00765  1028   NtTestAlert  (...
 00766  2012   NtContinue  (18677040, 1, ...
 00750  1356   NtWaitForSingleObject  ... ) == 0x0
 00763  1180   NtSetEventBoostPriority  ... ) == 0x0
 00767  2016   NtRegisterThreadTerminatePort  (24, ...
 00764  1736   NtResumeThread  ... 1, ) == 0x0
 00765  1028   NtTestAlert  ... ) == 0x0
 00768  1356   NtSetEventBoostPriority  (88, ...
 00769  2012   NtRegisterThreadTerminatePort  (24, ...
 00770   384   NtTestAlert  (...
 00771   420   NtWaitForSingleObject  (88, 0, 0x0, ...
 00767  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 00772  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00755  1252   NtWaitForSingleObject  ... ) == 0x0
 00773  1028   NtContinue  (19725616, 1, ...
 00769  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00770   384   NtTestAlert  ... ) == 0x0
 00774  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00772  1736   NtAllocateVirtualMemory  ... 22872064, 1048576, ) == 0x0
 00775  1252   NtSetEventBoostPriority  (88, ...
 00776  1028   NtRegisterThreadTerminatePort  (24, ...
 00777  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00778   384   NtContinue  (20774192, 1, ...
 00768  1356   NtSetEventBoostPriority  ... ) == 0x0
 00779  1180   NtTestAlert  (...
 00774  2016   NtDuplicateObject  ... 160, ) == 0x0
 00771   420   NtWaitForSingleObject  ... ) == 0x0
 00775  1252   NtSetEventBoostPriority  ... ) == 0x0
 00776  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00780  1736   NtAllocateVirtualMemory  (-1, 23912448, 0, 8192, 4096, 4, ...
 00781   384   NtRegisterThreadTerminatePort  (24, ...
 00782  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00779  1180   NtTestAlert  ... ) == 0x0
 00783   420   NtSetEventBoostPriority  (88, ...
 00784  2016   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00777  2012   NtDuplicateObject  ... 164, ) == 0x0
 00785  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00780  1736   NtAllocateVirtualMemory  ... 23912448, 8192, ) == 0x0
 00781   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00782  1356   NtWaitForSingleObject  ... ) == 0x0
 00783   420   NtSetEventBoostPriority  ... ) == 0x0
 00786  1180   NtContinue  (21822768, 1, ...
 00784  2016   NtWaitForSingleObject  ... ) == 0x102
 00787  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00788  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00789  1736   NtProtectVirtualMemory  (-1, (0x16ce000), 4096, 260, ...
 00790  1356   NtQuerySystemInformation  (Basic, 44, ...
 00791   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00785  1028   NtDuplicateObject  ... 168, ) == 0x0
 00792  1180   NtRegisterThreadTerminatePort  (24, ...
 00793  2016   NtWaitForSingleObject  (132, 0, 0x0, ...
 00787  2012   NtWaitForSingleObject  ... ) == 0x102
 00788  1252   NtCreateEvent  ... 172, ) == 0x0
 00790  1356   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00789  1736   NtProtectVirtualMemory  ... (0x16ce000), 4096, 4, ) == 0x0
 00794   420   NtTestAlert  (...
 00795  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00792  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 00796  2012   NtWaitForSingleObject  (132, 0, 0x0, ...
 00797  1252   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00791   384   NtDuplicateObject  ... 176, ) == 0x0
 00798  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00794   420   NtTestAlert  ... ) == 0x0
 00795  1028   NtWaitForSingleObject  ... ) == 0x102
 00799  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00797  1252   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00800   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00798  1736   NtCreateThread  ... 180, {1636, 596}, ) == 0x0
 00801   420   NtContinue  (22871344, 1, ...
 00802  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 00803  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00804  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 16575544, ... }, 16575544, ...
 00800   384   NtWaitForSingleObject  ... ) == 0x102
 00799  1180   NtDuplicateObject  ... 184, ) == 0x0
 00805   420   NtRegisterThreadTerminatePort  (24, ...
 00803  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00806   384   NtWaitForSingleObject  (132, 0, 0x0, ...
 00807  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00805   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 00808  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00807  1180   NtWaitForSingleObject  ... ) == 0x102
 00809   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00808  1356   NtOpenKey  ... 188, ) == 0x0
 00810  1180   NtWaitForSingleObject  (132, 0, 0x0, ...
 00811  1736   NtQueryInformationThread  (180, Basic, 28, ...
 00812  1356   NtQueryValueKey  (188,  (188, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00811  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 00812  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0d\6\0\0T\2\0\0" ...  ...
 00809   420   NtDuplicateObject  ... 192, ) == 0x0
 00813  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 00814   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00815  1736   NtResumeThread  (180, ...
 00814   420   NtWaitForSingleObject  ... ) == 0x102
 00816  1356   NtClose  (188, ...
 00817   420   NtWaitForSingleObject  (132, 0, 0x0, ...
 00816  1356   NtClose  ... ) == 0x0
 00818  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 00820  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 00821  1356   NtQuerySystemTime  (... {-2040018474, 29922243}, ) == 0x0
 00822  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 00815  1736   NtResumeThread  ... 1, ) == 0x0
 00823  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23920640, 1048576, ) == 0x0
 00824  1736   NtAllocateVirtualMemory  (-1, 24961024, 0, 8192, 4096, 4, ... 24961024, 8192, ) == 0x0
 00825  1736   NtProtectVirtualMemory  (-1, (0x17ce000), 4096, 260, ... (0x17ce000), 4096, 4, ) == 0x0
 00826  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1636, 376}, ) == 0x0
 00827  1736   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 00828  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\1\0\0" ...  ...
 00829  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 00830   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00804  1252   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00829  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00831  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 16575544, ... }, 16575544, ...
 00832  1356   NtQuerySystemInformation  (Performance, 312, ...
 00831  1252   NtQueryAttributesFile  ... ) == 0x0
 00832  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00833  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 00834  1356   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 00828  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 00834  1356   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00835  1736   NtResumeThread  (204, ...
 00833  1252   NtOpenFile  ... 208, {status=0x0, info=1}, ) == 0x0
 00835  1736   NtResumeThread  ... 1, ) == 0x0
 00836  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ...
 00837  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00836  1252   NtCreateSection  ... 212, ) == 0x0
 00837  1736   NtAllocateVirtualMemory  ... 24969216, 1048576, ) == 0x0
 00838  1252   NtQuerySection  (212, Image, 48, ...
 00839  1356   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 00840   376   NtWaitForSingleObject  (88, 0, 0x0, ...
 00838  1252   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00839  1356   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00841  1252   NtClose  (208, ...
 00842  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00843  1736   NtAllocateVirtualMemory  (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0
 00844  1736   NtProtectVirtualMemory  (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0
 00845  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1636, 1168}, ) == 0x0
 00846  1736   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 00847  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 00848  1736   NtResumeThread  (216, ...
 00841  1252   NtClose  ... ) == 0x0
 00849  1252   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 00850  1252   NtClose  (212, ... ) == 0x0
 00851  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00852  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00853  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00854  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00848  1736   NtResumeThread  ... 1, ) == 0x0
 00855  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26017792, 1048576, ) == 0x0
 00856  1736   NtAllocateVirtualMemory  (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0
 00857  1736   NtProtectVirtualMemory  (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0
 00858  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 120}, ) == 0x0
 00859  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 00860  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0x\0\0\0" ...  ...
 00854  1252   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00861  1168   NtWaitForSingleObject  (88, 0, 0x0, ...
 00862  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00863  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00864  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00865  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00866  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00867  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00860  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 00868  1736   NtResumeThread  (212, ... 1, ) == 0x0
 00869  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27066368, 1048576, ) == 0x0
 00870  1736   NtAllocateVirtualMemory  (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0
 00871  1736   NtProtectVirtualMemory  (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0
 00872  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1636, 928}, ) == 0x0
 00867  1252   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00873   120   NtWaitForSingleObject  (88, 0, 0x0, ...
 00874  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00875  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00876  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00877  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00878  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00879  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00880  1736   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 00881  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 00882  1736   NtResumeThread  (208, ... 1, ) == 0x0
 00883  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0
 00884  1736   NtAllocateVirtualMemory  (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0
 00885  1736   NtProtectVirtualMemory  (-1, (0x1bce000), 4096, 260, ...
 00879  1252   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00886   928   NtWaitForSingleObject  (88, 0, 0x0, ...
 00887  1252   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00888  1252   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00889  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) , 0, ... 220, 2, ) == 0x0
 00891  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 00892  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 00885  1736   NtProtectVirtualMemory  ... (0x1bce000), 4096, 4, ) == 0x0
 00893  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 1732}, ) == 0x0
 00894  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 00895  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 00896  1736   NtResumeThread  (228, ... 1, ) == 0x0
 00897  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0
 00892  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898  1732   NtWaitForSingleObject  (88, 0, 0x0, ...
 00899  1252   NtQueryValueKey  (224,  (224, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900  1252   NtQueryValueKey  (220,  (220, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901  1252   NtQueryValueKey  (224,  (224, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902  1252   NtQueryValueKey  (220,  (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00903  1252   NtQueryValueKey  (224,  (224, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904  1252   NtQueryValueKey  (220,  (220, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ...
 00905  1736   NtAllocateVirtualMemory  (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0
 00906  1736   NtProtectVirtualMemory  (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0
 00907  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1636, 428}, ) == 0x0
 00908  1736   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 00909  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 00910  1736   NtResumeThread  (232, ...
 00904  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911  1252   NtQueryValueKey  (224,  (224, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912  1252   NtQueryValueKey  (220,  (220, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00913  1252   NtQueryValueKey  (224,  (224, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914  1252   NtQueryValueKey  (224,  (224, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00915  1252   NtQueryValueKey  (224,  (224, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916  1252   NtQueryValueKey  (224,  (224, "FilterClusterIp", Partial, 144, ... , Partial, 144, ...
 00910  1736   NtResumeThread  ... 1, ) == 0x0
 00917  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30212096, 1048576, ) == 0x0
 00918  1736   NtAllocateVirtualMemory  (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0
 00919  1736   NtProtectVirtualMemory  (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0
 00920  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 748}, ) == 0x0
 00921  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 00922  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\354\2\0\0" ...  ...
 00916  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   428   NtWaitForSingleObject  (88, 0, 0x0, ...
 00924  1252   NtQueryValueKey  (224,  (224, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925  1252   NtQueryValueKey  (224,  (224, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00926  1252   NtQueryValueKey  (224,  (224, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927  1252   NtQueryValueKey  (224,  (224, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00928  1252   NtQueryValueKey  (224,  (224, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00929  1252   NtQueryValueKey  (220,  (220, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ...
 00922  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 00930  1736   NtResumeThread  (236, ... 1, ) == 0x0
 00931  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0
 00932  1736   NtAllocateVirtualMemory  (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0
 00933  1736   NtProtectVirtualMemory  (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0
 00934  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1636, 1300}, ) == 0x0
 00929  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00935   748   NtWaitForSingleObject  (88, 0, 0x0, ...
 00936  1252   NtQueryValueKey  (224,  (224, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00937  1252   NtQueryValueKey  (224,  (224, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938  1252   NtQueryValueKey  (220,  (220, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939  1252   NtQueryValueKey  (224,  (224, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940  1252   NtQueryValueKey  (220,  (220, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00941  1252   NtQueryValueKey  (224,  (224, "RegisterWanAdapters", Partial, 144, ... , Partial, 144, ...
 00942  1736   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 00943  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 00944  1736   NtResumeThread  (240, ... 1, ) == 0x0
 00945  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0
 00946  1736   NtAllocateVirtualMemory  (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0
 00947  1736   NtProtectVirtualMemory  (-1, (0x1fce000), 4096, 260, ...
 00941  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948  1300   NtWaitForSingleObject  (88, 0, 0x0, ...
 00949  1252   NtQueryValueKey  (220,  (220, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950  1252   NtQueryValueKey  (224,  (224, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951  1252   NtQueryValueKey  (220,  (220, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952  1252   NtQueryValueKey  (224,  (224, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00953  1252   NtQueryValueKey  (220,  (220, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954  1252   NtQueryValueKey  (224,  (224, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ...
 00947  1736   NtProtectVirtualMemory  ... (0x1fce000), 4096, 4, ) == 0x0
 00955  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1636, 1096}, ) == 0x0
 00956  1736   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 00957  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 00958  1736   NtResumeThread  (244, ... 1, ) == 0x0
 00959  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0
 00954  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00960  1096   NtWaitForSingleObject  (88, 0, 0x0, ...
 00961  1252   NtQueryValueKey  (220,  (220, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962  1252   NtQueryValueKey  (224,  (224, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963  1252   NtQueryValueKey  (220,  (220, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964  1252   NtQueryValueKey  (224,  (224, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965  1252   NtQueryValueKey  (224,  (224, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966  1252   NtQueryValueKey  (224,  (224, "DnsTest", Partial, 144, ... , Partial, 144, ...
 00967  1736   NtAllocateVirtualMemory  (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0
 00968  1736   NtProtectVirtualMemory  (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0
 00969  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1636, 252}, ) == 0x0
 00970  1736   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 00971  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 00972  1736   NtResumeThread  (248, ...
 00966  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973  1252   NtQueryValueKey  (224,  (224, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974  1252   NtQueryValueKey  (224,  (224, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975  1252   NtQueryValueKey  (224,  (224, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00976  1252   NtQueryValueKey  (224,  (224, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00977  1252   NtQueryValueKey  (224,  (224, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00978  1252   NtQueryValueKey  (224,  (224, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ...
 00972  1736   NtResumeThread  ... 1, ) == 0x0
 00979  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34406400, 1048576, ) == 0x0
 00980  1736   NtAllocateVirtualMemory  (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0
 00981  1736   NtProtectVirtualMemory  (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0
 00982  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1636, 500}, ) == 0x0
 00983  1736   NtQueryInformationThread  (252, Basic, 28, ...
 00978  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984  1252   NtQueryValueKey  (224,  (224, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985  1252   NtQueryValueKey  (224,  (224, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... }, ...
 00987   252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00983  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 00988  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 00989  1736   NtResumeThread  (252, ... 1, ) == 0x0
 00990  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0
 00991  1736   NtAllocateVirtualMemory  (-1, 36495360, 0, 8192, 4096, 4, ... 36495360, 8192, ) == 0x0
 00992  1736   NtProtectVirtualMemory  (-1, (0x22ce000), 4096, 260, ... (0x22ce000), 4096, 4, ) == 0x0
 00986  1252   NtOpenKey  ... 256, ) == 0x0
 00993   500   NtWaitForSingleObject  (88, 0, 0x0, ...
 00994  1252   NtQueryValueKey  (256,  (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00995  1252   NtClose  (256, ... ) == 0x0
 00996  1252   NtClose  (220, ... ) == 0x0
 00997  1252   NtClose  (224, ... ) == 0x0
 00998  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 00999  1252   NtQueryValueKey  (224,  (224, "DnsQueryTimeouts", Partial, 144, ... , Partial, 144, ...
 01000  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1636, 1132}, ) == 0x0
 01001  1736   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0
 01002  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0l\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75514, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0l\4\0\0" )  ) == 0x0
 01003  1736   NtResumeThread  (220, ... 1, ) == 0x0
 01004  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36503552, 1048576, ) == 0x0
 01005  1736   NtAllocateVirtualMemory  (-1, 37543936, 0, 8192, 4096, 4, ...
 00999  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006  1132   NtWaitForSingleObject  (88, 0, 0x0, ...
 01007  1252   NtQueryValueKey  (224,  (224, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008  1252   NtQueryValueKey  (224,  (224, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009  1252   NtClose  (224, ... ) == 0x0
 01010  1252   NtSetEventBoostPriority  (88, ...
 00830   596   NtWaitForSingleObject  ... ) == 0x0
 01011   596   NtSetEventBoostPriority  (88, ...
 00840   376   NtWaitForSingleObject  ... ) == 0x0
 01012   376   NtSetEventBoostPriority  (88, ...
 00842  1356   NtWaitForSingleObject  ... ) == 0x0
 01013  1356   NtSetEventBoostPriority  (88, ...
 00861  1168   NtWaitForSingleObject  ... ) == 0x0
 01014  1168   NtSetEventBoostPriority  (88, ...
 00873   120   NtWaitForSingleObject  ... ) == 0x0
 01015   120   NtSetEventBoostPriority  (88, ...
 00886   928   NtWaitForSingleObject  ... ) == 0x0
 01016   928   NtSetEventBoostPriority  (88, ...
 00898  1732   NtWaitForSingleObject  ... ) == 0x0
 01017  1732   NtSetEventBoostPriority  (88, ...
 00923   428   NtWaitForSingleObject  ... ) == 0x0
 01018   428   NtSetEventBoostPriority  (88, ...
 00935   748   NtWaitForSingleObject  ... ) == 0x0
 01019   748   NtSetEventBoostPriority  (88, ...
 00948  1300   NtWaitForSingleObject  ... ) == 0x0
 01020  1300   NtSetEventBoostPriority  (88, ...
 00960  1096   NtWaitForSingleObject  ... ) == 0x0
 01021  1096   NtSetEventBoostPriority  (88, ...
 00987   252   NtWaitForSingleObject  ... ) == 0x0
 01022   252   NtSetEventBoostPriority  (88, ...
 00993   500   NtWaitForSingleObject  ... ) == 0x0
 01023   500   NtSetEventBoostPriority  (88, ...
 01006  1132   NtWaitForSingleObject  ... ) == 0x0
 01024  1132   NtAllocateVirtualMemory  (-1, 8867840, 0, 4096, 4096, 4, ... 8867840, 4096, ) == 0x0
 01023   500   NtSetEventBoostPriority  ... ) == 0x0
 01022   252   NtSetEventBoostPriority  ... ) == 0x0
 01021  1096   NtSetEventBoostPriority  ... ) == 0x0
 01020  1300   NtSetEventBoostPriority  ... ) == 0x0
 01019   748   NtSetEventBoostPriority  ... ) == 0x0
 01018   428   NtSetEventBoostPriority  ... ) == 0x0
 01017  1732   NtSetEventBoostPriority  ... ) == 0x0
 01016   928   NtSetEventBoostPriority  ... ) == 0x0
 01015   120   NtSetEventBoostPriority  ... ) == 0x0
 01014  1168   NtSetEventBoostPriority  ... ) == 0x0
 01013  1356   NtSetEventBoostPriority  ... ) == 0x0
 01012   376   NtSetEventBoostPriority  ... ) == 0x0
 01011   596   NtSetEventBoostPriority  ... ) == 0x0
 01010  1252   NtSetEventBoostPriority  ... ) == 0x0
 01005  1736   NtAllocateVirtualMemory  ... 37543936, 8192, ) == 0x0
 01025  1132   NtTestAlert  (...
 01026   500   NtTestAlert  (...
 01027   252   NtTestAlert  (...
 01028  1096   NtTestAlert  (...
 01029  1300   NtTestAlert  (...
 01030   748   NtTestAlert  (...
 01031   428   NtTestAlert  (...
 01032  1732   NtTestAlert  (...
 01033   928   NtTestAlert  (...
 01034   120   NtTestAlert  (...
 01035  1168   NtTestAlert  (...
 01036  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01037   376   NtTestAlert  (...
 01038  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01039  1736   NtProtectVirtualMemory  (-1, (0x23ce000), 4096, 260, ...
 01025  1132   NtTestAlert  ... ) == 0x0
 01026   500   NtTestAlert  ... ) == 0x0
 01027   252   NtTestAlert  ... ) == 0x0
 01028  1096   NtTestAlert  ... ) == 0x0
 01029  1300   NtTestAlert  ... ) == 0x0
 01030   748   NtTestAlert  ... ) == 0x0
 01031   428   NtTestAlert  ... ) == 0x0
 01032  1732   NtTestAlert  ... ) == 0x0
 01033   928   NtTestAlert  ... ) == 0x0
 01034   120   NtTestAlert  ... ) == 0x0
 01035  1168   NtTestAlert  ... ) == 0x0
 01036  1356   NtCreateEvent  ... 224, ) == 0x0
 01037   376   NtTestAlert  ... ) == 0x0
 01038  1252   NtCreateEvent  ... 256, ) == 0x0
 01039  1736   NtProtectVirtualMemory  ... (0x23ce000), 4096, 4, ) == 0x0
 01040  1132   NtContinue  (36502832, 1, ...
 01041   500   NtContinue  (35454256, 1, ...
 01042   252   NtContinue  (34405680, 1, ...
 01043  1096   NtContinue  (33357104, 1, ...
 01044  1300   NtContinue  (32308528, 1, ...
 01045   748   NtContinue  (31259952, 1, ...
 01046   428   NtContinue  (30211376, 1, ...
 01047  1732   NtContinue  (29162800, 1, ...
 01048   928   NtContinue  (28114224, 1, ...
 01049   120   NtContinue  (27065648, 1, ...
 01050  1168   NtContinue  (26017072, 1, ...
 01051  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01052   376   NtContinue  (24968496, 1, ...
 01053  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01054  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01055  1132   NtRegisterThreadTerminatePort  (24, ...
 01056   500   NtRegisterThreadTerminatePort  (24, ...
 01057   252   NtRegisterThreadTerminatePort  (24, ...
 01058  1096   NtRegisterThreadTerminatePort  (24, ...
 01059  1300   NtRegisterThreadTerminatePort  (24, ...
 01060   748   NtRegisterThreadTerminatePort  (24, ...
 01061   428   NtRegisterThreadTerminatePort  (24, ...
 01062  1732   NtRegisterThreadTerminatePort  (24, ...
 01063   928   NtRegisterThreadTerminatePort  (24, ...
 01064   120   NtRegisterThreadTerminatePort  (24, ...
 01065  1168   NtRegisterThreadTerminatePort  (24, ...
 01051  1356   NtDuplicateObject  ... 260, ) == 0x0
 01066   376   NtRegisterThreadTerminatePort  (24, ...
 01067   596   NtTestAlert  (...
 01054  1736   NtCreateThread  ... 264, {1636, 1024}, ) == 0x0
 01055  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 01056   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01057   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01058  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01059  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01060   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01061   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 01062  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01063   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01064   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 01065  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 01068  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01066   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01067   596   NtTestAlert  ... ) == 0x0
 01069  1736   NtQueryInformationThread  (264, Basic, 28, ...
 01070  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01071   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01072   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01073  1096   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01074  1300   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01075   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01076   428   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01077  1732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01078   928   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01079   120   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01080  1168   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01081   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01082   596   NtContinue  (23919920, 1, ...
 01068  1356   NtOpenKey  ... 268, ) == 0x0
 01053  1252   NtDuplicateObject  ... 272, ) == 0x0
 01069  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=1024,}, 0x0, ) == 0x0
 01070  1132   NtDuplicateObject  ... 276, ) == 0x0
 01071   500   NtDuplicateObject  ... 280, ) == 0x0
 01072   252   NtDuplicateObject  ... 284, ) == 0x0
 01073  1096   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01074  1300   NtCreateEvent  ... 288, ) == 0x0
 01075   748   NtCreateEvent  ... 292, ) == 0x0
 01076   428   NtCreateEvent  ... 296, ) == 0x0
 01077  1732   NtCreateEvent  ... 300, ) == 0x0
 01078   928   NtCreateEvent  ... 304, ) == 0x0
 01079   120   NtCreateEvent  ... 308, ) == 0x0
 01080  1168   NtCreateEvent  ... 312, ) == 0x0
 01083   596   NtRegisterThreadTerminatePort  (24, ...
 01084  1356   NtQueryValueKey  (268,  (268, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01085  1252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01086  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0d\6\0\0\0\4\0\0" ...  ...
 01087  1132   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01088   500   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01089   252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01090  1096   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01091  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01092   748   NtClose  (292, ...
 01093   428   NtClose  (296, ...
 01094  1732   NtClose  (300, ...
 01095   928   NtClose  (304, ...
 01096   120   NtClose  (308, ...
 01097  1168   NtClose  (312, ...
 01083   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01084  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01085  1252   NtCreateEvent  ... 316, ) == 0x0
 01086  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75515, 0}  ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0d\6\0\0\0\4\0\0" )  ) == 0x0
 01087  1132   NtCreateEvent  ... 320, ) == 0x0
 01088   500   NtCreateEvent  ... 324, ) == 0x0
 01089   252   NtCreateEvent  ... 328, ) == 0x0
 01090  1096   NtCreateEvent  ... 332, ) == 0x0
 01092   748   NtClose  ... ) == 0x0
 01093   428   NtClose  ... ) == 0x0
 01094  1732   NtClose  ... ) == 0x0
 01095   928   NtClose  ... ) == 0x0
 01096   120   NtClose  ... ) == 0x0
 01097  1168   NtClose  ... ) == 0x0
 01098   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01099  1356   NtClose  (268, ...
 01100  1252   NtClose  (316, ...
 01101  1736   NtResumeThread  (264, ...
 01102  1132   NtClose  (320, ...
 01103   500   NtClose  (324, ...
 01104   252   NtClose  (328, ...
 01105  1096   NtClose  (332, ...
 01106   748   NtWaitForSingleObject  (288, 0, 0x0, ...
 01107   428   NtWaitForSingleObject  (288, 0, 0x0, ...
 01108  1732   NtWaitForSingleObject  (288, 0, 0x0, ...
 01109   928   NtWaitForSingleObject  (288, 0, 0x0, ...
 01110   120   NtWaitForSingleObject  (288, 0, 0x0, ...
 01111  1168   NtWaitForSingleObject  (288, 0, 0x0, ...
 01081   376   NtCreateEvent  ... 312, ) == 0x0
 01099  1356   NtClose  ... ) == 0x0
 01100  1252   NtClose  ... ) == 0x0
 01101  1736   NtResumeThread  ... 1, ) == 0x0
 01102  1132   NtClose  ... ) == 0x0
 01103   500   NtClose  ... ) == 0x0
 01104   252   NtClose  ... ) == 0x0
 01105  1096   NtClose  ... ) == 0x0
 01112   376   NtClose  (312, ...
 01113  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01114  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01115  1024   NtTestAlert  (...
 01116  1132   NtWaitForSingleObject  (288, 0, 0x0, ...
 01117   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01118   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01119  1096   NtSetEventBoostPriority  (288, ...
 01112   376   NtClose  ... ) == 0x0
 01120  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01115  1024   NtTestAlert  ... ) == 0x0
 01121   376   NtWaitForSingleObject  (288, 0, 0x0, ...
 01120  1736   NtAllocateVirtualMemory  ... 37552128, 1048576, ) == 0x0
 01122  1024   NtContinue  (37551408, 1, ...
 01123  1736   NtAllocateVirtualMemory  (-1, 38592512, 0, 8192, 4096, 4, ...
 01124  1024   NtRegisterThreadTerminatePort  (24, ...
 01123  1736   NtAllocateVirtualMemory  ... 38592512, 8192, ) == 0x0
 01124  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01125  1736   NtProtectVirtualMemory  (-1, (0x24ce000), 4096, 260, ...
 01091  1300   NtWaitForSingleObject  ... ) == 0x0
 01119  1096   NtSetEventBoostPriority  ... ) == 0x0
 01125  1736   NtProtectVirtualMemory  ... (0x24ce000), 4096, 4, ) == 0x0
 01126  1300   NtSetEventBoostPriority  (288, ...
 01127  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01128  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01106   748   NtWaitForSingleObject  ... ) == 0x0
 01126  1300   NtSetEventBoostPriority  ... ) == 0x0
 01127  1096   NtDuplicateObject  ... 312, ) == 0x0
 01129   748   NtSetEventBoostPriority  (288, ...
 01130  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01107   428   NtWaitForSingleObject  ... ) == 0x0
 01129   748   NtSetEventBoostPriority  ... ) == 0x0
 01131  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01132   428   NtSetEventBoostPriority  (288, ...
 01130  1736   NtCreateThread  ... 332, {1636, 948}, ) == 0x0
 01133  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01108  1732   NtWaitForSingleObject  ... ) == 0x0
 01132   428   NtSetEventBoostPriority  ... ) == 0x0
 01134  1736   NtQueryInformationThread  (332, Basic, 28, ...
 01135  1732   NtSetEventBoostPriority  (288, ...
 01133  1300   NtDuplicateObject  ... 328, ) == 0x0
 01136   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01109   928   NtWaitForSingleObject  ... ) == 0x0
 01135  1732   NtSetEventBoostPriority  ... ) == 0x0
 01134  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=948,}, 0x0, ) == 0x0
 01137  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01138   928   NtSetEventBoostPriority  (288, ...
 01136   748   NtDuplicateObject  ... 324, ) == 0x0
 01139   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01140  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0\264\3\0\0" ...  ...
 01110   120   NtWaitForSingleObject  ... ) == 0x0
 01138   928   NtSetEventBoostPriority  ... ) == 0x0
 01141   748   NtWaitForSingleObject  (288, 0, 0x0, ...
 01139   428   NtDuplicateObject  ... 320, ) == 0x0
 01142   120   NtSetEventBoostPriority  (288, ...
 01140  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75516, 0}  ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0d\6\0\0\264\3\0\0" )  ) == 0x0
 01143  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01111  1168   NtWaitForSingleObject  ... ) == 0x0
 01142   120   NtSetEventBoostPriority  ... ) == 0x0
 01144   428   NtWaitForSingleObject  (288, 0, 0x0, ...
 01145  1736   NtResumeThread  (332, ...
 01146  1168   NtSetEventBoostPriority  (288, ...
 01143  1732   NtDuplicateObject  ... 316, ) == 0x0
 01147   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01098   596   NtWaitForSingleObject  ... ) == 0x0
 01146  1168   NtSetEventBoostPriority  ... ) == 0x0
 01145  1736   NtResumeThread  ... 1, ) == 0x0
 01148  1732   NtWaitForSingleObject  (288, 0, 0x0, ...
 01149   596   NtSetEventBoostPriority  (288, ...
 01147   928   NtDuplicateObject  ... 268, ) == 0x0
 01150   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01151   948   NtTestAlert  (...
 01152  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01113  1356   NtWaitForSingleObject  ... ) == 0x0
 01153   928   NtWaitForSingleObject  (288, 0, 0x0, ...
 01150   120   NtDuplicateObject  ... 308, ) == 0x0
 01151   948   NtTestAlert  ... ) == 0x0
 01152  1736   NtAllocateVirtualMemory  ... 38600704, 1048576, ) == 0x0
 01154  1356   NtSetEventBoostPriority  (288, ...
 01155   120   NtWaitForSingleObject  (288, 0, 0x0, ...
 01156   948   NtContinue  (38599984, 1, ...
 01157  1736   NtAllocateVirtualMemory  (-1, 39641088, 0, 8192, 4096, 4, ...
 01114  1252   NtWaitForSingleObject  ... ) == 0x0
 01158   948   NtRegisterThreadTerminatePort  (24, ...
 01154  1356   NtSetEventBoostPriority  ... ) == 0x0
 01149   596   NtSetEventBoostPriority  ... ) == 0x0
 01159  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01160  1252   NtSetEventBoostPriority  (288, ...
 01158   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01161  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01162   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01159  1168   NtDuplicateObject  ... 304, ) == 0x0
 01116  1132   NtWaitForSingleObject  ... ) == 0x0
 01160  1252   NtSetEventBoostPriority  ... ) == 0x0
 01157  1736   NtAllocateVirtualMemory  ... 39641088, 8192, ) == 0x0
 01161  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01162   596   NtDuplicateObject  ... 300, ) == 0x0
 01163  1168   NtWaitForSingleObject  (288, 0, 0x0, ...
 01164  1132   NtSetEventBoostPriority  (288, ...
 01165  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01166  1736   NtProtectVirtualMemory  (-1, (0x25ce000), 4096, 260, ...
 01167   948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01168  1356   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01117   500   NtWaitForSingleObject  ... ) == 0x0
 01166  1736   NtProtectVirtualMemory  ... (0x25ce000), 4096, 4, ) == 0x0
 01168  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01169   500   NtSetEventBoostPriority  (288, ...
 01170  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01171  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01118   252   NtWaitForSingleObject  ... ) == 0x0
 01170  1736   NtCreateThread  ... 296, {1636, 1064}, ) == 0x0
 01172   252   NtSetEventBoostPriority  (288, ...
 01173  1736   NtQueryInformationThread  (296, Basic, 28, ...
 01121   376   NtWaitForSingleObject  ... ) == 0x0
 01172   252   NtSetEventBoostPriority  ... ) == 0x0
 01169   500   NtSetEventBoostPriority  ... ) == 0x0
 01164  1132   NtSetEventBoostPriority  ... ) == 0x0
 01174   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01175   376   NtSetEventBoostPriority  (288, ...
 01176   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01177   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01178  1132   NtWaitForSingleObject  (288, 0, 0x0, ...
 01128  1024   NtWaitForSingleObject  ... ) == 0x0
 01175   376   NtSetEventBoostPriority  ... ) == 0x0
 01179  1024   NtSetEventBoostPriority  (288, ...
 01173  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0
 01131  1096   NtWaitForSingleObject  ... ) == 0x0
 01179  1024   NtSetEventBoostPriority  ... ) == 0x0
 01180  1096   NtSetEventBoostPriority  (288, ...
 01181  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0d\6\0\0(\4\0\0" ...  ...
 01137  1300   NtWaitForSingleObject  ... ) == 0x0
 01180  1096   NtSetEventBoostPriority  ... ) == 0x0
 01182  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01183  1300   NtSetEventBoostPriority  (288, ...
 01181  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75517, 0}  ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0d\6\0\0(\4\0\0" )  ) == 0x0
 01184   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01185  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01141   748   NtWaitForSingleObject  ... ) == 0x0
 01183  1300   NtSetEventBoostPriority  ... ) == 0x0
 01186  1736   NtResumeThread  (296, ...
 01184   376   NtDuplicateObject  ... 292, ) == 0x0
 01187   748   NtSetEventBoostPriority  (288, ...
 01182  1024   NtDuplicateObject  ... 336, ) == 0x0
 01186  1736   NtResumeThread  ... 1, ) == 0x0
 01144   428   NtWaitForSingleObject  ... ) == 0x0
 01187   748   NtSetEventBoostPriority  ... ) == 0x0
 01188   376   NtWaitForSingleObject  (288, 0, 0x0, ...
 01189  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01190  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01191  1064   NtTestAlert  (...
 01192   428   NtSetEventBoostPriority  (288, ...
 01193  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01148  1732   NtWaitForSingleObject  ... ) == 0x0
 01192   428   NtSetEventBoostPriority  ... ) == 0x0
 01191  1064   NtTestAlert  ... ) == 0x0
 01194  1732   NtSetEventBoostPriority  (288, ...
 01193  1736   NtAllocateVirtualMemory  ... 39649280, 1048576, ) == 0x0
 01195   748   NtWaitForSingleObject  (288, 0, 0x0, ...
 01153   928   NtWaitForSingleObject  ... ) == 0x0
 01194  1732   NtSetEventBoostPriority  ... ) == 0x0
 01196  1064   NtContinue  (39648560, 1, ...
 01197  1736   NtAllocateVirtualMemory  (-1, 40689664, 0, 8192, 4096, 4, ...
 01198   928   NtSetEventBoostPriority  (288, ...
 01199   428   NtWaitForSingleObject  (288, 0, 0x0, ...
 01200  1064   NtRegisterThreadTerminatePort  (24, ...
 01155   120   NtWaitForSingleObject  ... ) == 0x0
 01198   928   NtSetEventBoostPriority  ... ) == 0x0
 01197  1736   NtAllocateVirtualMemory  ... 40689664, 8192, ) == 0x0
 01201   120   NtSetEventBoostPriority  (288, ...
 01200  1064   NtRegisterThreadTerminatePort  ... ) == 0x0
 01202  1732   NtWaitForSingleObject  (288, 0, 0x0, ...
 01163  1168   NtWaitForSingleObject  ... ) == 0x0
 01201   120   NtSetEventBoostPriority  ... ) == 0x0
 01203  1736   NtProtectVirtualMemory  (-1, (0x26ce000), 4096, 260, ...
 01204   928   NtWaitForSingleObject  (288, 0, 0x0, ...
 01205  1168   NtSetEventBoostPriority  (288, ...
 01206  1064   NtWaitForSingleObject  (288, 0, 0x0, ...
 01203  1736   NtProtectVirtualMemory  ... (0x26ce000), 4096, 4, ) == 0x0
 01165  1252   NtWaitForSingleObject  ... ) == 0x0
 01205  1168   NtSetEventBoostPriority  ... ) == 0x0
 01207   120   NtWaitForSingleObject  (288, 0, 0x0, ...
 01208  1252   NtSetEventBoostPriority  (288, ...
 01209  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01167   948   NtWaitForSingleObject  ... ) == 0x0
 01208  1252   NtSetEventBoostPriority  ... ) == 0x0
 01210   948   NtSetEventBoostPriority  (288, ...
 01209  1736   NtCreateThread  ... 340, {1636, 1384}, ) == 0x0
 01211  1168   NtWaitForSingleObject  (288, 0, 0x0, ...
 01171  1356   NtWaitForSingleObject  ... ) == 0x0
 01210   948   NtSetEventBoostPriority  ... ) == 0x0
 01212  1736   NtQueryInformationThread  (340, Basic, 28, ...
 01213  1356   NtSetEventBoostPriority  (288, ...
 01214   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01174   596   NtWaitForSingleObject  ... ) == 0x0
 01213  1356   NtSetEventBoostPriority  ... ) == 0x0
 01212  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0
 01215  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01216   596   NtSetEventBoostPriority  (288, ...
 01214   948   NtDuplicateObject  ... 344, ) == 0x0
 01217  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0d\6\0\0h\5\0\0" ...  ...
 01176   252   NtWaitForSingleObject  ... ) == 0x0
 01216   596   NtSetEventBoostPriority  ... ) == 0x0
 01218   948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01219   252   NtSetEventBoostPriority  (288, ...
 01220   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01177   500   NtWaitForSingleObject  ... ) == 0x0
 01219   252   NtSetEventBoostPriority  ... ) == 0x0
 01221  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01217  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75518, 0}  ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0d\6\0\0h\5\0\0" )  ) == 0x0
 01222   500   NtSetEventBoostPriority  (288, ...
 01178  1132   NtWaitForSingleObject  ... ) == 0x0
 01223  1132   NtSetEventBoostPriority  (288, ...
 01185  1096   NtWaitForSingleObject  ... ) == 0x0
 01224  1096   NtSetEventBoostPriority  (288, ...
 01188   376   NtWaitForSingleObject  ... ) == 0x0
 01225   376   NtSetEventBoostPriority  (288, ...
 01189  1024   NtWaitForSingleObject  ... ) == 0x0
 01226  1024   NtSetEventBoostPriority  (288, ...
 01190  1300   NtWaitForSingleObject  ... ) == 0x0
 01227  1300   NtSetEventBoostPriority  (288, ...
 01195   748   NtWaitForSingleObject  ... ) == 0x0
 01228   748   NtSetEventBoostPriority  (288, ...
 01199   428   NtWaitForSingleObject  ... ) == 0x0
 01229   428   NtSetEventBoostPriority  (288, ...
 01202  1732   NtWaitForSingleObject  ... ) == 0x0
 01230  1732   NtSetEventBoostPriority  (288, ...
 01204   928   NtWaitForSingleObject  ... ) == 0x0
 01231   928   NtSetEventBoostPriority  (288, ...
 01206  1064   NtWaitForSingleObject  ... ) == 0x0
 01232  1064   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01233  1064   NtSetEventBoostPriority  (288, ...
 01231   928   NtSetEventBoostPriority  ... ) == 0x0
 01230  1732   NtSetEventBoostPriority  ... ) == 0x0
 01229   428   NtSetEventBoostPriority  ... ) == 0x0
 01228   748   NtSetEventBoostPriority  ... ) == 0x0
 01227  1300   NtSetEventBoostPriority  ... ) == 0x0
 01226  1024   NtSetEventBoostPriority  ... ) == 0x0
 01225   376   NtSetEventBoostPriority  ... ) == 0x0
 01224  1096   NtSetEventBoostPriority  ... ) == 0x0
 01223  1132   NtSetEventBoostPriority  ... ) == 0x0
 01222   500   NtSetEventBoostPriority  ... ) == 0x0
 01234  1736   NtResumeThread  (340, ...
 01235   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01236   928   NtWaitForSingleObject  (288, 0, 0x0, ...
 01237  1732   NtWaitForSingleObject  (288, 0, 0x0, ...
 01238   428   NtWaitForSingleObject  (288, 0, 0x0, ...
 01239   748   NtWaitForSingleObject  (288, 0, 0x0, ...
 01240  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01207   120   NtWaitForSingleObject  ... ) == 0x0
 01233  1064   NtSetEventBoostPriority  ... ) == 0x0
 01241  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01242  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01243   376   NtWaitForSingleObject  (288, 0, 0x0, ...
 01244  1132   NtWaitForSingleObject  (288, 0, 0x0, ...
 01234  1736   NtResumeThread  ... 1, ) == 0x0
 01245   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01246  1384   NtTestAlert  (...
 01247   120   NtSetEventBoostPriority  (288, ...
 01248  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01249  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01246  1384   NtTestAlert  ... ) == 0x0
 01211  1168   NtWaitForSingleObject  ... ) == 0x0
 01247   120   NtSetEventBoostPriority  ... ) == 0x0
 01248  1064   NtDuplicateObject  ... 348, ) == 0x0
 01249  1736   NtAllocateVirtualMemory  ... 40697856, 1048576, ) == 0x0
 01250  1168   NtSetEventBoostPriority  (288, ...
 01251  1384   NtContinue  (40697136, 1, ...
 01252   120   NtWaitForSingleObject  (288, 0, 0x0, ...
 01253  1064   NtWaitForSingleObject  (288, 0, 0x0, ...
 01215  1252   NtWaitForSingleObject  ... ) == 0x0
 01250  1168   NtSetEventBoostPriority  ... ) == 0x0
 01254  1736   NtAllocateVirtualMemory  (-1, 41738240, 0, 8192, 4096, 4, ...
 01255  1384   NtRegisterThreadTerminatePort  (24, ...
 01256  1252   NtSetEventBoostPriority  (288, ...
 01257  1168   NtWaitForSingleObject  (288, 0, 0x0, ...
 01218   948   NtWaitForSingleObject  ... ) == 0x0
 01256  1252   NtSetEventBoostPriority  ... ) == 0x0
 01255  1384   NtRegisterThreadTerminatePort  ... ) == 0x0
 01254  1736   NtAllocateVirtualMemory  ... 41738240, 8192, ) == 0x0
 01258   948   NtSetEventBoostPriority  (288, ...
 01259  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01220   596   NtWaitForSingleObject  ... ) == 0x0
 01258   948   NtSetEventBoostPriority  ... ) == 0x0
 01260  1736   NtProtectVirtualMemory  (-1, (0x27ce000), 4096, 260, ...
 01261  1384   NtWaitForSingleObject  (288, 0, 0x0, ...
 01262   596   NtSetEventBoostPriority  (288, ...
 01260  1736   NtProtectVirtualMemory  ... (0x27ce000), 4096, 4, ) == 0x0
 01221  1356   NtWaitForSingleObject  ... ) == 0x0
 01263  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01264  1356   NtSetEventBoostPriority  (288, ...
 01263  1736   NtCreateThread  ... 352, {1636, 188}, ) == 0x0
 01235   252   NtWaitForSingleObject  ... ) == 0x0
 01264  1356   NtSetEventBoostPriority  ... ) == 0x0
 01265   252   NtSetEventBoostPriority  (288, ...
 01266  1736   NtQueryInformationThread  (352, Basic, 28, ...
 01236   928   NtWaitForSingleObject  ... ) == 0x0
 01265   252   NtSetEventBoostPriority  ... ) == 0x0
 01267  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01262   596   NtSetEventBoostPriority  ... ) == 0x0
 01268   948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01269   928   NtSetEventBoostPriority  (288, ...
 01270   252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01266  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=188,}, 0x0, ) == 0x0
 01271   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01237  1732   NtWaitForSingleObject  ... ) == 0x0
 01269   928   NtSetEventBoostPriority  ... ) == 0x0
 01272  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0\274\0\0\0" ...  ...
 01273  1732   NtSetEventBoostPriority  (288, ...
 01274   928   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01272  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75519, 0}  ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0d\6\0\0\274\0\0\0" )  ) == 0x0
 01238   428   NtWaitForSingleObject  ... ) == 0x0
 01274   928   NtCreateEvent  ... 356, ) == 0x0
 01275  1736   NtResumeThread  (352, ...
 01276   428   NtSetEventBoostPriority  (288, ...
 01273  1732   NtSetEventBoostPriority  ... ) == 0x0
 01270   252   NtCreateEvent  ... 360, ) == 0x0
 01275  1736   NtResumeThread  ... 1, ) == 0x0
 01239   748   NtWaitForSingleObject  ... ) == 0x0
 01277  1732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01278   252   NtWaitForSingleObject  (360, 0, 0x0, ...
 01276   428   NtSetEventBoostPriority  ... ) == 0x0
 01279   928   NtClose  (356, ...
 01280   188   NtTestAlert  (...
 01281   748   NtSetEventBoostPriority  (288, ...
 01277  1732   NtCreateEvent  ... 364, ) == 0x0
 01282   428   NtWaitForSingleObject  (360, 0, 0x0, ...
 01279   928   NtClose  ... ) == 0x0
 01280   188   NtTestAlert  ... ) == 0x0
 01241  1024   NtWaitForSingleObject  ... ) == 0x0
 01281   748   NtSetEventBoostPriority  ... ) == 0x0
 01283  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01284   928   NtWaitForSingleObject  (360, 0, 0x0, ...
 01285   188   NtContinue  (41745712, 1, ...
 01286  1024   NtSetEventBoostPriority  (288, ...
 01287   748   NtWaitForSingleObject  (288, 0, 0x0, ...
 01283  1736   NtAllocateVirtualMemory  ... 41746432, 1048576, ) == 0x0
 01288   188   NtRegisterThreadTerminatePort  (24, ...
 01240  1300   NtWaitForSingleObject  ... ) == 0x0
 01286  1024   NtSetEventBoostPriority  ... ) == 0x0
 01289  1736   NtAllocateVirtualMemory  (-1, 42786816, 0, 8192, 4096, 4, ...
 01290  1300   NtSetEventBoostPriority  (288, ...
 01288   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 01291  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01243   376   NtWaitForSingleObject  ... ) == 0x0
 01289  1736   NtAllocateVirtualMemory  ... 42786816, 8192, ) == 0x0
 01290  1300   NtSetEventBoostPriority  ... ) == 0x0
 01292  1732   NtClose  (364, ...
 01293   188   NtWaitForSingleObject  (288, 0, 0x0, ...
 01294   376   NtSetEventBoostPriority  (288, ...
 01295  1736   NtProtectVirtualMemory  (-1, (0x28ce000), 4096, 260, ...
 01296  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01292  1732   NtClose  ... ) == 0x0
 01244  1132   NtWaitForSingleObject  ... ) == 0x0
 01294   376   NtSetEventBoostPriority  ... ) == 0x0
 01295  1736   NtProtectVirtualMemory  ... (0x28ce000), 4096, 4, ) == 0x0
 01297  1132   NtSetEventBoostPriority  (288, ...
 01298  1732   NtWaitForSingleObject  (360, 0, 0x0, ...
 01299   376   NtWaitForSingleObject  (288, 0, 0x0, ...
 01245   500   NtWaitForSingleObject  ... ) == 0x0
 01297  1132   NtSetEventBoostPriority  ... ) == 0x0
 01300  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01301   500   NtSetEventBoostPriority  (288, ...
 01302  1132   NtWaitForSingleObject  (288, 0, 0x0, ...
 01242  1096   NtWaitForSingleObject  ... ) == 0x0
 01301   500   NtSetEventBoostPriority  ... ) == 0x0
 01300  1736   NtCreateThread  ... 364, {1636, 1600}, ) == 0x0
 01303  1096   NtSetEventBoostPriority  (288, ...
 01304   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01253  1064   NtWaitForSingleObject  ... ) == 0x0
 01305  1736   NtQueryInformationThread  (364, Basic, 28, ...
 01303  1096   NtSetEventBoostPriority  ... ) == 0x0
 01306  1064   NtSetEventBoostPriority  (288, ...
 01305  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0
 01307  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01252   120   NtWaitForSingleObject  ... ) == 0x0
 01306  1064   NtSetEventBoostPriority  ... ) == 0x0
 01308  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0@\6\0\0" ...  ...
 01309   120   NtSetEventBoostPriority  (288, ...
 01257  1168   NtWaitForSingleObject  ... ) == 0x0
 01310  1168   NtSetEventBoostPriority  (288, ...
 01259  1252   NtWaitForSingleObject  ... ) == 0x0
 01311  1252   NtSetEventBoostPriority  (288, ...
 01261  1384   NtWaitForSingleObject  ... ) == 0x0
 01312  1384   NtSetEventBoostPriority  (288, ...
 01268   948   NtWaitForSingleObject  ... ) == 0x0
 01313   948   NtSetEventBoostPriority  (288, ...
 01267  1356   NtWaitForSingleObject  ... ) == 0x0
 01314  1356   NtSetEventBoostPriority  (288, ...
 01271   596   NtWaitForSingleObject  ... ) == 0x0
 01315   596   NtSetEventBoostPriority  (288, ...
 01287   748   NtWaitForSingleObject  ... ) == 0x0
 01316   748   NtSetEventBoostPriority  (288, ...
 01293   188   NtWaitForSingleObject  ... ) == 0x0
 01317   188   NtSetEventBoostPriority  (288, ...
 01296  1300   NtWaitForSingleObject  ... ) == 0x0
 01318  1300   NtSetEventBoostPriority  (288, ...
 01291  1024   NtWaitForSingleObject  ... ) == 0x0
 01319  1024   NtSetEventBoostPriority  (288, ...
 01299   376   NtWaitForSingleObject  ... ) == 0x0
 01320   376   NtSetEventBoostPriority  (288, ...
 01302  1132   NtWaitForSingleObject  ... ) == 0x0
 01321  1132   NtSetEventBoostPriority  (288, ...
 01307  1096   NtWaitForSingleObject  ... ) == 0x0
 01322  1096   NtSetEventBoostPriority  (288, ...
 01304   500   NtWaitForSingleObject  ... ) == 0x0
 01323   500   NtWaitForSingleObject  (360, 0, 0x0, ...
 01322  1096   NtSetEventBoostPriority  ... ) == 0x0
 01318  1300   NtSetEventBoostPriority  ... ) == 0x0
 01317   188   NtSetEventBoostPriority  ... ) == 0x0
 01316   748   NtSetEventBoostPriority  ... ) == 0x0
 01315   596   NtSetEventBoostPriority  ... ) == 0x0
 01313   948   NtSetEventBoostPriority  ... ) == 0x0
 01312  1384   NtSetEventBoostPriority  ... ) == 0x0
 01308  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75520, 0}  ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0@\6\0\0" )  ) == 0x0
 01321  1132   NtSetEventBoostPriority  ... ) == 0x0
 01320   376   NtSetEventBoostPriority  ... ) == 0x0
 01319  1024   NtSetEventBoostPriority  ... ) == 0x0
 01314  1356   NtSetEventBoostPriority  ... ) == 0x0
 01311  1252   NtSetEventBoostPriority  ... ) == 0x0
 01310  1168   NtSetEventBoostPriority  ... ) == 0x0
 01309   120   NtSetEventBoostPriority  ... ) == 0x0
 01324  1064   NtWaitForSingleObject  (360, 0, 0x0, ...
 01325  1096   NtWaitForSingleObject  (360, 0, 0x0, ...
 01326   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01327  1300   NtWaitForSingleObject  (360, 0, 0x0, ...
 01328   748   NtWaitForSingleObject  (360, 0, 0x0, ...
 01329   948   NtWaitForSingleObject  (360, 0, 0x0, ...
 01330  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01331  1736   NtResumeThread  (364, ...
 01332  1132   NtWaitForSingleObject  (360, 0, 0x0, ...
 01333   376   NtWaitForSingleObject  (360, 0, 0x0, ...
 01334  1024   NtWaitForSingleObject  (360, 0, 0x0, ...
 01335  1356   NtSetEventBoostPriority  (360, ...
 01336  1252   NtWaitForSingleObject  (360, 0, 0x0, ...
 01337  1168   NtWaitForSingleObject  (360, 0, 0x0, ...
 01338   120   NtWaitForSingleObject  (360, 0, 0x0, ...
 01339   596   NtWaitForSingleObject  (360, 0, 0x0, ...
 01326   188   NtDuplicateObject  ... 356, ) == 0x0
 01331  1736   NtResumeThread  ... 1, ) == 0x0
 01278   252   NtWaitForSingleObject  ... ) == 0x0
 01335  1356   NtSetEventBoostPriority  ... ) == 0x0
 01340   188   NtWaitForSingleObject  (360, 0, 0x0, ...
 01341   252   NtSetEventBoostPriority  (360, ...
 01342  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01330  1384   NtDuplicateObject  ... 368, ) == 0x0
 01343  1600   NtTestAlert  (...
 01282   428   NtWaitForSingleObject  ... ) == 0x0
 01341   252   NtSetEventBoostPriority  ... ) == 0x0
 01342  1736   NtAllocateVirtualMemory  ... 42795008, 1048576, ) == 0x0
 01344  1384   NtWaitForSingleObject  (360, 0, 0x0, ...
 01345   428   NtSetEventBoostPriority  (360, ...
 01343  1600   NtTestAlert  ... ) == 0x0
 01346  1356   NtWaitForSingleObject  (360, 0, 0x0, ...
 01347  1736   NtAllocateVirtualMemory  (-1, 43835392, 0, 8192, 4096, 4, ...
 01284   928   NtWaitForSingleObject  ... ) == 0x0
 01345   428   NtSetEventBoostPriority  ... ) == 0x0
 01348  1600   NtContinue  (42794288, 1, ...
 01349   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01350   928   NtSetEventBoostPriority  (360, ...
 01347  1736   NtAllocateVirtualMemory  ... 43835392, 8192, ) == 0x0
 01351  1600   NtRegisterThreadTerminatePort  (24, ...
 01298  1732   NtWaitForSingleObject  ... ) == 0x0
 01350   928   NtSetEventBoostPriority  ... ) == 0x0
 01349   252   NtWaitForSingleObject  ... ) == 0x102
 01352  1736   NtProtectVirtualMemory  (-1, (0x29ce000), 4096, 260, ...
 01353  1732   NtSetEventBoostPriority  (360, ...
 01351  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01354   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01355   252   NtWaitForSingleObject  (132, 0, 0x0, ...
 01323   500   NtWaitForSingleObject  ... ) == 0x0
 01353  1732   NtSetEventBoostPriority  ... ) == 0x0
 01352  1736   NtProtectVirtualMemory  ... (0x29ce000), 4096, 4, ) == 0x0
 01356   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01354   428   NtWaitForSingleObject  ... ) == 0x102
 01357   500   NtSetEventBoostPriority  (360, ...
 01358  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01359  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01356   928   NtWaitForSingleObject  ... ) == 0x102
 01324  1064   NtWaitForSingleObject  ... ) == 0x0
 01360   428   NtWaitForSingleObject  (132, 0, 0x0, ...
 01358  1600   NtDuplicateObject  ... 372, ) == 0x0
 01359  1736   NtCreateThread  ... 376, {1636, 1372}, ) == 0x0
 01361   928   NtWaitForSingleObject  (132, 0, 0x0, ...
 01362  1064   NtSetEventBoostPriority  (360, ...
 01363  1600   NtWaitForSingleObject  (360, 0, 0x0, ...
 01364  1736   NtQueryInformationThread  (376, Basic, 28, ...
 01325  1096   NtWaitForSingleObject  ... ) == 0x0
 01362  1064   NtSetEventBoostPriority  ... ) == 0x0
 01357   500   NtSetEventBoostPriority  ... ) == 0x0
 01365  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01366  1096   NtSetEventBoostPriority  (360, ...
 01367  1064   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01364  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0
 01327  1300   NtWaitForSingleObject  ... ) == 0x0
 01366  1096   NtSetEventBoostPriority  ... ) == 0x0
 01365  1732   NtWaitForSingleObject  ... ) == 0x102
 01368   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01369  1300   NtSetEventBoostPriority  (360, ...
 01370  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\\5\0\0" ...  ...
 01371  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01372  1732   NtWaitForSingleObject  (132, 0, 0x0, ...
 01328   748   NtWaitForSingleObject  ... ) == 0x0
 01369  1300   NtSetEventBoostPriority  ... ) == 0x0
 01368   500   NtWaitForSingleObject  ... ) == 0x102
 01370  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75521, 0}  ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\\5\0\0" )  ) == 0x0
 01367  1064   NtWaitForSingleObject  ... ) == 0x102
 01373   748   NtSetEventBoostPriority  (360, ...
 01374  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01375   500   NtWaitForSingleObject  (132, 0, 0x0, ...
 01376  1736   NtResumeThread  (376, ...
 01329   948   NtWaitForSingleObject  ... ) == 0x0
 01373   748   NtSetEventBoostPriority  ... ) == 0x0
 01377  1064   NtWaitForSingleObject  (132, 0, 0x0, ...
 01371  1096   NtWaitForSingleObject  ... ) == 0x102
 01378   948   NtSetEventBoostPriority  (360, ...
 01376  1736   NtResumeThread  ... 1, ) == 0x0
 01379   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01332  1132   NtWaitForSingleObject  ... ) == 0x0
 01380  1096   NtWaitForSingleObject  (132, 0, 0x0, ...
 01378   948   NtSetEventBoostPriority  ... ) == 0x0
 01374  1300   NtWaitForSingleObject  ... ) == 0x102
 01381  1372   NtTestAlert  (...
 01382  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01383  1132   NtSetEventBoostPriority  (360, ...
 01384   948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01385  1300   NtWaitForSingleObject  (132, 0, 0x0, ...
 01381  1372   NtTestAlert  ... ) == 0x0
 01382  1736   NtAllocateVirtualMemory  ... 43843584, 1048576, ) == 0x0
 01333   376   NtWaitForSingleObject  ... ) == 0x0
 01383  1132   NtSetEventBoostPriority  ... ) == 0x0
 01386  1372   NtContinue  (43842864, 1, ...
 01387   376   NtSetEventBoostPriority  (360, ...
 01388  1736   NtAllocateVirtualMemory  (-1, 44883968, 0, 8192, 4096, 4, ...
 01379   748   NtWaitForSingleObject  ... ) == 0x102
 01384   948   NtWaitForSingleObject  ... ) == 0x102
 01334  1024   NtWaitForSingleObject  ... ) == 0x0
 01387   376   NtSetEventBoostPriority  ... ) == 0x0
 01389  1372   NtRegisterThreadTerminatePort  (24, ...
 01388  1736   NtAllocateVirtualMemory  ... 44883968, 8192, ) == 0x0
 01390   748   NtWaitForSingleObject  (132, 0, 0x0, ...
 01391  1024   NtSetEventBoostPriority  (360, ...
 01392   948   NtWaitForSingleObject  (132, 0, 0x0, ...
 01393  1132   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01389  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01394  1736   NtProtectVirtualMemory  (-1, (0x2ace000), 4096, 260, ...
 01336  1252   NtWaitForSingleObject  ... ) == 0x0
 01391  1024   NtSetEventBoostPriority  ... ) == 0x0
 01393  1132   NtWaitForSingleObject  ... ) == 0x102
 01395   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01396  1252   NtSetEventBoostPriority  (360, ...
 01394  1736   NtProtectVirtualMemory  ... (0x2ace000), 4096, 4, ) == 0x0
 01397  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01398  1132   NtWaitForSingleObject  (132, 0, 0x0, ...
 01337  1168   NtWaitForSingleObject  ... ) == 0x0
 01396  1252   NtSetEventBoostPriority  ... ) == 0x0
 01395   376   NtWaitForSingleObject  ... ) == 0x102
 01399  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01397  1372   NtDuplicateObject  ... 380, ) == 0x0
 01400  1168   NtSetEventBoostPriority  (360, ...
 01401  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01402   376   NtWaitForSingleObject  (132, 0, 0x0, ...
 01399  1024   NtWaitForSingleObject  ... ) == 0x102
 01338   120   NtWaitForSingleObject  ... ) == 0x0
 01400  1168   NtSetEventBoostPriority  ... ) == 0x0
 01403  1372   NtWaitForSingleObject  (360, 0, 0x0, ...
 01401  1736   NtCreateThread  ... 384, {1636, 2040}, ) == 0x0
 01404   120   NtSetEventBoostPriority  (360, ...
 01405  1024   NtWaitForSingleObject  (132, 0, 0x0, ...
 01406  1252   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01339   596   NtWaitForSingleObject  ... ) == 0x0
 01404   120   NtSetEventBoostPriority  ... ) == 0x0
 01407  1736   NtQueryInformationThread  (384, Basic, 28, ...
 01408   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01406  1252   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01409  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01407  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0
 01410  1252   NtSetEventBoostPriority  (288, ...
 01409  1168   NtWaitForSingleObject  ... ) == 0x102
 01411  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\370\7\0\0" ...  ...
 01408   596   NtWaitForSingleObject  ... ) == 0x0
 01410  1252   NtSetEventBoostPriority  ... ) == 0x0
 01412  1168   NtWaitForSingleObject  (288, 0, 0x0, ...
 01413   596   NtSetEventBoostPriority  (288, ...
 01414  1252   NtWaitForSingleObject  (360, 0, 0x0, ...
 01413   596   NtSetEventBoostPriority  ... ) == 0x0
 01412  1168   NtWaitForSingleObject  ... ) == 0x0
 01415   120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01411  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75522, 0}  ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\370\7\0\0" )  ) == 0x0
 01416   596   NtSetEventBoostPriority  (360, ...
 01415   120   NtWaitForSingleObject  ... ) == 0x102
 01417  1736   NtResumeThread  (384, ...
 01340   188   NtWaitForSingleObject  ... ) == 0x0
 01416   596   NtSetEventBoostPriority  ... ) == 0x0
 01418   120   NtWaitForSingleObject  (288, 0, 0x0, ...
 01419   188   NtWaitForSingleObject  (288, 0, 0x0, ...
 01417  1736   NtResumeThread  ... 1, ) == 0x0
 01420   596   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01421  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01420   596   NtWaitForSingleObject  ... ) == 0x102
 01421  1736   NtAllocateVirtualMemory  ... 44892160, 1048576, ) == 0x0
 01422   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01423  1736   NtAllocateVirtualMemory  (-1, 45932544, 0, 8192, 4096, 4, ...
 01424  1168   NtSetEventBoostPriority  (288, ...
 01425  2040   NtTestAlert  (...
 01419   188   NtWaitForSingleObject  ... ) == 0x0
 01424  1168   NtSetEventBoostPriority  ... ) == 0x0
 01426   188   NtSetEventBoostPriority  (288, ...
 01425  2040   NtTestAlert  ... ) == 0x0
 01418   120   NtWaitForSingleObject  ... ) == 0x0
 01426   188   NtSetEventBoostPriority  ... ) == 0x0
 01427  1168   NtWaitForSingleObject  (132, 0, 0x0, ...
 01428   120   NtSetEventBoostPriority  (288, ...
 01429  2040   NtContinue  (44891440, 1, ...
 01423  1736   NtAllocateVirtualMemory  ... 45932544, 8192, ) == 0x0
 01422   596   NtWaitForSingleObject  ... ) == 0x0
 01428   120   NtSetEventBoostPriority  ... ) == 0x0
 01430  2040   NtRegisterThreadTerminatePort  (24, ...
 01431   596   NtWaitForSingleObject  (132, 0, 0x0, ...
 01432  1736   NtProtectVirtualMemory  (-1, (0x2bce000), 4096, 260, ...
 01433   188   NtSetEventBoostPriority  (360, ...
 01430  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 01432  1736   NtProtectVirtualMemory  ... (0x2bce000), 4096, 4, ) == 0x0
 01344  1384   NtWaitForSingleObject  ... ) == 0x0
 01433   188   NtSetEventBoostPriority  ... ) == 0x0
 01434   120   NtWaitForSingleObject  (132, 0, 0x0, ...
 01435  1384   NtSetEventBoostPriority  (360, ...
 01436  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01437   188   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01346  1356   NtWaitForSingleObject  ... ) == 0x0
 01435  1384   NtSetEventBoostPriority  ... ) == 0x0
 01436  1736   NtCreateThread  ... 388, {1636, 216}, ) == 0x0
 01438  1356   NtSetEventBoostPriority  (360, ...
 01437   188   NtWaitForSingleObject  ... ) == 0x102
 01439  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01363  1600   NtWaitForSingleObject  ... ) == 0x0
 01438  1356   NtSetEventBoostPriority  ... ) == 0x0
 01440  1736   NtQueryInformationThread  (388, Basic, 28, ...
 01441   188   NtWaitForSingleObject  (132, 0, 0x0, ...
 01442  1600   NtSetEventBoostPriority  (360, ...
 01439  2040   NtDuplicateObject  ... 392, ) == 0x0
 01443  1356   NtWaitForSingleObject  (360, 0, 0x0, ...
 01444  1384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01440  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=216,}, 0x0, ) == 0x0
 01403  1372   NtWaitForSingleObject  ... ) == 0x0
 01442  1600   NtSetEventBoostPriority  ... ) == 0x0
 01445  2040   NtWaitForSingleObject  (360, 0, 0x0, ...
 01444  1384   NtWaitForSingleObject  ... ) == 0x102
 01446  1372   NtSetEventBoostPriority  (360, ...
 01447  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\330\0\0\0" ...  ...
 01414  1252   NtWaitForSingleObject  ... ) == 0x0
 01446  1372   NtSetEventBoostPriority  ... ) == 0x0
 01448  1384   NtWaitForSingleObject  (132, 0, 0x0, ...
 01449  1252   NtSetEventBoostPriority  (360, ...
 01447  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75523, 0}  ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\330\0\0\0" )  ) == 0x0
 01450  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01443  1356   NtWaitForSingleObject  ... ) == 0x0
 01449  1252   NtSetEventBoostPriority  ... ) == 0x0
 01451  1736   NtResumeThread  (388, ...
 01452  1356   NtSetEventBoostPriority  (360, ...
 01450  1600   NtWaitForSingleObject  ... ) == 0x102
 01453  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01445  2040   NtWaitForSingleObject  ... ) == 0x0
 01451  1736   NtResumeThread  ... 1, ) == 0x0
 01454  1600   NtWaitForSingleObject  (132, 0, 0x0, ...
 01453  1372   NtWaitForSingleObject  ... ) == 0x102
 01455  2040   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01452  1356   NtSetEventBoostPriority  ... ) == 0x0
 01456  1252   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01457   216   NtTestAlert  (...
 01458  1372   NtWaitForSingleObject  (288, 0, 0x0, ...
 01459  1356   NtWaitForSingleObject  (360, 0, 0x0, ...
 01456  1252   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01457   216   NtTestAlert  ... ) == 0x0
 01460  1252   NtSetEventBoostPriority  (288, ...
 01461   216   NtContinue  (45940016, 1, ...
 01458  1372   NtWaitForSingleObject  ... ) == 0x0
 01460  1252   NtSetEventBoostPriority  ... ) == 0x0
 01462  1372   NtWaitForSingleObject  (132, 0, 0x0, ...
 01463   216   NtRegisterThreadTerminatePort  (24, ...
 01464  1252   NtSetEventBoostPriority  (360, ...
 01463   216   NtRegisterThreadTerminatePort  ... ) == 0x0
 01459  1356   NtWaitForSingleObject  ... ) == 0x0
 01464  1252   NtSetEventBoostPriority  ... ) == 0x0
 01465  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01455  2040   NtWaitForSingleObject  ... ) == 0x102
 01466  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071600, ... }, 11071600, ...
 01467   216   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01465  1736   NtAllocateVirtualMemory  ... 45940736, 1048576, ) == 0x0
 01466  1356   NtQueryAttributesFile  ... ) == 0x0
 01468  2040   NtWaitForSingleObject  (132, 0, 0x0, ...
 01467   216   NtDuplicateObject  ... 396, ) == 0x0
 01469  1736   NtAllocateVirtualMemory  (-1, 46981120, 0, 8192, 4096, 4, ...
 01470  1252   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01471   216   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01469  1736   NtAllocateVirtualMemory  ... 46981120, 8192, ) == 0x0
 01470  1252   NtOpenFile  ... 400, {status=0x0, info=0}, ) == 0x0
 01471   216   NtWaitForSingleObject  ... ) == 0x102
 01472  1736   NtProtectVirtualMemory  (-1, (0x2cce000), 4096, 260, ...
 01473  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1a\2265\\252\235\11n\345^\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01474   216   NtWaitForSingleObject  (132, 0, 0x0, ...
 01472  1736   NtProtectVirtualMemory  ... (0x2cce000), 4096, 4, ) == 0x0
 01475  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01476  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 404, ) }, ... 404, ) == 0x0
 01477  1356   NtQueryValueKey  (404,  (404, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (404, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01478  1356   NtQueryValueKey  (404,  (404, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (404, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01479  1356   NtClose  (404, ... ) == 0x0
 01480  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 404, ) }, ... 404, ) == 0x0
 01481  1356   NtQueryValueKey  (404,  (404, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01482  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01475  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01482  1736   NtCreateThread  ... 408, {1636, 152}, ) == 0x0
 01483  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01484  1736   NtQueryInformationThread  (408, Basic, 28, ...
 01483  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01484  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=152,}, 0x0, ) == 0x0
 01485  1252   NtQuerySystemInformation  (Performance, 312, ...
 01486  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" ...  ...
 01485  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01487  1252   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01488  1252   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01489  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01490  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01491  1356   NtQueryValueKey  (404,  (404, "Mapping", Partial, 144, ... , Partial, 144, ...
 01486  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75524, 0}  ... {28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" )  ) == 0x0
 01491  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01492  1736   NtResumeThread  (408, ...
 01493  1356   NtQueryValueKey  (404,  (404, "Mapping", Partial, 152, ... , Partial, 152, ...
 01492  1736   NtResumeThread  ... 1, ) == 0x0
 01493  1356   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01494  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01495  1356   NtClose  (404, ...
 01494  1736   NtAllocateVirtualMemory  ... 46989312, 1048576, ) == 0x0
 01495  1356   NtClose  ... ) == 0x0
 01496  1736   NtAllocateVirtualMemory  (-1, 48029696, 0, 8192, 4096, 4, ...
 01490  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01497   152   NtTestAlert  (...
 01498  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01499  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01497   152   NtTestAlert  ... ) == 0x0
 01498  1356   NtOpenKey  ... 404, ) == 0x0
 01499  1252   NtCreateKey  ... -2147482576, 2, ) == 0x0
 01500   152   NtContinue  (46988592, 1, ...
 01501  1356   NtQueryValueKey  (404,  (404, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01502  1252   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\275C\336\311\264\341Ht\323qH,\22^\273U\242\246\256\33f\2x@\250\15/\257e\235\307\272\37\235;\221\361\357j\343\305\21:\355\334&\2709\230\262\35Bq\347\307\375\202 \360\355\312A\311w\2\22y\12\260\370\274E|\34\35\262\300\366,\10", 80, ... , 0, 3,  (-2147482576, "Seed", 0, 3, "\275C\336\311\264\341Ht\323qH,\22^\273U\242\246\256\33f\2x@\250\15/\257e\235\307\272\37\235;\221\361\357j\343\305\21:\355\334&\2709\230\262\35Bq\347\307\375\202 \360\355\312A\311w\2\22y\12\260\370\274E|\34\35\262\300\366,\10", 80, ... , 80, ...
 01503   152   NtRegisterThreadTerminatePort  (24, ...
 01501  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01503   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01504  1356   NtQueryValueKey  (404,  (404, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01496  1736   NtAllocateVirtualMemory  ... 48029696, 8192, ) == 0x0
 01502  1252   NtSetValueKey  ... ) == 0x0
 01504  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01505  1736   NtProtectVirtualMemory  (-1, (0x2dce000), 4096, 260, ...
 01506  1252   NtClose  (-2147482576, ...
 01507   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01505  1736   NtProtectVirtualMemory  ... (0x2dce000), 4096, 4, ) == 0x0
 01506  1252   NtClose  ... ) == 0x0
 01507   152   NtDuplicateObject  ... 412, ) == 0x0
 01508  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01473  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "5\202J\21y\301p\311\253\372\271\227\254\22\333v\3258\236t\342\4\264\14\257\270\246nL\314\372{\316[\30\236\220\265\334\3728.+\261G\375\232\343\246\374E\242\241\217\256\0\352tC\212Yzaak\335H7mk'+\12\263\3335t\362[\330\340\363\252\231,+\6\321F^]m(al\331\274\16\201\30a4\356\322\13\366V5\341\341\250\366\267G7\231\304/|O+\302\27F\363!/A\247\201b\221r\207\200\325\317\346@"\252\36\26\17!\372B\305n\12\223\23|\247\20\271\375\3D\231t;\343\375\360\34\250O\34:\270\213\272]\6\12R\341\256\261\37#\232\315\201\3737\253E-\377\312y\272.\33|i\314\352U\37\31>Tn\350\15P\323\2"\370\256\313\335\204\203%$r\327\334|BT\202z7\207\30\206V\206\223\253\237\21\210\306\236\203]\325J\274\230\343\37\37\256\272\237\267\22\10", ) \252\36\26\17!\372B\305n\12\223\23|\247\20\271\375\3D\231t;\343\375\360\34\250O\34:\270\213\272]\6\12R\341\256\261\37#\232\315\201\3737\253E-\377\312y\272.\33|i\314\352U\37\31>Tn\350\15P\323\2 ... {status=0x0, info=256}, "5\202J\21y\301p\311\253\372\271\227\254\22\333v\3258\236t\342\4\264\14\257\270\246nL\314\372{\316[\30\236\220\265\334\3728.+\261G\375\232\343\246\374E\242\241\217\256\0\352tC\212Yzaak\335H7mk'+\12\263\3335t\362[\330\340\363\252\231,+\6\321F^]m(al\331\274\16\201\30a4\356\322\13\366V5\341\341\250\366\267G7\231\304/|O+\302\27F\363!/A\247\201b\221r\207\200\325\317\346@"\252\36\26\17!\372B\305n\12\223\23|\247\20\271\375\3D\231t;\343\375\360\34\250O\34:\270\213\272]\6\12R\341\256\261\37#\232\315\201\3737\253E-\377\312y\272.\33|i\314\352U\37\31>Tn\350\15P\323\2"\370\256\313\335\204\203%$r\327\334|BT\202z7\207\30\206V\206\223\253\237\21\210\306\236\203]\325J\274\230\343\37\37\256\272\237\267\22\10", ) , ) == 0x0
 01509   152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01508  1736   NtCreateThread  ... 416, {1636, 900}, ) == 0x0
 01510  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01509   152   NtWaitForSingleObject  ... ) == 0x102
 01511  1736   NtQueryInformationThread  (416, Basic, 28, ...
 01510  1252   NtCreateEvent  ... 420, ) == 0x0
 01512   152   NtWaitForSingleObject  (132, 0, 0x0, ...
 01513  1356   NtQueryValueKey  (404,  (404, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01511  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=900,}, 0x0, ) == 0x0
 01514  1252   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16576004, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16576004, 188, ...
 01513  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01515  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0\204\3\0\0" ...  ...
 01516  1356   NtQueryValueKey  (404,  (404, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01515  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75526, 0}  ... {28, 56, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0\204\3\0\0" )  ) == 0x0
 01514  1252   NtConnectPort  ... 424, 0x0, 0x0, 0x0, 188, ) == 0x0
 01516  1356   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01517  1736   NtResumeThread  (416, ...
 01518  1252   NtRequestWaitReplyPort  (424, {200, 224, new_msg, 0, 1383568, 12, 2, 1}  (424, {200, 224, new_msg, 0, 1383568, 12, 2, 1} "\0\5\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0@\5\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\1553\26_W\331l\20\34\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\2(\0\0\0\30\34\25\0\12\233F\320h\5\24\08\34\25\0h\1\24\0\0\0\0\0\0\0\0\08\34\25\0P\0\0\0@\34\25\0\360\6\221|@\5\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\374\0\372\31\221|\30\364\374\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01519  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072556, ... }, 11072556, ...
 01517  1736   NtResumeThread  ... 1, ) == 0x0
 01519  1356   NtQueryAttributesFile  ... ) == 0x0
 01518  1252   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1252, 75527, 0}  ... {200, 224, reply, 0, 1636, 1252, 75527, 0} "\7\5\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\1553\26_W\331l\20\34\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\2(\0\0\0\30\34\25\0\12\233F\320h\5\24\08\34\25\0h\1\24\0\0\0\0\0\0\0\0\08\34\25\0P\0\0\0@\34\25\0\360\6\221|@\5\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\374\0\372\31\221|\30\364\374\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01520   900   NtWaitForSingleObject  (88, 0, 0x0, ...
 01521  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01522  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01521  1736   NtAllocateVirtualMemory  ... 48037888, 1048576, ) == 0x0
 01522  1356   NtOpenFile  ... 428, {status=0x0, info=1}, ) == 0x0
 01523  1736   NtAllocateVirtualMemory  (-1, 49078272, 0, 8192, 4096, 4, ...
 01524  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 428, ...
 01523  1736   NtAllocateVirtualMemory  ... 49078272, 8192, ) == 0x0
 01524  1356   NtCreateSection  ... 432, ) == 0x0
 01525  1736   NtProtectVirtualMemory  (-1, (0x2ece000), 4096, 260, ...
 01526  1356   NtClose  (428, ...
 01525  1736   NtProtectVirtualMemory  ... (0x2ece000), 4096, 4, ) == 0x0
 01526  1356   NtClose  ... ) == 0x0
 01527  1252   NtRequestWaitReplyPort  (424, {64, 88, new_msg, 0, 0, 0, 0, 0}  (424, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01528  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {1636, 1388}, ) == 0x0
 01529  1736   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0
 01530  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0l\5\0\0" ...  ...
 01531  1356   NtMapViewOfSection  (432, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 20480, ) == 0x0
 01532  1356   NtClose  (432, ... ) == 0x0
 01530  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75529, 0}  ... {28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0l\5\0\0" )  ) == 0x0
 01533  1736   NtResumeThread  (428, ... 1, ) == 0x0
 01534  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 49086464, 1048576, ) == 0x0
 01535  1736   NtAllocateVirtualMemory  (-1, 50126848, 0, 8192, 4096, 4, ...
 01536  1388   NtWaitForSingleObject  (88, 0, 0x0, ...
 01535  1736   NtAllocateVirtualMemory  ... 50126848, 8192, ) == 0x0
 01537  1736   NtProtectVirtualMemory  (-1, (0x2fce000), 4096, 260, ... (0x2fce000), 4096, 4, ) == 0x0
 01538  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1636, 1708}, ) == 0x0
 01539  1736   NtQueryInformationThread  (432, Basic, 28, ...
 01540  1356   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 01541  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072864, ... ) }, 11072864, ... ) == 0x0
 01542  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 436, {status=0x0, info=1}, ) }, 5, 96, ... 436, {status=0x0, info=1}, ) == 0x0
 01543  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 436, ... 440, ) == 0x0
 01544  1356   NtQuerySection  (440, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01545  1356   NtClose  (436, ... ) == 0x0
 01539  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0
 01546  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75530, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" )  ) == 0x0
 01547  1736   NtResumeThread  (432, ... 1, ) == 0x0
 01548  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50135040, 1048576, ) == 0x0
 01549  1736   NtAllocateVirtualMemory  (-1, 51175424, 0, 8192, 4096, 4, ... 51175424, 8192, ) == 0x0
 01550  1736   NtProtectVirtualMemory  (-1, (0x30ce000), 4096, 260, ... (0x30ce000), 4096, 4, ) == 0x0
 01551  1356   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01527  1252   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 1252, 75528, 0}  ... {52, 76, reply, 0, 1636, 1252, 75528, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01552  1708   NtWaitForSingleObject  (88, 0, 0x0, ...
 01551  1356   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 01553  1252   NtClose  (420, ...
 01554  1356   NtClose  (440, ...
 01553  1252   NtClose  ... ) == 0x0
 01554  1356   NtClose  ... ) == 0x0
 01555  1252   NtClose  (424, ...
 01556  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ...
 01557  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01556  1356   NtProtectVirtualMemory  ... (0x71a91000), 4096, 32, ) == 0x0
 01557  1736   NtCreateThread  ... 440, {1636, 1324}, ) == 0x0
 01555  1252   NtClose  ... ) == 0x0
 01558  1736   NtQueryInformationThread  (440, Basic, 28, ...
 01559  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 01558  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1324,}, 0x0, ) == 0x0
 01560  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0,\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0,\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75532, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0,\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0d\6\0\0,\5\0\0" )  ) == 0x0
 01561  1736   NtResumeThread  (440, ... 1, ) == 0x0
 01562  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 51183616, 1048576, ) == 0x0
 01563  1736   NtAllocateVirtualMemory  (-1, 52224000, 0, 8192, 4096, 4, ...
 01564  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 01565  1324   NtWaitForSingleObject  (88, 0, 0x0, ...
 01564  1356   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 01566  1356   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 01567  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568  1356   NtSetEventBoostPriority  (88, ...
 01520   900   NtWaitForSingleObject  ... ) == 0x0
 01569   900   NtSetEventBoostPriority  (88, ...
 01536  1388   NtWaitForSingleObject  ... ) == 0x0
 01570  1388   NtSetEventBoostPriority  (88, ...
 01552  1708   NtWaitForSingleObject  ... ) == 0x0
 01571  1708   NtSetEventBoostPriority  (88, ...
 01559  1252   NtWaitForSingleObject  ... ) == 0x0
 01572  1252   NtSetEventBoostPriority  (88, ...
 01565  1324   NtWaitForSingleObject  ... ) == 0x0
 01573  1324   NtTestAlert  (... ) == 0x0
 01572  1252   NtSetEventBoostPriority  ... ) == 0x0
 01571  1708   NtSetEventBoostPriority  ... ) == 0x0
 01570  1388   NtSetEventBoostPriority  ... ) == 0x0
 01569   900   NtSetEventBoostPriority  ... ) == 0x0
 01568  1356   NtSetEventBoostPriority  ... ) == 0x0
 01563  1736   NtAllocateVirtualMemory  ... 52224000, 8192, ) == 0x0
 01574  1324   NtContinue  (51182896, 1, ...
 01575  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01576  1708   NtTestAlert  (...
 01577  1388   NtTestAlert  (...
 01578   900   NtTestAlert  (...
 01579  1736   NtProtectVirtualMemory  (-1, (0x31ce000), 4096, 260, ...
 01580  1324   NtRegisterThreadTerminatePort  (24, ...
 01575  1252   NtCreateKey  ... 424, 2, ) == 0x0
 01576  1708   NtTestAlert  ... ) == 0x0
 01577  1388   NtTestAlert  ... ) == 0x0
 01578   900   NtTestAlert  ... ) == 0x0
 01579  1736   NtProtectVirtualMemory  ... (0x31ce000), 4096, 4, ) == 0x0
 01580  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01581  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01582  1708   NtContinue  (50134320, 1, ...
 01583  1388   NtContinue  (49085744, 1, ...
 01584   900   NtContinue  (48037168, 1, ...
 01585  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01586  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01581  1252   NtOpenKey  ... 420, ) == 0x0
 01587  1708   NtRegisterThreadTerminatePort  (24, ...
 01588  1388   NtRegisterThreadTerminatePort  (24, ...
 01589   900   NtRegisterThreadTerminatePort  (24, ...
 01585  1736   NtCreateThread  ... 436, {1636, 1884}, ) == 0x0
 01586  1324   NtDuplicateObject  ... 444, ) == 0x0
 01590  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01587  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01588  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01589   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 01591  1736   NtQueryInformationThread  (436, Basic, 28, ...
 01592  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01590  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01594  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01595   900   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01596  1356   NtClose  (404, ...
 01591  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0
 01592  1324   NtWaitForSingleObject  ... ) == 0x102
 01597  1252   NtQueryValueKey  (424,  (424, "Hostname", Partial, 144, ... , Partial, 144, ...
 01593  1708   NtDuplicateObject  ... 448, ) == 0x0
 01594  1388   NtDuplicateObject  ... 452, ) == 0x0
 01596  1356   NtClose  ... ) == 0x0
 01598  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0d\6\0\0\\7\0\0" ...  ...
 01599  1324   NtWaitForSingleObject  (132, 0, 0x0, ...
 01597  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01600  1708   NtWaitForSingleObject  (288, 0, 0x0, ...
 01601  1388   NtWaitForSingleObject  (288, 0, 0x0, ...
 01602  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01598  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75533, 0}  ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0d\6\0\0\\7\0\0" )  ) == 0x0
 01603  1252   NtQueryValueKey  (424,  (424, "Hostname", Partial, 144, ... , Partial, 144, ...
 01604  1736   NtResumeThread  (436, ...
 01603  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01604  1736   NtResumeThread  ... 1, ) == 0x0
 01605  1252   NtClose  (424, ...
 01595   900   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01606  1884   NtTestAlert  (...
 01605  1252   NtClose  ... ) == 0x0
 01607   900   NtSetEventBoostPriority  (288, ...
 01606  1884   NtTestAlert  ... ) == 0x0
 01608  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01600  1708   NtWaitForSingleObject  ... ) == 0x0
 01607   900   NtSetEventBoostPriority  ... ) == 0x0
 01609  1884   NtContinue  (52231472, 1, ...
 01610  1708   NtSetEventBoostPriority  (288, ...
 01608  1736   NtAllocateVirtualMemory  ... 52232192, 1048576, ) == 0x0
 01611   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01601  1388   NtWaitForSingleObject  ... ) == 0x0
 01610  1708   NtSetEventBoostPriority  ... ) == 0x0
 01612  1884   NtRegisterThreadTerminatePort  (24, ...
 01613  1736   NtAllocateVirtualMemory  (-1, 53272576, 0, 8192, 4096, 4, ...
 01614  1388   NtSetEventBoostPriority  (288, ...
 01611   900   NtDuplicateObject  ... 424, ) == 0x0
 01615  1252   NtClose  (420, ...
 01612  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01602  1356   NtWaitForSingleObject  ... ) == 0x0
 01614  1388   NtSetEventBoostPriority  ... ) == 0x0
 01613  1736   NtAllocateVirtualMemory  ... 53272576, 8192, ) == 0x0
 01616   900   NtWaitForSingleObject  (288, 0, 0x0, ...
 01615  1252   NtClose  ... ) == 0x0
 01617  1708   NtWaitForSingleObject  (288, 0, 0x0, ...
 01618  1356   NtSetEventBoostPriority  (288, ...
 01619  1884   NtWaitForSingleObject  (288, 0, 0x0, ...
 01620  1736   NtProtectVirtualMemory  (-1, (0x32ce000), 4096, 260, ...
 01621  1388   NtWaitForSingleObject  (288, 0, 0x0, ...
 01622  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01618  1356   NtSetEventBoostPriority  ... ) == 0x0
 01617  1708   NtWaitForSingleObject  ... ) == 0x0
 01620  1736   NtProtectVirtualMemory  ... (0x32ce000), 4096, 4, ) == 0x0
 01623  1708   NtSetEventBoostPriority  (288, ...
 01624  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01619  1884   NtWaitForSingleObject  ... ) == 0x0
 01623  1708   NtSetEventBoostPriority  ... ) == 0x0
 01625  1884   NtSetEventBoostPriority  (288, ...
 01621  1388   NtWaitForSingleObject  ... ) == 0x0
 01626  1388   NtSetEventBoostPriority  (288, ...
 01622  1252   NtWaitForSingleObject  ... ) == 0x0
 01627  1252   NtSetEventBoostPriority  (288, ...
 01616   900   NtWaitForSingleObject  ... ) == 0x0
 01628   900   NtSetEventBoostPriority  (288, ...
 01624  1356   NtWaitForSingleObject  ... ) == 0x0
 01629  1356   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075200, 67, ... 420, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 11075200, 67, ... 420, {status=0x0, info=0}, ) == 0x0
 01630  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x1207b,  (420, 116, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01627  1252   NtSetEventBoostPriority  ... ) == 0x0
 01626  1388   NtSetEventBoostPriority  ... ) == 0x0
 01625  1884   NtSetEventBoostPriority  ... ) == 0x0
 01631  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01628   900   NtSetEventBoostPriority  ... ) == 0x0
 01632  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01630  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0
 01633  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01634  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01635  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/\272\0\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01636   900   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01632  1736   NtCreateThread  ... 404, {1636, 248}, ) == 0x0
 01637  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x1207b,  (420, 116, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", 16, 16, ... , 16, 16, ...
 01631  1708   NtWaitForSingleObject  ... ) == 0x102
 01633  1388   NtWaitForSingleObject  ... ) == 0x102
 01638  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01639  1736   NtQueryInformationThread  (404, Basic, 28, ...
 01637  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0
 01640  1708   NtWaitForSingleObject  (132, 0, 0x0, ...
 01641  1388   NtWaitForSingleObject  (132, 0, 0x0, ...
 01638  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01639  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=248,}, 0x0, ) == 0x0
 01642  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x12047,  (420, 116, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01643  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01644  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0\370\0\0\0" ...  ...
 01642  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01643  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01645  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01646  1252   NtQuerySystemInformation  (Performance, 312, ...
 01634  1884   NtDuplicateObject  ... 456, ) == 0x0
 01636   900   NtWaitForSingleObject  ... ) == 0x102
 01644  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75534, 0}  ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0d\6\0\0\370\0\0\0" )  ) == 0x0
 01645  1356   NtWaitForSingleObject  ... ) == 0x102
 01647  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01648   900   NtWaitForSingleObject  (132, 0, 0x0, ...
 01649  1736   NtResumeThread  (404, ...
 01650  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x12003,  (420, 116, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01647  1884   NtWaitForSingleObject  ... ) == 0x102
 01649  1736   NtResumeThread  ... 1, ) == 0x0
 01651  1884   NtWaitForSingleObject  (132, 0, 0x0, ...
 01652  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53280768, 1048576, ) == 0x0
 01653  1736   NtAllocateVirtualMemory  (-1, 54321152, 0, 8192, 4096, 4, ... 54321152, 8192, ) == 0x0
 01654  1736   NtProtectVirtualMemory  (-1, (0x33ce000), 4096, 260, ... (0x33ce000), 4096, 4, ) == 0x0
 01655  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {1636, 1652}, ) == 0x0
 01656  1736   NtQueryInformationThread  (464, Basic, 28, ...
 01646  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01657   248   NtTestAlert  (...
 01650  1356   NtDeviceIoControlFile  ... {status=0x0, info=460},  ... {status=0x0, info=460}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01658  1252   NtQuerySystemInformation  (Exception, 16, ...
 01657   248   NtTestAlert  ... ) == 0x0
 01659  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x12047,  (420, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01658  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01660   248   NtContinue  (53280048, 1, ...
 01659  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01661  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01662   248   NtRegisterThreadTerminatePort  (24, ...
 01663  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x12037,  (420, 116, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01661  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01662   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01663  1356   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01664  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01656  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0
 01665  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x1200b,  (420, 116, 0x0, 0x0, 0x1200b, "\0\376\250\0\5\0\0\0\0\255\24\0", 12, 0, ... , 12, 0, ...
 01666   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01667  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0t\6\0\0" ...  ...
 01664  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01666   248   NtDuplicateObject  ... 468, ) == 0x0
 01667  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75535, 0}  ... {28, 56, reply, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0d\6\0\0t\6\0\0" )  ) == 0x0
 01668  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01669   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01670  1736   NtResumeThread  (464, ...
 01668  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01669   248   NtWaitForSingleObject  ... ) == 0x102
 01670  1736   NtResumeThread  ... 1, ) == 0x0
 01671  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01672   248   NtWaitForSingleObject  (132, 0, 0x0, ...
 01665  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01673  1652   NtTestAlert  (...
 01671  1252   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01674  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01675  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x12047,  (420, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\250\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01673  1652   NtTestAlert  ... ) == 0x0
 01676  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "Q0\357\355\241\17\230*\351\31\267\222.\304S\225\37+\1s\321)'\146\240\304?\306=3\210F"\315\213;`Z5\230\7\364\30C\212D\200\261;\0\20\270O \15\22\363\314\221Z\305_\11\3042{\203\312\267F\356]!\233HA\261V>", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "Q0\357\355\241\17\230*\351\31\267\222.\304S\225\37+\1s\321)'\146\240\304?\306=3\210F"\315\213;`Z5\230\7\364\30C\212D\200\261;\0\20\270O \15\22\363\314\221Z\305_\11\3042{\203\312\267F\356]!\233HA\261V>", 80, ... \315\213;`Z5\230\7\364\30C\212D\200\261;\0\20\270O \15\22\363\314\221Z\305_\11\3042{\203\312\267F\356]!\233HA\261V>", 80, ...
 01674  1736   NtAllocateVirtualMemory  ... 54329344, 1048576, ) == 0x0
 01675  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01677  1652   NtContinue  (54328624, 1, ...
 01678  1736   NtAllocateVirtualMemory  (-1, 55369728, 0, 8192, 4096, 4, ...
 01679  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01680  1652   NtRegisterThreadTerminatePort  (24, ...
 01678  1736   NtAllocateVirtualMemory  ... 55369728, 8192, ) == 0x0
 01679  1356   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01680  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01681  1736   NtProtectVirtualMemory  (-1, (0x34ce000), 4096, 260, ...
 01682  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01676  1252   NtSetValueKey  ... ) == 0x0
 01681  1736   NtProtectVirtualMemory  ... (0x34ce000), 4096, 4, ) == 0x0
 01683  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01684  1252   NtClose  (-2147482564, ...
 01682  1356   NtCreateEvent  ... 472, ) == 0x0
 01683  1652   NtDuplicateObject  ... 476, ) == 0x0
 01684  1252   NtClose  ... ) == 0x0
 01685  1356   NtWaitForSingleObject  (472, 0, 0x0, ...
 01686  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01635  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\361\0/\371\340\20\335Qb;Y\247\247\4\304\177\363j\7\3169\304\275\304\37\5CZ\370\225"{\343\327Uy\177P\321\254Q\244dG\244\6 \342\362\334_\257=\234\25\336\322\264i\202\307\272\266\4\316]\240y\267\362\231cV\3323H\271\3\247\347\226_o\337\254\374\11d\306}\216\322\361\3548\255 \355\4>\16\275\11\341\324\240(PfsL\214\371?6\323\2\253|y\225\374\365!\7\311\301\270tO\1\360$g-IB\225\224\244\211\234\375\250\357/\25\15\2562\343,\372\364\320\334\5_\345\356\276\304\375\353C\264\310K\30\15\335\271zu\277\315\311\254\334Z\304\177Nxd|\362\351\364\1\12\345i\377j\205\251\326\3252!\34\227j\221\37$!\315\375t\277\305\250:`\274\270\363_\331}\10\353\372_\277\310z\260\27\204\307?\267+\220%>\274\34\346i\254\3uH\341\332\11L\5\203!\316K", ) {\343\327Uy\177P\321\254Q\244dG\244\6 \342\362\334_\257=\234\25\336\322\264i\202\307\272\266\4\316]\240y\267\362\231cV\3323H\271\3\247\347\226_o\337\254\374\11d\306}\216\322\361\3548\255 \355\4>\16\275\11\341\324\240(PfsL\214\371?6\323\2\253|y\225\374\365!\7\311\301\270tO\1\360$g-IB\225\224\244\211\234\375\250\357/\25\15\2562\343,\372\364\320\334\5_\345\356\276\304\375\353C\264\310K\30\15\335\271zu\277\315\311\254\334Z\304\177Nxd|\362\351\364\1\12\345i\377j\205\251\326\3252!\34\227j\221\37$!\315\375t\277\305\250:`\274\270\363_\331}\10\353\372_\277\310z\260\27\204\307?\267+\220%>\274\34\346i\254\3uH\341\332\11L\5\203!\316K", ) == 0x0
 01686  1652   NtWaitForSingleObject  ... ) == 0x102
 01687  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/a\324\\25\235\25\37\273C\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01688  1652   NtWaitForSingleObject  (132, 0, 0x0, ...
 01689  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01690  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {1636, 588}, ) == 0x0
 01691  1736   NtQueryInformationThread  (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=588,}, 0x0, ) == 0x0
 01692  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75536, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0L\2\0\0" )  ) == 0x0
 01693  1736   NtResumeThread  (480, ... 1, ) == 0x0
 01694  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55377920, 1048576, ) == 0x0
 01695  1736   NtAllocateVirtualMemory  (-1, 56418304, 0, 8192, 4096, 4, ...
 01689  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01696   588   NtTestAlert  (...
 01697  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01696   588   NtTestAlert  ... ) == 0x0
 01697  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01698   588   NtContinue  (55377200, 1, ...
 01699  1252   NtQuerySystemInformation  (Performance, 312, ...
 01700   588   NtRegisterThreadTerminatePort  (24, ...
 01699  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01700   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01701  1252   NtQuerySystemInformation  (Exception, 16, ...
 01695  1736   NtAllocateVirtualMemory  ... 56418304, 8192, ) == 0x0
 01702   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01703  1736   NtProtectVirtualMemory  (-1, (0x35ce000), 4096, 260, ...
 01702   588   NtDuplicateObject  ... 484, ) == 0x0
 01703  1736   NtProtectVirtualMemory  ... (0x35ce000), 4096, 4, ) == 0x0
 01704   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01705  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01704   588   NtWaitForSingleObject  ... ) == 0x102
 01705  1736   NtCreateThread  ... 488, {1636, 440}, ) == 0x0
 01706   588   NtWaitForSingleObject  (132, 0, 0x0, ...
 01707  1736   NtQueryInformationThread  (488, Basic, 28, ...
 01701  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01708  1252   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01709  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01710  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01711  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01712  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\23\371\2643\255\376v\311\325\264>\266\337i\325\205\344\253m\221\337\300\201c$\225\217\274UA\244a\7\231u8\345\313S\366\236Y\341\202JLD\2\321}i\325>\350"\301\346\264\256,\331=u#[\200\341\217\235\3504\2707\240\343\330\345\5\333\213", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\23\371\2643\255\376v\311\325\264>\266\337i\325\205\344\253m\221\337\300\201c$\225\217\274UA\244a\7\231u8\345\313S\366\236Y\341\202JLD\2\321}i\325>\350"\301\346\264\256,\331=u#[\200\341\217\235\3504\2707\240\343\330\345\5\333\213", 80, ... ) \301\346\264\256,\331=u#[\200\341\217\235\3504\2707\240\343\330\345\5\333\213", 80, ... ) == 0x0
 01713  1252   NtClose  (-2147482564, ...
 01707  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=440,}, 0x0, ) == 0x0
 01714  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75537, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0\270\1\0\0" )  ) == 0x0
 01715  1736   NtResumeThread  (488, ... 1, ) == 0x0
 01716  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56426496, 1048576, ) == 0x0
 01717  1736   NtAllocateVirtualMemory  (-1, 57466880, 0, 8192, 4096, 4, ... 57466880, 8192, ) == 0x0
 01718  1736   NtProtectVirtualMemory  (-1, (0x36ce000), 4096, 260, ... (0x36ce000), 4096, 4, ) == 0x0
 01713  1252   NtClose  ... ) == 0x0
 01719   440   NtTestAlert  (...
 01687  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "J.\14\230;\317\204\210vC\270-\34\251\357\215?\264\23f\237}"J\225\313\325;\243\16\22c\2\206\366\237N\273\263\333\273\3703\252\254I\306d\360\342\3\260;\366z\266F7\267\3342#\16\261\337\247\370\32~\241\260 \3449\346)[a\270p\373T(u\251\262\243G+\206*\356P\245-\2509\262\210\200\245\23\243\260\3013B\362)\304\203\326;\240\33\221\205\203\316u2\342p\237+\243\340\264\34\10\351\261Sk\234\256\227\20\214Lw\352\2\350\1]\323\307\5\210\366xpn\3355n\2159R\10\336\250\205\257\201~U\317\315\272\371\251\2153\267\271s\313\345\211\244-(\264\333\256NG\313\307\344\37\340V\245xB\17769\327\24750\244\347\1\277\210\20Wr\226j\2315*.\34\10\1777\210\2\375_N\204\222\27V\206D\27\231\274~\24\20"\301\373\203}\31\203\217\3037&Vl", ) J\225\313\325;\243\16\22c\2\206\366\237N\273\263\333\273\3703\252\254I\306d\360\342\3\260;\366z\266F7\267\3342#\16\261\337\247\370\32~\241\260 \3449\346)[a\270p\373T(u\251\262\243G+\206*\356P\245-\2509\262\210\200\245\23\243\260\3013B\362)\304\203\326;\240\33\221\205\203\316u2\342p\237+\243\340\264\34\10\351\261Sk\234\256\227\20\214Lw\352\2\350\1]\323\307\5\210\366xpn\3355n\2159R\10\336\250\205\257\201~U\317\315\272\371\251\2153\267\271s\313\345\211\244-(\264\333\256NG\313\307\344\37\340V\245xB\17769\327\24750\244\347\1\277\210\20Wr\226j\2315*.\34\10\1777\210\2\375_N\204\222\27V\206D\27\231\274~\24\20 ... {status=0x0, info=256}, "J.\14\230;\317\204\210vC\270-\34\251\357\215?\264\23f\237}"J\225\313\325;\243\16\22c\2\206\366\237N\273\263\333\273\3703\252\254I\306d\360\342\3\260;\366z\266F7\267\3342#\16\261\337\247\370\32~\241\260 \3449\346)[a\270p\373T(u\251\262\243G+\206*\356P\245-\2509\262\210\200\245\23\243\260\3013B\362)\304\203\326;\240\33\221\205\203\316u2\342p\237+\243\340\264\34\10\351\261Sk\234\256\227\20\214Lw\352\2\350\1]\323\307\5\210\366xpn\3355n\2159R\10\336\250\205\257\201~U\317\315\272\371\251\2153\267\271s\313\345\211\244-(\264\333\256NG\313\307\344\37\340V\245xB\17769\327\24750\244\347\1\277\210\20Wr\226j\2315*.\34\10\1777\210\2\375_N\204\222\27V\206D\27\231\274~\24\20"\301\373\203}\31\203\217\3037&Vl", ) , ) == 0x0
 01719   440   NtTestAlert  ... ) == 0x0
 01720  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/a\324\\25\235\25\37`\227\\25\235\25\37\273C\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01721   440   NtContinue  (56425776, 1, ...
 01722  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01723   440   NtRegisterThreadTerminatePort  (24, ...
 01722  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01723   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01724  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01725  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01726   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01725  1736   NtCreateThread  ... 492, {1636, 1296}, ) == 0x0
 01726   440   NtDuplicateObject  ... 496, ) == 0x0
 01727  1736   NtQueryInformationThread  (492, Basic, 28, ...
 01728   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01727  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=1296,}, 0x0, ) == 0x0
 01728   440   NtWaitForSingleObject  ... ) == 0x102
 01729  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\20\5\0\0" ...  ...
 01730   440   NtWaitForSingleObject  (132, 0, 0x0, ...
 01729  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75538, 0}  ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\20\5\0\0" )  ) == 0x0
 01724  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01731  1736   NtResumeThread  (492, ...
 01732  1252   NtQuerySystemInformation  (Performance, 312, ...
 01731  1736   NtResumeThread  ... 1, ) == 0x0
 01732  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01733  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01734  1252   NtQuerySystemInformation  (Exception, 16, ...
 01733  1736   NtAllocateVirtualMemory  ... 57475072, 1048576, ) == 0x0
 01734  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01735  1736   NtAllocateVirtualMemory  (-1, 58515456, 0, 8192, 4096, 4, ...
 01736  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01737  1296   NtTestAlert  (...
 01735  1736   NtAllocateVirtualMemory  ... 58515456, 8192, ) == 0x0
 01737  1296   NtTestAlert  ... ) == 0x0
 01738  1736   NtProtectVirtualMemory  (-1, (0x37ce000), 4096, 260, ...
 01739  1296   NtContinue  (57474352, 1, ...
 01738  1736   NtProtectVirtualMemory  ... (0x37ce000), 4096, 4, ) == 0x0
 01740  1296   NtRegisterThreadTerminatePort  (24, ...
 01741  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01740  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01741  1736   NtCreateThread  ... 500, {1636, 1620}, ) == 0x0
 01736  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01742  1736   NtQueryInformationThread  (500, Basic, 28, ...
 01743  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01744  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01743  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01744  1296   NtDuplicateObject  ... 504, ) == 0x0
 01745  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01746  1296   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01745  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01746  1296   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01747  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01748  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01742  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0
 01749  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0T\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75539, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0d\6\0\0T\6\0\0" )  ) == 0x0
 01750  1736   NtResumeThread  (500, ... 1, ) == 0x0
 01751  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58523648, 1048576, ) == 0x0
 01752  1736   NtAllocateVirtualMemory  (-1, 59564032, 0, 8192, 4096, 4, ... 59564032, 8192, ) == 0x0
 01753  1736   NtProtectVirtualMemory  (-1, (0x38ce000), 4096, 260, ... (0x38ce000), 4096, 4, ) == 0x0
 01747  1252   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01748  1296   NtWaitForSingleObject  ... ) == 0x102
 01754  1620   NtTestAlert  (...
 01755  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\370\333\242`\256\200\31\331\245\203J\340\361Df\247,#\200-A\300\3448\30\34\20\261\266\7N}\314O\223-\253w\1}\317a\363\21\202\325\254\275\214\32\242\264\3767\26J\23\4\354\364\261\2556N\267\3\302\265\320d\0\12\276\200d\2330\201\341`", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\370\333\242`\256\200\31\331\245\203J\340\361Df\247,#\200-A\300\3448\30\34\20\261\266\7N}\314O\223-\253w\1}\317a\363\21\202\325\254\275\214\32\242\264\3767\26J\23\4\354\364\261\2556N\267\3\302\265\320d\0\12\276\200d\2330\201\341`", 80, ... , 80, ...
 01756  1296   NtWaitForSingleObject  (132, 0, 0x0, ...
 01754  1620   NtTestAlert  ... ) == 0x0
 01755  1252   NtSetValueKey  ... ) == 0x0
 01757  1620   NtContinue  (58522928, 1, ...
 01758  1252   NtClose  (-2147482564, ...
 01759  1620   NtRegisterThreadTerminatePort  (24, ...
 01758  1252   NtClose  ... ) == 0x0
 01759  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01720  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "x\345\356T\255\365@s\332\34'uHJ\3\301\2\1RDcfK\205\13iS+\2764\260U(=&\213\3317\307\374\72O\370\261^\363;\2363P5\356\373v\7\335\247/|\33`4|\327\234\320\232\26\350ZX\311\312\331c\340q\36z\332\262\254(J\276\21\303\300t\203\214\323)!\357\12e9\213\261\350\25\300iD\314\212^\362\254k)A\210\275\27\234\303ys\12\324\31]\357\260\224\6`\364\323/b\335\217Y\314\257\256\362\336\21\200\31\20\36\302\276\245wB\361\370\245\241\347\303\25\327&\234d\7\373\226%\324\317\313\273\206[\177\7=&\321\347\363\351+\305\271b1l\345Ib\222\374\366M0&([\27\266\367z\365\356+\265\344\231\277\360\14\2157\7\246\5\372BO\215\230l\2149\335&,\371\360\235\351\243\247\257\236\326\326\222>\267kr\300\14\241C\3\371\17]\213\321\3433\233i", ) , ) == 0x0
 01760  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01761  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01760  1736   NtCreateThread  ... 508, {1636, 1588}, ) == 0x0
 01761  1620   NtDuplicateObject  ... 512, ) == 0x0
 01762  1736   NtQueryInformationThread  (508, Basic, 28, ...
 01763  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01762  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0
 01763  1620   NtWaitForSingleObject  ... ) == 0x102
 01764  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\04\6\0\0" ...  ...
 01765  1620   NtWaitForSingleObject  (132, 0, 0x0, ...
 01764  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75540, 0}  ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\04\6\0\0" )  ) == 0x0
 01766  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/a\324\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37\273C\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01767  1736   NtResumeThread  (508, ...
 01768  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01767  1736   NtResumeThread  ... 1, ) == 0x0
 01768  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01769  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01770  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01769  1736   NtAllocateVirtualMemory  ... 59572224, 1048576, ) == 0x0
 01770  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01771  1736   NtAllocateVirtualMemory  (-1, 60612608, 0, 8192, 4096, 4, ...
 01772  1252   NtQuerySystemInformation  (Performance, 312, ...
 01773  1588   NtTestAlert  (...
 01771  1736   NtAllocateVirtualMemory  ... 60612608, 8192, ) == 0x0
 01773  1588   NtTestAlert  ... ) == 0x0
 01774  1736   NtProtectVirtualMemory  (-1, (0x39ce000), 4096, 260, ...
 01775  1588   NtContinue  (59571504, 1, ...
 01774  1736   NtProtectVirtualMemory  ... (0x39ce000), 4096, 4, ) == 0x0
 01776  1588   NtRegisterThreadTerminatePort  (24, ...
 01777  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01776  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01777  1736   NtCreateThread  ... 516, {1636, 2044}, ) == 0x0
 01772  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01778  1736   NtQueryInformationThread  (516, Basic, 28, ...
 01779  1252   NtQuerySystemInformation  (Exception, 16, ...
 01780  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01779  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01780  1588   NtDuplicateObject  ... 520, ) == 0x0
 01781  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01782  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01781  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01782  1588   NtWaitForSingleObject  ... ) == 0x102
 01783  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01784  1588   NtWaitForSingleObject  (132, 0, 0x0, ...
 01778  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0
 01783  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01785  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\374\7\0\0" ...  ...
 01786  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01785  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75541, 0}  ... {28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\374\7\0\0" )  ) == 0x0
 01786  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01787  1736   NtResumeThread  (516, ...
 01788  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01787  1736   NtResumeThread  ... 1, ) == 0x0
 01788  1252   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01789  2044   NtTestAlert  (...
 01790  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "Q{X\303\241C\266b7\256\13\254$Ig\376\271\202\233\357\22\331F\235\243\24\224\3109\230A\250:\277\217\256\262\205\372\367\13F\315\327\332\31\302\214c\264\375py\30\256\317\241\3^\22\240%j\34\10|;b\12\252\236\273pFq\21\241\25\261\376", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "Q{X\303\241C\266b7\256\13\254$Ig\376\271\202\233\357\22\331F\235\243\24\224\3109\230A\250:\277\217\256\262\205\372\367\13F\315\327\332\31\302\214c\264\375py\30\256\317\241\3^\22\240%j\34\10|;b\12\252\236\273pFq\21\241\25\261\376", 80, ... , 80, ...
 01789  2044   NtTestAlert  ... ) == 0x0
 01791  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01792  2044   NtContinue  (60620080, 1, ...
 01791  1736   NtAllocateVirtualMemory  ... 60620800, 1048576, ) == 0x0
 01793  2044   NtRegisterThreadTerminatePort  (24, ...
 01794  1736   NtAllocateVirtualMemory  (-1, 61661184, 0, 8192, 4096, 4, ...
 01793  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01794  1736   NtAllocateVirtualMemory  ... 61661184, 8192, ) == 0x0
 01790  1252   NtSetValueKey  ... ) == 0x0
 01795  1736   NtProtectVirtualMemory  (-1, (0x3ace000), 4096, 260, ...
 01796  1252   NtClose  (-2147482564, ...
 01795  1736   NtProtectVirtualMemory  ... (0x3ace000), 4096, 4, ) == 0x0
 01796  1252   NtClose  ... ) == 0x0
 01797  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01766  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\351\253\213\354I\327\12\21\236|5\232\377\253P\7\323\365\37>\352\261\332L\314\204'\307\367Mw\315\254\37\362\330\3356\321\256\3000e\307\6\257\7yu\35``\207\215pe\347\317\203|\201\262YY\226\217\3\373Y\300?\0\321\305V|\357\321\14\311\20\2Q\351\216\274\36\204\372\37\317\330Kz_f\370\376d\257\262\214\343\241\376v\250\23u\351\377\272R\231\342K\233\3130\205*\340\223\212\273M\236\364\255\233\367\215\342]DGB\366\300\327\375\211\311\313\376\347A\203\3742ZJ\230\341~u$&F-\303\252\253D\21t\210\352\337\3501\6\205\y\2441\357>\213\241\276\225\213z)>\254\210\270\243\312\366>\347M\225|\243\262\314\24\331m\263Y\347\242\15\271*\226\210\240\23\332\232\204\233\361\232\210W\0\2429\320\305WQ\337/R^\335"$\231\274\254\313\35 \31\365\350\300[U\0LRR\236\12", ) $\231\274\254\313\35 \31\365\350\300[U\0LRR\236\12", ) == 0x0
 01797  2044   NtDuplicateObject  ... 524, ) == 0x0
 01798  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/a\324\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37\273C\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01799  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01800  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01799  2044   NtWaitForSingleObject  ... ) == 0x102
 01801  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01802  2044   NtWaitForSingleObject  (132, 0, 0x0, ...
 01801  1736   NtCreateThread  ... 528, {1636, 1308}, ) == 0x0
 01800  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01803  1736   NtQueryInformationThread  (528, Basic, 28, ...
 01804  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01803  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0
 01804  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01805  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\34\5\0\0" ...  ...
 01806  1252   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01807  1252   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01808  1252   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01809  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01810  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01805  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75542, 0}  ... {28, 56, reply, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\34\5\0\0" )  ) == 0x0
 01811  1736   NtResumeThread  (528, ... 1, ) == 0x0
 01812  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61669376, 1048576, ) == 0x0
 01813  1736   NtAllocateVirtualMemory  (-1, 62709760, 0, 8192, 4096, 4, ... 62709760, 8192, ) == 0x0
 01814  1736   NtProtectVirtualMemory  (-1, (0x3bce000), 4096, 260, ... (0x3bce000), 4096, 4, ) == 0x0
 01815  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1636, 1676}, ) == 0x0
 01816  1736   NtQueryInformationThread  (532, Basic, 28, ...
 01810  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01817  1308   NtTestAlert  (...
 01818  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01817  1308   NtTestAlert  ... ) == 0x0
 01818  1252   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01819  1308   NtContinue  (61668656, 1, ...
 01820  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\245\3031%\260\374\217\265\353\2.\200\272\227\346$\261\320\242\3268[\W\233\364\233\261/iUh\3350\202w\271@x\3301\353\16\201\346\335\236\276\3261\214\264\311\377\353\251\360_(\3\303\3666\254+\364\366c\357xC\303\2005\255D\210a!\236", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\245\3031%\260\374\217\265\353\2.\200\272\227\346$\261\320\242\3268[\W\233\364\233\261/iUh\3350\202w\271@x\3301\353\16\201\346\335\236\276\3261\214\264\311\377\353\251\360_(\3\303\3666\254+\364\366c\357xC\303\2005\255D\210a!\236", 80, ... , 80, ...
 01821  1308   NtRegisterThreadTerminatePort  (24, ...
 01820  1252   NtSetValueKey  ... ) == 0x0
 01821  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01822  1252   NtClose  (-2147482564, ...
 01816  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=1676,}, 0x0, ) == 0x0
 01823  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01824  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\214\6\0\0" ...  ...
 01823  1308   NtDuplicateObject  ... 536, ) == 0x0
 01824  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75543, 0}  ... {28, 56, reply, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\214\6\0\0" )  ) == 0x0
 01825  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01826  1736   NtResumeThread  (532, ...
 01825  1308   NtWaitForSingleObject  ... ) == 0x102
 01826  1736   NtResumeThread  ... 1, ) == 0x0
 01827  1308   NtWaitForSingleObject  (132, 0, 0x0, ...
 01822  1252   NtClose  ... ) == 0x0
 01828  1676   NtTestAlert  (...
 01829  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01798  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\264#m\240\205\241/.\331\3767-\247\234\321\357RGP\370za\3\360\21;\355\252|!\326M\260k\217~\35m\3334\30\201\250\203\251\301\331Y\263x\25\355\32\32X\211\16|\243\241\322\1\277\332,U\351\267i\260w\307\1\265\10\"\206\337\253\272\377Ip\224\272\273d\256+n\255\347\346N\372Y]\274\363X \221\15\231\260P\376W\4\270xB7E\27\212w\356\343Vh\13d4;#F\261\272B9PC\201\310\24\17<^\243\207\325h\323\301;\207\204\223\5I\17\225c\326s\12\353!\202\305*8\333%L\273=\34\317\357\313Y\4\222}\367\324f\366\372\302\30\30\327[=\204\277\252\360\15\23\275{H\312\277\23\25\366\231X\3773\361l\211\302\260\272\330\331\13\364\36\225$\2268\26ff\355\247\237\220\334\27i\333u1H\178_H\347\277\220\\227\227\274qc$p*\257\243\276\326\304", ) \206\337\253\272\377Ip\224\272\273d\256+n\255\347\346N\372Y]\274\363X \221\15\231\260P\376W\4\270xB7E\27\212w\356\343Vh\13d4;#F\261\272B9PC\201\310\24\17<^\243\207\325h\323\301;\207\204\223\5I\17\225c\326s\12\353!\202\305*8\333%L\273=\34\317\357\313Y\4\222}\367\324f\366\372\302\30\30\327[=\204\277\252\360\15\23\275{H\312\277\23\25\366\231X\3773\361l\211\302\260\272\330\331\13\364\36\225$\2268\26ff\355\247\237\220\334\27i\333u1H\178_H\347\277\220\\227\227\274qc$p*\257\243\276\326\304", ) == 0x0
 01828  1676   NtTestAlert  ... ) == 0x0
 01829  1736   NtAllocateVirtualMemory  ... 62717952, 1048576, ) == 0x0
 01830  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/a\324\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37\273C\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01831  1676   NtContinue  (62717232, 1, ...
 01832  1736   NtAllocateVirtualMemory  (-1, 63758336, 0, 8192, 4096, 4, ...
 01833  1252   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01834  1676   NtRegisterThreadTerminatePort  (24, ...
 01832  1736   NtAllocateVirtualMemory  ... 63758336, 8192, ) == 0x0
 01833  1252   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01834  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01835  1736   NtProtectVirtualMemory  (-1, (0x3cce000), 4096, 260, ...
 01836  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01835  1736   NtProtectVirtualMemory  ... (0x3cce000), 4096, 4, ) == 0x0
 01837  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01836  1252   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01837  1676   NtDuplicateObject  ... 540, ) == 0x0
 01838  1252   NtQuerySystemInformation  (Performance, 312, ...
 01839  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01838  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01839  1676   NtWaitForSingleObject  ... ) == 0x102
 01840  1252   NtQuerySystemInformation  (Exception, 16, ...
 01841  1676   NtWaitForSingleObject  (132, 0, 0x0, ...
 01840  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01842  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01843  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01842  1736   NtCreateThread  ... 544, {1636, 1376}, ) == 0x0
 01844  1736   NtQueryInformationThread  (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0
 01845  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75544, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" )  ) == 0x0
 01846  1736   NtResumeThread  (544, ... 1, ) == 0x0
 01847  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 63766528, 1048576, ) == 0x0
 01848  1736   NtAllocateVirtualMemory  (-1, 64806912, 0, 8192, 4096, 4, ...
 01843  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01849  1376   NtTestAlert  (...
 01850  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01849  1376   NtTestAlert  ... ) == 0x0
 01850  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01851  1376   NtContinue  (63765808, 1, ...
 01852  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01853  1376   NtRegisterThreadTerminatePort  (24, ...
 01852  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01853  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01854  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01848  1736   NtAllocateVirtualMemory  ... 64806912, 8192, ) == 0x0
 01855  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01856  1736   NtProtectVirtualMemory  (-1, (0x3dce000), 4096, 260, ...
 01855  1376   NtDuplicateObject  ... 548, ) == 0x0
 01856  1736   NtProtectVirtualMemory  ... (0x3dce000), 4096, 4, ) == 0x0
 01857  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01858  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01857  1376   NtWaitForSingleObject  ... ) == 0x102
 01858  1736   NtCreateThread  ... 552, {1636, 1436}, ) == 0x0
 01859  1376   NtWaitForSingleObject  (132, 0, 0x0, ...
 01860  1736   NtQueryInformationThread  (552, Basic, 28, ...
 01854  1252   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01861  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\3\360I%bM\354\231M\212\330s\375@)t\307\371v\322\270u\233\357o\263(;&\336L\217\355K\220\376\270\2347p\330\305sh\300\15\350\336\33\254\273y\2762\302\333?]\350\262=w\243\333\30AR\11\365\330\17S\15\3366\207\242\211\252+", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\3\360I%bM\354\231M\212\330s\375@)t\307\371v\322\270u\233\357o\263(;&\336L\217\355K\220\376\270\2347p\330\305sh\300\15\350\336\33\254\273y\2762\302\333?]\350\262=w\243\333\30AR\11\365\330\17S\15\3366\207\242\211\252+", 80, ... ) , 80, ... ) == 0x0
 01862  1252   NtClose  (-2147482564, ... ) == 0x0
 01830  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\335S\323\325;\317\275\366\2608mA\276&\371$b\230\351iY\1|"\232G\14\314\314\31\26Inj\306B\344\277\12=\332\3423$A\304\357\16\316\262G5iMIT/\244\363\177\343\273\202vn\235X\242\207]-\3621`s\204:\2629-\222\236\11\360\211l\243'c\253\354x\212\334\245\205\226\203$\302\6\260\2632\245\37!!\23\370\36\5\312\254\215>\14z\266\333\5\273QLi\34\217cs\37\203\251\237o\347)\316\330\263|.]\37\15\276\315\262\22\277*\225A*\365?\315\301tM\34r\336z\3464\375\340\376\6\27\15$\265_\17\16=]\314\360\1*\215\352\331\364&\14P\360\222\336\265uLT\334,\14\25\243\331d\216I|\355{q\27v\354\245\375b\255\327\10\301\275\221\304#\266\18@\354Y\316U\315\3407\21023t\243\241;\312m\22W\213\20290\216\2X`F", ) \232G\14\314\314\31\26Inj\306B\344\277\12=\332\3423$A\304\357\16\316\262G5iMIT/\244\363\177\343\273\202vn\235X\242\207]-\3621`s\204:\2629-\222\236\11\360\211l\243'c\253\354x\212\334\245\205\226\203$\302\6\260\2632\245\37!!\23\370\36\5\312\254\215>\14z\266\333\5\273QLi\34\217cs\37\203\251\237o\347)\316\330\263|.]\37\15\276\315\262\22\277*\225A*\365?\315\301tM\34r\336z\3464\375\340\376\6\27\15$\265_\17\16=]\314\360\1*\215\352\331\364&\14P\360\222\336\265uLT\334,\14\25\243\331d\216I|\355{q\27v\354\245\375b\255\327\10\301\275\221\304#\266\18@\354Y\316U\315\3407\21023t\243\241;\312m\22W\213\20290\216\2X`F", ) == 0x0
 01863  1252   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "\367\317\202t 1aM\341\274_G\224/a\324\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37`\227\\25\235\25\37\273C\274\340G\210^\344\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01864  1252   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01865  1252   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01866  1252   NtQuerySystemInformation  (Performance, 312, ...
 01860  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=1436,}, 0x0, ) == 0x0
 01867  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0\234\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75545, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0\234\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0\234\5\0\0" )  ) == 0x0
 01868  1736   NtResumeThread  (552, ... 1, ) == 0x0
 01869  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64815104, 1048576, ) == 0x0
 01870  1736   NtAllocateVirtualMemory  (-1, 65855488, 0, 8192, 4096, 4, ... 65855488, 8192, ) == 0x0
 01871  1736   NtProtectVirtualMemory  (-1, (0x3ece000), 4096, 260, ... (0x3ece000), 4096, 4, ) == 0x0
 01866  1252   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01872  1436   NtTestAlert  (...
 01873  1252   NtQuerySystemInformation  (Exception, 16, ...
 01872  1436   NtTestAlert  ... ) == 0x0
 01873  1252   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01874  1436   NtContinue  (64814384, 1, ...
 01875  1252   NtQuerySystemInformation  (Lookaside, 32, ...
 01876  1436   NtRegisterThreadTerminatePort  (24, ...
 01875  1252   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01876  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01877  1252   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01878  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01879  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01878  1736   NtCreateThread  ... 556, {1636, 724}, ) == 0x0
 01879  1436   NtDuplicateObject  ... 560, ) == 0x0
 01880  1736   NtQueryInformationThread  (556, Basic, 28, ...
 01881  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01880  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=724,}, 0x0, ) == 0x0
 01881  1436   NtWaitForSingleObject  ... ) == 0x102
 01882  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\324\2\0\0" ...  ...
 01883  1436   NtWaitForSingleObject  (132, 0, 0x0, ...
 01882  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75546, 0}  ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\324\2\0\0" )  ) == 0x0
 01877  1252   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01884  1736   NtResumeThread  (556, ...
 01885  1252   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01884  1736   NtResumeThread  ... 1, ) == 0x0
 01885  1252   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01886  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01887  1252   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01886  1736   NtAllocateVirtualMemory  ... 65863680, 1048576, ) == 0x0
 01887  1252   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01888  1736   NtAllocateVirtualMemory  (-1, 66904064, 0, 8192, 4096, 4, ...
 01889  1252   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\211|\224t9)mZ\356\15\2775\267\337\323\335\207\24r\323\272\215EA\201\213b\307\315=?\345\220\255\232(\323\341\230,)\6j{\363\223\205J\2F\276\372s\34\36\363\334\355\230b\6&\257\231\320\255_\216\251=\1\26\344\20\270\32]\24\357\223", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\211|\224t9)mZ\356\15\2775\267\337\323\335\207\24r\323\272\215EA\201\213b\307\315=?\345\220\255\232(\323\341\230,)\6j{\363\223\205J\2F\276\372s\34\36\363\334\355\230b\6&\257\231\320\255_\216\251=\1\26\344\20\270\32]\24\357\223", 80, ... , 80, ...
 01890   724   NtAllocateVirtualMemory  (-1, 8871936, 0, 4096, 4096, 4, ...
 01888  1736   NtAllocateVirtualMemory  ... 66904064, 8192, ) == 0x0
 01890   724   NtAllocateVirtualMemory  ... 8871936, 4096, ) == 0x0
 01891  1736   NtProtectVirtualMemory  (-1, (0x3fce000), 4096, 260, ...
 01892   724   NtTestAlert  (...
 01891  1736   NtProtectVirtualMemory  ... (0x3fce000), 4096, 4, ) == 0x0
 01892   724   NtTestAlert  ... ) == 0x0
 01893  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01894   724   NtContinue  (65862960, 1, ...
 01893  1736   NtCreateThread  ... 564, {1636, 1276}, ) == 0x0
 01889  1252   NtSetValueKey  ... ) == 0x0
 01895  1736   NtQueryInformationThread  (564, Basic, 28, ...
 01896  1252   NtClose  (-2147482564, ...
 01897   724   NtRegisterThreadTerminatePort  (24, ...
 01896  1252   NtClose  ... ) == 0x0
 01897   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 01863  1252   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "%\361\354\3\312\377\305\365\313A\367\240\230\213)\34\32\3579\11~\330b\336~\326y\12\262Ox\360\374\234[+\315q\3553\1\21L\3\377\354\21'U+\17R\316\314c#\247gR\202\255\370Pr\307\345\254\305\33n6\302\32*jf-;\5\10\354\333\323\326<\253\305\9\253\307\336A\211\361\260\267\2228\330`\20\211C)y\256\350\\301q\364\337>tZ\240't\37,\233-\366\351\352J@\325\212\34\323G\355\3\347J\205\360(\336\226\366P(\217\356\355c\203\5\275\354\214P\244\240@\247\200F\254a\265\277\373B)%\35\242\200\324\371\262\365\3\343@\342\14t\31\356\352\334r\372$)>\374\251\254\331\216Y3\257\27\225\210\204j\5\231X;\247\334%\300\254\260\306\212\13[\277\213\332\\253m,\353`J\261\267\330\233\263\240r\300\256\23W\265^\212\244(\275\213\12\315\363\317\240^\264EN\266", ) , ) == 0x0
 01898   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01899  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01898   724   NtDuplicateObject  ... 568, ) == 0x0
 01899  1252   NtCreateEvent  ... 572, ) == 0x0
 01900   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01895  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1276,}, 0x0, ) == 0x0
 01901  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75547, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\374\4\0\0" )  ) == 0x0
 01902  1736   NtResumeThread  (564, ... 1, ) == 0x0
 01903  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66912256, 1048576, ) == 0x0
 01904  1736   NtAllocateVirtualMemory  (-1, 67952640, 0, 8192, 4096, 4, ... 67952640, 8192, ) == 0x0
 01905  1736   NtProtectVirtualMemory  (-1, (0x40ce000), 4096, 260, ... (0x40ce000), 4096, 4, ) == 0x0
 01906  1252   NtSetEventBoostPriority  (472, ...
 01900   724   NtWaitForSingleObject  ... ) == 0x102
 01907  1276   NtTestAlert  (...
 01685  1356   NtWaitForSingleObject  ... ) == 0x0
 01906  1252   NtSetEventBoostPriority  ... ) == 0x0
 01908   724   NtWaitForSingleObject  (132, 0, 0x0, ...
 01909  1356   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 01907  1276   NtTestAlert  ... ) == 0x0
 01910  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01909  1356   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 01911  1276   NtContinue  (66911536, 1, ...
 01912  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01913  1276   NtRegisterThreadTerminatePort  (24, ...
 01912  1736   NtCreateThread  ... 576, {1636, 1368}, ) == 0x0
 01913  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 01914  1736   NtQueryInformationThread  (576, Basic, 28, ...
 01915  1356   NtSetEventBoostPriority  (288, ...
 01914  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0
 01910  1252   NtWaitForSingleObject  ... ) == 0x0
 01915  1356   NtSetEventBoostPriority  ... ) == 0x0
 01916  1252   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16575852, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16575852, 188, ...
 01917  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0X\5\0\0" ...  ...
 01918  1356   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 01919  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 580, ) == 0x0
 01920  1356   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ...
 01921  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 584, ) == 0x0
 01922  1276   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01923  1276   NtWaitForSingleObject  (132, 0, 0x0, ...
 01917  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75549, 0}  ... {28, 56, reply, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0X\5\0\0" )  ) == 0x0
 01916  1252   NtConnectPort  ... 588, 0x0, 0x0, 0x0, 188, ) == 0x0
 01924  1736   NtResumeThread  (576, ...
 01925  1252   NtRequestWaitReplyPort  (588, {200, 224, new_msg, 0, 1383568, 12, 2, 1310721}  (588, {200, 224, new_msg, 0, 1383568, 12, 2, 1310721} "\0\3\24\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\376=kl\214\327\317\27\220@\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\300=\25\0\311\363\257\376\300\3\24\0\210@\25\0h\1\24\0\0\0\0\0\0\0\0\0\210@\25\0P\0\0\0\220@\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\374\0\372\31\221|\200\363\374\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01924  1736   NtResumeThread  ... 1, ) == 0x0
 01926  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67960832, 1048576, ) == 0x0
 01927  1736   NtAllocateVirtualMemory  (-1, 69001216, 0, 8192, 4096, 4, ... 69001216, 8192, ) == 0x0
 01928  1736   NtProtectVirtualMemory  (-1, (0x41ce000), 4096, 260, ... (0x41ce000), 4096, 4, ) == 0x0
 01929  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1636, 704}, ) == 0x0
 01930  1736   NtQueryInformationThread  (592, Basic, 28, ...
 01920  1356   NtConnectPort  ... 596, 0x0, 0x0, 0x0, 188, ) == 0x0
 01931  1368   NtTestAlert  (...
 01925  1252   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1252, 75551, 0}  ... {200, 224, reply, 0, 1636, 1252, 75551, 0} "\7\3\24\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\376=kl\214\327\317\27\220@\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\300=\25\0\311\363\257\376\300\3\24\0\210@\25\0h\1\24\0\0\0\0\0\0\0\0\0\210@\25\0P\0\0\0\220@\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\374\0\372\31\221|\200\363\374\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01932  1356   NtRequestWaitReplyPort  (596, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2}  (596, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\224\241*|\245{\212A\220T\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0hT\25\0\246E\177\355x\1\24\0\210T\25\0h\1\24\0\0\0\0\0\0\0\0\0\210T\25\0P\0\0\0\220T\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 01931  1368   NtTestAlert  ... ) == 0x0
 01933  1252   NtRequestWaitReplyPort  (588, {44, 68, new_msg, 0, 1636, 1252, 75528, 0}  (588, {44, 68, new_msg, 0, 1636, 1252, 75528, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 01934  1368   NtContinue  (67960112, 1, ...
 01932  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75552, 0}  ... {200, 224, reply, 0, 1636, 1356, 75552, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\224\241*|\245{\212A\220T\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0hT\25\0\246E\177\355x\1\24\0\210T\25\0h\1\24\0\0\0\0\0\0\0\0\0\210T\25\0P\0\0\0\220T\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 01935  1368   NtRegisterThreadTerminatePort  (24, ...
 01930  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=704,}, 0x0, ) == 0x0
 01935  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 01936  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\300\2\0\0" ...  ...
 01937  1356   NtRequestWaitReplyPort  (596, {44, 68, new_msg, 56, 0, 0, 0, 0}  (596, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\240Y\25\0\322\0\0\0" ...  ...
 01933  1252   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1252, 75553, 0}  ... {40, 64, reply, 0, 1636, 1252, 75553, 0} "\2\332\243\201\4\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\320\1\0\0X-\12\0" )  ) == 0x0
 01936  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75554, 0}  ... {28, 56, reply, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\300\2\0\0" )  ) == 0x0
 01938  1252   NtRequestWaitReplyPort  (588, {64, 88, new_msg, 56, 1371120, 16576364, 16576464, 0}  (588, {64, 88, new_msg, 56, 1371120, 16576364, 16576464, 0} "\10\357\374\0@\0\24\0\346\277\347w\320\357\374\0l\357\374\0\20\0\0\0\250.\362vd\354\24\0\1\0\0\0\230Z\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\340\314\24\0" ...  ...
 01939  1736   NtResumeThread  (592, ...
 01937  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75555, 0}  ... {40, 64, reply, 0, 1636, 1356, 75555, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 01939  1736   NtResumeThread  ... 1, ) == 0x0
 01940  1356   NtRequestWaitReplyPort  (596, {64, 88, new_msg, 56, 1310720, 11071988, 1399192, 0}  (596, {64, 88, new_msg, 56, 1310720, 11071988, 1399192, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0p\\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01938  1252   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1252, 75556, 0}  ... {64, 88, reply, 56, 1636, 1252, 75556, 0} "\10\357\374\0@\0\24\0\346\277\347w\320\357\374\0l\357\374\0\20\0\0\0\250.\362vd\354\24\0\1\0\0\0\230Z\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\340\314\24\0" )  ) == 0x0
 01941  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01942   704   NtTestAlert  (...
 01943  1252   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 01941  1368   NtDuplicateObject  ... 600, ) == 0x0
 01940  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75557, 0}  ... {64, 88, reply, 56, 1636, 1356, 75557, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0p\\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01942   704   NtTestAlert  ... ) == 0x0
 01943  1252   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 01944  1368   NtWaitForSingleObject  (288, 0, 0x0, ...
 01945  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01946   704   NtContinue  (69008688, 1, ...
 01947  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01945  1736   NtAllocateVirtualMemory  ... 69009408, 1048576, ) == 0x0
 01948   704   NtRegisterThreadTerminatePort  (24, ...
 01949  1736   NtAllocateVirtualMemory  (-1, 70049792, 0, 8192, 4096, 4, ...
 01948   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 01949  1736   NtAllocateVirtualMemory  ... 70049792, 8192, ) == 0x0
 01950  1252   NtSetEventBoostPriority  (288, ...
 01951  1736   NtProtectVirtualMemory  (-1, (0x42ce000), 4096, 260, ...
 01944  1368   NtWaitForSingleObject  ... ) == 0x0
 01950  1252   NtSetEventBoostPriority  ... ) == 0x0
 01952  1368   NtSetEventBoostPriority  (288, ...
 01951  1736   NtProtectVirtualMemory  ... (0x42ce000), 4096, 4, ) == 0x0
 01947  1356   NtWaitForSingleObject  ... ) == 0x0
 01952  1368   NtSetEventBoostPriority  ... ) == 0x0
 01953  1252   NtClose  (572, ...
 01954   704   NtWaitForSingleObject  (288, 0, 0x0, ...
 01955  1356   NtSetEventBoostPriority  (288, ...
 01956  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01953  1252   NtClose  ... ) == 0x0
 01955  1356   NtSetEventBoostPriority  ... ) == 0x0
 01954   704   NtWaitForSingleObject  ... ) == 0x0
 01956  1736   NtCreateThread  ... 572, {1636, 1568}, ) == 0x0
 01957  1356   NtWaitForSingleObject  (288, 0, 0x0, ...
 01958  1252   NtClose  (588, ...
 01959   704   NtSetEventBoostPriority  (288, ...
 01960  1736   NtQueryInformationThread  (572, Basic, 28, ...
 01961  1368   NtWaitForSingleObject  (288, 0, 0x0, ...
 01958  1252   NtClose  ... ) == 0x0
 01959   704   NtSetEventBoostPriority  ... ) == 0x0
 01960  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0
 01961  1368   NtWaitForSingleObject  ... ) == 0x0
 01962   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01963  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0 \6\0\0" ...  ...
 01964  1368   NtSetEventBoostPriority  (288, ...
 01965  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01957  1356   NtWaitForSingleObject  ... ) == 0x0
 01964  1368   NtSetEventBoostPriority  ... ) == 0x0
 01966  1356   NtSetEventBoostPriority  (288, ...
 01965  1252   NtWaitForSingleObject  ... ) == 0x0
 01967  1252   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 588, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 588, 2, ) , 0, ... 588, 2, ) == 0x0
 01968  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01969  1368   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01966  1356   NtSetEventBoostPriority  ... ) == 0x0
 01962   704   NtDuplicateObject  ... 604, ) == 0x0
 01963  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75559, 0}  ... {28, 56, reply, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0d\6\0\0 \6\0\0" )  ) == 0x0
 01968  1252   NtOpenKey  ... 608, ) == 0x0
 01970  1356   NtRequestWaitReplyPort  (596, {44, 68, new_msg, 56, 1636, 1356, 75555, 0}  (596, {44, 68, new_msg, 56, 1636, 1356, 75555, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\240Y\25\0\322\0\0\0" ...  ...
 01971   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01972  1736   NtResumeThread  (572, ...
 01973  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01971   704   NtWaitForSingleObject  ... ) == 0x102
 01972  1736   NtResumeThread  ... 1, ) == 0x0
 01973  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974   704   NtWaitForSingleObject  (132, 0, 0x0, ...
 01975  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01976  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 01975  1736   NtAllocateVirtualMemory  ... 70057984, 1048576, ) == 0x0
 01976  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977  1736   NtAllocateVirtualMemory  (-1, 71098368, 0, 8192, 4096, 4, ...
 01978  1252   NtQueryValueKey  (588,  (588, "Domain", Partial, 144, ... , Partial, 144, ...
 01969  1368   NtWaitForSingleObject  ... ) == 0x102
 01970  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75560, 0}  ... {40, 64, reply, 0, 1636, 1356, 75560, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" )  ) == 0x0
 01979  1568   NtTestAlert  (...
 01977  1736   NtAllocateVirtualMemory  ... 71098368, 8192, ) == 0x0
 01980  1368   NtWaitForSingleObject  (132, 0, 0x0, ...
 01981  1356   NtRequestWaitReplyPort  (596, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (596, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0Pm\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01979  1568   NtTestAlert  ... ) == 0x0
 01982  1736   NtProtectVirtualMemory  (-1, (0x43ce000), 4096, 260, ...
 01983  1568   NtContinue  (70057264, 1, ...
 01982  1736   NtProtectVirtualMemory  ... (0x43ce000), 4096, 4, ) == 0x0
 01981  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75561, 0}  ... {64, 88, reply, 56, 1636, 1356, 75561, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0Pm\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01984  1568   NtRegisterThreadTerminatePort  (24, ...
 01985  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01986  1356   NtRequestWaitReplyPort  (596, {44, 68, new_msg, 56, 1636, 1356, 75560, 0}  (596, {44, 68, new_msg, 56, 1636, 1356, 75560, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\240Y\25\0\322\0\0\0" ...  ...
 01984  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 01985  1736   NtCreateThread  ... 612, {1636, 1104}, ) == 0x0
 01978  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01987  1736   NtQueryInformationThread  (612, Basic, 28, ...
 01988  1252   NtQueryValueKey  (588,  (588, "Domain", Partial, 144, ... , Partial, 144, ...
 01989  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01986  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75562, 0}  ... {40, 64, reply, 0, 1636, 1356, 75562, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 01988  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01989  1568   NtDuplicateObject  ... 616, ) == 0x0
 01990  1356   NtRequestWaitReplyPort  (596, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (596, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\30J\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01991  1252   NtClose  (588, ...
 01992  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01991  1252   NtClose  ... ) == 0x0
 01992  1568   NtWaitForSingleObject  ... ) == 0x102
 01990  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75563, 0}  ... {64, 88, reply, 56, 1636, 1356, 75563, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\30J\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01993  1252   NtClose  (608, ...
 01994  1568   NtWaitForSingleObject  (132, 0, 0x0, ...
 01995  1356   NtClose  (580, ...
 01987  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0
 01993  1252   NtClose  ... ) == 0x0
 01995  1356   NtClose  ... ) == 0x0
 01996  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0P\4\0\0" ...  ...
 01997  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 01996  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75564, 0}  ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0P\4\0\0" )  ) == 0x0
 01997  1252   NtOpenKey  ... 580, ) == 0x0
 01998  1736   NtResumeThread  (612, ...
 01999  1252   NtQueryValueKey  (580,  (580, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 01998  1736   NtResumeThread  ... 1, ) == 0x0
 01999  1252   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000  1356   NtClose  (596, ...
 02001  1104   NtTestAlert  (...
 02002  1252   NtClose  (580, ...
 02000  1356   NtClose  ... ) == 0x0
 02001  1104   NtTestAlert  ... ) == 0x0
 02003  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02004  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02005  1104   NtContinue  (71105840, 1, ...
 02003  1736   NtAllocateVirtualMemory  ... 71106560, 1048576, ) == 0x0
 02004  1356   NtCreateEvent  ... 596, ) == 0x0
 02006  1104   NtRegisterThreadTerminatePort  (24, ...
 02007  1736   NtAllocateVirtualMemory  (-1, 72146944, 0, 8192, 4096, 4, ...
 02008  1356   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 02006  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02007  1736   NtAllocateVirtualMemory  ... 72146944, 8192, ) == 0x0
 02008  1356   NtOpenKey  ... 608, ) == 0x0
 02002  1252   NtClose  ... ) == 0x0
 02009  1736   NtProtectVirtualMemory  (-1, (0x44ce000), 4096, 260, ...
 02010  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02011  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 16575440, ... }, 16575440, ...
 02009  1736   NtProtectVirtualMemory  ... (0x44ce000), 4096, 4, ) == 0x0
 02010  1104   NtDuplicateObject  ... 580, ) == 0x0
 02011  1252   NtQueryAttributesFile  ... ) == 0x0
 02012  1356   NtOpenKey  (0x20019, {24, 608, 0x40, 0, 0,  (0x20019, {24, 608, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 02013  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02014  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02012  1356   NtOpenKey  ... 588, ) == 0x0
 02013  1104   NtWaitForSingleObject  ... ) == 0x102
 02014  1252   NtOpenFile  ... 620, {status=0x0, info=1}, ) == 0x0
 02015  1356   NtQueryValueKey  (588,  (588, "ComputerName", Full, 108, ... , Full, 108, ...
 02016  1104   NtWaitForSingleObject  (132, 0, 0x0, ...
 02017  1252   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 620, ...
 02015  1356   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02018  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02019  1356   NtClose  (588, ...
 02018  1736   NtCreateThread  ... 624, {1636, 784}, ) == 0x0
 02019  1356   NtClose  ... ) == 0x0
 02020  1736   NtQueryInformationThread  (624, Basic, 28, ...
 02017  1252   NtCreateSection  ... 588, ) == 0x0
 02020  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=784,}, 0x0, ) == 0x0
 02021  1252   NtClose  (620, ...
 02022  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\20\3\0\0" ...  ...
 02021  1252   NtClose  ... ) == 0x0
 02023  1252   NtMapViewOfSection  (588, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 20480, ) == 0x0
 02024  1252   NtClose  (588, ... ) == 0x0
 02025  1356   NtClose  (608, ... ) == 0x0
 02026  1356   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 608, ) == 0x0
 02027  1356   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 588, ) == 0x0
 02022  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75566, 0}  ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\20\3\0\0" )  ) == 0x0
 02028  1252   NtUnmapViewOfSection  (-1, 0x860000, ...
 02029  1736   NtResumeThread  (624, ...
 02028  1252   NtUnmapViewOfSection  ... ) == 0x0
 02029  1736   NtResumeThread  ... 1, ) == 0x0
 02030  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 16575748, ... }, 16575748, ...
 02031  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02032  1356   NtDuplicateObject  (-1, 608, -1, 0x0, 0, 2, ...
 02033   784   NtWaitForSingleObject  (88, 0, 0x0, ...
 02031  1736   NtAllocateVirtualMemory  ... 72155136, 1048576, ) == 0x0
 02032  1356   NtDuplicateObject  ... 620, ) == 0x0
 02034  1736   NtAllocateVirtualMemory  (-1, 73195520, 0, 8192, 4096, 4, ...
 02035  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 02030  1252   NtQueryAttributesFile  ... ) == 0x0
 02035  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02036  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02037  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02036  1252   NtOpenFile  ... 628, {status=0x0, info=1}, ) == 0x0
 02037  1356   NtCreateEvent  ... 632, ) == 0x0
 02038  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 628, ...
 02034  1736   NtAllocateVirtualMemory  ... 73195520, 8192, ) == 0x0
 02038  1252   NtCreateSection  ... 636, ) == 0x0
 02039  1736   NtProtectVirtualMemory  (-1, (0x45ce000), 4096, 260, ...
 02040  1252   NtQuerySection  (636, Image, 48, ...
 02039  1736   NtProtectVirtualMemory  ... (0x45ce000), 4096, 4, ) == 0x0
 02041  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 02042  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02041  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02043  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02044  1356   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11071680,  (0xc0100080, {24, 0, 0x40, 0, 11071680, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 640, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 640, {status=0x0, info=1}, ) == 0x0
 02045  1356   NtSetInformationFile  (640, 11071736, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02046  1356   NtSetInformationFile  (640, 11071724, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02047  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02042  1736   NtCreateThread  ... 644, {1636, 1792}, ) == 0x0
 02040  1252   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02048  1736   NtQueryInformationThread  (644, Basic, 28, ...
 02049  1252   NtClose  (628, ...
 02048  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=1792,}, 0x0, ) == 0x0
 02049  1252   NtClose  ... ) == 0x0
 02050  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\0\7\0\0" ...  ...
 02051  1252   NtMapViewOfSection  (636, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02050  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75567, 0}  ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0d\6\0\0\0\7\0\0" )  ) == 0x0
 02051  1252   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02052  1356   NtWriteFile  (640, 225, 0, 0,  (640, 225, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02053  1252   NtClose  (636, ...
 02052  1356   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02054  1736   NtResumeThread  (644, ...
 02055  1356   NtReadFile  (640, 225, 0, 0, 1024, {0, 0}, 0, ...
 02054  1736   NtResumeThread  ... 1, ) == 0x0
 02055  1356   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02056  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02057  1356   NtFsControlFile  (640, 225, 0x0, 0x0, 0x11c017,  (640, 225, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02056  1736   NtAllocateVirtualMemory  ... 73203712, 1048576, ) == 0x0
 02057  1356   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02058  1736   NtAllocateVirtualMemory  (-1, 74244096, 0, 8192, 4096, 4, ...
 02053  1252   NtClose  ... ) == 0x0
 02059  1792   NtWaitForSingleObject  (88, 0, 0x0, ...
 02058  1736   NtAllocateVirtualMemory  ... 74244096, 8192, ) == 0x0
 02060  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02061  1356   NtFsControlFile  (640, 225, 0x0, 0x0, 0x11c017,  (640, 225, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0PM\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02060  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02061  1356   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 02062  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02063  1356   NtFsControlFile  (640, 225, 0x0, 0x0, 0x11c017,  (640, 225, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... , 44, 1024, ...
 02064  1736   NtProtectVirtualMemory  (-1, (0x46ce000), 4096, 260, ...
 02063  1356   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\210a\25\0\1\0\0\0\224a\25\0 \0\0\0\1\0\0\0\30\0\32\0\240a\25\0\274a\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0Hl\25\0\1\0\0\0\5\0\15\0Xl\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02064  1736   NtProtectVirtualMemory  ... (0x46ce000), 4096, 4, ) == 0x0
 02065  1356   NtClose  (632, ...
 02066  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02065  1356   NtClose  ... ) == 0x0
 02066  1736   NtCreateThread  ... 632, {1636, 192}, ) == 0x0
 02062  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02067  1736   NtQueryInformationThread  (632, Basic, 28, ...
 02068  1252   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02067  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=192,}, 0x0, ) == 0x0
 02068  1252   NtFlushInstructionCache  ... ) == 0x0
 02069  1356   NtClose  (640, ...
 02070  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02069  1356   NtClose  ... ) == 0x0
 02070  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02071  1356   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1383568, 0x0, 11073604, 188, ... , {12, 2, 1, 1}, 0x0, 1383568, 0x0, 11073604, 188, ...
 02072  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02071  1356   NtSecureConnectPort  ... 640, 0x0, 0x0, 0x0, 188, ) == 0x0
 02073  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\300\0\0\0" ...  ...
 02074  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 02073  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75569, 0}  ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0d\6\0\0\300\0\0\0" )  ) == 0x0
 02072  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02075  1736   NtResumeThread  (632, ...
 02076  1252   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02075  1736   NtResumeThread  ... 1, ) == 0x0
 02076  1252   NtFlushInstructionCache  ... ) == 0x0
 02077  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02078  1252   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 02074  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02079   192   NtWaitForSingleObject  (88, 0, 0x0, ...
 02078  1252   NtOpenSection  ... 636, ) == 0x0
 02080  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02081  1252   NtMapViewOfSection  (636, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02080  1356   NtSetInformationThread  ... ) == 0x0
 02077  1736   NtAllocateVirtualMemory  ... 74252288, 1048576, ) == 0x0
 02082  1356   NtRequestWaitReplyPort  (640, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977}  (640, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\214{\262{~\12[\206\374=\343C\270f\210\301\12\0\0\0F\366\6\31\203`R&\0\0\0\0hA\25\0y\16Y\12`\260\13\266(\0\0\0W\232\0\232\0\0\24\0\240\366\250\0\207\345P\373\0\0\0\0\220T\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02083  1736   NtAllocateVirtualMemory  (-1, 75292672, 0, 8192, 4096, 4, ... 75292672, 8192, ) == 0x0
 02084  1736   NtProtectVirtualMemory  (-1, (0x47ce000), 4096, 260, ... (0x47ce000), 4096, 4, ) == 0x0
 02085  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02082  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75570, 0}  ... {200, 224, reply, 0, 1636, 1356, 75570, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\214{\262{~\12[\206\374=\343C\270f\210\301\12\0\0\0F\366\6\31\203`R&\0\0\0\0hA\25\0y\16Y\12`\260\13\266(\0\0\0W\232\0\232\0\0\24\0\240\366\250\0\207\345P\373\0\0\0\0\220T\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02081  1252   NtMapViewOfSection  ... (0x76f60000), 0x0, 180224, ) == 0x0
 02085  1736   NtCreateThread  ... 628, {1636, 1484}, ) == 0x0
 02086  1252   NtClose  (636, ...
 02087  1736   NtQueryInformationThread  (628, Basic, 28, ...
 02086  1252   NtClose  ... ) == 0x0
 02087  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=1484,}, 0x0, ) == 0x0
 02088  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02089  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\314\5\0\0" ...  ...
 02088  1252   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02089  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75571, 0}  ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\314\5\0\0" )  ) == 0x0
 02090  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02091  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02092  1736   NtResumeThread  (628, ...
 02091  1356   NtSetInformationThread  ... ) == 0x0
 02092  1736   NtResumeThread  ... 1, ) == 0x0
 02093  1356   NtRequestWaitReplyPort  (640, {56, 80, new_msg, 0, 44, 3, 20, 0}  (640, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0\244\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02094  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75300864, 1048576, ) == 0x0
 02095  1736   NtAllocateVirtualMemory  (-1, 76341248, 0, 8192, 4096, 4, ... 76341248, 8192, ) == 0x0
 02090  1252   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02096  1484   NtWaitForSingleObject  (88, 0, 0x0, ...
 02097  1252   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02098  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02099  1252   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02100  1252   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02101  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02102  1252   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02103  1736   NtProtectVirtualMemory  (-1, (0x48ce000), 4096, 260, ... (0x48ce000), 4096, 4, ) == 0x0
 02104  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1636, 1120}, ) == 0x0
 02105  1736   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=1120,}, 0x0, ) == 0x0
 02106  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0`\4\0\0" )  ) == 0x0
 02107  1736   NtResumeThread  (636, ... 1, ) == 0x0
 02108  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02102  1252   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02093  1356   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1636, 1356, 75572, 0}  ... {44, 68, reply, 0, 1636, 1356, 75572, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02109  1120   NtWaitForSingleObject  (88, 0, 0x0, ...
 02110  1252   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02111  1356   NtRaiseException  (11074064, 11073324, 1, ...
 02110  1252   NtFlushInstructionCache  ... ) == 0x0
 02108  1736   NtAllocateVirtualMemory  ... 76349440, 1048576, ) == 0x0
 02112  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ...
 02113  1736   NtAllocateVirtualMemory  (-1, 77389824, 0, 8192, 4096, 4, ...
 02112  1252   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02113  1736   NtAllocateVirtualMemory  ... 77389824, 8192, ) == 0x0
 02114  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02115  1736   NtProtectVirtualMemory  (-1, (0x49ce000), 4096, 260, ...
 02116  1356   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02115  1736   NtProtectVirtualMemory  ... (0x49ce000), 4096, 4, ) == 0x0
 02116  1356   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02117  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02118  1356   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02114  1252   NtCreateEvent  ... 648, ) == 0x0
 02118  1356   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02119  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ...
 02120  1356   NtContinue  (11072292, 0, ...
 02119  1252   NtOpenKey  ... 652, ) == 0x0
 02121  1252   NtQueryValueKey  (652,  (652, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (652, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02122  1252   NtClose  (652, ... ) == 0x0
 02123  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124  1252   NtQueryPerformanceCounter  (...
 02117  1736   NtCreateThread  ... 652, {1636, 520}, ) == 0x0
 02125  1736   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=520,}, 0x0, ) == 0x0
 02126  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0d\6\0\0\10\2\0\0" )  ) == 0x0
 02127  1736   NtResumeThread  (652, ... 1, ) == 0x0
 02128  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77398016, 1048576, ) == 0x0
 02129  1736   NtAllocateVirtualMemory  (-1, 78438400, 0, 8192, 4096, 4, ... 78438400, 8192, ) == 0x0
 02124  1252   NtQueryPerformanceCounter  ... {1108536210, 16}, {3579545, 0}, ) == 0x0
 02130   520   NtWaitForSingleObject  (88, 0, 0x0, ...
 02131  1356   NtDeviceIoControlFile  (420, 116, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02132  1252   NtSetEventBoostPriority  (88, ...
 02131  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02033   784   NtWaitForSingleObject  ... ) == 0x0
 02132  1252   NtSetEventBoostPriority  ... ) == 0x0
 02133   784   NtSetEventBoostPriority  (88, ...
 02134  1356   NtWaitForSingleObject  (116, 1, {-5000000, -1}, ...
 02059  1792   NtWaitForSingleObject  ... ) == 0x0
 02133   784   NtSetEventBoostPriority  ... ) == 0x0
 02135  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 02136  1736   NtProtectVirtualMemory  (-1, (0x4ace000), 4096, 260, ...
 02137  1792   NtSetEventBoostPriority  (88, ...
 02079   192   NtWaitForSingleObject  ... ) == 0x0
 02138   192   NtSetEventBoostPriority  (88, ...
 02096  1484   NtWaitForSingleObject  ... ) == 0x0
 02139  1484   NtSetEventBoostPriority  (88, ...
 02109  1120   NtWaitForSingleObject  ... ) == 0x0
 02140  1120   NtSetEventBoostPriority  (88, ...
 02130   520   NtWaitForSingleObject  ... ) == 0x0
 02141   520   NtSetEventBoostPriority  (88, ...
 02135  1252   NtWaitForSingleObject  ... ) == 0x0
 02142  1252   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 02141   520   NtSetEventBoostPriority  ... ) == 0x0
 02140  1120   NtSetEventBoostPriority  ... ) == 0x0
 02139  1484   NtSetEventBoostPriority  ... ) == 0x0
 02138   192   NtSetEventBoostPriority  ... ) == 0x0
 02137  1792   NtSetEventBoostPriority  ... ) == 0x0
 02136  1736   NtProtectVirtualMemory  ... (0x4ace000), 4096, 4, ) == 0x0
 02143   784   NtTestAlert  (...
 02144  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 16575440, ... }, 16575440, ...
 02145   520   NtTestAlert  (...
 02146  1120   NtTestAlert  (...
 02147  1484   NtTestAlert  (...
 02148   192   NtTestAlert  (...
 02149  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02143   784   NtTestAlert  ... ) == 0x0
 02144  1252   NtQueryAttributesFile  ... ) == 0x0
 02145   520   NtTestAlert  ... ) == 0x0
 02146  1120   NtTestAlert  ... ) == 0x0
 02147  1484   NtTestAlert  ... ) == 0x0
 02148   192   NtTestAlert  ... ) == 0x0
 02149  1736   NtCreateThread  ... 656, {1636, 1612}, ) == 0x0
 02150   784   NtContinue  (72154416, 1, ...
 02151  1252   NtQuerySystemInformation  (Basic, 44, ...
 02152   520   NtContinue  (77397296, 1, ...
 02153  1120   NtContinue  (76348720, 1, ...
 02154  1484   NtContinue  (75300144, 1, ...
 02155   192   NtContinue  (74251568, 1, ...
 02156  1736   NtQueryInformationThread  (656, Basic, 28, ...
 02157   784   NtRegisterThreadTerminatePort  (24, ...
 02151  1252   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02158   520   NtRegisterThreadTerminatePort  (24, ...
 02159  1120   NtRegisterThreadTerminatePort  (24, ...
 02160  1484   NtRegisterThreadTerminatePort  (24, ...
 02161   192   NtRegisterThreadTerminatePort  (24, ...
 02156  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0
 02157   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 02162  1252   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02158   520   NtRegisterThreadTerminatePort  ... ) == 0x0
 02159  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02160  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02161   192   NtRegisterThreadTerminatePort  ... ) == 0x0
 02163  1792   NtTestAlert  (...
 02164   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02162  1252   NtAllocateVirtualMemory  ... 8781824, 65536, ) == 0x0
 02165   520   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02166  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02167  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02168   192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02163  1792   NtTestAlert  ... ) == 0x0
 02169  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0L\6\0\0" ...  ...
 02164   784   NtDuplicateObject  ... 660, ) == 0x0
 02170  1252   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ...
 02165   520   NtDuplicateObject  ... 664, ) == 0x0
 02166  1120   NtDuplicateObject  ... 668, ) == 0x0
 02167  1484   NtDuplicateObject  ... 672, ) == 0x0
 02171  1792   NtContinue  (73202992, 1, ...
 02169  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75575, 0}  ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0d\6\0\0L\6\0\0" )  ) == 0x0
 02172   784   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02170  1252   NtAllocateVirtualMemory  ... 8781824, 4096, ) == 0x0
 02173   520   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02174  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02175  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02176  1792   NtRegisterThreadTerminatePort  (24, ...
 02177  1736   NtResumeThread  (656, ...
 02172   784   NtWaitForSingleObject  ... ) == 0x102
 02178  1252   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ...
 02173   520   NtWaitForSingleObject  ... ) == 0x102
 02174  1120   NtWaitForSingleObject  ... ) == 0x102
 02175  1484   NtWaitForSingleObject  ... ) == 0x102
 02176  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02177  1736   NtResumeThread  ... 1, ) == 0x0
 02179   784   NtWaitForSingleObject  (132, 0, 0x0, ...
 02178  1252   NtAllocateVirtualMemory  ... 8785920, 8192, ) == 0x0
 02180   520   NtWaitForSingleObject  (132, 0, 0x0, ...
 02181  1120   NtWaitForSingleObject  (132, 0, 0x0, ...
 02182  1484   NtWaitForSingleObject  (132, 0, 0x0, ...
 02183  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02184  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02185  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 16575440, ... }, 16575440, ...
 02168   192   NtDuplicateObject  ... 676, ) == 0x0
 02186  1612   NtWaitForSingleObject  (88, 0, 0x0, ...
 02183  1792   NtDuplicateObject  ... 680, ) == 0x0
 02185  1252   NtQueryAttributesFile  ... ) == 0x0
 02187   192   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02188  1792   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02184  1736   NtAllocateVirtualMemory  ... 78446592, 1048576, ) == 0x0
 02187   192   NtWaitForSingleObject  ... ) == 0x102
 02188  1792   NtWaitForSingleObject  ... ) == 0x102
 02189  1736   NtAllocateVirtualMemory  (-1, 79486976, 0, 8192, 4096, 4, ...
 02190   192   NtWaitForSingleObject  (132, 0, 0x0, ...
 02191  1792   NtWaitForSingleObject  (132, 0, 0x0, ...
 02189  1736   NtAllocateVirtualMemory  ... 79486976, 8192, ) == 0x0
 02192  1736   NtProtectVirtualMemory  (-1, (0x4bce000), 4096, 260, ... (0x4bce000), 4096, 4, ) == 0x0
 02193  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 876}, ) == 0x0
 02194  1736   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=876,}, 0x0, ) == 0x0
 02195  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0l\3\0\0" )  ) == 0x0
 02196  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 688, {status=0x0, info=1}, ) }, 5, 96, ... 688, {status=0x0, info=1}, ) == 0x0
 02197  1252   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 688, ... 692, ) == 0x0
 02198  1252   NtClose  (688, ... ) == 0x0
 02199  1252   NtMapViewOfSection  (692, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc90000), 0x0, 110592, ) == 0x0
 02200  1252   NtClose  (692, ... ) == 0x0
 02201  1736   NtResumeThread  (684, ... 1, ) == 0x0
 02202  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79495168, 1048576, ) == 0x0
 02203  1736   NtAllocateVirtualMemory  (-1, 80535552, 0, 8192, 4096, 4, ... 80535552, 8192, ) == 0x0
 02204   876   NtWaitForSingleObject  (88, 0, 0x0, ...
 02205  1736   NtProtectVirtualMemory  (-1, (0x4cce000), 4096, 260, ... (0x4cce000), 4096, 4, ) == 0x0
 02206  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1636, 1628}, ) == 0x0
 02207  1736   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0
 02208  1252   NtUnmapViewOfSection  (-1, 0xc90000, ... ) == 0x0
 02209  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 16575748, ... ) }, 16575748, ... ) == 0x0
 02210  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 688, {status=0x0, info=1}, ) }, 5, 96, ... 688, {status=0x0, info=1}, ) == 0x0
 02211  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 688, ... 696, ) == 0x0
 02212  1252   NtQuerySection  (696, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02213  1252   NtClose  (688, ... ) == 0x0
 02214  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0\\6\0\0" )  ) == 0x0
 02215  1736   NtResumeThread  (692, ... 1, ) == 0x0
 02216  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80543744, 1048576, ) == 0x0
 02217  1736   NtAllocateVirtualMemory  (-1, 81584128, 0, 8192, 4096, 4, ... 81584128, 8192, ) == 0x0
 02218  1736   NtProtectVirtualMemory  (-1, (0x4dce000), 4096, 260, ... (0x4dce000), 4096, 4, ) == 0x0
 02219  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02220  1252   NtMapViewOfSection  (696, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02221  1628   NtWaitForSingleObject  (88, 0, 0x0, ...
 02220  1252   NtMapViewOfSection  ... (0x751d0000), 0x0, 122880, ) == 0x0
 02222  1252   NtClose  (696, ... ) == 0x0
 02223  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02224  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02225  1252   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02219  1736   NtCreateThread  ... 696, {1636, 940}, ) == 0x0
 02226  1736   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=940,}, 0x0, ) == 0x0
 02227  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\254\3\0\0" )  ) == 0x0
 02228  1736   NtResumeThread  (696, ... 1, ) == 0x0
 02229  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81592320, 1048576, ) == 0x0
 02230  1736   NtAllocateVirtualMemory  (-1, 82632704, 0, 8192, 4096, 4, ... 82632704, 8192, ) == 0x0
 02231  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ...
 02232   940   NtWaitForSingleObject  (88, 0, 0x0, ...
 02231  1252   NtProtectVirtualMemory  ... (0x751d1000), 4096, 32, ) == 0x0
 02233  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02234  1252   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02235  1252   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 16574924, ... }, 16574924, ...
 02237  1736   NtProtectVirtualMemory  (-1, (0x4ece000), 4096, 260, ... (0x4ece000), 4096, 4, ) == 0x0
 02238  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1636, 1316}, ) == 0x0
 02239  1736   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0
 02240  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0$\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0$\5\0\0" )  ) == 0x0
 02241  1736   NtResumeThread  (688, ... 1, ) == 0x0
 02242  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02243  1316   NtWaitForSingleObject  (88, 0, 0x0, ...
 02242  1736   NtAllocateVirtualMemory  ... 82640896, 1048576, ) == 0x0
 02244  1736   NtAllocateVirtualMemory  (-1, 83681280, 0, 8192, 4096, 4, ... 83681280, 8192, ) == 0x0
 02245  1736   NtProtectVirtualMemory  (-1, (0x4fce000), 4096, 260, ... (0x4fce000), 4096, 4, ) == 0x0
 02246  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1636, 1924}, ) == 0x0
 02247  1736   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=1924,}, 0x0, ) == 0x0
 02248  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\7\0\0" )  ) == 0x0
 02249  1736   NtResumeThread  (700, ... 1, ) == 0x0
 02250  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83689472, 1048576, ) == 0x0
 02251  1736   NtAllocateVirtualMemory  (-1, 84729856, 0, 8192, 4096, 4, ... 84729856, 8192, ) == 0x0
 02236  1252   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252  1924   NtWaitForSingleObject  (88, 0, 0x0, ...
 02253  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 16574924, ... ) }, 16574924, ... ) == 0x0
 02254  1252   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 704, {status=0x0, info=1}, ) }, 5, 96, ... 704, {status=0x0, info=1}, ) == 0x0
 02255  1252   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 704, ... 708, ) == 0x0
 02256  1252   NtQuerySection  (708, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02257  1252   NtClose  (704, ... ) == 0x0
 02258  1252   NtMapViewOfSection  (708, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02259  1736   NtProtectVirtualMemory  (-1, (0x50ce000), 4096, 260, ... (0x50ce000), 4096, 4, ) == 0x0
 02260  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1636, 644}, ) == 0x0
 02261  1736   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=644,}, 0x0, ) == 0x0
 02262  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\204\2\0\0" )  ) == 0x0
 02263  1736   NtResumeThread  (704, ... 1, ) == 0x0
 02264  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02258  1252   NtMapViewOfSection  ... (0x77920000), 0x0, 995328, ) == 0x0
 02265   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 02266  1252   NtClose  (708, ... ) == 0x0
 02267  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02268  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02269  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02270  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02271  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02264  1736   NtAllocateVirtualMemory  ... 84738048, 1048576, ) == 0x0
 02272  1736   NtAllocateVirtualMemory  (-1, 85778432, 0, 8192, 4096, 4, ... 85778432, 8192, ) == 0x0
 02273  1736   NtProtectVirtualMemory  (-1, (0x51ce000), 4096, 260, ... (0x51ce000), 4096, 4, ) == 0x0
 02274  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1636, 1288}, ) == 0x0
 02275  1736   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0
 02276  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\10\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\10\5\0\0" )  ) == 0x0
 02271  1252   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02277  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02278  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02279  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02280  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02281  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02282  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02283  1736   NtResumeThread  (708, ... 1, ) == 0x0
 02284  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85786624, 1048576, ) == 0x0
 02285  1736   NtAllocateVirtualMemory  (-1, 86827008, 0, 8192, 4096, 4, ... 86827008, 8192, ) == 0x0
 02286  1736   NtProtectVirtualMemory  (-1, (0x52ce000), 4096, 260, ... (0x52ce000), 4096, 4, ) == 0x0
 02287  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1636, 752}, ) == 0x0
 02288  1736   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=752,}, 0x0, ) == 0x0
 02282  1252   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02289  1288   NtWaitForSingleObject  (88, 0, 0x0, ...
 02290  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02291  1252   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02292  1252   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02293  1252   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02294  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02295  1252   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02296  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0\360\2\0\0" )  ) == 0x0
 02297  1736   NtResumeThread  (712, ... 1, ) == 0x0
 02298  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86835200, 1048576, ) == 0x0
 02299  1736   NtAllocateVirtualMemory  (-1, 87875584, 0, 8192, 4096, 4, ... 87875584, 8192, ) == 0x0
 02300  1736   NtProtectVirtualMemory  (-1, (0x53ce000), 4096, 260, ... (0x53ce000), 4096, 4, ) == 0x0
 02301  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02295  1252   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02302   752   NtWaitForSingleObject  (88, 0, 0x0, ...
 02303  1252   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02304  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02305  1252   NtQueryDefaultUILanguage  (2090319928, ...
 02306  1252   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02307  1252   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482564, ) == 0x0
 02301  1736   NtCreateThread  ... 716, {1636, 624}, ) == 0x0
 02308  1736   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=624,}, 0x0, ) == 0x0
 02309  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0p\2\0\0" )  ) == 0x0
 02310  1736   NtResumeThread  (716, ... 1, ) == 0x0
 02311  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87883776, 1048576, ) == 0x0
 02312  1736   NtAllocateVirtualMemory  (-1, 88924160, 0, 8192, 4096, 4, ... 88924160, 8192, ) == 0x0
 02313  1252   NtQueryInformationToken  (-2147482564, User, 80, ...
 02314   624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02313  1252   NtQueryInformationToken  ... {token info, class 1, size 36}, 36, ) == 0x0
 02315  1252   NtClose  (-2147482564, ... ) == 0x0
 02316  1252   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... -2147482564, ) == 0x0
 02317  1252   NtOpenKey  (0x80000000, {24, -2147482564, 0x240, 0, 0,  (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02318  1252   NtOpenKey  (0x80000000, {24, -2147482564, 0x640, 0, 0,  (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0
 02319  1252   NtQueryValueKey  (-2147481440,  (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02320  1736   NtProtectVirtualMemory  (-1, (0x54ce000), 4096, 260, ... (0x54ce000), 4096, 4, ) == 0x0
 02321  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 380}, ) == 0x0
 02322  1736   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=380,}, 0x0, ) == 0x0
 02323  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0|\1\0\0" )  ) == 0x0
 02324  1252   NtClose  (-2147481440, ... ) == 0x0
 02325  1252   NtClose  (-2147482564, ... ) == 0x0
 02305  1252   NtQueryDefaultUILanguage  ... ) == 0x0
 02326  1252   NtAllocateVirtualMemory  (-1, 16564224, 0, 4096, 4096, 260, ... 16564224, 4096, ) == 0x0
 02327  1252   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02328  1252   NtQueryDefaultLocale  (1, 16575644, ... ) == 0x0
 02329  1252   NtQueryInformationProcess  (-1, Wow64, 4, ...
 02330  1736   NtResumeThread  (720, ... 1, ) == 0x0
 02331  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88932352, 1048576, ) == 0x0
 02332  1736   NtAllocateVirtualMemory  (-1, 89972736, 0, 8192, 4096, 4, ... 89972736, 8192, ) == 0x0
 02333  1736   NtProtectVirtualMemory  (-1, (0x55ce000), 4096, 260, ... (0x55ce000), 4096, 4, ) == 0x0
 02334  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1636, 776}, ) == 0x0
 02335  1736   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=776,}, 0x0, ) == 0x0
 02329  1252   NtQueryInformationProcess  ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02336   380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02337  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 728, ) }, ... 728, ) == 0x0
 02338  1252   NtQueryValueKey  (728,  (728, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (728, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02339  1252   NtClose  (728, ... ) == 0x0
 02340  1252   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 728, ) == 0x0
 02341  1252   NtCallbackReturn  (0, 0, 0, ...
 02342  1252   NtUserGetProcessWindowStation  (... ) == 0x20
 02343  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\0\10\3\0\0" )  ) == 0x0
 02344  1736   NtResumeThread  (724, ... 1, ) == 0x0
 02345  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89980928, 1048576, ) == 0x0
 02346  1736   NtAllocateVirtualMemory  (-1, 91021312, 0, 8192, 4096, 4, ... 91021312, 8192, ) == 0x0
 02347  1736   NtProtectVirtualMemory  (-1, (0x56ce000), 4096, 260, ... (0x56ce000), 4096, 4, ) == 0x0
 02348  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02349  1252   NtUserGetObjectInformation  (32, 1, 16575240, 12, 16575252, ...
 02350   776   NtWaitForSingleObject  (88, 0, 0x0, ...
 02349  1252   NtUserGetObjectInformation  ... ) == 0x1
 02351  1252   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02352  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 732, ) }, ... 732, ) == 0x0
 02353  1252   NtQueryValueKey  (732,  (732, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (732, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02354  1252   NtClose  (732, ... ) == 0x0
 02355  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 732, ) }, ... 732, ) == 0x0
 02348  1736   NtCreateThread  ... 736, {1636, 312}, ) == 0x0
 02356  1736   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=312,}, 0x0, ) == 0x0
 02357  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\08\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0d\6\0\08\1\0\0" )  ) == 0x0
 02358  1736   NtResumeThread  (736, ... 1, ) == 0x0
 02359  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91029504, 1048576, ) == 0x0
 02360  1736   NtAllocateVirtualMemory  (-1, 92069888, 0, 8192, 4096, 4, ... 92069888, 8192, ) == 0x0
 02361  1252   NtQueryValueKey  (732,  (732, "OsLoaderPath", Partial, 144, ... , Partial, 144, ...
 02362   312   NtWaitForSingleObject  (88, 0, 0x0, ...
 02361  1252   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02363  1252   NtQueryValueKey  (732,  (732, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02364  1252   NtClose  (732, ... ) == 0x0
 02365  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 732, ) }, ... 732, ) == 0x0
 02366  1252   NtQueryValueKey  (732,  (732, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02367  1252   NtQueryValueKey  (732,  (732, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02368  1736   NtProtectVirtualMemory  (-1, (0x57ce000), 4096, 260, ... (0x57ce000), 4096, 4, ) == 0x0
 02369  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1636, 1124}, ) == 0x0
 02370  1736   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0
 02371  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0d\4\0\0" )  ) == 0x0
 02372  1736   NtResumeThread  (740, ... 1, ) == 0x0
 02373  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02374  1252   NtClose  (732, ...
 02375  1124   NtWaitForSingleObject  (88, 0, 0x0, ...
 02374  1252   NtClose  ... ) == 0x0
 02376  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 732, ) }, ... 732, ) == 0x0
 02377  1252   NtQueryValueKey  (732,  (732, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02378  1252   NtQueryValueKey  (732,  (732, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02379  1252   NtClose  (732, ... ) == 0x0
 02380  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 732, ) }, ... 732, ) == 0x0
 02373  1736   NtAllocateVirtualMemory  ... 92078080, 1048576, ) == 0x0
 02381  1736   NtAllocateVirtualMemory  (-1, 93118464, 0, 8192, 4096, 4, ... 93118464, 8192, ) == 0x0
 02382  1736   NtProtectVirtualMemory  (-1, (0x58ce000), 4096, 260, ... (0x58ce000), 4096, 4, ) == 0x0
 02383  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1636, 1404}, ) == 0x0
 02384  1736   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0
 02385  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0d\6\0\0|\5\0\0" )  ) == 0x0
 02386  1252   NtQueryValueKey  (732,  (732, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02387  1252   NtQueryValueKey  (732,  (732, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02388  1252   NtClose  (732, ... ) == 0x0
 02389  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 732, ) }, ... 732, ) == 0x0
 02390  1252   NtQueryValueKey  (732,  (732, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02391  1252   NtQueryValueKey  (732,  (732, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (732, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02392  1736   NtResumeThread  (744, ... 1, ) == 0x0
 02393  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93126656, 1048576, ) == 0x0
 02394  1736   NtAllocateVirtualMemory  (-1, 94167040, 0, 8192, 4096, 4, ... 94167040, 8192, ) == 0x0
 02395  1736   NtProtectVirtualMemory  (-1, (0x59ce000), 4096, 260, ... (0x59ce000), 4096, 4, ) == 0x0
 02396  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1636, 476}, ) == 0x0
 02397  1736   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=476,}, 0x0, ) == 0x0
 02398  1252   NtClose  (732, ...
 02399  1404   NtWaitForSingleObject  (88, 0, 0x0, ...
 02398  1252   NtClose  ... ) == 0x0
 02400  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 732, ) }, ... 732, ) == 0x0
 02401  1252   NtQueryValueKey  (732,  (732, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (732, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02402  1252   NtQueryValueKey  (732,  (732, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (732, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02403  1252   NtClose  (732, ... ) == 0x0
 02404  1252   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 732, ) }, ... 732, ) == 0x0
 02405  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\334\1\0\0" )  ) == 0x0
 02406  1736   NtResumeThread  (748, ... 1, ) == 0x0
 02407  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 94175232, 1048576, ) == 0x0
 02408  1736   NtAllocateVirtualMemory  (-1, 95215616, 0, 8192, 4096, 4, ... 95215616, 8192, ) == 0x0
 02409  1736   NtProtectVirtualMemory  (-1, (0x5ace000), 4096, 260, ... (0x5ace000), 4096, 4, ) == 0x0
 02410  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02411  1252   NtQueryValueKey  (732,  (732, "DevicePath", Partial, 144, ... , Partial, 144, ...
 02412   476   NtWaitForSingleObject  (88, 0, 0x0, ...
 02411  1252   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 02413  1252   NtQueryValueKey  (732,  (732, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (732, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02414  1252   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02415  1252   NtClose  (732, ... ) == 0x0
 02416  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 732, ) == 0x0
 02417  1252   NtCreateMutant  (0x1f0001, 0x0, 0, ... 752, ) == 0x0
 02410  1736   NtCreateThread  ... 756, {1636, 1964}, ) == 0x0
 02418  1736   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=1964,}, 0x0, ) == 0x0
 02419  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\254\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75591, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\254\7\0\0" )  ) == 0x0
 02420  1736   NtResumeThread  (756, ... 1, ) == 0x0
 02421  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95223808, 1048576, ) == 0x0
 02422  1736   NtAllocateVirtualMemory  (-1, 96264192, 0, 8192, 4096, 4, ... 96264192, 8192, ) == 0x0
 02423  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02424  1964   NtWaitForSingleObject  (88, 0, 0x0, ...
 02423  1252   NtCreateEvent  ... 760, ) == 0x0
 02425  1252   NtCreateMutant  (0x1f0001, 0x0, 0, ... 764, ) == 0x0
 02426  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 768, ) == 0x0
 02427  1252   NtCreateMutant  (0x1f0001, 0x0, 0, ... 772, ) == 0x0
 02428  1252   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 776, ) }, ... 776, ) == 0x0
 02429  1252   NtQueryValueKey  (776,  (776, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (776, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02430  1736   NtProtectVirtualMemory  (-1, (0x5bce000), 4096, 260, ... (0x5bce000), 4096, 4, ) == 0x0
 02431  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 780, {1636, 740}, ) == 0x0
 02432  1736   NtQueryInformationThread  (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=740,}, 0x0, ) == 0x0
 02433  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0d\6\0\0\344\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0d\6\0\0\344\2\0\0" )  ) == 0x0
 02434  1736   NtResumeThread  (780, ... 1, ) == 0x0
 02435  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02436  1252   NtQueryValueKey  (776,  (776, "LogLevel", Partial, 144, ... , Partial, 144, ...
 02437   740   NtWaitForSingleObject  (88, 0, 0x0, ...
 02436  1252   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02438  1252   NtQueryValueKey  (776,  (776, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02439  1252   NtOpenKey  (0x1, {24, 776, 0x40, 0, 0,  (0x1, {24, 776, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02440  1252   NtClose  (776, ... ) == 0x0
 02441  1252   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 16575156, ... ) }, 16575156, ... ) == 0x0
 02442  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 776, ) }, ... 776, ) == 0x0
 02435  1736   NtAllocateVirtualMemory  ... 96272384, 1048576, ) == 0x0
 02443  1736   NtAllocateVirtualMemory  (-1, 97312768, 0, 8192, 4096, 4, ... 97312768, 8192, ) == 0x0
 02444  1736   NtProtectVirtualMemory  (-1, (0x5cce000), 4096, 260, ... (0x5cce000), 4096, 4, ) == 0x0
 02445  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1636, 1624}, ) == 0x0
 02446  1736   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0
 02447  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0d\6\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75593, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0d\6\0\0X\6\0\0" )  ) == 0x0
 02448  1252   NtQueryValueKey  (776,  (776, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (776, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (776, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02449  1252   NtClose  (776, ... ) == 0x0
 02450  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 776, ) }, ... 776, ) == 0x0
 02451  1252   NtQueryValueKey  (776,  (776, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (776, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (776, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02452  1252   NtClose  (776, ... ) == 0x0
 02453  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02454  1736   NtResumeThread  (784, ... 1, ) == 0x0
 02455  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97320960, 1048576, ) == 0x0
 02456  1736   NtAllocateVirtualMemory  (-1, 98361344, 0, 8192, 4096, 4, ... 98361344, 8192, ) == 0x0
 02457  1736   NtProtectVirtualMemory  (-1, (0x5dce000), 4096, 260, ... (0x5dce000), 4096, 4, ) == 0x0
 02458  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {1636, 1716}, ) == 0x0
 02459  1736   NtQueryInformationThread  (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=1716,}, 0x0, ) == 0x0
 02460  1252   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02461  1624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02460  1252   NtOpenKey  ... 788, ) == 0x0
 02462  1252   NtQueryValueKey  (788,  (788, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (788, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (788, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02463  1252   NtClose  (788, ... ) == 0x0
 02464  1252   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02465  1252   NtSetEventBoostPriority  (88, ...
 02186  1612   NtWaitForSingleObject  ... ) == 0x0
 02466  1612   NtSetEventBoostPriority  (88, ...
 02204   876   NtWaitForSingleObject  ... ) == 0x0
 02467   876   NtSetEventBoostPriority  (88, ...
 02221  1628   NtWaitForSingleObject  ... ) == 0x0
 02468  1628   NtSetEventBoostPriority  (88, ...
 02232   940   NtWaitForSingleObject  ... ) == 0x0
 02469   940   NtSetEventBoostPriority  (88, ...
 02243  1316   NtWaitForSingleObject  ... ) == 0x0
 02470  1316   NtSetEventBoostPriority  (88, ...
 02252  1924   NtWaitForSingleObject  ... ) == 0x0
 02471  1924   NtSetEventBoostPriority  (88, ...
 02265   644   NtWaitForSingleObject  ... ) == 0x0
 02472   644   NtSetEventBoostPriority  (88, ...
 02289  1288   NtWaitForSingleObject  ... ) == 0x0
 02473  1288   NtSetEventBoostPriority  (88, ...
 02302   752   NtWaitForSingleObject  ... ) == 0x0
 02474   752   NtSetEventBoostPriority  (88, ...
 02314   624   NtWaitForSingleObject  ... ) == 0x0
 02475   624   NtSetEventBoostPriority  (88, ...
 02336   380   NtWaitForSingleObject  ... ) == 0x0
 02476   380   NtSetEventBoostPriority  (88, ...
 02350   776   NtWaitForSingleObject  ... ) == 0x0
 02477   776   NtSetEventBoostPriority  (88, ...
 02362   312   NtWaitForSingleObject  ... ) == 0x0
 02478   312   NtSetEventBoostPriority  (88, ...
 02375  1124   NtWaitForSingleObject  ... ) == 0x0
 02479  1124   NtSetEventBoostPriority  (88, ...
 02399  1404   NtWaitForSingleObject  ... ) == 0x0
 02480  1404   NtAllocateVirtualMemory  (-1, 8876032, 0, 4096, 4096, 4, ... 8876032, 4096, ) == 0x0
 02479  1124   NtSetEventBoostPriority  ... ) == 0x0
 02478   312   NtSetEventBoostPriority  ... ) == 0x0
 02477   776   NtSetEventBoostPriority  ... ) == 0x0
 02476   380   NtSetEventBoostPriority  ... ) == 0x0
 02475   624   NtSetEventBoostPriority  ... ) == 0x0
 02474   752   NtSetEventBoostPriority  ... ) == 0x0
 02473  1288   NtSetEventBoostPriority  ... ) == 0x0
 02472   644   NtSetEventBoostPriority  ... ) == 0x0
 02471  1924   NtSetEventBoostPriority  ... ) == 0x0
 02470  1316   NtSetEventBoostPriority  ... ) == 0x0
 02469   940   NtSetEventBoostPriority  ... ) == 0x0
 02468  1628   NtSetEventBoostPriority  ... ) == 0x0
 02467   876   NtSetEventBoostPriority  ... ) == 0x0
 02466  1612   NtSetEventBoostPriority  ... ) == 0x0
 02465  1252   NtSetEventBoostPriority  ... ) == 0x0
 02481  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0d\6\0\0\264\6\0\0" ...  ...
 02482  1404   NtSetEventBoostPriority  (88, ...
 02483  1124   NtTestAlert  (...
 02484   312   NtTestAlert  (...
 02485   776   NtTestAlert  (...
 02486   380   NtTestAlert  (...
 02487   624   NtTestAlert  (...
 02488   752   NtTestAlert  (...
 02489  1288   NtTestAlert  (...
 02490   644   NtTestAlert  (...
 02491  1924   NtTestAlert  (...
 02492  1316   NtTestAlert  (...
 02493   940   NtTestAlert  (...
 02494  1628   NtTestAlert  (...
 02495   876   NtTestAlert  (...
 02496  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 02481  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75594, 0}  ... {28, 56, reply, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0d\6\0\0\264\6\0\0" )  ) == 0x0
 02412   476   NtWaitForSingleObject  ... ) == 0x0
 02482  1404   NtSetEventBoostPriority  ... ) == 0x0
 02483  1124   NtTestAlert  ... ) == 0x0
 02484   312   NtTestAlert  ... ) == 0x0
 02485   776   NtTestAlert  ... ) == 0x0
 02486   380   NtTestAlert  ... ) == 0x0
 02487   624   NtTestAlert  ... ) == 0x0
 02488   752   NtTestAlert  ... ) == 0x0
 02489  1288   NtTestAlert  ... ) == 0x0
 02490   644   NtTestAlert  ... ) == 0x0
 02491  1924   NtTestAlert  ... ) == 0x0
 02492  1316   NtTestAlert  ... ) == 0x0
 02493   940   NtTestAlert  ... ) == 0x0
 02494  1628   NtTestAlert  ... ) == 0x0
 02495   876   NtTestAlert  ... ) == 0x0
 02497   476   NtSetEventBoostPriority  (88, ...
 02498  1736   NtResumeThread  (776, ...
 02499  1404   NtTestAlert  (...
 02500  1124   NtContinue  (92077360, 1, ...
 02501   312   NtContinue  (91028784, 1, ...
 02502   776   NtContinue  (89980208, 1, ...
 02503   380   NtContinue  (88931632, 1, ...
 02504   624   NtContinue  (87883056, 1, ...
 02505   752   NtContinue  (86834480, 1, ...
 02506  1288   NtContinue  (85785904, 1, ...
 02507   644   NtContinue  (84737328, 1, ...
 02508  1924   NtContinue  (83688752, 1, ...
 02509  1316   NtContinue  (82640176, 1, ...
 02510   940   NtContinue  (81591600, 1, ...
 02511  1628   NtContinue  (80543024, 1, ...
 02424  1964   NtWaitForSingleObject  ... ) == 0x0
 02497   476   NtSetEventBoostPriority  ... ) == 0x0
 02512   876   NtContinue  (79494448, 1, ...
 02498  1736   NtResumeThread  ... 1, ) == 0x0
 02499  1404   NtTestAlert  ... ) == 0x0
 02513  1124   NtRegisterThreadTerminatePort  (24, ...
 02514   312   NtRegisterThreadTerminatePort  (24, ...
 02515   776   NtRegisterThreadTerminatePort  (24, ...
 02516   380   NtRegisterThreadTerminatePort  (24, ...
 02517   624   NtRegisterThreadTerminatePort  (24, ...
 02518   752   NtRegisterThreadTerminatePort  (24, ...
 02519  1288   NtRegisterThreadTerminatePort  (24, ...
 02520   644   NtRegisterThreadTerminatePort  (24, ...
 02521  1924   NtRegisterThreadTerminatePort  (24, ...
 02522  1316   NtRegisterThreadTerminatePort  (24, ...
 02523   940   NtRegisterThreadTerminatePort  (24, ...
 02524  1964   NtSetEventBoostPriority  (88, ...
 02525  1628   NtRegisterThreadTerminatePort  (24, ...
 02526  1612   NtTestAlert  (...
 02527  1716   NtWaitForSingleObject  (88, 0, 0x0, ...
 02528   876   NtRegisterThreadTerminatePort  (24, ...
 02529  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02530  1404   NtContinue  (93125936, 1, ...
 02513  1124   NtRegisterThreadTerminatePort  ... ) == 0x0
 02514   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 02515   776   NtRegisterThreadTerminatePort  ... ) == 0x0
 02516   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02517   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02518   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02519  1288   NtRegisterThreadTerminatePort  ... ) == 0x0
 02520   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02521  1924   NtRegisterThreadTerminatePort  ... ) == 0x0
 02522  1316   NtRegisterThreadTerminatePort  ... ) == 0x0
 02437   740   NtWaitForSingleObject  ... ) == 0x0
 02524  1964   NtSetEventBoostPriority  ... ) == 0x0
 02523   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 02525  1628   NtRegisterThreadTerminatePort  ... ) == 0x0
 02526  1612   NtTestAlert  ... ) == 0x0
 02528   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 02531   476   NtTestAlert  (...
 02532  1404   NtRegisterThreadTerminatePort  (24, ...
 02533  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02534   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02535   776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02536   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02537   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02538   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02539  1288   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02540   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02541  1924   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02542   740   NtSetEventBoostPriority  (88, ...
 02543  1316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02529  1736   NtAllocateVirtualMemory  ... 98369536, 1048576, ) == 0x0
 02544   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02545  1628   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02546  1612   NtContinue  (78445872, 1, ...
 02547   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02531   476   NtTestAlert  ... ) == 0x0
 02548  1964   NtTestAlert  (...
 02532  1404   NtRegisterThreadTerminatePort  ... ) == 0x0
 02533  1124   NtDuplicateObject  ... 788, ) == 0x0
 02534   312   NtDuplicateObject  ... 792, ) == 0x0
 02535   776   NtDuplicateObject  ... 796, ) == 0x0
 02536   380   NtDuplicateObject  ... 800, ) == 0x0
 02537   624   NtDuplicateObject  ... 804, ) == 0x0
 02538   752   NtDuplicateObject  ... 808, ) == 0x0
 02539  1288   NtDuplicateObject  ... 812, ) == 0x0
 02540   644   NtDuplicateObject  ... 816, ) == 0x0
 02461  1624   NtWaitForSingleObject  ... ) == 0x0
 02542   740   NtSetEventBoostPriority  ... ) == 0x0
 02541  1924   NtDuplicateObject  ... 820, ) == 0x0
 02549  1736   NtAllocateVirtualMemory  (-1, 99409920, 0, 8192, 4096, 4, ...
 02543  1316   NtDuplicateObject  ... 824, ) == 0x0
 02544   940   NtDuplicateObject  ... 828, ) == 0x0
 02550  1612   NtRegisterThreadTerminatePort  (24, ...
 02545  1628   NtDuplicateObject  ... 832, ) == 0x0
 02551   476   NtContinue  (94174512, 1, ...
 02548  1964   NtTestAlert  ... ) == 0x0
 02552  1404   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02553  1124   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02554   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02555   776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02556   380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02557   624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02558   752   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02559  1288   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02560  1624   NtSetEventBoostPriority  (88, ...
 02561   644   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02547   876   NtDuplicateObject  ... 836, ) == 0x0
 02562  1924   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02549  1736   NtAllocateVirtualMemory  ... 99409920, 8192, ) == 0x0
 02563  1316   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02564   940   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02550  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 02565  1628   NtWaitForSingleObject  (288, 0, 0x0, ...
 02566   476   NtRegisterThreadTerminatePort  (24, ...
 02567  1964   NtContinue  (95223088, 1, ...
 02552  1404   NtDuplicateObject  ... 840, ) == 0x0
 02553  1124   NtWaitForSingleObject  ... ) == 0x102
 02554   312   NtWaitForSingleObject  ... ) == 0x102
 02555   776   NtWaitForSingleObject  ... ) == 0x102
 02556   380   NtWaitForSingleObject  ... ) == 0x102
 02557   624   NtWaitForSingleObject  ... ) == 0x102
 02558   752   NtWaitForSingleObject  ... ) == 0x102
 02496  1252   NtWaitForSingleObject  ... ) == 0x0
 02560  1624   NtSetEventBoostPriority  ... ) == 0x0
 02559  1288   NtWaitForSingleObject  ... ) == 0x102
 02561   644   NtWaitForSingleObject  ... ) == 0x102
 02568   876   NtWaitForSingleObject  (288, 0, 0x0, ...
 02562  1924   NtWaitForSingleObject  ... ) == 0x102
 02569  1736   NtProtectVirtualMemory  (-1, (0x5ece000), 4096, 260, ...
 02563  1316   NtWaitForSingleObject  ... ) == 0x102
 02564   940   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02570  1612   NtWaitForSingleObject  (288, 0, 0x0, ...
 02566   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 02571  1964   NtRegisterThreadTerminatePort  (24, ...
 02572  1404   NtWaitForSingleObject  (288, 0, 0x0, ...
 02573  1124   NtWaitForSingleObject  (288, 0, 0x0, ...
 02574   312   NtWaitForSingleObject  (288, 0, 0x0, ...
 02575   776   NtWaitForSingleObject  (288, 0, 0x0, ...
 02576   380   NtWaitForSingleObject  (288, 0, 0x0, ...
 02577   624   NtWaitForSingleObject  (288, 0, 0x0, ...
 02578  1252   NtSetEventBoostPriority  (88, ...
 02579   752   NtWaitForSingleObject  (288, 0, 0x0, ...
 02580   740   NtTestAlert  (...
 02581  1288   NtWaitForSingleObject  (288, 0, 0x0, ...
 02582   644   NtWaitForSingleObject  (288, 0, 0x0, ...
 02583  1924   NtWaitForSingleObject  (288, 0, 0x0, ...
 02569  1736   NtProtectVirtualMemory  ... (0x5ece000), 4096, 4, ) == 0x0
 02584  1316   NtWaitForSingleObject  (288, 0, 0x0, ...
 02585   940   NtSetEventBoostPriority  (288, ...
 02586  1624   NtTestAlert  (...
 02587   476   NtWaitForSingleObject  (288, 0, 0x0, ...
 02571  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 02527  1716   NtWaitForSingleObject  ... ) == 0x0
 02578  1252   NtSetEventBoostPriority  ... ) == 0x0
 02580   740   NtTestAlert  ... ) == 0x0
 02588  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02565  1628   NtWaitForSingleObject  ... ) == 0x0
 02585   940   NtSetEventBoostPriority  ... ) == 0x0
 02586  1624   NtTestAlert  ... ) == 0x0
 02589  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 02590  1964   NtWaitForSingleObject  (288, 0, 0x0, ...
 02591   740   NtContinue  (96271664, 1, ...
 02592  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02593  1628   NtSetEventBoostPriority  (288, ...
 02594   940   NtWaitForSingleObject  (288, 0, 0x0, ...
 02595  1624   NtContinue  (97320240, 1, ...
 02588  1736   NtCreateThread  ... 844, {1636, 1440}, ) == 0x0
 02596   740   NtRegisterThreadTerminatePort  (24, ...
 02568   876   NtWaitForSingleObject  ... ) == 0x0
 02593  1628   NtSetEventBoostPriority  ... ) == 0x0
 02597  1624   NtRegisterThreadTerminatePort  (24, ...
 02598  1736   NtQueryInformationThread  (844, Basic, 28, ...
 02599   876   NtSetEventBoostPriority  (288, ...
 02596   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02597  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02572  1404   NtWaitForSingleObject  ... ) == 0x0
 02599   876   NtSetEventBoostPriority  ... ) == 0x0
 02598  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0
 02600   740   NtWaitForSingleObject  (288, 0, 0x0, ...
 02601  1404   NtSetEventBoostPriority  (288, ...
 02602  1624   NtWaitForSingleObject  (288, 0, 0x0, ...
 02603  1628   NtWaitForSingleObject  (288, 0, 0x0, ...
 02604  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0d\6\0\0\240\5\0\0" ...  ...
 02605   876   NtWaitForSingleObject  (288, 0, 0x0, ...
 02573  1124   NtWaitForSingleObject  ... ) == 0x0
 02601  1404   NtSetEventBoostPriority  ... ) == 0x0
 02604  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75595, 0}  ... {28, 56, reply, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0d\6\0\0\240\5\0\0" )  ) == 0x0
 02606  1124   NtSetEventBoostPriority  (288, ...
 02607  1404   NtWaitForSingleObject  (288, 0, 0x0, ...
 02574   312   NtWaitForSingleObject  ... ) == 0x0
 02606  1124   NtSetEventBoostPriority  ... ) == 0x0
 02608   312   NtSetEventBoostPriority  (288, ...
 02609  1736   NtResumeThread  (844, ...
 02575   776   NtWaitForSingleObject  ... ) == 0x0
 02608   312   NtSetEventBoostPriority  ... ) == 0x0
 02610   776   NtSetEventBoostPriority  (288, ...
 02609  1736   NtResumeThread  ... 1, ) == 0x0
 02611  1124   NtWaitForSingleObject  (132, 0, 0x0, ...
 02576   380   NtWaitForSingleObject  ... ) == 0x0
 02610   776   NtSetEventBoostPriority  ... ) == 0x0
 02612  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02613   380   NtSetEventBoostPriority  (288, ...
 02614   312   NtWaitForSingleObject  (132, 0, 0x0, ...
 02615  1440   NtWaitForSingleObject  (88, 0, 0x0, ...
 02577   624   NtWaitForSingleObject  ... ) == 0x0
 02613   380   NtSetEventBoostPriority  ... ) == 0x0
 02612  1736   NtAllocateVirtualMemory  ... 99418112, 1048576, ) == 0x0
 02616   624   NtSetEventBoostPriority  (288, ...
 02617   776   NtWaitForSingleObject  (132, 0, 0x0, ...
 02579   752   NtWaitForSingleObject  ... ) == 0x0
 02616   624   NtSetEventBoostPriority  ... ) == 0x0
 02618  1736   NtAllocateVirtualMemory  (-1, 100458496, 0, 8192, 4096, 4, ...
 02619   752   NtSetEventBoostPriority  (288, ...
 02620   380   NtWaitForSingleObject  (132, 0, 0x0, ...
 02581  1288   NtWaitForSingleObject  ... ) == 0x0
 02619   752   NtSetEventBoostPriority  ... ) == 0x0
 02618  1736   NtAllocateVirtualMemory  ... 100458496, 8192, ) == 0x0
 02621  1288   NtSetEventBoostPriority  (288, ...
 02622   624   NtWaitForSingleObject  (132, 0, 0x0, ...
 02623   752   NtWaitForSingleObject  (132, 0, 0x0, ...
 02582   644   NtWaitForSingleObject  ... ) == 0x0
 02621  1288   NtSetEventBoostPriority  ... ) == 0x0
 02624   644   NtSetEventBoostPriority  (288, ...
 02625  1736   NtProtectVirtualMemory  (-1, (0x5fce000), 4096, 260, ...
 02583  1924   NtWaitForSingleObject  ... ) == 0x0
 02624   644   NtSetEventBoostPriority  ... ) == 0x0
 02626  1924   NtSetEventBoostPriority  (288, ...
 02625  1736   NtProtectVirtualMemory  ... (0x5fce000), 4096, 4, ) == 0x0
 02627  1288   NtWaitForSingleObject  (132, 0, 0x0, ...
 02584  1316   NtWaitForSingleObject  ... ) == 0x0
 02626  1924   NtSetEventBoostPriority  ... ) == 0x0
 02628  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02629  1316   NtSetEventBoostPriority  (288, ...
 02630   644   NtWaitForSingleObject  (132, 0, 0x0, ...
 02570  1612   NtWaitForSingleObject  ... ) == 0x0
 02629  1316   NtSetEventBoostPriority  ... ) == 0x0
 02628  1736   NtCreateThread  ... 848, {1636, 1516}, ) == 0x0
 02631  1612   NtSetEventBoostPriority  (288, ...
 02632  1924   NtWaitForSingleObject  (132, 0, 0x0, ...
 02587   476   NtWaitForSingleObject  ... ) == 0x0
 02633  1736   NtQueryInformationThread  (848, Basic, 28, ...
 02634   476   NtSetEventBoostPriority  (288, ...
 02633  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=1516,}, 0x0, ) == 0x0
 02589  1716   NtWaitForSingleObject  ... ) == 0x0
 02634   476   NtSetEventBoostPriority  ... ) == 0x0
 02631  1612   NtSetEventBoostPriority  ... ) == 0x0
 02635  1316   NtWaitForSingleObject  (132, 0, 0x0, ...
 02636  1716   NtSetEventBoostPriority  (288, ...
 02637   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02638  1612   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02592  1252   NtWaitForSingleObject  ... ) == 0x0
 02636  1716   NtSetEventBoostPriority  ... ) == 0x0
 02637   476   NtDuplicateObject  ... 852, ) == 0x0
 02639  1252   NtSetEventBoostPriority  (288, ...
 02638  1612   NtDuplicateObject  ... 856, ) == 0x0
 02640  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0\354\5\0\0" ...  ...
 02641  1716   NtSetEventBoostPriority  (88, ...
 02590  1964   NtWaitForSingleObject  ... ) == 0x0
 02639  1252   NtSetEventBoostPriority  ... ) == 0x0
 02642   476   NtWaitForSingleObject  (288, 0, 0x0, ...
 02640  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75596, 0}  ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0\354\5\0\0" )  ) == 0x0
 02643  1964   NtSetEventBoostPriority  (288, ...
 02615  1440   NtWaitForSingleObject  ... ) == 0x0
 02641  1716   NtSetEventBoostPriority  ... ) == 0x0
 02644  1252   NtSetEventBoostPriority  (132, ...
 02594   940   NtWaitForSingleObject  ... ) == 0x0
 02645  1440   NtWaitForSingleObject  (288, 0, 0x0, ...
 02646  1736   NtResumeThread  (848, ...
 02647  1716   NtTestAlert  (...
 02643  1964   NtSetEventBoostPriority  ... ) == 0x0
 02648  1612   NtWaitForSingleObject  (288, 0, 0x0, ...
 02649   940   NtSetEventBoostPriority  (288, ...
 02646  1736   NtResumeThread  ... 1, ) == 0x0
 02647  1716   NtTestAlert  ... ) == 0x0
 02650  1964   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02600   740   NtWaitForSingleObject  ... ) == 0x0
 02651  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02652  1716   NtContinue  (98368816, 1, ...
 02650  1964   NtDuplicateObject  ... 860, ) == 0x0
 02653   740   NtSetEventBoostPriority  (288, ...
 02649   940   NtSetEventBoostPriority  ... ) == 0x0
 00682   896   NtWaitForSingleObject  ... ) == 0x0
 02644  1252   NtSetEventBoostPriority  ... ) == 0x0
 02654  1516   NtWaitForSingleObject  (88, 0, 0x0, ...
 02655  1716   NtRegisterThreadTerminatePort  (24, ...
 02651  1736   NtAllocateVirtualMemory  ... 100466688, 1048576, ) == 0x0
 02603  1628   NtWaitForSingleObject  ... ) == 0x0
 02656   940   NtWaitForSingleObject  (288, 0, 0x0, ...
 02657   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02658  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02653   740   NtSetEventBoostPriority  ... ) == 0x0
 02659  1964   NtWaitForSingleObject  (288, 0, 0x0, ...
 02660  1736   NtAllocateVirtualMemory  (-1, 101507072, 0, 8192, 4096, 4, ...
 02661  1628   NtSetEventBoostPriority  (288, ...
 02662   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02660  1736   NtAllocateVirtualMemory  ... 101507072, 8192, ) == 0x0
 02605   876   NtWaitForSingleObject  ... ) == 0x0
 02661  1628   NtSetEventBoostPriority  ... ) == 0x0
 02662   740   NtDuplicateObject  ... 864, ) == 0x0
 02663   876   NtSetEventBoostPriority  (288, ...
 02664  1736   NtProtectVirtualMemory  (-1, (0x60ce000), 4096, 260, ...
 02665  1628   NtWaitForSingleObject  (360, 0, 0x0, ...
 02655  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 02602  1624   NtWaitForSingleObject  ... ) == 0x0
 02663   876   NtSetEventBoostPriority  ... ) == 0x0
 02664  1736   NtProtectVirtualMemory  ... (0x60ce000), 4096, 4, ) == 0x0
 02666   740   NtWaitForSingleObject  (288, 0, 0x0, ...
 02667  1624   NtSetEventBoostPriority  (288, ...
 02668  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 02669   876   NtWaitForSingleObject  (360, 0, 0x0, ...
 02670  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02607  1404   NtWaitForSingleObject  ... ) == 0x0
 02667  1624   NtSetEventBoostPriority  ... ) == 0x0
 02671  1404   NtSetEventBoostPriority  (288, ...
 02672  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02642   476   NtWaitForSingleObject  ... ) == 0x0
 02671  1404   NtSetEventBoostPriority  ... ) == 0x0
 02673   476   NtSetEventBoostPriority  (288, ...
 02672  1624   NtDuplicateObject  ... 868, ) == 0x0
 02645  1440   NtWaitForSingleObject  ... ) == 0x0
 02673   476   NtSetEventBoostPriority  ... ) == 0x0
 02674  1404   NtWaitForSingleObject  (360, 0, 0x0, ...
 02670  1736   NtCreateThread  ... 872, {1636, 1664}, ) == 0x0
 02675  1440   NtSetEventBoostPriority  (288, ...
 02676   476   NtWaitForSingleObject  (288, 0, 0x0, ...
 02677  1624   NtWaitForSingleObject  (288, 0, 0x0, ...
 02648  1612   NtWaitForSingleObject  ... ) == 0x0
 02675  1440   NtSetEventBoostPriority  ... ) == 0x0
 02678  1736   NtQueryInformationThread  (872, Basic, 28, ...
 02679  1612   NtSetEventBoostPriority  (288, ...
 02656   940   NtWaitForSingleObject  ... ) == 0x0
 02680   940   NtSetEventBoostPriority  (288, ...
 02657   896   NtWaitForSingleObject  ... ) == 0x0
 02681   896   NtSetEventBoostPriority  (288, ...
 02658  1252   NtWaitForSingleObject  ... ) == 0x0
 02682  1252   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02681   896   NtSetEventBoostPriority  ... ) == 0x0
 02680   940   NtSetEventBoostPriority  ... ) == 0x0
 02679  1612   NtSetEventBoostPriority  ... ) == 0x0
 02678  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=1664,}, 0x0, ) == 0x0
 02683  1440   NtSetEventBoostPriority  (88, ...
 02684  1252   NtSetEventBoostPriority  (288, ...
 02685   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02686  1612   NtWaitForSingleObject  (288, 0, 0x0, ...
 02687  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0d\6\0\0\200\6\0\0" ...  ...
 02654  1516   NtWaitForSingleObject  ... ) == 0x0
 02683  1440   NtSetEventBoostPriority  ... ) == 0x0
 02659  1964   NtWaitForSingleObject  ... ) == 0x0
 02684  1252   NtSetEventBoostPriority  ... ) == 0x0
 02688   940   NtSetEventBoostPriority  (360, ...
 02689  1516   NtWaitForSingleObject  (288, 0, 0x0, ...
 02687  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75597, 0}  ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0d\6\0\0\200\6\0\0" )  ) == 0x0
 02690  1964   NtSetEventBoostPriority  (288, ...
 02691  1440   NtTestAlert  (...
 02692  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02665  1628   NtWaitForSingleObject  ... ) == 0x0
 02688   940   NtSetEventBoostPriority  ... ) == 0x0
 02666   740   NtWaitForSingleObject  ... ) == 0x0
 02690  1964   NtSetEventBoostPriority  ... ) == 0x0
 02691  1440   NtTestAlert  ... ) == 0x0
 02693  1628   NtWaitForSingleObject  (288, 0, 0x0, ...
 02694   740   NtSetEventBoostPriority  (288, ...
 02695   940   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02696  1964   NtWaitForSingleObject  (288, 0, 0x0, ...
 02668  1716   NtWaitForSingleObject  ... ) == 0x0
 02694   740   NtSetEventBoostPriority  ... ) == 0x0
 02697  1440   NtContinue  (99417392, 1, ...
 02695   940   NtWaitForSingleObject  ... ) == 0x102
 02698  1736   NtResumeThread  (872, ...
 02699  1716   NtSetEventBoostPriority  (288, ...
 02700   740   NtWaitForSingleObject  (288, 0, 0x0, ...
 02701  1440   NtRegisterThreadTerminatePort  (24, ...
 02702   940   NtWaitForSingleObject  (288, 0, 0x0, ...
 02677  1624   NtWaitForSingleObject  ... ) == 0x0
 02699  1716   NtSetEventBoostPriority  ... ) == 0x0
 02698  1736   NtResumeThread  ... 1, ) == 0x0
 02703  1664   NtWaitForSingleObject  (88, 0, 0x0, ...
 02701  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 02704  1624   NtSetEventBoostPriority  (288, ...
 02705  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02676   476   NtWaitForSingleObject  ... ) == 0x0
 02704  1624   NtSetEventBoostPriority  ... ) == 0x0
 02706  1440   NtWaitForSingleObject  (288, 0, 0x0, ...
 02707   476   NtSetEventBoostPriority  (288, ...
 02705  1736   NtAllocateVirtualMemory  ... 101515264, 1048576, ) == 0x0
 02708  1624   NtWaitForSingleObject  (288, 0, 0x0, ...
 02685   896   NtWaitForSingleObject  ... ) == 0x0
 02709  1736   NtAllocateVirtualMemory  (-1, 102555648, 0, 8192, 4096, 4, ...
 02707   476   NtSetEventBoostPriority  ... ) == 0x0
 02710  1716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02711   896   NtSetEventBoostPriority  (288, ...
 02709  1736   NtAllocateVirtualMemory  ... 102555648, 8192, ) == 0x0
 02712   476   NtWaitForSingleObject  (360, 0, 0x0, ...
 02710  1716   NtDuplicateObject  ... 876, ) == 0x0
 02689  1516   NtWaitForSingleObject  ... ) == 0x0
 02711   896   NtSetEventBoostPriority  ... ) == 0x0
 02713  1516   NtSetEventBoostPriority  (288, ...
 02714  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 02686  1612   NtWaitForSingleObject  ... ) == 0x0
 02713  1516   NtSetEventBoostPriority  ... ) == 0x0
 02715   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02716  1612   NtSetEventBoostPriority  (288, ...
 02717  1736   NtProtectVirtualMemory  (-1, (0x61ce000), 4096, 260, ...
 02718  1516   NtSetEventBoostPriority  (88, ...
 02692  1252   NtWaitForSingleObject  ... ) == 0x0
 02717  1736   NtProtectVirtualMemory  ... (0x61ce000), 4096, 4, ) == 0x0
 02703  1664   NtWaitForSingleObject  ... ) == 0x0
 02718  1516   NtSetEventBoostPriority  ... ) == 0x0
 02719  1252   NtSetEventBoostPriority  (288, ...
 02720  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 02721  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02722  1516   NtTestAlert  (...
 02693  1628   NtWaitForSingleObject  ... ) == 0x0
 02719  1252   NtSetEventBoostPriority  ... ) == 0x0
 02721  1736   NtCreateThread  ... 880, {1636, 1972}, ) == 0x0
 02723  1628   NtSetEventBoostPriority  (288, ...
 02722  1516   NtTestAlert  ... ) == 0x0
 02716  1612   NtSetEventBoostPriority  ... ) == 0x0
 02696  1964   NtWaitForSingleObject  ... ) == 0x0
 02724  1736   NtQueryInformationThread  (880, Basic, 28, ...
 02725  1516   NtContinue  (100465968, 1, ...
 02726  1612   NtWaitForSingleObject  (288, 0, 0x0, ...
 02727  1964   NtSetEventBoostPriority  (288, ...
 02724  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0
 02728  1516   NtRegisterThreadTerminatePort  (24, ...
 02700   740   NtWaitForSingleObject  ... ) == 0x0
 02727  1964   NtSetEventBoostPriority  ... ) == 0x0
 02723  1628   NtSetEventBoostPriority  ... ) == 0x0
 02729  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02730  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0d\6\0\0\264\7\0\0" ...  ...
 02731   740   NtSetEventBoostPriority  (288, ...
 02732  1964   NtWaitForSingleObject  (288, 0, 0x0, ...
 02728  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 02730  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75598, 0}  ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0d\6\0\0\264\7\0\0" )  ) == 0x0
 02702   940   NtWaitForSingleObject  ... ) == 0x0
 02733  1516   NtWaitForSingleObject  (288, 0, 0x0, ...
 02734  1736   NtResumeThread  (880, ...
 02735   940   NtSetEventBoostPriority  (288, ...
 02734  1736   NtResumeThread  ... 1, ) == 0x0
 02706  1440   NtWaitForSingleObject  ... ) == 0x0
 02736  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02737  1440   NtSetEventBoostPriority  (288, ...
 02735   940   NtSetEventBoostPriority  ... ) == 0x0
 02731   740   NtSetEventBoostPriority  ... ) == 0x0
 02738  1628   NtSetEventBoostPriority  (360, ...
 02739  1972   NtWaitForSingleObject  (88, 0, 0x0, ...
 02708  1624   NtWaitForSingleObject  ... ) == 0x0
 02737  1440   NtSetEventBoostPriority  ... ) == 0x0
 02740   940   NtWaitForSingleObject  (132, 0, 0x0, ...
 02741   740   NtWaitForSingleObject  (288, 0, 0x0, ...
 02669   876   NtWaitForSingleObject  ... ) == 0x0
 02738  1628   NtSetEventBoostPriority  ... ) == 0x0
 02742  1624   NtSetEventBoostPriority  (288, ...
 02736  1736   NtAllocateVirtualMemory  ... 102563840, 1048576, ) == 0x0
 02743   876   NtWaitForSingleObject  (288, 0, 0x0, ...
 02714  1716   NtWaitForSingleObject  ... ) == 0x0
 02744  1628   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02745  1736   NtAllocateVirtualMemory  (-1, 103604224, 0, 8192, 4096, 4, ...
 02746  1716   NtSetEventBoostPriority  (288, ...
 02744  1628   NtWaitForSingleObject  ... ) == 0x102
 02745  1736   NtAllocateVirtualMemory  ... 103604224, 8192, ) == 0x0
 02720  1664   NtWaitForSingleObject  ... ) == 0x0
 02746  1716   NtSetEventBoostPriority  ... ) == 0x0
 02747  1628   NtWaitForSingleObject  (132, 0, 0x0, ...
 02748  1664   NtSetEventBoostPriority  (288, ...
 02749  1736   NtProtectVirtualMemory  (-1, (0x62ce000), 4096, 260, ...
 02742  1624   NtSetEventBoostPriority  ... ) == 0x0
 02750  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02751  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 02715   896   NtWaitForSingleObject  ... ) == 0x0
 02748  1664   NtSetEventBoostPriority  ... ) == 0x0
 02749  1736   NtProtectVirtualMemory  ... (0x62ce000), 4096, 4, ) == 0x0
 02752  1624   NtWaitForSingleObject  (360, 0, 0x0, ...
 02750  1440   NtDuplicateObject  ... 884, ) == 0x0
 02753   896   NtSetEventBoostPriority  (288, ...
 02754  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02726  1612   NtWaitForSingleObject  ... ) == 0x0
 02755  1440   NtWaitForSingleObject  (288, 0, 0x0, ...
 02753   896   NtSetEventBoostPriority  ... ) == 0x0
 02756  1664   NtSetEventBoostPriority  (88, ...
 02757  1612   NtSetEventBoostPriority  (288, ...
 02758   896   NtSetEventBoostPriority  (132, ...
 02739  1972   NtWaitForSingleObject  ... ) == 0x0
 02756  1664   NtSetEventBoostPriority  ... ) == 0x0
 02729  1252   NtWaitForSingleObject  ... ) == 0x0
 02757  1612   NtSetEventBoostPriority  ... ) == 0x0
 02759  1972   NtWaitForSingleObject  (288, 0, 0x0, ...
 00687   868   NtWaitForSingleObject  ... ) == 0x0
 02758   896   NtSetEventBoostPriority  ... ) == 0x0
 02760  1252   NtSetEventBoostPriority  (288, ...
 02761  1664   NtTestAlert  (...
 02754  1736   NtCreateThread  ... 888, {1636, 780}, ) == 0x0
 02762   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02763  1612   NtWaitForSingleObject  (360, 0, 0x0, ...
 02732  1964   NtWaitForSingleObject  ... ) == 0x0
 02760  1252   NtSetEventBoostPriority  ... ) == 0x0
 02761  1664   NtTestAlert  ... ) == 0x0
 02764  1736   NtQueryInformationThread  (888, Basic, 28, ...
 02765  1964   NtSetEventBoostPriority  (288, ...
 02766  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02767  1664   NtContinue  (101514544, 1, ...
 02733  1516   NtWaitForSingleObject  ... ) == 0x0
 02765  1964   NtSetEventBoostPriority  ... ) == 0x0
 02764  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=780,}, 0x0, ) == 0x0
 02768   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02769  1516   NtSetEventBoostPriority  (288, ...
 02770  1664   NtRegisterThreadTerminatePort  (24, ...
 02771  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0d\6\0\0\14\3\0\0" ...  ...
 02741   740   NtWaitForSingleObject  ... ) == 0x0
 02769  1516   NtSetEventBoostPriority  ... ) == 0x0
 02768   896   NtCreateEvent  ... 892, ) == 0x0
 02772  1964   NtWaitForSingleObject  (360, 0, 0x0, ...
 02773   740   NtSetEventBoostPriority  (288, ...
 02771  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75599, 0}  ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0d\6\0\0\14\3\0\0" )  ) == 0x0
 02770  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 02774   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02743   876   NtWaitForSingleObject  ... ) == 0x0
 02773   740   NtSetEventBoostPriority  ... ) == 0x0
 02775  1516   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02776  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 02777   876   NtSetEventBoostPriority  (288, ...
 02778  1736   NtResumeThread  (888, ...
 02775  1516   NtDuplicateObject  ... 896, ) == 0x0
 02751  1716   NtWaitForSingleObject  ... ) == 0x0
 02778  1736   NtResumeThread  ... 1, ) == 0x0
 02779  1516   NtWaitForSingleObject  (288, 0, 0x0, ...
 02780  1716   NtSetEventBoostPriority  (288, ...
 02781  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02755  1440   NtWaitForSingleObject  ... ) == 0x0
 02780  1716   NtSetEventBoostPriority  ... ) == 0x0
 02782  1440   NtSetEventBoostPriority  (288, ...
 02781  1736   NtAllocateVirtualMemory  ... 103612416, 1048576, ) == 0x0
 02759  1972   NtWaitForSingleObject  ... ) == 0x0
 02782  1440   NtSetEventBoostPriority  ... ) == 0x0
 02783  1716   NtWaitForSingleObject  (360, 0, 0x0, ...
 02784  1972   NtSetEventBoostPriority  (288, ...
 02785  1736   NtAllocateVirtualMemory  (-1, 104652800, 0, 8192, 4096, 4, ...
 02777   876   NtSetEventBoostPriority  ... ) == 0x0
 02786   740   NtWaitForSingleObject  (360, 0, 0x0, ...
 02787   780   NtWaitForSingleObject  (88, 0, 0x0, ...
 02788  1440   NtWaitForSingleObject  (360, 0, 0x0, ...
 02762   868   NtWaitForSingleObject  ... ) == 0x0
 02784  1972   NtSetEventBoostPriority  ... ) == 0x0
 02785  1736   NtAllocateVirtualMemory  ... 104652800, 8192, ) == 0x0
 02789   868   NtSetEventBoostPriority  (288, ...
 02790   876   NtSetEventBoostPriority  (360, ...
 02791  1972   NtSetEventBoostPriority  (88, ...
 02766  1252   NtWaitForSingleObject  ... ) == 0x0
 02789   868   NtSetEventBoostPriority  ... ) == 0x0
 02674  1404   NtWaitForSingleObject  ... ) == 0x0
 02790   876   NtSetEventBoostPriority  ... ) == 0x0
 02792  1252   NtSetEventBoostPriority  (288, ...
 02787   780   NtWaitForSingleObject  ... ) == 0x0
 02791  1972   NtSetEventBoostPriority  ... ) == 0x0
 02793  1736   NtProtectVirtualMemory  (-1, (0x63ce000), 4096, 260, ...
 02794  1404   NtWaitForSingleObject  (288, 0, 0x0, ...
 02774   896   NtWaitForSingleObject  ... ) == 0x0
 02795   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 02796   876   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02797  1972   NtTestAlert  (...
 02793  1736   NtProtectVirtualMemory  ... (0x63ce000), 4096, 4, ) == 0x0
 02798   896   NtSetEventBoostPriority  (288, ...
 02796   876   NtWaitForSingleObject  ... ) == 0x102
 02797  1972   NtTestAlert  ... ) == 0x0
 02799  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02776  1664   NtWaitForSingleObject  ... ) == 0x0
 02798   896   NtSetEventBoostPriority  ... ) == 0x0
 02800   876   NtWaitForSingleObject  (132, 0, 0x0, ...
 02801  1972   NtContinue  (102563120, 1, ...
 02802  1664   NtSetEventBoostPriority  (288, ...
 02799  1736   NtCreateThread  ... 900, {1636, 1656}, ) == 0x0
 02792  1252   NtSetEventBoostPriority  ... ) == 0x0
 02803   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02804   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02779  1516   NtWaitForSingleObject  ... ) == 0x0
 02802  1664   NtSetEventBoostPriority  ... ) == 0x0
 02805  1972   NtRegisterThreadTerminatePort  (24, ...
 02806  1736   NtQueryInformationThread  (900, Basic, 28, ...
 02807  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02808  1516   NtSetEventBoostPriority  (288, ...
 02809  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02806  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0
 02794  1404   NtWaitForSingleObject  ... ) == 0x0
 02808  1516   NtSetEventBoostPriority  ... ) == 0x0
 02809  1664   NtDuplicateObject  ... 904, ) == 0x0
 02805  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 02810  1404   NtSetEventBoostPriority  (288, ...
 02811  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0d\6\0\0x\6\0\0" ...  ...
 02812  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 02795   780   NtWaitForSingleObject  ... ) == 0x0
 02813  1972   NtWaitForSingleObject  (288, 0, 0x0, ...
 02811  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75600, 0}  ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0d\6\0\0x\6\0\0" )  ) == 0x0
 02814   780   NtSetEventBoostPriority  (288, ...
 02803   868   NtWaitForSingleObject  ... ) == 0x0
 02815   868   NtSetEventBoostPriority  (288, ...
 02804   896   NtWaitForSingleObject  ... ) == 0x0
 02816   896   NtSetEventBoostPriority  (288, ...
 02807  1252   NtWaitForSingleObject  ... ) == 0x0
 02817  1252   NtSetEventBoostPriority  (288, ...
 02812  1664   NtWaitForSingleObject  ... ) == 0x0
 02818  1664   NtSetEventBoostPriority  (288, ...
 02813  1972   NtWaitForSingleObject  ... ) == 0x0
 02819  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 908, ) == 0x0
 02818  1664   NtSetEventBoostPriority  ... ) == 0x0
 02817  1252   NtSetEventBoostPriority  ... ) == 0x0
 02816   896   NtSetEventBoostPriority  ... ) == 0x0
 02815   868   NtSetEventBoostPriority  ... ) == 0x0
 02814   780   NtSetEventBoostPriority  ... ) == 0x0
 02820  1736   NtResumeThread  (900, ...
 02810  1404   NtSetEventBoostPriority  ... ) == 0x0
 02821  1516   NtWaitForSingleObject  (360, 0, 0x0, ...
 02822  1972   NtWaitForSingleObject  (360, 0, 0x0, ...
 02823  1664   NtWaitForSingleObject  (360, 0, 0x0, ...
 02824   896   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 02825   868   NtSetEventBoostPriority  (132, ...
 02826  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02820  1736   NtResumeThread  ... 1, ) == 0x0
 02827   780   NtTestAlert  (...
 02828  1404   NtSetEventBoostPriority  (360, ...
 02829  1656   NtWaitForSingleObject  (288, 0, 0x0, ...
 02824   896   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 02830  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02827   780   NtTestAlert  ... ) == 0x0
 02712   476   NtWaitForSingleObject  ... ) == 0x0
 02828  1404   NtSetEventBoostPriority  ... ) == 0x0
 02831   896   NtSetEventBoostPriority  (288, ...
 00689  2020   NtWaitForSingleObject  ... ) == 0x0
 02825   868   NtSetEventBoostPriority  ... ) == 0x0
 02832   476   NtWaitForSingleObject  (288, 0, 0x0, ...
 02833   780   NtContinue  (103611696, 1, ...
 02834  1404   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02826  1252   NtWaitForSingleObject  ... ) == 0x0
 02831   896   NtSetEventBoostPriority  ... ) == 0x0
 02835  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 02836   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02837   780   NtRegisterThreadTerminatePort  (24, ...
 02838  1252   NtSetEventBoostPriority  (288, ...
 02834  1404   NtWaitForSingleObject  ... ) == 0x102
 02839   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02836   868   NtCreateEvent  ... 912, ) == 0x0
 02829  1656   NtWaitForSingleObject  ... ) == 0x0
 02838  1252   NtSetEventBoostPriority  ... ) == 0x0
 02837   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 02840  1404   NtWaitForSingleObject  (132, 0, 0x0, ...
 02841  1656   NtSetEventBoostPriority  (288, ...
 02842   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02843  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02844   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 02830  1736   NtAllocateVirtualMemory  ... 104660992, 1048576, ) == 0x0
 02832   476   NtWaitForSingleObject  ... ) == 0x0
 02841  1656   NtSetEventBoostPriority  ... ) == 0x0
 02845   476   NtSetEventBoostPriority  (288, ...
 02846  1736   NtAllocateVirtualMemory  (-1, 105701376, 0, 8192, 4096, 4, ...
 02835  2020   NtWaitForSingleObject  ... ) == 0x0
 02845   476   NtSetEventBoostPriority  ... ) == 0x0
 02847  2020   NtSetEventBoostPriority  (288, ...
 02846  1736   NtAllocateVirtualMemory  ... 105701376, 8192, ) == 0x0
 02848  1656   NtTestAlert  (...
 02839   896   NtWaitForSingleObject  ... ) == 0x0
 02847  2020   NtSetEventBoostPriority  ... ) == 0x0
 02849  1736   NtProtectVirtualMemory  (-1, (0x64ce000), 4096, 260, ...
 02850   896   NtSetEventBoostPriority  (288, ...
 02848  1656   NtTestAlert  ... ) == 0x0
 02851   476   NtSetEventBoostPriority  (360, ...
 02842   868   NtWaitForSingleObject  ... ) == 0x0
 02850   896   NtSetEventBoostPriority  ... ) == 0x0
 02849  1736   NtProtectVirtualMemory  ... (0x64ce000), 4096, 4, ) == 0x0
 02852  1656   NtContinue  (104660272, 1, ...
 02853   868   NtSetEventBoostPriority  (288, ...
 02752  1624   NtWaitForSingleObject  ... ) == 0x0
 02851   476   NtSetEventBoostPriority  ... ) == 0x0
 02854  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 02855  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02843  1252   NtWaitForSingleObject  ... ) == 0x0
 02856  1624   NtWaitForSingleObject  (288, 0, 0x0, ...
 02853   868   NtSetEventBoostPriority  ... ) == 0x0
 02857  1656   NtRegisterThreadTerminatePort  (24, ...
 02858   476   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02859   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02860  1252   NtSetEventBoostPriority  (288, ...
 02855  1736   NtCreateThread  ... 916, {1636, 1248}, ) == 0x0
 02857  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 02858   476   NtWaitForSingleObject  ... ) == 0x102
 02844   780   NtWaitForSingleObject  ... ) == 0x0
 02861  1736   NtQueryInformationThread  (916, Basic, 28, ...
 02862  1656   NtWaitForSingleObject  (288, 0, 0x0, ...
 02863   476   NtWaitForSingleObject  (132, 0, 0x0, ...
 02864   780   NtSetEventBoostPriority  (288, ...
 02861  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=1248,}, 0x0, ) == 0x0
 02860  1252   NtSetEventBoostPriority  ... ) == 0x0
 02865   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02854  2020   NtWaitForSingleObject  ... ) == 0x0
 02866  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\0\340\4\0\0" ...  ...
 02867  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02868  2020   NtSetEventBoostPriority  (288, ...
 02866  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75601, 0}  ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0d\6\0\0\340\4\0\0" )  ) == 0x0
 02856  1624   NtWaitForSingleObject  ... ) == 0x0
 02868  2020   NtSetEventBoostPriority  ... ) == 0x0
 02864   780   NtSetEventBoostPriority  ... ) == 0x0
 02869  1624   NtSetEventBoostPriority  (288, ...
 02870  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 02859   896   NtWaitForSingleObject  ... ) == 0x0
 02869  1624   NtSetEventBoostPriority  ... ) == 0x0
 02871   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02872  1736   NtResumeThread  (916, ...
 02873   896   NtSetEventBoostPriority  (288, ...
 02871   780   NtDuplicateObject  ... 920, ) == 0x0
 02862  1656   NtWaitForSingleObject  ... ) == 0x0
 02873   896   NtSetEventBoostPriority  ... ) == 0x0
 02872  1736   NtResumeThread  ... 1, ) == 0x0
 02874  1624   NtSetEventBoostPriority  (360, ...
 02875  1656   NtSetEventBoostPriority  (288, ...
 02876   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02877  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02865   868   NtWaitForSingleObject  ... ) == 0x0
 02763  1612   NtWaitForSingleObject  ... ) == 0x0
 02874  1624   NtSetEventBoostPriority  ... ) == 0x0
 02875  1656   NtSetEventBoostPriority  ... ) == 0x0
 02878   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 02879  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 02877  1736   NtAllocateVirtualMemory  ... 105709568, 1048576, ) == 0x0
 02880  1612   NtWaitForSingleObject  (288, 0, 0x0, ...
 02881   868   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 02882  1624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02883  1656   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02884  1736   NtAllocateVirtualMemory  (-1, 106749952, 0, 8192, 4096, 4, ...
 02881   868   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 02882  1624   NtWaitForSingleObject  ... ) == 0x102
 02883  1656   NtDuplicateObject  ... 924, ) == 0x0
 02884  1736   NtAllocateVirtualMemory  ... 106749952, 8192, ) == 0x0
 02885   868   NtSetEventBoostPriority  (288, ...
 02886  1624   NtWaitForSingleObject  (288, 0, 0x0, ...
 02887  1656   NtWaitForSingleObject  (288, 0, 0x0, ...
 02888  1736   NtProtectVirtualMemory  (-1, (0x65ce000), 4096, 260, ...
 02867  1252   NtWaitForSingleObject  ... ) == 0x0
 02885   868   NtSetEventBoostPriority  ... ) == 0x0
 02888  1736   NtProtectVirtualMemory  ... (0x65ce000), 4096, 4, ) == 0x0
 02889  1252   NtSetEventBoostPriority  (288, ...
 02890   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02891  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02870  2020   NtWaitForSingleObject  ... ) == 0x0
 02889  1252   NtSetEventBoostPriority  ... ) == 0x0
 02892  2020   NtSetEventBoostPriority  (288, ...
 02891  1736   NtCreateThread  ... 928, {1636, 1036}, ) == 0x0
 02878   780   NtWaitForSingleObject  ... ) == 0x0
 02893  1736   NtQueryInformationThread  (928, Basic, 28, ...
 02894   780   NtSetEventBoostPriority  (288, ...
 02893  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=1036,}, 0x0, ) == 0x0
 02879  1248   NtWaitForSingleObject  ... ) == 0x0
 02894   780   NtSetEventBoostPriority  ... ) == 0x0
 02892  2020   NtSetEventBoostPriority  ... ) == 0x0
 02895  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02896  1248   NtSetEventBoostPriority  (288, ...
 02897   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 02898  2020   NtSetEventBoostPriority  (132, ...
 02880  1612   NtWaitForSingleObject  ... ) == 0x0
 02896  1248   NtSetEventBoostPriority  ... ) == 0x0
 02899  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0\14\4\0\0" ...  ...
 02900  1612   NtSetEventBoostPriority  (288, ...
 00695   808   NtWaitForSingleObject  ... ) == 0x0
 02898  2020   NtSetEventBoostPriority  ... ) == 0x0
 02876   896   NtWaitForSingleObject  ... ) == 0x0
 02901   808   NtWaitForSingleObject  (288, 0, 0x0, ...
 02900  1612   NtSetEventBoostPriority  ... ) == 0x0
 02899  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75602, 0}  ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0\14\4\0\0" )  ) == 0x0
 02902  1248   NtTestAlert  (...
 02903   896   NtSetEventBoostPriority  (288, ...
 02904  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02905  1736   NtResumeThread  (928, ...
 02887  1656   NtWaitForSingleObject  ... ) == 0x0
 02902  1248   NtTestAlert  ... ) == 0x0
 02904  2020   NtCreateEvent  ... 932, ) == 0x0
 02905  1736   NtResumeThread  ... 1, ) == 0x0
 02906  1656   NtSetEventBoostPriority  (288, ...
 02907  1248   NtContinue  (105708848, 1, ...
 02908  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 02909  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02890   868   NtWaitForSingleObject  ... ) == 0x0
 02906  1656   NtSetEventBoostPriority  ... ) == 0x0
 02910  1248   NtRegisterThreadTerminatePort  (24, ...
 02903   896   NtSetEventBoostPriority  ... ) == 0x0
 02911  1612   NtSetEventBoostPriority  (360, ...
 02912  1036   NtWaitForSingleObject  (288, 0, 0x0, ...
 02913   868   NtSetEventBoostPriority  (288, ...
 02914  1656   NtWaitForSingleObject  (288, 0, 0x0, ...
 02910  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 02915   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02772  1964   NtWaitForSingleObject  ... ) == 0x0
 02911  1612   NtSetEventBoostPriority  ... ) == 0x0
 02886  1624   NtWaitForSingleObject  ... ) == 0x0
 02913   868   NtSetEventBoostPriority  ... ) == 0x0
 02909  1736   NtAllocateVirtualMemory  ... 106758144, 1048576, ) == 0x0
 02916  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 02917  1964   NtWaitForSingleObject  (288, 0, 0x0, ...
 02918  1624   NtSetEventBoostPriority  (288, ...
 02919  1612   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02920  1736   NtAllocateVirtualMemory  (-1, 107798528, 0, 8192, 4096, 4, ...
 02921   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02895  1252   NtWaitForSingleObject  ... ) == 0x0
 02919  1612   NtWaitForSingleObject  ... ) == 0x102
 02920  1736   NtAllocateVirtualMemory  ... 107798528, 8192, ) == 0x0
 02922  1252   NtSetEventBoostPriority  (288, ...
 02923  1612   NtWaitForSingleObject  (132, 0, 0x0, ...
 02924  1736   NtProtectVirtualMemory  (-1, (0x66ce000), 4096, 260, ...
 02897   780   NtWaitForSingleObject  ... ) == 0x0
 02922  1252   NtSetEventBoostPriority  ... ) == 0x0
 02918  1624   NtSetEventBoostPriority  ... ) == 0x0
 02925   780   NtSetEventBoostPriority  (288, ...
 02924  1736   NtProtectVirtualMemory  ... (0x66ce000), 4096, 4, ) == 0x0
 02926  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 02901   808   NtWaitForSingleObject  ... ) == 0x0
 02927  1624   NtWaitForSingleObject  (132, 0, 0x0, ...
 02928  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02925   780   NtSetEventBoostPriority  ... ) == 0x0
 02929   808   NtSetEventBoostPriority  (288, ...
 02908  2020   NtWaitForSingleObject  ... ) == 0x0
 02930  2020   NtSetEventBoostPriority  (288, ...
 02912  1036   NtWaitForSingleObject  ... ) == 0x0
 02931  1036   NtSetEventBoostPriority  (288, ...
 02915   896   NtWaitForSingleObject  ... ) == 0x0
 02932   896   NtSetEventBoostPriority  (288, ...
 02914  1656   NtWaitForSingleObject  ... ) == 0x0
 02933  1656   NtSetEventBoostPriority  (288, ...
 02917  1964   NtWaitForSingleObject  ... ) == 0x0
 02934  1964   NtSetEventBoostPriority  (288, ...
 02921   868   NtWaitForSingleObject  ... ) == 0x0
 02935   868   NtSetEventBoostPriority  (288, ...
 02916  1248   NtWaitForSingleObject  ... ) == 0x0
 02936  1248   NtSetEventBoostPriority  (288, ...
 02926  1252   NtWaitForSingleObject  ... ) == 0x0
 02937  1252   NtWaitForSingleObject  (360, 0, 0x0, ...
 02935   868   NtSetEventBoostPriority  ... ) == 0x0
 02938   868   NtAllocateVirtualMemory  (-1, 12111872, 0, 4096, 4096, 260, ...
 02934  1964   NtSetEventBoostPriority  ... ) == 0x0
 02932   896   NtSetEventBoostPriority  ... ) == 0x0
 02931  1036   NtSetEventBoostPriority  ... ) == 0x0
 02930  2020   NtSetEventBoostPriority  ... ) == 0x0
 02929   808   NtSetEventBoostPriority  ... ) == 0x0
 02939   780   NtWaitForSingleObject  (360, 0, 0x0, ...
 02936  1248   NtSetEventBoostPriority  ... ) == 0x0
 02933  1656   NtSetEventBoostPriority  ... ) == 0x0
 02928  1736   NtCreateThread  ... 936, {1636, 760}, ) == 0x0
 02938   868   NtAllocateVirtualMemory  ... 12111872, 4096, ) == 0x0
 02940  1964   NtSetEventBoostPriority  (360, ...
 02941   896   NtAllocateVirtualMemory  (-1, 15519744, 0, 4096, 4096, 260, ...
 02942  1036   NtTestAlert  (...
 02943  2020   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 02944  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02945  1656   NtWaitForSingleObject  (360, 0, 0x0, ...
 02946  1736   NtQueryInformationThread  (936, Basic, 28, ...
 02947   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02783  1716   NtWaitForSingleObject  ... ) == 0x0
 02940  1964   NtSetEventBoostPriority  ... ) == 0x0
 02941   896   NtAllocateVirtualMemory  ... 15519744, 4096, ) == 0x0
 02942  1036   NtTestAlert  ... ) == 0x0
 02943  2020   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 02944  1248   NtDuplicateObject  ... 940, ) == 0x0
 02946  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=760,}, 0x0, ) == 0x0
 02948  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 02949  1964   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02950   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02951  1036   NtContinue  (106757424, 1, ...
 02952  2020   NtSetEventBoostPriority  (288, ...
 02953   808   NtSetEventBoostPriority  (132, ...
 02954  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0d\6\0\0\370\2\0\0" ...  ...
 02949  1964   NtWaitForSingleObject  ... ) == 0x102
 02955  1036   NtRegisterThreadTerminatePort  (24, ...
 02947   868   NtWaitForSingleObject  ... ) == 0x0
 02952  2020   NtSetEventBoostPriority  ... ) == 0x0
 00793  2016   NtWaitForSingleObject  ... ) == 0x0
 02953   808   NtSetEventBoostPriority  ... ) == 0x0
 02954  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75603, 0}  ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0d\6\0\0\370\2\0\0" )  ) == 0x0
 02956  1964   NtWaitForSingleObject  (132, 0, 0x0, ...
 02957   868   NtSetEventBoostPriority  (288, ...
 02955  1036   NtRegisterThreadTerminatePort  ... ) == 0x0
 02958  2016   NtWaitForSingleObject  (288, 0, 0x0, ...
 02959  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 02960   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02961  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 02962  1736   NtResumeThread  (936, ...
 02948  1716   NtWaitForSingleObject  ... ) == 0x0
 02957   868   NtSetEventBoostPriority  ... ) == 0x0
 02963  1036   NtWaitForSingleObject  (288, 0, 0x0, ...
 02960   808   NtCreateEvent  ... 944, ) == 0x0
 02964  1716   NtSetEventBoostPriority  (288, ...
 02962  1736   NtResumeThread  ... 1, ) == 0x0
 02965   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02966   760   NtWaitForSingleObject  (288, 0, 0x0, ...
 02950   896   NtWaitForSingleObject  ... ) == 0x0
 02967   808   NtWaitForSingleObject  (288, 0, 0x0, ...
 02968  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02969   896   NtSetEventBoostPriority  (288, ...
 02968  1736   NtAllocateVirtualMemory  ... 107806720, 1048576, ) == 0x0
 02958  2016   NtWaitForSingleObject  ... ) == 0x0
 02969   896   NtSetEventBoostPriority  ... ) == 0x0
 02970  2016   NtSetEventBoostPriority  (288, ...
 02971  1736   NtAllocateVirtualMemory  (-1, 108847104, 0, 8192, 4096, 4, ...
 02964  1716   NtSetEventBoostPriority  ... ) == 0x0
 02959  2020   NtWaitForSingleObject  ... ) == 0x0
 02970  2016   NtSetEventBoostPriority  ... ) == 0x0
 02971  1736   NtAllocateVirtualMemory  ... 108847104, 8192, ) == 0x0
 02972   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02973  2020   NtSetEventBoostPriority  (288, ...
 02974  1716   NtSetEventBoostPriority  (360, ...
 02975  2016   NtWaitForSingleObject  (288, 0, 0x0, ...
 02961  1248   NtWaitForSingleObject  ... ) == 0x0
 02973  2020   NtSetEventBoostPriority  ... ) == 0x0
 02786   740   NtWaitForSingleObject  ... ) == 0x0
 02974  1716   NtSetEventBoostPriority  ... ) == 0x0
 02976  1248   NtSetEventBoostPriority  (288, ...
 02977  1736   NtProtectVirtualMemory  (-1, (0x67ce000), 4096, 260, ...
 02978   740   NtWaitForSingleObject  (288, 0, 0x0, ...
 02965   868   NtWaitForSingleObject  ... ) == 0x0
 02976  1248   NtSetEventBoostPriority  ... ) == 0x0
 02979  1716   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02980   868   NtSetEventBoostPriority  (288, ...
 02977  1736   NtProtectVirtualMemory  ... (0x67ce000), 4096, 4, ) == 0x0
 02981  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 02966   760   NtWaitForSingleObject  ... ) == 0x0
 02980   868   NtSetEventBoostPriority  ... ) == 0x0
 02979  1716   NtWaitForSingleObject  ... ) == 0x102
 02982  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02983  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 02984   760   NtSetEventBoostPriority  (288, ...
 02985   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02986  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 02982  1736   NtCreateThread  ... 948, {1636, 860}, ) == 0x0
 02967   808   NtWaitForSingleObject  ... ) == 0x0
 02984   760   NtSetEventBoostPriority  ... ) == 0x0
 02987   808   NtSetEventBoostPriority  (288, ...
 02988  1736   NtQueryInformationThread  (948, Basic, 28, ...
 02963  1036   NtWaitForSingleObject  ... ) == 0x0
 02987   808   NtSetEventBoostPriority  ... ) == 0x0
 02989  1036   NtSetEventBoostPriority  (288, ...
 02988  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1636,Tid=860,}, 0x0, ) == 0x0
 02990   760   NtTestAlert  (...
 02972   896   NtWaitForSingleObject  ... ) == 0x0
 02989  1036   NtSetEventBoostPriority  ... ) == 0x0
 02991   808   NtWaitForSingleObject  (288, 0, 0x0, ...
 02990   760   NtTestAlert  ... ) == 0x0
 02992   896   NtSetEventBoostPriority  (288, ...
 02993  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02994   760   NtContinue  (107806000, 1, ...
 02975  2016   NtWaitForSingleObject  ... ) == 0x0
 02992   896   NtSetEventBoostPriority  ... ) == 0x0
 02993  1036   NtDuplicateObject  ... 952, ) == 0x0
 02995  2016   NtSetEventBoostPriority  (288, ...
 02996   760   NtRegisterThreadTerminatePort  (24, ...
 02997   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 02998  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\0\\3\0\0" ...  ...
 02978   740   NtWaitForSingleObject  ... ) == 0x0
 02995  2016   NtSetEventBoostPriority  ... ) == 0x0
 02996   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 02999  1036   NtWaitForSingleObject  (288, 0, 0x0, ...
 03000   740   NtSetEventBoostPriority  (288, ...
 02998  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75604, 0}  ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\0\\3\0\0" )  ) == 0x0
 03001  2016   NtSetEventBoostPriority  (132, ...
 03002   760   NtWaitForSingleObject  (288, 0, 0x0, ...
 02983  2020   NtWaitForSingleObject  ... ) == 0x0
 03000   740   NtSetEventBoostPriority  ... ) == 0x0
 03003  1736   NtResumeThread  (948, ...
 00796  2012   NtWaitForSingleObject  ... ) == 0x0
 03001  2016   NtSetEventBoostPriority  ... ) == 0x0
 03004  2020   NtSetEventBoostPriority  (288, ...
 03003  1736   NtResumeThread  ... 1, ) == 0x0
 03005  2012   NtWaitForSingleObject  (288, 0, 0x0, ...
 02981  1248   NtWaitForSingleObject  ... ) == 0x0
 03004  2020   NtSetEventBoostPriority  ... ) == 0x0
 03006  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03007  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03008  1248   NtSetEventBoostPriority  (288, ...
 03009  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 03006  2016   NtCreateEvent  ... 956, ) == 0x0
 03010   740   NtSetEventBoostPriority  (360, ...
 03011   860   NtWaitForSingleObject  (288, 0, 0x0, ...
 02985   868   NtWaitForSingleObject  ... ) == 0x0
 03008  1248   NtSetEventBoostPriority  ... ) == 0x0
 03007  1736   NtAllocateVirtualMemory  ... 108855296, 1048576, ) == 0x0
 03012  2016   NtWaitForSingleObject  (288, 0, 0x0, ...
 02788  1440   NtWaitForSingleObject  ... ) == 0x0
 03010   740   NtSetEventBoostPriority  ... ) == 0x0
 03013   868   NtSetEventBoostPriority  (288, ...
 03014  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 03015  1736   NtAllocateVirtualMemory  (-1, 109895680, 0, 8192, 4096, 4, ...
 03016  1440   NtWaitForSingleObject  (288, 0, 0x0, ...
 03017   740   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02986  1716   NtWaitForSingleObject  ... ) == 0x0
 03015  1736   NtAllocateVirtualMemory  ... 109895680, 8192, ) == 0x0
 03017   740   NtWaitForSingleObject  ... ) == 0x102
 03018  1716   NtSetEventBoostPriority  (288, ...
 03019  1736   NtProtectVirtualMemory  (-1, (0x68ce000), 4096, 260, ...
 03020   740   NtWaitForSingleObject  (132, 0, 0x0, ...
 02991   808   NtWaitForSingleObject  ... ) == 0x0
 03019  1736   NtProtectVirtualMemory  ... (0x68ce000), 4096, 4, ) == 0x0
 03018  1716   NtSetEventBoostPriority  ... ) == 0x0
 03013   868   NtSetEventBoostPriority  ... ) == 0x0
 03021   808   NtSetEventBoostPriority  (288, ...
 03022  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03023  1716   NtWaitForSingleObject  (132, 0, 0x0, ...
 03024   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 02999  1036   NtWaitForSingleObject  ... ) == 0x0
 03021   808   NtSetEventBoostPriority  ... ) == 0x0
 03025  1036   NtSetEventBoostPriority  (288, ...
 02997   896   NtWaitForSingleObject  ... ) == 0x0
 03026   896   NtSetEventBoostPriority  (288, ...
 03002   760   NtWaitForSingleObject  ... ) == 0x0
 03027   760   NtSetEventBoostPriority  (288, ...
 03005  2012   NtWaitForSingleObject  ... ) == 0x0
 03028  2012   NtSetEventBoostPriority  (288, ...
 03011   860   NtWaitForSingleObject  ... ) == 0x0
 03029   860   NtSetEventBoostPriority  (288, ...
 03012  2016   NtWaitForSingleObject  ... ) == 0x0
 03030  2016   NtSetEventBoostPriority  (288, ...
 03014  1248   NtWaitForSingleObject  ... ) == 0x0
 03031  1248   NtSetEventBoostPriority  (288, ...
 03016  1440   NtWaitForSingleObject  ... ) == 0x0
 03032  1440   NtSetEventBoostPriority  (288, ...
 03009  2020   NtWaitForSingleObject  ... ) == 0x0
 03033  2020   NtSetEventBoostPriority  (288, ...
 03024   868   NtWaitForSingleObject  ... ) == 0x0
 03034   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 960, ) == 0x0
 03032  1440   NtSetEventBoostPriority  ... ) == 0x0
 03031  1248   NtSetEventBoostPriority  ... ) == 0x0
 03030  2016   NtSetEventBoostPriority  ... ) == 0x0
 03029   860   NtSetEventBoostPriority  ... ) == 0x0
 03028  2012   NtSetEventBoostPriority  ... ) == 0x0
 03025  1036   NtSetEventBoostPriority  ... ) == 0x0
 03035   808   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 03033  2020   NtSetEventBoostPriority  ... ) == 0x0
 03027   760   NtSetEventBoostPriority  ... ) == 0x0
 03026   896   NtSetEventBoostPriority  ... ) == 0x0
 03022  1736   NtCreateThread  ... 964, {1636, 484}, ) == 0x0
 03036   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03037  1440   NtSetEventBoostPriority  (360, ...
 03038  1248   NtWaitForSingleObject  (360, 0, 0x0, ...
 03039  2016   NtWaitForSingleObject  (288, 0, 0x0, ...
 03040   860   NtTestAlert  (...
 03041  1036   NtWaitForSingleObject  (288, 0, 0x0, ...
 03042  2012   NtSetEventBoostPriority  (132, ...
 03043  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 03044   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03045   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 03046  1736   NtQueryInformationThread  (964, Basic, 28, ...
 03036   868   NtDuplicateObject  ... 968, ) == 0x0
 02821  1516   NtWaitForSingleObject  ... ) == 0x0
 03037  1440   NtSetEventBoostPriority  ... ) == 0x0
 03040   860   NtTestAlert  ... ) == 0x0
 03035   808   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 00802  1028   NtWaitForSingleObject  ... ) == 0x0
 03042  2012   NtSetEventBoostPriority  ... ) == 0x0
 03044   760   NtDuplicateObject  ... 972, ) == 0x0
 03046  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1636,Tid=484,}, 0x0, ) == 0x0
 03047  1516   NtSetEventBoostPriority  (360, ...
 03048   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 03049  1440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03050   860   NtContinue  (108854576, 1, ...
 03051  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 03052   808   NtSetEventBoostPriority  (288, ...
 03053  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02822  1972   NtWaitForSingleObject  ... ) == 0x0
 03047  1516   NtSetEventBoostPriority  ... ) == 0x0
 03054  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\344\1\0\0" ...  ...
 03049  1440   NtWaitForSingleObject  ... ) == 0x102
 03055   860   NtRegisterThreadTerminatePort  (24, ...
 03039  2016   NtWaitForSingleObject  ... ) == 0x0
 03052   808   NtSetEventBoostPriority  ... ) == 0x0
 03056  1972   NtWaitForSingleObject  (288, 0, 0x0, ...
 03053  2012   NtCreateEvent  ... 976, ) == 0x0
 03057  1516   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03054  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75605, 0}  ... {28, 56, reply, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\344\1\0\0" )  ) == 0x0
 03058  1440   NtWaitForSingleObject  (132, 0, 0x0, ...
 03059  2016   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ...
 03055   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 03060   808   NtWaitForSingleObject  (288, 0, 0x0, ...
 03061  2012   NtWaitForSingleObject  (288, 0, 0x0, ...
 03062   760   NtWaitForSingleObject  (288, 0, 0x0, ...
 03057  1516   NtWaitForSingleObject  ... ) == 0x102
 03063  1736   NtResumeThread  (964, ...
 03059  2016   NtAllocateVirtualMemory  ... 1437696, 4096, ) == 0x0
 03064   860   NtWaitForSingleObject  (288, 0, 0x0, ...
 03065  1516   NtWaitForSingleObject  (288, 0, 0x0, ...
 03066  2016   NtSetEventBoostPriority  (288, ...
 03063  1736   NtResumeThread  ... 1, ) == 0x0
 03067   484   NtWaitForSingleObject  (288, 0, 0x0, ...
 03068  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 109903872, 1048576, ) == 0x0
 03069  1736   NtAllocateVirtualMemory  (-1, 110944256, 0, 8192, 4096, 4, ... 110944256, 8192, ) == 0x0
 03070  1736   NtProtectVirtualMemory  (-1, (0x69ce000), 4096, 260, ... (0x69ce000), 4096, 4, ) == 0x0
 03071  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 980, {1636, 1580}, ) == 0x0
 03072  1736   NtQueryInformationThread  (980, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1636,Tid=1580,}, 0x0, ) == 0x0
 03043  2020   NtWaitForSingleObject  ... ) == 0x0
 03066  2016   NtSetEventBoostPriority  ... ) == 0x0
 03073  2020   NtSetEventBoostPriority  (288, ...
 03074  2016   NtWaitForSingleObject  (288, 0, 0x0, ...
 03045   896   NtWaitForSingleObject  ... ) == 0x0
 03073  2020   NtSetEventBoostPriority  ... ) == 0x0
 03075   896   NtSetEventBoostPriority  (288, ...
 03076  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0d\6\0\0,\6\0\0" ...  ...
 03041  1036   NtWaitForSingleObject  ... ) == 0x0
 03075   896   NtSetEventBoostPriority  ... ) == 0x0
 03077  1036   NtSetEventBoostPriority  (288, ...
 03076  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75606, 0}  ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0d\6\0\0,\6\0\0" )  ) == 0x0
 03078  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 03048   868   NtWaitForSingleObject  ... ) == 0x0
 03079  1736   NtResumeThread  (980, ...
 03080   868   NtSetEventBoostPriority  (288, ...
 03079  1736   NtResumeThread  ... 1, ) == 0x0
 03051  1028   NtWaitForSingleObject  ... ) == 0x0
 03080   868   NtSetEventBoostPriority  ... ) == 0x0
 03081  1028   NtSetEventBoostPriority  (288, ...
 03082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03077  1036   NtSetEventBoostPriority  ... ) == 0x0
 03083   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 03084  1580   NtWaitForSingleObject  (88, 0, 0x0, ...
 03056  1972   NtWaitForSingleObject  ... ) == 0x0
 03081  1028   NtSetEventBoostPriority  ... ) == 0x0
 03085   868   NtWaitForSingleObject  (288, 0, 0x0, ...
 03086  1036   NtWaitForSingleObject  (360, 0, 0x0, ...
 03087  1972   NtSetEventBoostPriority  (288, ...
 03082  1736   NtAllocateVirtualMemory  ... 110952448, 1048576, ) == 0x0
 03060   808   NtWaitForSingleObject  ... ) == 0x0
 03087  1972   NtSetEventBoostPriority  ... ) == 0x0
 03088   808   NtSetEventBoostPriority  (288, ...
 03089  1736   NtAllocateVirtualMemory  (-1, 111992832, 0, 8192, 4096, 4, ...
 03090  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 03061  2012   NtWaitForSingleObject  ... ) == 0x0
 03088   808   NtSetEventBoostPriority  ... ) == 0x0
 03089  1736   NtAllocateVirtualMemory  ... 111992832, 8192, ) == 0x0
 03091  2012   NtSetEventBoostPriority  (288, ...
 03092  1972   NtSetEventBoostPriority  (360, ...
 03062   760   NtWaitForSingleObject  ... ) == 0x0
 03091  2012   NtSetEventBoostPriority  ... ) == 0x0
 03093  1736   NtProtectVirtualMemory  (-1, (0x6ace000), 4096, 260, ...
 03094   760   NtSetEventBoostPriority  (288, ...
 02823  1664   NtWaitForSingleObject  ... ) == 0x0
 03092  1972   NtSetEventBoostPriority  ... ) == 0x0
 03095   808   NtWaitForSingleObject  (288, 0, 0x0, ...
 03065  1516   NtWaitForSingleObject  ... ) == 0x0
 03096  1664   NtSetEventBoostPriority  (360, ...
 03094   760   NtSetEventBoostPriority  ... ) == 0x0
 03093  1736   NtProtectVirtualMemory  ... (0x6ace000), 4096, 4, ) == 0x0
 03097  1972   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03098  1516   NtSetEventBoostPriority  (288, ...
 02937  1252   NtWaitForSingleObject  ... ) == 0x0
 03096  1664   NtSetEventBoostPriority  ... ) == 0x0
 03099   760   NtWaitForSingleObject  (288, 0, 0x0, ...
 03100  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03064   860   NtWaitForSingleObject  ... ) == 0x0
 03101  1252   NtWaitForSingleObject  (288, 0, 0x0, ...
 03098  1516   NtSetEventBoostPriority  ... ) == 0x0
 03097  1972   NtWaitForSingleObject  ... ) == 0x102
 03102  1664   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03103  2012   NtWaitForSingleObject  (288, 0, 0x0, ...
 03104   860   NtSetEventBoostPriority  (288, ...
 03100  1736   NtCreateThread  ... 984, {1636, 1756}, ) == 0x0
 03105  1972   NtWaitForSingleObject  (288, 0, 0x0, ...
 03106  1516   NtWaitForSingleObject  (132, 0, 0x0, ...
 03067   484   NtWaitForSingleObject  ... ) == 0x0
 03107  1736   NtQueryInformationThread  (984, Basic, 28, ...
 03104   860   NtSetEventBoostPriority  ... ) == 0x0
 03102  1664   NtWaitForSingleObject  ... ) == 0x102
 03108   484   NtSetEventBoostPriority  (288, ...
 03107  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1636,Tid=1756,}, 0x0, ) == 0x0
 03109   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03110  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 03074  2016   NtWaitForSingleObject  ... ) == 0x0
 03108   484   NtSetEventBoostPriority  ... ) == 0x0
 03109   860   NtDuplicateObject  ... 988, ) == 0x0
 03111  2016   NtSetEventBoostPriority  (288, ...
 03112  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0d\6\0\0\334\6\0\0" ...  ...
 03113   484   NtSetEventBoostPriority  (88, ...
 03078  2020   NtWaitForSingleObject  ... ) == 0x0
 03111  2016   NtSetEventBoostPriority  ... ) == 0x0
 03112  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75607, 0}  ... {28, 56, reply, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0d\6\0\0\334\6\0\0" )  ) == 0x0
 03114  2020   NtSetEventBoostPriority  (288, ...
 03084  1580   NtWaitForSingleObject  ... ) == 0x0
 03113   484   NtSetEventBoostPriority  ... ) == 0x0
 03115   860   NtWaitForSingleObject  (288, 0, 0x0, ...
 03083   896   NtWaitForSingleObject  ... ) == 0x0
 03116  1580   NtWaitForSingleObject  (288, 0, 0x0, ...
 03114  2020   NtSetEventBoostPriority  ... ) == 0x0
 03117  1736   NtResumeThread  (984, ...
 03118   484   NtTestAlert  (...
 03119   896   NtSetEventBoostPriority  (288, ...
 03120  2020   NtAllocateVirtualMemory  (-1, 14471168, 0, 4096, 4096, 260, ...
 03117  1736   NtResumeThread  ... 1, ) == 0x0
 03085   868   NtWaitForSingleObject  ... ) == 0x0
 03119   896   NtSetEventBoostPriority  ... ) == 0x0
 03118   484   NtTestAlert  ... ) == 0x0
 03121  2016   NtWaitForSingleObject  (288, 0, 0x0, ...
 03122  1756   NtWaitForSingleObject  (88, 0, 0x0, ...
 03123   868   NtSetEventBoostPriority  (288, ...
 03124  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03125   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03126   484   NtContinue  (109903152, 1, ...
 03090  1028   NtWaitForSingleObject  ... ) == 0x0
 03123   868   NtSetEventBoostPriority  ... ) == 0x0
 03120  2020   NtAllocateVirtualMemory  ... 14471168, 4096, ) == 0x0
 03124  1736   NtAllocateVirtualMemory  ... 112001024, 1048576, ) == 0x0
 03127  1028   NtSetEventBoostPriority  (288, ...
 03128   484   NtRegisterThreadTerminatePort  (24, ...
 03129   868   NtWaitForSingleObject  (360, 0, 0x0, ...
 03130  2020   NtWaitForSingleObject  (288, 0, 0x0, ...
 03095   808   NtWaitForSingleObject  ... ) == 0x0
 03127  1028   NtSetEventBoostPriority  ... ) == 0x0
 03131  1736   NtAllocateVirtualMemory  (-1, 113041408, 0, 8192, 4096, 4, ...
 03125   896   NtCreateEvent  ... 992, ) == 0x0
 03128   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 03132   808   NtSetEventBoostPriority  (288, ...
 03133  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 03131  1736   NtAllocateVirtualMemory  ... 113041408, 8192, ) == 0x0
 03134   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03099   760   NtWaitForSingleObject  ... ) == 0x0
 03132   808   NtSetEventBoostPriority  ... ) == 0x0
 03135   484   NtWaitForSingleObject  (288, 0, 0x0, ...
 03136  1736   NtProtectVirtualMemory  (-1, (0x6bce000), 4096, 260, ...
 03137   760   NtSetEventBoostPriority  (288, ...
 03134   896   NtDuplicateObject  ... 996, ) == 0x0
 03138   808   NtWaitForSingleObject  (288, 0, 0x0, ...
 03101  1252   NtWaitForSingleObject  ... ) == 0x0
 03136  1736   NtProtectVirtualMemory  ... (0x6bce000), 4096, 4, ) == 0x0
 03139   896   NtWaitForSingleObject  (288, 0, 0x0, ...
 03137   760   NtSetEventBoostPriority  ... ) == 0x0
 03140  1252   NtSetEventBoostPriority  (288, ...
 03141  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03103  2012   NtWaitForSingleObject  ... ) == 0x0
 03142   760   NtWaitForSingleObject  (288, 0, 0x0, ...
 03140  1252   NtSetEventBoostPriority  ... ) == 0x0
 03143  2012   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 03141  1736   NtCreateThread  ... 1000, {1636, 1304}, ) == 0x0
 03143  2012   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 03144  1736   NtQueryInformationThread  (1000, Basic, 28, ...
 03145  2012   NtSetEventBoostPriority  (288, ...
 03144  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1636,Tid=1304,}, 0x0, ) == 0x0
 03146  1252   NtSetEventBoostPriority  (360, ...
 03147  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0d\6\0\0\30\5\0\0" ...  ...
 02939   780   NtWaitForSingleObject  ... ) == 0x0
 03146  1252   NtSetEventBoostPriority  ... ) == 0x0
 03148   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 03147  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75608, 0}  ... {28, 56, reply, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0d\6\0\0\30\5\0\0" )  ) == 0x0
 03149  1252   NtWaitForSingleObject  (360, 0, 0x0, ...
 03105  1972   NtWaitForSingleObject  ... ) == 0x0
 03145  2012   NtSetEventBoostPriority  ... ) == 0x0
 03150  1972   NtSetEventBoostPriority  (288, ...
 03151  2012   NtWaitForSingleObject  (288, 0, 0x0, ...
 03110  1664   NtWaitForSingleObject  ... ) == 0x0
 03152  1664   NtSetEventBoostPriority  (288, ...
 03116  1580   NtWaitForSingleObject  ... ) == 0x0
 03153  1580   NtSetEventBoostPriority  (288, ...
 03115   860   NtWaitForSingleObject  ... ) == 0x0
 03154   860   NtSetEventBoostPriority  (288, ...
 03121  2016   NtWaitForSingleObject  ... ) == 0x0
 03155  2016   NtSetEventBoostPriority  (288, ...
 03130  2020   NtWaitForSingleObject  ... ) == 0x0
 03156  2020   NtSetEventBoostPriority  (288, ...
 03135   484   NtWaitForSingleObject  ... ) == 0x0
 03157   484   NtSetEventBoostPriority  (288, ...
 03133  1028   NtWaitForSingleObject  ... ) == 0x0
 03158  1028   NtSetEventBoostPriority  (288, ...
 03139   896   NtWaitForSingleObject  ... ) == 0x0
 03159   896   NtSetEventBoostPriority  (288, ...
 03138   808   NtWaitForSingleObject  ... ) == 0x0
 03160   808   NtSetEventBoostPriority  (288, ...
 03142   760   NtWaitForSingleObject  ... ) == 0x0
 03161   760   NtSetEventBoostPriority  (288, ...
 03148   780   NtWaitForSingleObject  ... ) == 0x0
 03162   780   NtSetEventBoostPriority  (288, ...
 03151  2012   NtWaitForSingleObject  ... ) == 0x0
 03163  2012   NtAllocateVirtualMemory  (-1, 18665472, 0, 4096, 4096, 260, ... 18665472, 4096, ) == 0x0
 03162   780   NtSetEventBoostPriority  ... ) == 0x0
 03161   760   NtSetEventBoostPriority  ... ) == 0x0
 03159   896   NtSetEventBoostPriority  ... ) == 0x0
 03157   484   NtSetEventBoostPriority  ... ) == 0x0
 03156  2020   NtSetEventBoostPriority  ... ) == 0x0
 03155  2016   NtSetEventBoostPriority  ... ) == 0x0
 03154   860   NtSetEventBoostPriority  ... ) == 0x0
 03153  1580   NtSetEventBoostPriority  ... ) == 0x0
 03152  1664   NtSetEventBoostPriority  ... ) == 0x0
 03160   808   NtSetEventBoostPriority  ... ) == 0x0
 03158  1028   NtSetEventBoostPriority  ... ) == 0x0
 03150  1972   NtSetEventBoostPriority  ... ) == 0x0
 03164  1736   NtResumeThread  (1000, ...
 03165  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03166   780   NtSetEventBoostPriority  (360, ...
 03167   760   NtWaitForSingleObject  (360, 0, 0x0, ...
 03168   896   NtWaitForSingleObject  (360, 0, 0x0, ...
 03169   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03170  2016   NtAllocateVirtualMemory  (-1, 17616896, 0, 4096, 4096, 260, ...
 03171   860   NtWaitForSingleObject  (360, 0, 0x0, ...
 03172  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03173  1580   NtSetEventBoostPriority  (88, ...
 03174   808   NtAllocateVirtualMemory  (-1, 13160448, 0, 4096, 4096, 260, ...
 03175  1028   NtSetEventBoostPriority  (132, ...
 03176  1972   NtWaitForSingleObject  (132, 0, 0x0, ...
 03164  1736   NtResumeThread  ... 1, ) == 0x0
 03165  2012   NtCreateEvent  ... 1004, ) == 0x0
 02945  1656   NtWaitForSingleObject  ... ) == 0x0
 03166   780   NtSetEventBoostPriority  ... ) == 0x0
 03169   484   NtDuplicateObject  ... 1008, ) == 0x0
 03177  1664   NtWaitForSingleObject  (132, 0, 0x0, ...
 03178  1304   NtWaitForSingleObject  (88, 0, 0x0, ...
 03170  2016   NtAllocateVirtualMemory  ... 17616896, 4096, ) == 0x0
 03172  2020   NtCreateEvent  ... 1012, ) == 0x0
 03122  1756   NtWaitForSingleObject  ... ) == 0x0
 03173  1580   NtSetEventBoostPriority  ... ) == 0x0
 03174   808   NtAllocateVirtualMemory  ... 13160448, 4096, ) == 0x0
 00806   384   NtWaitForSingleObject  ... ) == 0x0
 03175  1028   NtSetEventBoostPriority  ... ) == 0x0
 03179  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03180  1656   NtSetEventBoostPriority  (360, ...
 03181  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03182   780   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03183   484   NtWaitForSingleObject  (360, 0, 0x0, ...